• Kernel Exploit 用到的结构体


    kernel structs

    shm_file_data

    size: 0x20 kmalloc-32

    /*
     * Per-open private data of a SysV shared-memory mapping.
     * Size noted above: 0x20 bytes, i.e. it lands in kmalloc-32.
     * vm_ops points at a vm_operations_struct, a table of function
     * pointers -- the member that matters if a freed object of this
     * size is reclaimed with attacker-controlled data.
     */
    struct shm_file_data {
    	int id;
    	struct ipc_namespace *ns;
    	struct file *file;
    	const struct vm_operations_struct *vm_ops;	/* function-pointer table */
    };
    

    seq_operations

    size: 0x20 kmalloc-32

    /*
     * Iterator callbacks of a seq_file: four function pointers and nothing
     * else, 0x20 bytes (kmalloc-32) as noted above. Because the whole object
     * is code pointers, a stale reference to a freed instance gives a direct
     * control-flow target, and a read of it leaks kernel text addresses.
     * NOTE(review): typically allocated by seq_file users such as procfs
     * readers -- confirm the allocation site on the target kernel.
     */
    struct seq_operations {
    	void * (*start) (struct seq_file *m, loff_t *pos);	/* called first on each read */
    	void (*stop) (struct seq_file *m, void *v);
    	void * (*next) (struct seq_file *m, void *v, loff_t *pos);
    	int (*show) (struct seq_file *m, void *v);
    };
    

    msg_msg

    size: 头部 0x30 + 消息正文，共 0x31~0x1000，落在 kmalloc-64 及以上（超出单次分配上限的正文通过 next 指向的 msg_msgseg 链式存放）

    /*
     * One msg_msg structure for each System V message. The 0x30-byte header
     * is immediately followed by the message text, so the allocation size is
     * header + text length (kmalloc-64 and up, per the note above). Text that
     * does not fit in the first allocation continues in msg_msgseg objects
     * chained through @next.
     */
    struct msg_msg {
    	struct list_head m_list;	/* queue linkage; prev/next are kernel heap pointers */
    	long m_type;
    	size_t m_ts;		/* message text size */
    	struct msg_msgseg *next;	/* continuation segment, NULL if text fits here */
    	void *security;		/* LSM blob -- NOTE(review): layout is LSM-specific */
    	/* the actual message follows immediately */
    };
    

    subprocess_info

    size: 0x60 kmalloc-128

    /*
     * Request descriptor for a usermode helper. Size noted above: 0x60 bytes
     * (kmalloc-128). Two function pointers (init, cleanup) plus the path/argv/
     * envp the helper is executed with make it attractive as a victim object.
     * NOTE(review): tagged __randomize_layout -- on kernels built with struct
     * layout randomization the field order below is not authoritative.
     */
    struct subprocess_info {
    	struct work_struct work;
    	struct completion *complete;
    	const char *path;		/* program to execute */
    	char **argv;
    	char **envp;
    	struct file *file;
    	int wait;
    	int retval;
    	pid_t pid;
    	int (*init)(struct subprocess_info *info, struct cred *new);	/* function pointer */
    	void (*cleanup)(struct subprocess_info *info);			/* function pointer */
    	void *data;
    } __randomize_layout;
    

    cred

    size: 0xa8 kmalloc-192（注意：struct cred 通常从专用的 cred_jar kmem_cache 分配，而非通用 kmalloc-192；能否与 kmalloc-192 对象重叠取决于目标内核的 slab 合并配置，需在目标上确认）

    alloc path:

    创建进程（fork）时为子进程复制一份 cred

    free path:

    exploit path:

    将 uid/gid 及其 s*/e*/fs* 变体全部改为 0 即获得 root（注意结构体有 __randomize_layout 与多处 #ifdef，字段偏移需以目标内核为准）

    /*
     * Task credentials. Listed above as 0xa8 bytes (kmalloc-192). The exploit
     * path described above is to overwrite the uid/gid family with 0 (root).
     *
     * NOTE(review): every #ifdef block below (CONFIG_DEBUG_CREDENTIALS,
     * CONFIG_KEYS, CONFIG_SECURITY) shifts the offsets of all later fields,
     * and the struct is __randomize_layout -- take offsets from the target
     * kernel's config/vmlinux, not from this listing.
     */
    struct cred {
    	atomic_t	usage;		/* refcount; corrupting it is an easy way to crash */
        
    #ifdef CONFIG_DEBUG_CREDENTIALS
    	atomic_t	subscribers;	/* number of processes subscribed */
    	void		*put_addr;
    	unsigned	magic;
    #define CRED_MAGIC	0x43736564
    #define CRED_MAGIC_DEAD	0x44656144
    #endif
        
    	/* the eight ids below are the ones zeroed to obtain root */
    	kuid_t		uid;		/* real UID of the task */
    	kgid_t		gid;		/* real GID of the task */
    	kuid_t		suid;		/* saved UID of the task */
    	kgid_t		sgid;		/* saved GID of the task */
    	kuid_t		euid;		/* effective UID of the task */
    	kgid_t		egid;		/* effective GID of the task */
    	kuid_t		fsuid;		/* UID for VFS ops */
    	kgid_t		fsgid;		/* GID for VFS ops */
    	unsigned	securebits;	/* SUID-less security management */
    	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
    	kernel_cap_t	cap_permitted;	/* caps we're permitted */
    	kernel_cap_t	cap_effective;	/* caps we can actually use */
    	kernel_cap_t	cap_bset;	/* capability bounding set */
    	kernel_cap_t	cap_ambient;	/* Ambient capability set */
        
    #ifdef CONFIG_KEYS
    	unsigned char	jit_keyring;	/* default keyring to attach requested keys to */
    	struct key __rcu *session_keyring; /* keyring inherited over fork */
    	struct key	*process_keyring; /* keyring private to this process */
    	struct key	*thread_keyring; /* keyring private to this thread */
    	struct key	*request_key_auth; /* assumed request_key authority */
    #endif
        
    #ifdef CONFIG_SECURITY
    	void		*security;	/* subjective LSM security */
    #endif
        
    	struct user_struct *user;	/* real user ID subscription */
    	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
    	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
    	
        /* RCU deletion */
    	union {
    		int non_rcu;			/* Can we skip RCU deletion? */
    		struct rcu_head	rcu;		/* RCU deletion hook */
    	};
    } __randomize_layout;
    

    file

    size: kmalloc-256 大小（注意：struct file 通常由专用的 filp kmem_cache 分配，而非通用 kmalloc-256；能否与 kmalloc-256 对象重叠取决于目标内核的 slab 合并情况，需确认）

    alloc path:

    free path:

    exploit path:

    将 f_op 指向伪造的 file_operations 函数表，之后对该 fd 的 read/write/ioctl 等系统调用即经由伪造的函数指针派发

    /*
     * Open file description. Listed above as a kmalloc-256-sized object; the
     * exploit path given above is to repoint f_op at a controlled
     * file_operations table so that later syscalls on the fd dispatch through
     * attacker-chosen function pointers.
     *
     * NOTE(review): the CONFIG_SECURITY and CONFIG_EPOLL blocks change the
     * offsets of the fields after them, and the struct is __randomize_layout;
     * verify offsets on the target kernel.
     */
    struct file {
    	union {
    		struct llist_node	fu_llist;
    		struct rcu_head 	fu_rcuhead;	/* reused for deferred free */
    	} f_u;
    	struct path		f_path;
    	struct inode		*f_inode;	/* cached value */
    	const struct file_operations	*f_op;	/* function-pointer table (exploit target) */
    
    	/*
    	 * Protects f_ep_links, f_flags.
    	 * Must not be taken from IRQ context.
    	 */
    	spinlock_t		f_lock;
    	enum rw_hint		f_write_hint;
    	atomic_long_t		f_count;	/* refcount */
    	unsigned int 		f_flags;
    	fmode_t			f_mode;
    	struct mutex		f_pos_lock;
    	loff_t			f_pos;
    	struct fown_struct	f_owner;
    	const struct cred	*f_cred;	/* credentials of the opener */
    	struct file_ra_state	f_ra;
    
    	u64			f_version;
    #ifdef CONFIG_SECURITY
    	void			*f_security;
    #endif
    	/* needed for tty driver, and maybe others */
    	void			*private_data;
    
    #ifdef CONFIG_EPOLL
    	/* Used by fs/eventpoll.c to link all the hooks to this file */
    	struct list_head	f_ep_links;
    	struct list_head	f_tfile_llink;
    #endif /* #ifdef CONFIG_EPOLL */
    	struct address_space	*f_mapping;
    	errseq_t		f_wb_err;
    } __randomize_layout
      __attribute__((aligned(4)));	/* lest something weird decides that 2 is OK */
    

    timerfd_ctx

    size: kmalloc-256

    alloc path:

    free path:

    exploit path:

    t.tmr（struct hrtimer，见下）的 function 成员是函数指针，定时器到期时被调用

    /*
     * Private state of a timerfd. Listed above as kmalloc-256. The member of
     * interest is t.tmr (struct hrtimer, shown below), whose @function
     * callback pointer is invoked when the timer expires.
     * NOTE(review): the embedded rcu_head indicates the object is freed after
     * an RCU grace period rather than immediately -- relevant to the timing
     * of any reclaim after close(); confirm against the release path.
     */
    struct timerfd_ctx {
    	union {
    		struct hrtimer tmr;	/* contains the function pointer */
    		struct alarm alarm;
    	} t;
    	ktime_t tintv;
    	ktime_t moffs;
    	wait_queue_head_t wqh;
    	u64 ticks;
    	int clockid;
    	short unsigned expired;
    	short unsigned settime_flags;	/* to show in fdinfo */
    	struct rcu_head rcu;		/* deferred free hook */
    	struct list_head clist;
    	spinlock_t cancel_lock;
    	bool might_cancel;
    };
    
    /*
     * High-resolution timer node embedded in timerfd_ctx above.
     * @function is the expiry callback: a function pointer that is called
     * with the hrtimer itself as argument when the timer fires.
     */
    struct hrtimer {
    	struct timerqueue_node		node;
    	ktime_t				_softexpires;
    	enum hrtimer_restart		(*function)(struct hrtimer *);	/* expiry callback */
    	struct hrtimer_clock_base	*base;
    	u8				state;
    	u8				is_rel;
    	u8				is_soft;
    };
    

    tty_struct

    size: 0x2e0 kmalloc-1024

    alloc path:

    open("/dev/ptmx",O_RDWR);

    free path:

    exploit path:

    ops 指向的 tty_operations 含大量函数指针，可替换为伪造的函数表劫持后续 ioctl/write 等调用

    /*
     * Per-tty state. Listed above as 0x2e0 bytes (kmalloc-1024), allocated by
     * open("/dev/ptmx", O_RDWR). @ops points to a tty_operations table full of
     * function pointers; replacing it with a controlled table hijacks later
     * ioctl/write/... calls on the tty.
     * NOTE(review): @magic is a constant tag field, handy for recognising the
     * object in a heap leak -- confirm its value (TTY_MAGIC) on the target.
     * The struct is __randomize_layout; take offsets from the target kernel.
     */
    struct tty_struct {
    	int	magic;
    	struct kref kref;
    	struct device *dev;
    	struct tty_driver *driver;
    	const struct tty_operations *ops;	/* function-pointer table (exploit target) */
    	int index;
    
    	/* Protects ldisc changes: Lock tty not pty */
    	struct ld_semaphore ldisc_sem;
    	struct tty_ldisc *ldisc;
    
    	struct mutex atomic_write_lock;
    	struct mutex legacy_mutex;
    	struct mutex throttle_mutex;
    	struct rw_semaphore termios_rwsem;
    	struct mutex winsize_mutex;
    	spinlock_t ctrl_lock;
    	spinlock_t flow_lock;
    	/* Termios values are protected by the termios rwsem */
    	struct ktermios termios, termios_locked;
    	struct termiox *termiox;	/* May be NULL for unsupported */
    	char name[64];
    	struct pid *pgrp;		/* Protected by ctrl lock */
    	struct pid *session;
    	unsigned long flags;
    	int count;
    	struct winsize winsize;		/* winsize_mutex */
    	unsigned long stopped:1,	/* flow_lock */
    		      flow_stopped:1,
    		      unused:BITS_PER_LONG - 2;
    	int hw_stopped;
    	unsigned long ctrl_status:8,	/* ctrl_lock */
    		      packet:1,
    		      unused_ctrl:BITS_PER_LONG - 9;
    	unsigned int receive_room;	/* Bytes free for queue */
    	int flow_change;
    
    	struct tty_struct *link;	/* peer end of a pty pair */
    	struct fasync_struct *fasync;
    	wait_queue_head_t write_wait;
    	wait_queue_head_t read_wait;
    	struct work_struct hangup_work;
    	void *disc_data;
    	void *driver_data;
    	spinlock_t files_lock;		/* protects tty_files list */
    	struct list_head tty_files;
    
    #define N_TTY_BUF_SIZE 4096
    
    	int closing;
    	unsigned char *write_buf;
    	int write_cnt;
    	/* If the tty has a pending do_SAK, queue it here - akpm */
    	struct work_struct SAK_work;
    	struct tty_port *port;
    } __randomize_layout;
    

    packet_socket

    size: kmalloc-2048

    alloc path:

    socket(AF_PACKET) -> packet_create -> sk_alloc（注意：创建 AF_PACKET socket 需要 CAP_NET_RAW，非特权进程通常需借助 user namespace 取得该权限，否则返回 EPERM）

    socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));

    free path:

    exploit path:

    packet_sock->rx_ring->prb_bdqc->retire_blk_timer->func

    定时器回调函数指针，retire 超时到期后被调用，并以该 timer 为参数；该定时器位于 TPACKET_V3 接收环的 prb_bdqc 中，只有通过 setsockopt 配置 PACKET_RX_RING 后才会建立（请在目标内核上确认）

    packet_socket->xmit

    函数指针，在发送数据（sendmsg 路径）时被调用，而非接收数据时

    /*
     * AF_PACKET socket. Listed above as kmalloc-2048; created via
     * socket(AF_PACKET, ...) -> packet_create -> sk_alloc. Exploit-relevant
     * members per the notes above: the retire_blk_timer inside rx_ring
     * (TPACKET_V3 block-retire timer) and the @xmit function pointer, which
     * is used on the transmit path when the socket sends.
     * NOTE(review): prot_hook is ____cacheline_aligned_in_smp, so padding
     * before it depends on the build; confirm the object size on the target.
     */
    struct packet_sock {
    	/* struct sock has to be the first member of packet_sock */
    	struct sock		sk;
    	struct packet_fanout	*fanout;
    	union  tpacket_stats_u	stats;
    	struct packet_ring_buffer	rx_ring;	/* holds prb_bdqc.retire_blk_timer */
    	struct packet_ring_buffer	tx_ring;
    	int			copy_thresh;
    	spinlock_t		bind_lock;
    	struct mutex		pg_vec_lock;
    	unsigned int		running:1,	/* prot_hook is attached*/
    				auxdata:1,
    				origdev:1,
    				has_vnet_hdr:1;
    	int			pressure;
    	int			ifindex;	/* bound device		*/
    	__be16			num;
    	struct packet_rollover	*rollover;
    	struct packet_mclist	*mclist;
    	atomic_t		mapped;
    	enum tpacket_versions	tp_version;
    	unsigned int		tp_hdrlen;
    	unsigned int		tp_reserve;
    	unsigned int		tp_loss:1;
    	unsigned int		tp_tx_has_off:1;
    	unsigned int		tp_tstamp;
    	struct net_device __rcu	*cached_dev;
    	int			(*xmit)(struct sk_buff *skb);	/* function pointer, send path */
    	struct packet_type	prot_hook ____cacheline_aligned_in_smp;
    };
    

    参考文献

    [1] https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628

    [2] https://ama2in9.top/2020/02/08/kernel/

    [3] https://xz.aliyun.com/t/6653

  • 原文地址:https://www.cnblogs.com/helica/p/12572931.html