Linux kernel hardware-breakpoint (hbp) exploit method demo, i.e. a degraded version of the CVE-2022-42703 exploit technique.
Forked from https://github.com/veritas501/hbp_attack_demo
# hbp_attack demo
Reference: the Project Zero blog post https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html

I threw together a vuln module so that we can pretend we have a kernel arbitrary-address write primitive, but with KASLR enabled and no address leak yet.

Building on two properties, that `cpu_entry_area` is not randomized by KASLR and that a hardware breakpoint can fire while the CPU is in kernel mode, we can leak the KASLR slide and the stack canary from the kernel stack and then escalate privileges with a ROP chain.

Blog post (Chinese): [Analysis and demo of a privilege-escalation approach using hardware breakpoints](https://veritas501.github.io/2023_03-22-%E4%B8%80%E7%A7%8D%E5%80%9F%E5%8A%A9%E7%A1%AC%E4%BB%B6%E6%96%AD%E7%82%B9%E7%9A%84%E6%8F%90%E6%9D%83%E6%80%9D%E8%B7%AF%E5%88%86%E6%9E%90/)
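The property the technique above relies on, a hardware breakpoint firing while the CPU is executing kernel code, can be observed from userspace without any kernel bug. The following is an added example written for this README; it is not code from this repo, from `exp.c`, or from veritas501's blog. It arms a `perf_event_open(2)` data-write watchpoint on an 8-byte user buffer and then makes the kernel itself store into that buffer by doing `read(2)` from a pipe (the store happens inside `copy_to_user()`, at CPL0). It counts once with kernel-mode hits included and once with `exclude_kernel` set. The buffer name `watched`, the `0x41` payload and the helper names are the example's own assumptions.

```c
#define _GNU_SOURCE
#include <linux/hw_breakpoint.h>
#include <linux/perf_event.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Watched 8-byte slot (constructed for the example); x86 requires
 * bp_addr to be aligned to bp_len. */
static uint64_t watched __attribute__((aligned(8)));

/*
 * Arm a hardware data-write breakpoint on `addr` for the calling task via
 * perf_event_open(2). exclude_kernel=0 asks perf to also count hits that
 * occur while the CPU is in kernel mode. Returns the event fd or -1.
 */
static int open_write_watchpoint(void *addr, int exclude_kernel)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_BREAKPOINT;
    attr.size = sizeof(attr);
    attr.bp_type = HW_BREAKPOINT_W;
    attr.bp_addr = (uint64_t)(uintptr_t)addr;
    attr.bp_len = HW_BREAKPOINT_LEN_8;
    attr.disabled = 1;
    attr.exclude_kernel = exclude_kernel;
    attr.exclude_hv = 1;
    /* pid 0 = this task, cpu -1 = follow it across CPUs, no group, no flags */
    long fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
    return fd < 0 ? -1 : (int)fd;
}

/*
 * Make the *kernel* write to the watched slot: read(2) from a pipe lands in
 * `watched` through copy_to_user(), i.e. a store executed in kernel mode.
 * Returns the breakpoint hit count, or -1 if the watchpoint could not be
 * armed (perf_event_paranoid > 1 without CAP_PERFMON, a seccomp filter, or
 * no hardware debug registers available to the guest).
 */
static long long kernel_write_hits(int exclude_kernel)
{
    int fd = open_write_watchpoint(&watched, exclude_kernel);
    if (fd < 0)
        return -1;

    int p[2];
    if (pipe(p) < 0) {
        close(fd);
        return -1;
    }
    uint64_t payload = 0x4141414141414141ULL; /* constructed sample data */
    long long hits = -1;
    if (write(p[1], &payload, sizeof(payload)) == (ssize_t)sizeof(payload)) {
        ioctl(fd, PERF_EVENT_IOC_RESET, 0);
        ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
        ssize_t n = read(p[0], &watched, sizeof(watched)); /* kernel-mode store */
        ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);
        if (n != (ssize_t)sizeof(watched) ||
            read(fd, &hits, sizeof(hits)) != (ssize_t)sizeof(hits))
            hits = -1;
    }
    close(p[0]);
    close(p[1]);
    close(fd);
    return hits;
}

int main(void)
{
    long long with_kernel = kernel_write_hits(0);
    long long user_only = kernel_write_hits(1);
    if (with_kernel < 0)
        printf("watchpoint unavailable: need perf_event_paranoid <= 1, CAP_PERFMON or root\n");
    else
        printf("kernel-mode store hit the watchpoint %lld time(s)\n", with_kernel);
    if (user_only >= 0)
        printf("same store with exclude_kernel=1: %lld hit(s)\n", user_only);
    return 0;
}
```

Build with `gcc -O2 -o hbp_probe hbp_probe.c` and run it on Linux. Counting kernel-mode hits needs `kernel.perf_event_paranoid` <= 1 or CAP_PERFMON/root; otherwise `perf_event_open` fails with EACCES and the function returns -1. With `exclude_kernel=1` the counter stays at 0, but that filtering is done in software by the perf breakpoint handler: on x86 the debug registers have no privilege-level filter, so the #DB exception is still taken at CPL0 and its frame is still pushed on the kernel's debug exception stack. That is why a breakpoint armed from an unprivileged process is enough to make the kernel take an exception onto a stack living in the non-randomized `cpu_entry_area`.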

Kernel source used:

```shell
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.103.tar.xz
```

Press `Ctrl + \` to quit QEMU.

The vmlinux with debug symbols is too large and gets rejected, so only the bzImage is included.
Repository layout:

```
[4.0K] /data/pocs/ea96bdadf64c90c0e2d835b128646171ebd412cb
├── [4.0K] assets
│   └── [153K] success.png
├── [ 489] boot.sh
├── [ 11M] bzImage
├── [866K] exp
├── [7.2K] exp.c
├── [  20] gdbscript
├── [4.0K] inc
│   ├── [6.5K] common.h
│   ├── [2.4K] fuse-exp.h
│   ├── [2.3K] snippet.h
│   └── [1.6K] uffd.h
├── [ 105] Makefile
├── [1006] README.md
├── [ 10M] rootfs.cpio
├── [ 191] search_gadget.py
├── [204K] vuln.ko
└── [4.0K] vuln_module
    ├── [ 315] Makefile
    └── [1.3K] vuln.c

3 directories, 17 files
```