Docker环境、一些问题等
syzkaller fuzz docker
# Look up a base image, pull one, and keep a detached container around for
# syzkaller work.
docker search ubuntu14.04
# NOTE(review): the image pulled here (ansible/ubuntu14.04-ansible) is not the
# one the container below is started from (ubuntu:14.04); one of the two is
# unused.
docker pull ansible/ubuntu14.04-ansible
docker run -t -d --name syzkaller ubuntu:14.04
# Run a throw-away container instead (removed on exit)
# docker run -it --rm ubuntu:14.04 bash -li
# NOTE(review): docker exec runs as the image's default user (presumably root
# here), so `sudo su` adds nothing, and sudo is unlikely to be present in the
# stock image -- `docker exec -it syzkaller bash` should be sufficient.
docker exec -it syzkaller sudo su
- docker file
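# Paths for the kernel tree and the toolchain.  ENV (instead of
# `echo >> ~/.bashrc` followed by `source ~/.bashrc`) makes them visible both
# to the RUN steps below and to interactive shells: `source` is a bash builtin
# and is not available in the /bin/sh that RUN uses by default, so the
# original chain could not get past that step.
ENV KERNEL=/home/kernel \
    GCC=/home/gcc
# Parallelism for the kernel build (the original hard-coded -j64).
ARG JOBS=64

# Build dependencies for a KCOV/KASAN-instrumented kernel.  `apt-get update`
# and `install` share one layer so the index cannot go stale between them;
# `-y` is added to `upgrade` so the step cannot stall on a prompt during a
# non-interactive build; the index is removed in the same layer.
RUN mkdir -p "$KERNEL" "$GCC" && \
    apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y \
        bc \
        bison \
        build-essential \
        flex \
        gcc \
        git \
        libelf-dev \
        libgmp3-dev \
        libmpc-dev \
        libmpfr-dev \
        libssl-dev \
        subversion && \
    rm -rf /var/lib/apt/lists/*

# Configure with the coverage/sanitizer options syzkaller relies on, then build.
# NOTE(review): nothing in this file populates $KERNEL -- the kernel sources
# must already be present there (e.g. via a preceding COPY) or `make defconfig`
# has nothing to work on.
RUN cd "$KERNEL" && \
    make defconfig && \
    make kvmconfig && \
    echo "CONFIG_KCOV=y" >> .config && \
    echo "CONFIG_DEBUG_INFO=y" >> .config && \
    echo "CONFIG_KASAN=y" >> .config && \
    echo "CONFIG_KASAN_INLINE=y" >> .config && \
    make oldconfig && \
    make CC=gcc -j"$JOBS"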
Kernel_exploit docker
- dockerfile
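FROM ubuntu:16.04
# MAINTAINER is deprecated; the same contact is carried as a label.
LABEL maintainer="DoubleMice <doublemice@qq.com>"
# Optional: switch APT to a domestic mirror (left disabled, as in the original).
# RUN sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list

# OS packages: i386 libc and debug symbols for 32-bit targets, toolchains,
# debuggers, qemu/kmod for kernel work.  `update` and `install` share one
# layer so the package index cannot go stale between them.  The index is
# removed in the same layer -- the original removed `/var/lib/apt/list/*`
# (no such path), so the lists stayed in the image.  Versions are unpinned,
# so rebuilds are not reproducible.
RUN dpkg --add-architecture i386 && \
    apt-get -y update && \
    apt-get install -y --fix-missing \
        cmake \
        file \
        g++-multilib \
        gawk \
        gdb \
        gdb-multiarch \
        git \
        kmod \
        lib32stdc++6 \
        libc6:i386 \
        libc6-dbg \
        libc6-dbg:i386 \
        libffi-dev \
        libssl-dev \
        ltrace \
        nasm \
        net-tools \
        netcat \
        patchelf \
        python-capstone \
        python-pip \
        python3-pip \
        qemu \
        radare2 \
        ruby2.3 \
        socat \
        strace \
        tmux \
        wget && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /root

# Point pip at a domestic PyPI mirror.  printf is used instead of echo because
# only dash's echo expands "\n"; under bash the file would contain a literal
# backslash-n.
RUN mkdir -p /root/.pip && \
    printf '[global]\nindex-url = https://pypi.tuna.tsinghua.edu.cn/simple/\n' > /root/.pip/pip.conf

# Python tooling.  Python 2 (pip) and Python 3 (pip3) get separate sets, as in
# the original.  Versions are unpinned.
RUN pip install --upgrade pip
RUN pip3 install --no-cache-dir \
        capstone \
        keystone-engine \
        ropper \
        unicorn
RUN pip install --upgrade setuptools && \
    pip install --no-cache-dir --ignore-installed \
        angr \
        apscheduler \
        lief \
        pwntools \
        ropgadget \
        z3-solver \
        zio && \
    pip install --upgrade pwntools

# one_gadget (ruby); the gem cache is dropped in the same layer.
RUN gem install one_gadget && \
    rm -rf /var/lib/gems/2.3.*/cache/*

# pwndbg.  Its setup.sh calls sudo, which is not in the package list above and
# is unnecessary as root, so the calls are stripped.  The clone is unpinned
# (default branch at build time).
RUN git clone https://github.com/pwndbg/pwndbg /root/pwndbg && \
    cd /root/pwndbg && \
    sed -i s/sudo//g setup.sh && \
    chmod +x setup.sh && \
    ./setup.sh

# LibcSearcher, cloned into /root (the original ran this after `cd pwndbg`,
# which placed it under /root/pwndbg).  `./get` downloads the libc database
# and is best effort: the original's trailing `|| ls` applied to the whole
# `&&` chain and silently masked failures of gem install / pwndbg setup too,
# so it is scoped to `./get` alone here.
RUN git clone https://github.com/skysider/LibcSearcher.git /root/LibcSearcher && \
    cd /root/LibcSearcher && \
    git submodule update --init --recursive && \
    python setup.py develop && \
    cd libc-database && \
    (./get || true)

# glibc 2.24 with debug info under /root/glibc/2.24, for running binaries
# against an older libc.  Fetched over HTTPS instead of plain HTTP; the tarball
# is still not integrity-checked -- TODO: pin a digest and verify it
# (`echo "<GLIBC_2_24_SHA256_PLACEHOLDER>  glibc-2.24.tar.gz" | sha256sum -c`)
# before the build trusts it.  Source tree and tarball are removed in the same
# layer so they do not stay in the image.
RUN mkdir -p /root/glibc/2.24 && \
    cd /root && \
    wget https://mirrors.ustc.edu.cn/gnu/libc/glibc-2.24.tar.gz && \
    tar xf glibc-2.24.tar.gz && \
    mkdir -p glibc-2.24/build && \
    cd glibc-2.24/build && \
    ../configure --prefix=/root/glibc/2.24/ --disable-werror --enable-debug=yes && \
    make && \
    make install && \
    cd /root && \
    rm -rf glibc-2.24 glibc-2.24.tar.gz

# Challenge binaries.  The COPY is left disabled as in the original; note that
# the chmod below then fails and stops the build.  Re-enable the COPY (or use
# `COPY --chmod=755 ... /root/`, which needs no separate chmod layer).
# COPY linux_server linux_server64 babydriver_0D09567FACCD2E891578AA83ED3BABA7 /root/
RUN chmod a+x /root/linux_server /root/linux_server64

# No USER directive: the image runs as root, which the tooling installed under
# /root and the ptrace/qemu workflow assume.  Drop into an interactive shell.
ENTRYPOINT ["/bin/bash"]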
- docker build
# Build the image from the Dockerfile above.
# NOTE(review): the tag here (foxwest/kernel_exploit) is not the name the run
# command below starts (pwn/kernel_exploit); one of the two is stale.
docker build -t foxwest/kernel_exploit .
- run command
# Start an interactive container for one challenge; it is removed on exit
# (--rm), named and host-named after ${ctf_name}, with the challenge directory
# bind-mounted and port 23946 published.
# NOTE(review): `-v $(pwd)/${ctf_name}:/root` mounts a host directory over
# /root, which hides everything the Dockerfile installed there (pwndbg,
# LibcSearcher, glibc/2.24, pip.conf) -- confirm that is intended, or mount
# under a subdirectory instead.
# NOTE(review): the image name (pwn/kernel_exploit) differs from the tag used
# by the build command (foxwest/kernel_exploit).
docker run -it \
--rm \
-h ${ctf_name} \
--name ${ctf_name} \
-v $(pwd)/${ctf_name}:/root \
-p 23946:23946 \
--cap-add=SYS_PTRACE \
pwn/kernel_exploit
--rm 容器退出后自动删除该容器；-h 容器主机名；--name 容器名；-v 本地目录映射到 docker 容器；-p 端口映射；--privileged 赋予操作宿主机设备、更改配置等权限，功能同 --cap-add=ALL（并且放开设备访问及 seccomp/AppArmor 限制，仅在确有需要时使用）；--cap-add=SYS_PTRACE 添加 linux 的特定 capability，此处为 ptrace。更多：capabilities(7) Linux manual page
C++中的一些特性
审计过程中的一些收获
auto关键字
string s("Hello World!!!");
// convert s to uppercase
for (auto &c : s) // for every char in s (note: c is a reference)
c = toupper(c); // c is a reference, so the assignment changes the char in s
cout << s << endl;
for (auto &c : s)
c = toupper(c);
相当于:
for (auto it = s.begin(); it != s.end(); ++it)
{
auto &c = *it;
c = toupper(c);
}
shell中的一些小技巧
$()
：会把括号内命令的标准输出当作字符串返回；如果对外层命令做了重定向（如 > /dev/null），子命令的输出也随之被重定向，看不到结果。
这时可以在 $() 内部把子命令的标准输出重定向到标准错误流：
doublemice@DoubleMice-MBP:~|⇒ echo $(seq 7 9) > /dev/null
doublemice@DoubleMice-MBP:~|⇒ echo $(seq 7 9 1>&2)>/dev/null
7
8
9
doublemice@DoubleMice-MBP:~|⇒
frp内网穿透
- #后台常驻启动
## server:
# Register frps/frpc as background daemons at boot via /etc/rc.local.
# NOTE(review): `>` replaces /etc/rc.local wholesale -- any existing contents
# (including a `#!/bin/sh` header) are lost, and the file must remain
# executable for init to run it; `> /dev/null 2>&1` also discards all frp logs,
# which makes connection failures hard to diagnose.
## server:
echo "nohup /usr/bin/frps -c /usr/bin/server/frps.ini > /dev/null 2>&1 &" > /etc/rc.local
## target:
echo "nohup /usr/bin/frpc -c /usr/bin/client/frpc.ini > /dev/null 2>&1 &" > /etc/rc.local
## client:
echo "nohup /Users/doublemice/Documents/seclover/frp2fuzz@seclover/frpc -c /Users/doublemice/Documents/seclover/frp2fuzz@seclover/frpc.ini > /dev/null 2>&1 &" > /etc/rc.local
# 对应配置文件
## client:
对应配置文件
- client
frpc.ini
[common]
server_addr = 74.120.174.221
server_port = 7000
[secret_ssh_visitor]
type = stcp
# stcp 的访问者
role = visitor
# 要访问的 stcp 代理的名字
server_name = secret_ssh
sk = doublemice@seclover
# 绑定本地端口用于访问 ssh 服务
bind_addr = 127.0.0.1
bind_port = 6000
remote_port = 6000
- target
# frpc.ini
[common]
server_addr = 74.120.174.221
server_port = 7000
[secret_ssh]
type = stcp
# 只有 sk 一致的用户才能访问到此服务
sk = doublemice@seclover
local_ip = 127.0.0.1
local_port = 22
- server
[common]
bind_port = 7000
login
- on client
ssh -oPort=6000 fuzz@127.0.0.1