// kpwn.c #include <stdio.h> int main() { printf("hello\n"); } 단순한 프로그램 $ gcc kpwn.c -o kpwn $ ./kpwn hello # <--- 정상 실행 확인 $ telnet host1.dreamhack.games 15211 Trying 139.99.121.66... Connected to host1.dreamhack.games. Escape character is '^]'. 위처럼 첫 번째 포트로 먼저 부팅 시키고 $ nc host1.dreamhack.games 19406 < kpwn 두 번째 포트로 테스트용 실행 파일 전송 시작하고 ~ $ cat /dev/vport0p1 > /tmp/kpwn # 오랫동안 반응 없음!!! ^C # <--- 반응이 없어서 Ctrl+C로 강제종료 ~ $ ls -l /tmp total 20 -rw-r--r-- 1 offender offender 16696 Jun 2 05:23 kpwn # <--- 파일크기 정상 ~ $ cat /tmp/kpwn @@@@





 X
X

-==X`-==
888 XXXDDStd888 Ptd   DDQtdRtd-==HH
/lib64/ld-linux-x86-64.so.2GNUGNUm9ٟ
擤wZ
GNU
em? ![ j "libc.so.6printf__cxa_finalize__libc_start_mainGLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable


ui 3@@?
?????HH=R/H=y/Hr/H9tH./HtDH=I/H5B/H)HH?HH
HtH/HfD=/u+UH=.HtH=.d.
]wUHH=]AWL=;,AVIAUIATAUH-,=pE E(D0H8G@n8A0A(B BBB@



zR
x

$4 FJ?:*3$"\ti EC ?( o
oo=0@GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
8X|p @P  P ===?@@

@
F
=m@y
=

T!=
==
?



i
@-@
4
H
g
@t

@
 
pe@m
/
@
I
@

"crtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.8060__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryxx.c__FRAME_END____init_array_end_DYNAMIC__init_array_start__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTable_edataprintf@@GLIBC_2.2.5__libc_start_main@@GLIBC_2.2.5__data_start__gmon_start____dso_handle_IO_stdin_used__libc_csu_init__bss_startmain__TMC_END___ITM_registerTMCloneTable__cxa_finalize@@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment

#886XX$I|| Wo
 ipp
q~o ((B


@
PP


 
  D
P P=-
?

@0@


00*


@0 X6
Z8

##### <----- 파일내용도 정상인 듯 ~ $ chmod 777 /tmp/kpwn # <--- 실행가능하게 권한 변경 ~ $ ls -l /tmp total 20 -rwxrwxrwx 1 offender offender 16696 Jun 2 05:23 kpwn ~ $ /tmp/kpwn sh: /tmp/kpwn: not found # ??? 파일 실행이 안됨 ~ $ 질문1 파일 전송에서 오랫동안 반응이 없길래 Ctrl+C로 강제종료 시켰는데 괜찮은 건가요? 올바른 파일 전송법이 어떤지 알고싶습니다. 질문2 실행파일을 실행시키는데 오류가 나오는데 어떻게 해야하나요?

rip를 변조할 수 있는게 확인되었고 leak까지 했습니다. 그리고 ret2usr기법을 이용해서 루트권한을 얻으려는데 [ 26.746655] kernel tried to execute NX-protected page - exploit attempt? (uid: 1000) [ 26.746816] BUG: unable to handle page fault for address: 00007ffc1ad4e790 [ 26.746947] #PF: supervisor instruction fetch in kernel mode [ 26.747034] #PF: error_code(0x0011) - permissions violation [ 26.747186] PGD 1de067 P4D 1de067 PUD 21f8067 PMD 1d9067 PTE 8000000004bec067 [ 26.747585] Oops: 0011 [#1] SMP NOPTI [ 26.747756] CPU: 0 PID: 84 Comm: exploit Not tainted 5.11.16-kpwnote+ #1 [ 26.748081] RIP: 0010:0x7ffc1ad4e790 [ 26.748268] Code: Unable to access opcode bytes at RIP 0x7ffc1ad4e766. [ 26.748369] RSP: 0018:ffffb8e480547e78 EFLAGS: 00000203 [ 26.748469] RAX: 00000000b7697458 RBX: ffffffff8b1834e0 RCX: ffffb8e480547ef0 [ 26.748539] RDX: 0000000000000007 RSI: 0000000000498022 RDI: 365b7567fd0aa0a3 [ 26.748607] RBP: 0000000000401d2e R08: 0000000000401d0c R09: 0000000000498029 [ 26.748674] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000498022 [ 26.748741] R13: ffffffffffffffea R14: 0000000000000007 R15: 0000000000000000 [ 26.748849] FS: 0000000002096880(0000) GS:ffff9ddd47a00000(0000) knlGS:0000000000000000 [ 26.748925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.748988] CR2: 00007ffc1ad4e790 CR3: 0000000000c04000 CR4: 00000000000006b0 [ 26.749146] Call Trace: [ 26.749823] ? proc_reg_write+0x58/0x80 [ 26.749928] ? vfs_write+0xb3/0x270 [ 26.750014] ? do_sys_openat2+0x1b4/0x2d0 [ 26.750090] ? ksys_write+0xa2/0xe0 [ 26.750140] ? __x64_sys_write+0x15/0x20 [ 26.750215] ? do_syscall_64+0x31/0x40 [ 26.750292] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 26.750432] Modules linked in: [ 26.750585] CR2: 00007ffc1ad4e790 [ 26.756069] ---[ end trace 4c7b0ba289993620 ]--- [ 26.756255] RIP: 0010:0x7ffc1ad4e790 [ 26.756335] Code: Unable to access opcode bytes at RIP 0x7ffc1ad4e766. [ 26.756404] RSP: 0018:ffffb8e480547e78 EFLAGS: 00000203 [ 26.756479] RAX: 00000000b7697458 RBX: ffffffff8b1834e0 RCX: ffffb8e480547ef0 [ 26.756550] RDX: 0000000000000007 RSI: 0000000000498022 RDI: 365b7567fd0aa0a3 [ 26.756621] RBP: 0000000000401d2e R08: 0000000000401d0c R09: 0000000000498029 [ 26.756689] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000498022 [ 26.756758] R13: ffffffffffffffea R14: 0000000000000007 R15: 0000000000000000 [ 26.756826] FS: 0000000002096880(0000) GS:ffff9ddd47a00000(0000) knlGS:0000000000000000 [ 26.756898] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.756961] CR2: 00007ffc1ad4e790 CR3: 0000000000c04000 CR4: 00000000000006b0 이런 로그를 남기고 커널패닉이 나네요. smep가 걸려있나 하고 cat /proc/cpuinfo를 해보았지만 smep관련 내용은 안나왔습니다. 대체 어디가 문제인걸까요??? processor : 0 vendor_id : AuthenticAMD cpu family : 6 model : 6 model name : QEMU Virtual CPU version 2.5+ stepping : 3 cpu MHz : 3503.963 cache size : 512 KB physical id : 0 siblings : 1 core id : 0 cpu cores : 1 apicid : 0 initial apicid : 0 fpu : yes fpu_exception : yes cpuid level : 13 wp : yes flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm nopl cpuid pni cx16 hypervisor lahf_lm svm 3dnowprefetch vmmcall bugs : fxsave_leak sysret_ss_attrs spectre_v1 spectre_v2 spec_store_bypass bogomips : 7007.92 TLB size : 1024 4K pages clflush size : 64 cache_alignment : 64 address sizes : 40 bits physical, 48 bits virtual power management: `

캡처.PNG ubuntu18@ubuntu:~/pwn$ ls bc75bd26-f24a-486f-8fc5-9374825409cf.zip initramfs.img linux-5.11.16 linux-5.11.16.config linux-5.11.16.patch no-shutdown.dtb NOTICE run.sh vmlinux vmlinuz ubuntu18@ubuntu:~/pwn$ ./run.sh qemu-system-x86_64: -M microvm,x-option-roms=off,isa-serial=off: unsupported machine type 'microvm' Use -machine help to list supported machines 문제 분석을 위해서 먼저 압축 풀고 ./run.sh를 실행시키려고 하는데 microvm설정 때문에 실행이 되지 않습니다.ㅠㅠ 혹시 mircovm이 기능을 해제하고 실행할 수 있도록 qemu스크립트를 어떻게 수정하면 될까요???

이 문제에서 커널 모듈이 어디에 있나요?