Question

I've confirmed that I can control rip, and I've done the leak as well. Then I tried to get root with the ret2usr technique, but

[   26.746655] kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)
[   26.746816] BUG: unable to handle page fault for address: 00007ffc1ad4e790
[   26.746947] #PF: supervisor instruction fetch in kernel mode
[   26.747034] #PF: error_code(0x0011) - permissions violation
[   26.747186] PGD 1de067 P4D 1de067 PUD 21f8067 PMD 1d9067 PTE 8000000004bec067
[   26.747585] Oops: 0011 [#1] SMP NOPTI
[   26.747756] CPU: 0 PID: 84 Comm: exploit Not tainted 5.11.16-kpwnote+ #1
[   26.748081] RIP: 0010:0x7ffc1ad4e790
[   26.748268] Code: Unable to access opcode bytes at RIP 0x7ffc1ad4e766.
[   26.748369] RSP: 0018:ffffb8e480547e78 EFLAGS: 00000203
[   26.748469] RAX: 00000000b7697458 RBX: ffffffff8b1834e0 RCX: ffffb8e480547ef0
[   26.748539] RDX: 0000000000000007 RSI: 0000000000498022 RDI: 365b7567fd0aa0a3
[   26.748607] RBP: 0000000000401d2e R08: 0000000000401d0c R09: 0000000000498029
[   26.748674] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000498022
[   26.748741] R13: ffffffffffffffea R14: 0000000000000007 R15: 0000000000000000
[   26.748849] FS:  0000000002096880(0000) GS:ffff9ddd47a00000(0000) knlGS:0000000000000000
[   26.748925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.748988] CR2: 00007ffc1ad4e790 CR3: 0000000000c04000 CR4: 00000000000006b0
[   26.749146] Call Trace:
[   26.749823]  ? proc_reg_write+0x58/0x80
[   26.749928]  ? vfs_write+0xb3/0x270
[   26.750014]  ? do_sys_openat2+0x1b4/0x2d0
[   26.750090]  ? ksys_write+0xa2/0xe0
[   26.750140]  ? __x64_sys_write+0x15/0x20
[   26.750215]  ? do_syscall_64+0x31/0x40
[   26.750292]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   26.750432] Modules linked in:
[   26.750585] CR2: 00007ffc1ad4e790
[   26.756069] ---[ end trace 4c7b0ba289993620 ]---
[   26.756255] RIP: 0010:0x7ffc1ad4e790
[   26.756335] Code: Unable to access opcode bytes at RIP 0x7ffc1ad4e766.
[   26.756404] RSP: 0018:ffffb8e480547e78 EFLAGS: 00000203
[   26.756479] RAX: 00000000b7697458 RBX: ffffffff8b1834e0 RCX: ffffb8e480547ef0
[   26.756550] RDX: 0000000000000007 RSI: 0000000000498022 RDI: 365b7567fd0aa0a3
[   26.756621] RBP: 0000000000401d2e R08: 0000000000401d0c R09: 0000000000498029
[   26.756689] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000498022
[   26.756758] R13: ffffffffffffffea R14: 0000000000000007 R15: 0000000000000000
[   26.756826] FS:  0000000002096880(0000) GS:ffff9ddd47a00000(0000) knlGS:0000000000000000
[   26.756898] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.756961] CR2: 00007ffc1ad4e790 CR3: 0000000000c04000 CR4: 00000000000006b0

It leaves a log like this and kernel-panics. I thought SMEP might be enabled and ran cat /proc/cpuinfo, but nothing about smep showed up. Where on earth is the problem???

processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 6
model		: 6
model name	: QEMU Virtual CPU version 2.5+
stepping	: 3
cpu MHz		: 3503.963
cache size	: 512 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm nopl cpuid pni cx16 hypervisor lahf_lm svm 3dnowprefetch vmmcall
bugs		: fxsave_leak sysret_ss_attrs spectre_v1 spectre_v2 spec_store_bypass
bogomips	: 7007.92
TLB size	: 1024 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management:
#pwnable
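Two checks worth running before blaming SMEP, as an added example (this code is not from the post or its author). Reading the oops itself: RIP is 0x7ffc1ad4e790, a user-space address in the range where the process stack normally lives; error_code 0x0011 is an instruction fetch that hit a protection violation; the printed PTE 8000000004bec067 has bit 63 (NX) set; and the cpuinfo flags list nx but no smep token. So the kernel did return into user space as intended, and the fault is the NX bit of the page it landed on, not SMEP. The program below parses a /proc/<pid>/maps dump to report whether a candidate return address is in an executable mapping, and does an exact-token lookup of a feature in the cpuinfo flags line. The SAMPLE_MAPS layout (static binary .text at 0x400000, rw-p stack around the oops RIP) is constructed for illustration; SAMPLE_CPUINFO reuses the flags line from the question.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input, not taken from a real box: a static binary with
 * its .text at 0x400000 and a non-executable stack around the oops RIP. */
static const char SAMPLE_MAPS[] =
    "00400000-0049a000 r-xp 00000000 08:01 1234 /home/user/exploit\n"
    "0049a000-004a0000 rw-p 0009a000 08:01 1234 /home/user/exploit\n"
    "02096000-020b8000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffc1ad2f000-7ffc1ad50000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed cut-down /proc/cpuinfo using the flags line from the question. */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "model name\t: QEMU Virtual CPU version 2.5+\n"
    "flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat "
    "pse36 clflush mmx fxsr sse sse2 syscall nx lm nopl cpuid pni cx16 "
    "hypervisor lahf_lm svm 3dnowprefetch vmmcall\n"
    "bugs\t\t: fxsave_leak sysret_ss_attrs spectre_v1 spectre_v2 spec_store_bypass\n";

/* Return the first line of text that starts with prefix, or NULL. */
static const char *find_line(const char *text, const char *prefix)
{
    size_t n = strlen(prefix);
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, prefix, n) == 0)
            return line;
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return NULL;
}

/* Locate the maps entry covering addr. On success copies its permission
 * field ("rw-p", "r-xp", ...) into perms[5] and returns 1; otherwise 0. */
int find_mapping(const char *maps_text, unsigned long long addr, char perms[5])
{
    for (const char *line = maps_text; line && *line; ) {
        unsigned long long start, end;
        char p[5];
        if (sscanf(line, "%llx-%llx %4s", &start, &end, p) == 3 &&
            addr >= start && addr < end) {
            memcpy(perms, p, 5);
            return 1;
        }
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* 1 if addr is inside a mapping whose perms carry the 'x' bit, else 0.
 * A ret2usr target that fails this check faults like the oops above
 * (NX bit set in the PTE, instruction-fetch error code). */
int addr_is_executable(const char *maps_text, unsigned long long addr)
{
    char perms[5];
    return find_mapping(maps_text, addr, perms) && perms[2] == 'x';
}

/* Exact-token match of a CPU feature in the "flags" line, so that e.g.
 * "hf" does not match "lahf_lm" the way a plain grep would. */
int cpuinfo_has_flag(const char *cpuinfo_text, const char *flag)
{
    const char *line = find_line(cpuinfo_text, "flags");
    const char *p = line ? strchr(line, ':') : NULL;
    size_t flen = strlen(flag);
    if (!p)
        return 0;
    p++;
    while (*p && *p != '\n') {
        while (*p == ' ' || *p == '\t')
            p++;
        const char *tok = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n')
            p++;
        if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
            return 1;
    }
    return 0;
}

/* Read a whole (small) file into buf; returns 1 on success. */
static int read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n > 0;
}

/* Usage: ./chk [hex_addr]  -- checks the live /proc/self/maps and /proc/cpuinfo
 * (falls back to the constructed samples if /proc is unavailable). Build this
 * into the exploit, or run it with the exploit's own maps, for the address you
 * intend to return into. */
int main(int argc, char **argv)
{
    static char maps[1 << 16], cpu[1 << 16];
    unsigned long long rip = argc > 1 ? strtoull(argv[1], NULL, 16)
                                      : 0x7ffc1ad4e790ULL;  /* RIP from the oops */
    char perms[5] = "????";
    const char *m = read_file("/proc/self/maps", maps, sizeof maps) ? maps : SAMPLE_MAPS;
    const char *c = read_file("/proc/cpuinfo", cpu, sizeof cpu) ? cpu : SAMPLE_CPUINFO;
    int found = find_mapping(m, rip, perms);
    printf("%#llx -> %s, %s\n", rip, found ? perms : "unmapped",
           addr_is_executable(m, rip) ? "executable" : "NOT executable");
    printf("nx=%d smep=%d smap=%d\n", cpuinfo_has_flag(c, "nx"),
           cpuinfo_has_flag(c, "smep"), cpuinfo_has_flag(c, "smap"));
    return 0;
}
```

The point of the maps check is that ret2usr only needs the absence of SMEP to get the kernel into user space; the page it lands on still has to be executable, so the target must be a function in the binary's .text (or an mmap'd RWX region), never a stack or heap address. Note that the check program's own /proc/self/maps is only meaningful when the code runs inside the exploit process, since stack and heap placement differ per process.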
1 answer
Sechack
CTF First Place

Solved it...!! I was doing the leak wrong. haha

2021.07.30. 16:17