0ctf 2017 kernel pwn knote write up

Posted by Jeremy 學習筆記 (Jeremy's Study Notes)


UAF caused by calling hlist_add_behind() without checking whether the note has already been linked.

delete_note() is wrapped in a mutex_lock()/mutex_unlock() pair, but edit_note_time() is not.

In addition, insert_note() does not check the flag before calling hlist_add_behind(), so a note that was already linked with hlist_add_before() gets linked a second time.

    for (;;) {
        /* add before the first node with a larger epoch */
        iter = hlist_entry(node, struct note_t, next);
        if (iter->epoch > epoch) {
            hlist_add_before(&(note->next), node);
            flag = true;
            break;
        }

        if (node->next == NULL)
            break;

        node = node->next;
    }

    /* otherwise append behind the last node */
    // if (!flag)  <-- the missing check: without it, a note already linked by
    //               hlist_add_before() is linked again here and the hlist is broken
    hlist_add_behind(&(note->next), node);

Exploitation:

1. UAF

  The broken hlist leaves a dangling link to a freed note, so the usual kernel UAF pattern applies: use the vulnerability to free a kernel object we can trigger operations on (e.g. a tty_struct), re-allocate its slab slot with a fake object whose function pointers point at evil functions or ROP gadgets, and finally invoke the related operation from user mode so the kernel calls through the replaced pointers.

2. Kernel info leak

  Notes are allocated with kmalloc(), which does not zero the allocation, so a note can hand back whatever the slab slot previously held (stale heap data, possibly including kernel pointers). The fix is to use kzalloc() instead of kmalloc().
