\uadf8\ub807\ub2e4. \uc774\uac83\uc740 Linux kernel exploit\uc5d0 \uad00\ud55c \uae30\ubcf8\uc801\uc778 \uc9c0\uc2dd\ub4e4\uc744 \uae4c\uba39\uc9c0\uc54a\uac8c \uc801\uc5b4\ub193\ub294 \uacf5\uac04\uc778 \uac83\uc774\ub2e4.
\n<\/br><\/p>\n
\uadf8\ub807\ub2e4. \ubcf4\ud638\uae30\ubc95\uc774\ub2e4.<\/p>\n
KASLR<\/code> : ASLR\uacfc \ub611\uac19\uc774 Kernel\ub2e8 address\ub97c randomization\ud568.<\/li>\nSMEP<\/code> : Ring3\uc5d0\uc11c Ring0 \uc601\uc5ed\uc758 \uba85\ub839\uc5b4\ub97c \uc2e4\ud589\ud560 \uc218 \uc5c6\ub3c4\ub85d \ub9cc\ub4e6.<\/li>\nSMAP<\/code> : Ring3\uc5d0\uc11c Ring0 \uc601\uc5ed\uc744 \uc811\uadfc\ud560 \uc218 \uc5c6\ub3c4\ub85d \ub9cc\ub4e6.<\/li>\nKADR<\/code> : \/proc\/kallsyms\uc744 \uc77d\uc5c8\uc744 \ub54c \ubcf4\uc774\ub294 \uc8fc\uc18c\ub97c \ub2e4 0\uc73c\ub85c \ubc14\uafd4\ubc84\ub9bc.<\/li>\nKPTI<\/code> : Ring3\uc5d0\uc11c Ring0\uc758 \uc815\ubcf4\ub97c \uc77d\uc5b4\uc62c \uc218 \uc5c6\uac8c \uc544\uc608 \uc0c8\ub85c \ud398\uc774\uc9d5 \ud558\ub294 \ubcf4\ud638\uae30\ubc95.<\/li>\ncanary<\/code> : \uadf8\ub807\ub2e4. \uadf8 canary\uc778 \uac83\uc774\ub2e4.<\/li>\nmmap_min_addr<\/code> : mmap\uc744 \ud560 \uc218 \uc788\ub294 \ucd5c\uc18c \uc8fc\uc18c\ub97c \uc815\ud574 null pointer dereference \uacf5\uaca9 \ubc29\uc9c0
\n<\/br><\/li>\n<\/ul>\nFunction that we need to know to exploit<\/h2>\n
\n
\uc775\uc2a4\ub97c \ud558\uae30 \uc704\ud574 \uc54c\uc544\uc57c \ud560 \ud568\uc218\ub4e4\uc774\ub2e4.<\/p>\n
prepare_kernel_cred(struct task_struct *daemon)\n<\/code><\/pre>\n\uc704 \ud568\uc218\ub294 \uc778\uc790\ub85c \ub118\uaca8\ubc1b\uc740 \uac12\uc5d0 \ub530\ub77c cred<\/code> \uad6c\uc870\uccb4\ub97c \uc0dd\uc131\ud558\uace0, \uadf8 \uc8fc\uc18c\ub97c \ubc18\ud658\ud55c\ub2e4.
\nNULL\uc744 \uc778\uc790\ub85c \ub118\uaca8\uc8fc\uba74, root<\/code>\uad8c\ud55c\uc758 cred<\/code>\uad6c\uc870\uccb4\ub97c \uc0c8\ub85c \uc0dd\uc131\ud55c \ub4a4 \ubc18\ud658\ud55c\ub2e4.<\/p>\ncommit_creds(struct cred *new)\n<\/code><\/pre>\n\uc785\ub825\ubc1b\uc740 cred<\/code> \uad6c\uc870\uccb4\ub85c \uc720\uc800\uc758 \uad8c\ud55c\uc744 \ubcc0\ud658\uc2dc\ud0a8\ub2e4. return\uac12\uc740 \ud56d\uc0c1 0\uc778\ub4ef?<\/p>\ncopy_from_user(void *to, const void __user *from, unsigned long n)\n<\/code><\/pre>\nvoid __user<\/code>\uc740 \uadf8\ub0e5 char<\/code>\ub098 void<\/code>\ub85c \ubd10\ub3c4 \ubb34\ubc29\ud560\ub4ef\ud558\ub2e4.
\nfrom -> to<\/code>\ub85c n bytes<\/code>\ub9cc\ud07c memcpy<\/code>\ud558\ub294 \uac83\uacfc \uc720\uc0ac\ud558\uac8c \uc791\ub3d9\ud55c\ub2e4.
\n\uc774\ub984\uac12 \ud558\ub4ef\uc774 user space<\/code>\uc5d0\uc11c kernel space<\/code>\ub85c \uac12\uc744 \uc801\ub294 \uac83\uc784.<\/p>\ncopy_to_user(void *to, const void *from, unsigned long n)\n<\/code><\/pre>\n\uc774\uac83\ub3c4 \uc544\uae4c\uc640 \uac19\uc774 from -> to<\/code>\ub85c n bytes<\/code>\ub9cc\ud07c memcpy<\/code>\ud558\ub294 \uac83\uacfc \uc720\uc0ac\ud558\uac8c \uc791\ub3d9\ud55c\ub2e4.
\n\ub2e4\ub9cc \ubc18\ub300\ub85c kernel space -> user space<\/code>\ub85c \ubcf5\uc0ac\ud55c\ub2e4.<\/p>\nstruct cred {\n atomic_t usage;\n#ifdef CONFIG_DEBUG_CREDENTIALS\n atomic_t subscribers; \/* number of processes subscribed *\/\n void *put_addr;\n unsigned magic;\n#define CRED_MAGIC 0x43736564\n#define CRED_MAGIC_DEAD 0x44656144\n#endif\n kuid_t uid; \/* real UID of the task *\/\n kgid_t gid; \/* real GID of the task *\/\n kuid_t suid; \/* saved UID of the task *\/\n kgid_t sgid; \/* saved GID of the task *\/\n kuid_t euid; \/* effective UID of the task *\/\n kgid_t egid; \/* effective GID of the task *\/\n kuid_t fsuid; \/* UID for VFS ops *\/\n kgid_t fsgid; \/* GID for VFS ops *\/\n unsigned securebits; \/* SUID-less security management *\/\n kernel_cap_t cap_inheritable; \/* caps our children can inherit *\/\n kernel_cap_t cap_permitted; \/* caps we're permitted *\/\n kernel_cap_t cap_effective; \/* caps we can actually use *\/\n kernel_cap_t cap_bset; \/* capability bounding set *\/\n kernel_cap_t cap_ambient; \/* Ambient capability set *\/\n#ifdef CONFIG_KEYS\n unsigned char jit_keyring; \/* default keyring to attach requested\n * keys to *\/\n struct key *session_keyring; \/* keyring inherited over fork *\/\n struct key *process_keyring; \/* keyring private to this process *\/\n struct key *thread_keyring; \/* keyring private to this thread *\/\n struct key *request_key_auth; \/* assumed request_key authority *\/\n#endif\n#ifdef CONFIG_SECURITY\n void *security; \/* subjective LSM security *\/\n#endif\n struct user_struct *user; \/* real user ID subscription *\/\n struct user_namespace *user_ns; \/* user_ns the caps and keyrings are relative to. *\/\n struct group_info *group_info; \/* supplementary groups for euid\/fsgid *\/\n \/* RCU deletion *\/\n union {\n int non_rcu; \/* Can we skip RCU deletion? *\/\n struct rcu_head rcu; \/* RCU deletion hook *\/\n };\n} __randomize_layout;\n<\/code><\/pre>\ncred<\/code>\uad6c\uc870\uccb4\uc758 \uad6c\ud604\uc740 \uc774\ub807\uac8c \ub418\uc5b4\uc788\ub2e4.
\n\ub531\ud788 \uc124\uba85\ud560 \uac83\uc740 \uc5c6\ub294\ub4ef.<\/p>\nEtc..<\/h2>\n
\n
\ucee4\ub110\uc744 \uc775\uc2a4\ud560 \ub54c\ub294 \ubcf4\ud1b5, \ucee4\ub110 \uc720\uc800 \uc258\uc5d0 \uc811\uadfc\ud55c \ud6c4 C<\/code>\uc5b8\uc5b4\ub85c \uc791\uc131\ud55c ELF<\/code>\ub97c \uc2e4\ud589\uc2dc\ucf1c\uc11c \uad8c\ud55c\uc744 \ud68d\ub4dd\ud55c\ub2e4.<\/p>\n\ud558\uc9c0\ub9cc \ub2f9\uc5f0\ud558\uac8c\ub3c4 \ubd80\ud305\ub418\ub294 \ucee4\ub110\uc5d0\ub294 gcc<\/code>\uac00 \uc874\uc7ac\ud558\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\uadf8\ub7ec\ubbc0\ub85c host\uc758 \uc258\uc5d0\uc11c \ubbf8\ub9ac gcc<\/code>\ub85c static compile<\/code>\uc744 \uc9c4\ud589\ud55c \ud6c4 exploit<\/code> \ud560 \ucee4\ub110\uc5d0 \ub118\uaca8\uc8fc\uc5b4\uc57c\ud55c\ub2e4.<\/p>\n\ubc29\ubc95\uc740 \uc5ec\ub7ec\uac00\uc9c0\uac00 \uc788\uaca0\uc9c0\ub9cc \ub098 \uac19\uc740 \uacbd\uc6b0\ub294 ELF<\/code>\ub97c base64 encoding -> kernel -> base64 decoding -> execute<\/code>\uc21c\uc11c\ub85c \uc9c4\ud589\ud558\ub294 \uac83\uc744 \uc120\ud638\ud55c\ub2e4.<\/p>\n\uc800 \ubc11\uc5d0 \uc2a4\ucf08\ub808\ud1a4 \ucc38\uc870.<\/p>\n
\nx86_64<\/code>\uac19\uc740 \uacbd\uc6b0\uc5d0\ub294 \uc0c1\uad00 \uc5c6\ub294 \uc774\uc57c\uae30\uaca0\uc9c0\ub9cc, arm<\/code>\ud639\uc740 mips<\/code>\uc544\ud0a4\ud14d\uccd0 \ucabd\uc740 \ud638\ud658\uc131 \ub54c\ubb38\uc778\uc9c0 pwndbg<\/code>, peda<\/code>\ubcf4\ub2e4 gef<\/code>\ub97c \uac00\uc7a5 \ub9ce\uc774 \uc0ac\uc6a9\ud558\ub294 \uac83 \uac19\ub2e4.<\/p>\n
\n\ucee4\ub110 \ubcf4\ud638\uae30\ubc95 \ud655\uc778\ud558\ub294 \ubc95.<\/p>\n
mmap_min_addr : sysctl -a | grep vm.mmap\nsmep : cat \/proc\/cpuinfo | grep smep\nkaslr : cat \/proc\/kallsyms | grep _text | head -n 1\n<\/code><\/pre>\n
\nfork<\/code> \ud568\uc218\ub85c \uc790\uc2dd \ud504\ub85c\uc138\uc2a4\ub97c \uc0dd\uc131\ud558\uba74 \ud604\uc7ac \uc0ac\uc6a9\uc790\uc758 \uad8c\ud55c\uc5d0 \ub9de\ub294 cred<\/code> \uad6c\uc870\uccb4\ub97c \ud799\uc5d0 \uc0c8\ub85c \uc0dd\uc131\ud55c\ub2e4.<\/p>\nskeleton code.<\/h2>\n
\n
compile.sh<\/strong><\/p>\n#!\/bin\/bash\nmusl-gcc -o solve solve.c -static\nbase64 .\/solve > solve.b64\ncat solve.b64\nrm solve solve.b64\n<\/code><\/pre>\nsolve.c<\/strong><\/p>\n#include <stdio.h>\n\nint main() {\n puts(\"Hello, World!\");\n return 0;\n} \n<\/code><\/pre>\nsolve.py<\/strong><\/p>\nfrom pwn import *\nimport subprocess as sub\n\np = process(argv=['\/bin\/bash', '-c', '.\/boot.sh'])\n\ndef main() :\n res = sub.check_output('.\/compile.sh').strip()\n p.sendlineafter('$', 'cd \/home\/ctf')\n p.sendline('echo \"{}\" > solve.b64'.format(res))\n p.sendline('base64 -d solve.b64 > solve')\n p.sendline('chmod +x solve')\n p.interactive()\nif __name__ == '__main__' :\n main()\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"Linux kernel exploit basic \uadf8\ub807\ub2e4. \uc774\uac83\uc740 Linux kernel exploit\uc5d0 \uad00\ud55c \uae30\ubcf8\uc801\uc778 \uc9c0\uc2dd\ub4e4\uc744 \uae4c\uba39\uc9c0\uc54a\uac8c \uc801\uc5b4\ub193\ub294 \uacf5\uac04\uc778 \uac83\uc774\ub2e4. Mitigation \uadf8\ub807\ub2e4. \ubcf4\ud638\uae30\ubc95\uc774\ub2e4. KASLR : ASLR\uacfc \ub611\uac19\uc774 Kernel\ub2e8 address\ub97c randomization\ud568. SMEP : Ring3\uc5d0\uc11c Ring0 \uc601\uc5ed\uc758 \uba85\ub839\uc5b4\ub97c \uc2e4\ud589\ud560 \uc218 \uc5c6\ub3c4\ub85d \ub9cc\ub4e6. SMAP : Ring3\uc5d0\uc11c Ring0 \uc601\uc5ed\uc744 \uc811\uadfc\ud560 \uc218 \uc5c6\ub3c4\ub85d \ub9cc\ub4e6. KADR : \/proc\/kallsyms\uc744 \uc77d\uc5c8\uc744 \ub54c \ubcf4\uc774\ub294 \uc8fc\uc18c\ub97c \ub2e4 0\uc73c\ub85c \ubc14\uafd4\ubc84\ub9bc….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,6],"tags":[],"class_list":["post-606","post","type-post","status-publish","format-standard","hentry","category-kernel","category-http-ipwn-kr-blog-pwnable"],"_links":{"self":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/606"}],"collection":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/comments?post=606"}],"version-history":[{"count":43,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/606\/revisions"}],"predecessor-version":[{"id":933,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/606\/revisions\/933"}],"wp:attachment":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/media?parent=606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/categories?post=606"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/tags?post=606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}