286 lines
6.0 KiB
Go
286 lines
6.0 KiB
Go
// Copyright 2018 Mikhail Klementev. All rights reserved.
|
|
// Use of this source code is governed by a AGPLv3 license
|
|
// (or later) that can be found in the LICENSE file.
|
|
|
|
package main
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
"gopkg.in/logrusorgru/aurora.v2"
|
|
|
|
"code.dumpstack.io/tools/out-of-tree/config"
|
|
"code.dumpstack.io/tools/out-of-tree/qemu"
|
|
)
|
|
|
|
type DebugCmd struct {
|
|
Kernel string `help:"regexp (first match)" required:""`
|
|
Gdb string `help:"gdb listen address" default:"tcp::1234"`
|
|
|
|
SshAddr string `help:"ssh address to listen" default:"127.0.0.1"`
|
|
SshPort int `help:"ssh port to listen" default:"50022"`
|
|
|
|
ArtifactConfig string `help:"path to artifact config" type:"path"`
|
|
|
|
Kaslr bool `help:"Enable KASLR"`
|
|
Smep bool `help:"Enable SMEP"`
|
|
Smap bool `help:"Enable SMAP"`
|
|
Kpti bool `help:"Enable KPTI"`
|
|
|
|
NoKaslr bool `help:"Disable KASLR"`
|
|
NoSmep bool `help:"Disable SMEP"`
|
|
NoSmap bool `help:"Disable SMAP"`
|
|
NoKpti bool `help:"Disable KPTI"`
|
|
}
|
|
|
|
// TODO: merge with pew.go
|
|
func (cmd *DebugCmd) Run(g *Globals) (err error) {
|
|
kcfg, err := config.ReadKernelConfig(g.Config.Kernels)
|
|
if err != nil {
|
|
log.Print(err)
|
|
}
|
|
|
|
var configPath string
|
|
if cmd.ArtifactConfig == "" {
|
|
configPath = g.WorkDir + "/.out-of-tree.toml"
|
|
} else {
|
|
configPath = cmd.ArtifactConfig
|
|
}
|
|
ka, err := config.ReadArtifactConfig(configPath)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if ka.SourcePath == "" {
|
|
ka.SourcePath = g.WorkDir
|
|
}
|
|
|
|
ki, err := firstSupported(kcfg, ka, cmd.Kernel)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
kernel := qemu.Kernel{KernelPath: ki.KernelPath, InitrdPath: ki.InitrdPath}
|
|
q, err := qemu.NewSystem(qemu.X86x64, kernel, ki.RootFS)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
err = q.SetSSHAddrPort(cmd.SshAddr, cmd.SshPort)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if ka.Qemu.Cpus != 0 {
|
|
q.Cpus = ka.Qemu.Cpus
|
|
}
|
|
if ka.Qemu.Memory != 0 {
|
|
q.Memory = ka.Qemu.Memory
|
|
}
|
|
|
|
if ka.Docker.Timeout.Duration != 0 {
|
|
g.Config.Docker.Timeout.Duration = ka.Docker.Timeout.Duration
|
|
}
|
|
|
|
q.SetKASLR(false) // set KASLR to false by default because of gdb
|
|
q.SetSMEP(!ka.Mitigations.DisableSmep)
|
|
q.SetSMAP(!ka.Mitigations.DisableSmap)
|
|
q.SetKPTI(!ka.Mitigations.DisableKpti)
|
|
|
|
if cmd.Kaslr {
|
|
q.SetKASLR(true)
|
|
} else if cmd.NoKaslr {
|
|
q.SetKASLR(false)
|
|
}
|
|
|
|
if cmd.Smep {
|
|
q.SetSMEP(true)
|
|
} else if cmd.NoSmep {
|
|
q.SetSMEP(false)
|
|
}
|
|
|
|
if cmd.Smap {
|
|
q.SetSMAP(true)
|
|
} else if cmd.NoSmap {
|
|
q.SetSMAP(false)
|
|
}
|
|
|
|
if cmd.Kpti {
|
|
q.SetKPTI(true)
|
|
} else if cmd.NoKpti {
|
|
q.SetKPTI(false)
|
|
}
|
|
|
|
redgreen := func(name string, enabled bool) aurora.Value {
|
|
if enabled {
|
|
return aurora.BgGreen(aurora.Black(name))
|
|
}
|
|
|
|
return aurora.BgRed(aurora.White(name))
|
|
}
|
|
|
|
fmt.Printf("[*] %s %s %s %s\n",
|
|
redgreen("KASLR", q.GetKASLR()),
|
|
redgreen("SMEP", q.GetSMEP()),
|
|
redgreen("SMAP", q.GetSMAP()),
|
|
redgreen("KPTI", q.GetKPTI()))
|
|
|
|
fmt.Printf("[*] SMP: %d CPUs\n", q.Cpus)
|
|
fmt.Printf("[*] Memory: %d MB\n", q.Memory)
|
|
|
|
q.Debug(cmd.Gdb)
|
|
coloredGdbAddress := aurora.BgGreen(aurora.Black(cmd.Gdb))
|
|
fmt.Printf("[*] gdb is listening on %s\n", coloredGdbAddress)
|
|
|
|
err = q.Start()
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer q.Stop()
|
|
|
|
tmp, err := ioutil.TempDir(tempDirBase, "out-of-tree_")
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer os.RemoveAll(tmp)
|
|
|
|
err = q.WaitForSSH(time.Minute)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if ka.StandardModules {
|
|
// Module depends on one of the standard modules
|
|
err = copyStandardModules(q, ki)
|
|
if err != nil {
|
|
log.Print(err)
|
|
return
|
|
}
|
|
}
|
|
|
|
err = preloadModules(q, ka, ki, g.Config.Docker.Timeout.Duration)
|
|
if err != nil {
|
|
log.Print(err)
|
|
return
|
|
}
|
|
|
|
var buildDir, outFile, output, remoteFile string
|
|
|
|
if ka.Type == config.Script {
|
|
err = q.CopyFile("root", ka.Script, ka.Script)
|
|
if err != nil {
|
|
return
|
|
}
|
|
} else {
|
|
buildDir, outFile, output, err = build(log.Logger, tmp, ka, ki, g.Config.Docker.Timeout.Duration)
|
|
if err != nil {
|
|
log.Print(err, output)
|
|
return
|
|
}
|
|
|
|
remoteFile = "/tmp/exploit"
|
|
if ka.Type == config.KernelModule {
|
|
remoteFile = "/tmp/module.ko"
|
|
}
|
|
|
|
err = q.CopyFile("user", outFile, remoteFile)
|
|
if err != nil {
|
|
return
|
|
}
|
|
}
|
|
|
|
// Copy all test files to the remote machine
|
|
for _, f := range ka.TestFiles {
|
|
if f.Local[0] != '/' {
|
|
if buildDir != "" {
|
|
f.Local = buildDir + "/" + f.Local
|
|
}
|
|
}
|
|
err = q.CopyFile(f.User, f.Local, f.Remote)
|
|
if err != nil {
|
|
log.Print("error copy err:", err, f.Local, f.Remote)
|
|
return
|
|
}
|
|
}
|
|
|
|
coloredRemoteFile := aurora.BgGreen(aurora.Black(remoteFile))
|
|
fmt.Printf("[*] build result copied to %s\n", coloredRemoteFile)
|
|
|
|
fmt.Printf("\n%s\n", q.GetSSHCommand())
|
|
fmt.Printf("gdb %s -ex 'target remote %s'\n\n", ki.VmlinuxPath, cmd.Gdb)
|
|
|
|
// TODO set substitute-path /build/.../linux-... /path/to/linux-source
|
|
|
|
err = interactive(q)
|
|
return
|
|
}
|
|
|
|
func firstSupported(kcfg config.KernelConfig, ka config.Artifact,
|
|
kernel string) (ki config.KernelInfo, err error) {
|
|
|
|
km, err := kernelMask(kernel)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
ka.SupportedKernels = []config.KernelMask{km}
|
|
|
|
for _, ki = range kcfg.Kernels {
|
|
var supported bool
|
|
supported, err = ka.Supported(ki)
|
|
if err != nil || supported {
|
|
return
|
|
}
|
|
}
|
|
|
|
err = errors.New("No supported kernel found")
|
|
return
|
|
}
|
|
|
|
func handleLine(q *qemu.System) (err error) {
|
|
fmt.Print("out-of-tree> ")
|
|
rawLine := "help"
|
|
fmt.Scanf("%s", &rawLine)
|
|
params := strings.Fields(rawLine)
|
|
cmd := params[0]
|
|
|
|
switch cmd {
|
|
case "h", "help":
|
|
fmt.Printf("help\t: print this help message\n")
|
|
fmt.Printf("log\t: print qemu log\n")
|
|
fmt.Printf("clog\t: print qemu log and cleanup buffer\n")
|
|
fmt.Printf("cleanup\t: cleanup qemu log buffer\n")
|
|
fmt.Printf("ssh\t: print arguments to ssh command\n")
|
|
fmt.Printf("quit\t: quit\n")
|
|
case "l", "log":
|
|
fmt.Println(q.Stdout)
|
|
case "cl", "clog":
|
|
fmt.Println(q.Stdout)
|
|
q.Stdout = ""
|
|
case "c", "cleanup":
|
|
q.Stdout = ""
|
|
case "s", "ssh":
|
|
fmt.Println(q.GetSSHCommand())
|
|
case "q", "quit":
|
|
return errors.New("end of session")
|
|
default:
|
|
fmt.Println("No such command")
|
|
}
|
|
return
|
|
}
|
|
|
|
func interactive(q *qemu.System) (err error) {
|
|
for {
|
|
err = handleLine(q)
|
|
if err != nil {
|
|
return
|
|
}
|
|
}
|
|
}
|