-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathquestions.txt
executable file
·93 lines (65 loc) · 3.3 KB
/
questions.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
The functions in this assignment are meant to replicate the kernel operations
that execute during dirty cow exploit, however it is not a *complete* replication.
I have shortened and combined many kernel functions because only part of the
execution is relevent to the dirty cow exploit, as such this is not a fully
accurate picture of what happens in the kernel. Instead what I aimed to do is
"follow" the general logic and concepts and turn it into a interactive toy-kernel
that you can play with.
Watch the updated explanation here https://youtu.be/FKdZ0QEIga8?t=295
Start at 4:55 for the indepth explanation of Dirty Cow
The full detailed write up is here https://chao-tic.github.io/blog/2017/05/24/dirty-cow
NOTE: You will notice discrepancies between the sources linked above and my
simulated kernel code, please refer to the actual code in Kernel.py and not just
the video/write up. The concepts and exploit logic should translate well.
Question 1:
Explore the flow of the real dirtycow exploit in real_dirtyc0w.c.
Line 83:
map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
Why must the PROT_READ and MAP_PRIVATE flags be set for this exploit to work?
Hint:
https://man7.org/linux/man-pages/man2/mmap.2.html
Remember the file being read in is read only!
EXPLANATION: [1 or 2 sentences for PROT_READ and MAP_PRIVATE]
Question 2:
Line 43:
int f=open("/proc/self/mem",O_RDWR);
Line 49:
lseek(f,(uintptr_t) map,SEEK_SET);
c+=write(f,str,strlen(str));
The flag O_RDWR is set, however the file we've mapped into memory is read
only protected. Why do we not get a permission error when we try to write
to that read only region in memory?
Hint:
https://man7.org/linux/man-pages/man2/open.2.html
mmap flags
EXPLANATION: [1 or 2 sentences]
Question 3:
Run User.py and paste the console output below.
Negative addresses means that page was copied on write
ANSWER: [Yes/No was any of the original memory overwritten?]
OUTPUT: [Output from User.py]
Question 4:
*write* is non-atomic meaning it takes multiple steps.
The following is a snippet of what write actually looks like behind the
scenes:
---------- USER SPACE ----------
write(...)
--------- KERNEL SPACE ---------
mem_write(...)
access_remote_vm(...)
__get_user_pages(...)
faultin_page(...)
handle_mm_fault(...)
The real dirty cow exploit relies on racing two threads that execute write
and madvise many many times! The goal of this is to cause
write and madvise to execute in a *specific* order to cause a write to the
read protected file.
For this exercise you have direct access to Kernel.py so we do not need to
rely on randomness.
Modify the scheduler function in Kernel.py so that dirtyc0w exploit works.
Run User.py after setting EXECUTE in Kernel.py and observe read_only.txt
When does madvise have to execute?
ANSWER: [Just put the number you put for EXECUTE = x]
OUTPUT 1: [Paste read_only.txt]
OUTPUT 2: [Paste the console output]
WHY: [Why does madvise cause a write to the actual file?]