bsauce / blog-comment


【kernel exploit】CVE-2021-22555: privilege escalation analysis of a 2-byte heap-overflow zero write — bsauce #23

Open bsauce opened 3 years ago

bsauce commented 3 years ago

https://bsauce.github.io/2021/09/23/CVE-2021-22555/

【kernel exploit】CVE-2021-22555: privilege escalation analysis of a 2-byte heap-overflow zero write

Affected versions: Linux v2.6.19-rc1 to v5.12-rc7; patched in v5.12-rc8. The bug existed for 15 years and is rated 7.8. Fixed versions: 5.12, 5.10.31, 5.4.113, 4.19.188, 4.14.231, 4.9.267, 4.4.267. Found by syzkaller; see the crash report.

Test version: Linux-5.11.14

Exploit and test environment download: https://github.com/bsauce/kernel-exploit-factory

Build options: all CONFIG_IP_NF_* and CONFIG_NETFILTER_* related options.

```
CONFIG_USER_NS=y
CONFIG_NET_NS=y
CONFIG_COMPAT=y
CONFIG_IP_NF_IPTABLES=y        // /net/ipv4/netfilter/ip_tables.c
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_SECURITY=y
CONFIG_IP_NF_*=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_XTABLES=y     // /net/netfilter/x_tables.c
CONFIG_NETFILTER_XT_MATCH_U32=y
CONFIG_NETFILTER_*=y
```

When building, change CONFIG_E1000 and CONFIG_E1000E in .config to =y.

Reference:

```
$ wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v5.x/linux-5.11.14.tar.xz
$ tar -xvf linux-5.11.14.tar.xz
# KASAN: set via make menuconfig
```

adminact commented 2 years ago

Hello. While setting up the debugging environment, I built the kernel with the build options you listed above, and when I run the exploit in a QEMU virtual machine it always gets stuck at "Error could not corrupt any primary message." While debugging I did not find any rule containing "NFQUEUE" in the target. I am not very familiar with netfilter yet; could you give me some guidance?

bsauce commented 2 years ago

> Hello. While setting up the debugging environment, I built the kernel with the build options you listed above, and when I run the exploit in a QEMU virtual machine it always gets stuck at "Error could not corrupt any primary message." While debugging I did not find any rule containing "NFQUEUE" in the target. I am not very familiar with netfilter yet; could you give me some guidance?

If there is no "NFQUEUE" rule, which kernel version did you build?

bsauce commented 2 years ago

> Hello. While setting up the debugging environment, I built the kernel with the build options you listed above, and when I run the exploit in a QEMU virtual machine it always gets stuck at "Error could not corrupt any primary message." While debugging I did not find any rule containing "NFQUEUE" in the target. I am not very familiar with netfilter yet; could you give me some guidance?

I ticked a lot of options at the time, and some of them may not have made it onto the list. First, check whether it is a build-option problem; second, the settings given in start.sh can also cause the heap spray to fail.

adminact commented 2 years ago

@bsauce

> Hello. While setting up the debugging environment, I built the kernel with the build options you listed above, and when I run the exploit in a QEMU virtual machine it always gets stuck at "Error could not corrupt any primary message." While debugging I did not find any rule containing "NFQUEUE" in the target. I am not very familiar with netfilter yet; could you give me some guidance?

> If there is no "NFQUEUE" rule, which kernel version did you build?

I rechecked the build options and found that CONFIG_NETFILTER_XT_TARGET_NFQUEUE was not selected (sorry, my carelessness wasted the time you spent on the previous reply). After rebuilding the kernel, the exp now runs as far as stage 2: SMAP bypass and then hits "BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 15.327618] #PF: supervisor read access in kernel mode". My kernel version is 5.11.14. My start.sh configuration is basically the same as yours, except that I use the stretch.img provided by syzkaller.
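A build check that follows from this exchange, added here as an example and not taken from the post or from the kernel-exploit-factory repository: it reads a kernel .config and reports every option from the post's list, plus CONFIG_NETFILTER_XT_TARGET_NFQUEUE (the one found unset above), that is not built in as =y. The sample .config it writes is constructed to mirror the situation in this thread.

```shell
#!/bin/sh
# Added example, not code from the post or from kernel-exploit-factory: check a
# kernel .config for every option this thread lists, so a missing one is caught
# before the VM is booted. CONFIG_NETFILTER_XT_TARGET_NFQUEUE is the option
# adminact found unset; the rest are the post's list plus the two NIC drivers.
REQUIRED_OPTS="
CONFIG_USER_NS CONFIG_NET_NS CONFIG_COMPAT
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_NAT CONFIG_IP_NF_RAW CONFIG_IP_NF_SECURITY
CONFIG_NETFILTER_NETLINK CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_U32 CONFIG_NETFILTER_XT_TARGET_NFQUEUE
CONFIG_E1000 CONFIG_E1000E
"

# check_config FILE: print one line per required option that is not built in
# (=y), showing how FILE actually has it (=m, '# ... is not set', or absent).
# =m is rejected on purpose: the post wants the NIC drivers set to =y as well.
# Returns 0 only when every option is =y.
check_config() {
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^${opt}=y\$" "$1"; then
            state=$(grep -E "^(# )?${opt}( is not set|=.*)\$" "$1" | head -n 1)
            printf '%s: %s\n' "$opt" "${state:-absent}"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# write_sample_config FILE: constructed .config fragment that reproduces the
# thread's situation (NFQUEUE target left unset) plus one driver built as =m.
write_sample_config() {
    {
        for opt in $REQUIRED_OPTS; do
            case $opt in
                CONFIG_NETFILTER_XT_TARGET_NFQUEUE) echo "# $opt is not set" ;;
                CONFIG_E1000E) echo "$opt=m" ;;
                *) echo "$opt=y" ;;
            esac
        done
    } > "$1"
}

SAMPLE=$(mktemp)
write_sample_config "$SAMPLE"
if check_config "$SAMPLE"; then echo "all required options are =y"
else echo "enable the options above (make menuconfig), then rebuild"; fi
rm -f "$SAMPLE"
```

Point check_config at the real .config in the kernel tree instead of the sample to verify a build before running it under QEMU.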

adminact commented 2 years ago

```
[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[ 13.745290] x_tables: ip_tables: icmp.0 match: invalid size 8 (kernel) != (u0
[*] Searching for corrupted primary message...
[-] Error could not corrupt any primary message.
/exp $ ./exploit
[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...

[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[ 15.178142] x_tables: ip_tables: icmp.0 match: invalid size 8 (kernel) != (u0
[*] Searching for corrupted primary message...
[+] fake_idx: 801
[+] real_idx: 7d3

[+] STAGE 2: SMAP bypass
[*] Freeing real secondary message...
[*] Spraying fake secondary messages...
[*] Leaking adjacent secondary message...
[ 15.326946] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 15.327618] #PF: supervisor read access in kernel mode
[ 15.327888] #PF: error_code(0x0000) - not-present page
[ 15.328202] PGD 80000000046cc067 P4D 80000000046cc067 PUD 46cb067 PMD 0
[ 15.328665] Oops: 0000 [#1] SMP PTI
[ 15.328923] CPU: 0 PID: 106 Comm: exploit Not tainted 5.11.14 #5
[ 15.329206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-4
[ 15.329874] RIP: 0010:selinux_msg_queue_msgrcv+0x9b/0xd0
[ 15.330409] Code: 20 01 c6 04 24 04 e8 14 b6 ff ff 85 c0 74 1b 48 8b 4c 24 28
[ 15.331840] RSP: 0018:ffffc9000026fd88 EFLAGS: 00000246
[ 15.332046] RAX: 0000000000000000 RBX: ffff88800b776900 RCX: 00000000000001c5
[ 15.332656] RDX: ffff8880033cb324 RSI: 0000000000000001 RDI: 000000000000001c
[ 15.333409] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 15.333764] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 15.334035] R13: 0000000000000000 R14: 0000000000000005 R15: ffffffff825a6e70
[ 15.334424] FS: 0000000000000000(0000) GS:ffff88803e600000(0063) knlGS:00000
[ 15.334756] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 15.334978] CR2: 0000000000000000 CR3: 000000000b6fc000 CR4: 00000000003006f0
[ 15.335397] Call Trace:
[ 15.336301]  security_msg_queue_msgrcv+0x3d/0x60
[ 15.336839]  do_msgrcv+0x18f/0x630
[ 15.337085]  ? do_msg_fill+0x40/0x40
[ 15.337314]  compat_ksys_ipc+0x146/0x240
[ 15.337659]  __ia32_compat_sys_ipc+0x20/0x30
[ 15.337922]  __do_fast_syscall_32+0x5c/0x90
[ 15.338258]  do_fast_syscall_32+0x2f/0x70
[ 15.338437]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5f
[ 15.338990] RIP: 0023:0xf7f54549
[ 15.339403] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 00
[ 15.340988] RSP: 002b:00000000ffd071d0 EFLAGS: 00000206 ORIG_RAX: 00000000005
[ 15.341577] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 0000000000005801
[ 15.342186] RDX: 0000000000001fc8 RSI: 0000000000004800 RDI: 00000000ffd071f4
[ 15.343041] RBP: 00000000ffd07248 R08: 0000000000000000 R09: 0000000000000000
[ 15.343905] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 15.344090] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 15.344700] Modules linked in:
[ 15.344887] CR2: 0000000000000000
[ 15.345277] ---[ end trace 149be548c7cc9430 ]---
[ 15.345502] RIP: 0010:selinux_msg_queue_msgrcv+0x9b/0xd0
[ 15.345647] Code: 20 01 c6 04 24 04 e8 14 b6 ff ff 85 c0 74 1b 48 8b 4c 24 28
[ 15.347413] RSP: 0018:ffffc9000026fd88 EFLAGS: 00000246
[ 15.347608] RAX: 0000000000000000 RBX: ffff88800b776900 RCX: 00000000000001c5
[ 15.348169] RDX: ffff8880033cb324 RSI: 0000000000000001 RDI: 000000000000001c
[ 15.348686] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 15.349170] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 15.349659] R13: 0000000000000000 R14: 0000000000000005 R15: ffffffff825a6e70
[ 15.350035] FS: 0000000000000000(0000) GS:ffff88803e600000(0063) knlGS:00000
[ 15.350559] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 15.350883] CR2: 0000000000000000 CR3: 000000000b6fc000 CR4: 00000000003006f0
[ 15.356860] exploit (106) used greatest stack depth: 13792 bytes left
Killed
```

This is the log QEMU printed when the problem occurred; the QEMU virtual machine had not crashed at that point.

adminact commented 2 years ago

May I ask whether you could send me a copy of your compiled vmlinux? I would like to debug it.

bsauce commented 2 years ago

> May I ask whether you could send me a copy of your compiled vmlinux? I would like to debug it.

Your kernel version is the same as mine; I have uploaded a copy of the config file. Your build should be correct now. I cannot see the problem from your log; it may take debugging to find out (your environment should be able to debug normally now). My vmlinux is 1 GB, which is too large, and I do not have a good network connection to upload it right now; I may be able to upload it at the weekend.

adminact commented 2 years ago

@bsauce

> May I ask whether you could send me a copy of your compiled vmlinux? I would like to debug it.

> Your kernel version is the same as mine; I have uploaded a copy of the config file. Your build should be correct now. I cannot see the problem from your log; it may take debugging to find out (your environment should be able to debug normally now). My vmlinux is 1 GB, which is too large, and I do not have a good network connection to upload it right now; I may be able to upload it at the weekend.

OK, thank you very much. I will try debugging first, and also try building with your config file. :)