linux-kernel exploit study (1): compiling the kernel and running it under qemu

Joker sent us two Linux kernel pwn demos ages ago, and I'm only getting round to them now.

Compiling the Linux kernel

Downloading the kernel source

Create a directory to hold the kernel source:

$ mkdir linux-kernel
$ cd linux-kernel
$ mkdir linux-2.6.32.1
$ cd linux-2.6.32.1/
$ wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.1.tar.gz -O linux-2.6.32.1.tar.gz

Extracting

$ tar -xzvf linux-2.6.32.1.tar.gz
$ cd linux-2.6.32.1/

Configuring

$ sudo apt-get install libncurses5-dev
$ sudo apt-get install qemu qemu-system
$ make menuconfig

On a 64-bit host, pass ARCH=i386 to this and to every later make invocation; otherwise you get an x86_64 kernel, while the rest of this post expects the 32-bit one (arch/i386/boot/bzImage, qemu-system-i386). If you intend to use gdb at the end, also turn on Kernel hacking -> Compile the kernel with debug info (CONFIG_DEBUG_INFO) here, so that vmlinux carries line information.

Building

$ make
$ make all
$ make modules

A bare make builds the default target, all, which already covers vmlinux, bzImage and the modules, so the second and third commands are redundant here; they do no harm.
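The download, verify, extract, configure and build steps above as one script. This is an added example, not a script from the original post. It adds what a practitioner would want around those steps: the tarball is checked against kernel.org's sha256sums.asc before anything is unpacked (assumed to sit next to the tarballs in the v2.6 directory, as it does today), the tar decompression flag is derived from the archive suffix rather than typed by hand, and ARCH=i386 goes on every make so that a 64-bit host still produces the 32-bit kernel the rest of this post uses. KERNEL_VERSION, WORKDIR and BASE_URL are assumed defaults that can be overridden from the environment.

```shell
#!/bin/sh
# build-kernel.sh: fetch, verify, unpack and build a 32-bit Linux 2.6.32.1
# for use under qemu-system-i386. Added example, not the original post's script.
# Assumptions: kernel.org serves sha256sums.asc next to the tarballs in the
# v2.6 directory, and the host has wget, tar, sha256sum, awk and make.
set -eu

KERNEL_VERSION="${KERNEL_VERSION:-2.6.32.1}"
WORKDIR="${WORKDIR:-$HOME/linux-kernel}"
BASE_URL="${BASE_URL:-https://www.kernel.org/pub/linux/kernel/v2.6}"

# Pick the tar decompression flag from the archive suffix: -z is gzip,
# -j is bzip2, -J is xz. Passing -j to a .tar.gz is a classic way to fail.
tar_flag() {
    case "$1" in
        *.tar.gz|*.tgz) echo z ;;
        *.tar.bz2)      echo j ;;
        *.tar.xz)       echo J ;;
        *) echo "unknown archive type: $1" >&2; return 1 ;;
    esac
}

# Pull the expected SHA-256 for one file out of a kernel.org sums file.
# Entries look like "<hex>  <filename>"; the PGP clear-signature wrapper of
# sha256sums.asc never matches, so the .asc can be fed in unchanged.
expected_sha256() {
    sums_file="$1"; name="$2"
    awk -v n="$name" '$2 == n { print $1; exit }' "$sums_file"
}

# Compare the downloaded tarball against the sums file. Non-zero on a missing
# entry or a mismatch, so `set -e` stops the script before tar ever runs.
verify_tarball() {
    tarball="$1"; sums_file="$2"
    want="$(expected_sha256 "$sums_file" "$(basename "$tarball")")"
    [ -n "$want" ] || { echo "no checksum entry for $(basename "$tarball")" >&2; return 1; }
    got="$(sha256sum "$tarball" | awk '{ print $1 }')"
    [ "$want" = "$got" ]
}

fetch_and_build() {
    tarball="linux-$KERNEL_VERSION.tar.gz"
    mkdir -p "$WORKDIR/linux-$KERNEL_VERSION"
    cd "$WORKDIR/linux-$KERNEL_VERSION"
    wget -nc "$BASE_URL/$tarball"
    wget -nc "$BASE_URL/sha256sums.asc"
    verify_tarball "$tarball" sha256sums.asc
    tar "-x$(tar_flag "$tarball")f" "$tarball"
    cd "linux-$KERNEL_VERSION"
    # ARCH=i386 on every make: on a 64-bit host the default is x86_64, but the
    # rest of the post uses arch/i386/boot/bzImage and qemu-system-i386.
    make ARCH=i386 defconfig
    make ARCH=i386 menuconfig
    make ARCH=i386 -j"$(nproc)"
    ls -l arch/i386/boot/bzImage
}

# Only build when invoked as "build-kernel.sh build"; sourcing the file just
# defines the helpers so they can be reused from other scripts.
if [ "${1:-}" = "build" ]; then
    fetch_and_build
fi
```

`sh build-kernel.sh build` runs the whole sequence (menuconfig is still interactive, as in the post). The checksum step only proves the download matches what kernel.org published; checking the PGP signature on sha256sums.asc with the kernel.org key is the next step up and is left out here.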

Several errors can come up at this step.

Errors and fixes

Build error: conflicting types for ‘syscall_trace_enter’

Error:
arch/x86/kernel/ptrace.c:1472:17: error: conflicting types for ‘syscall_trace_enter’
asmregparm long syscall_trace_enter(struct pt_regs *regs)
^
In file included from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/vm86.h:130:0,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/processor.h:10,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/thread_info.h:22,
from include/linux/thread_info.h:56,
from include/linux/preempt.h:9,
from include/linux/spinlock.h:50,
from include/linux/seqlock.h:29,
from include/linux/time.h:8,
from include/linux/timex.h:56,
from include/linux/sched.h:56,
from arch/x86/kernel/ptrace.c:11:
/home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/ptrace.h:145:13: note: previous declaration of ‘syscall_trace_enter’ was here
extern long syscall_trace_enter(struct pt_regs *);
^
arch/x86/kernel/ptrace.c:1517:17: error: conflicting types for ‘syscall_trace_leave’
asmregparm void syscall_trace_leave(struct pt_regs *regs)
^
In file included from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/vm86.h:130:0,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/processor.h:10,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/thread_info.h:22,
from include/linux/thread_info.h:56,
from include/linux/preempt.h:9,
from include/linux/spinlock.h:50,
from include/linux/seqlock.h:29,
from include/linux/time.h:8,
from include/linux/timex.h:56,
from include/linux/sched.h:56,
from arch/x86/kernel/ptrace.c:11:
/home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/ptrace.h:146:13: note: previous declaration of ‘syscall_trace_leave’ was here
extern void syscall_trace_leave(struct pt_regs *);
^
make[2]: *** [arch/x86/kernel/ptrace.o] Error 1
make[1]: *** [arch/x86/kernel] Error 2
make: *** [arch/x86] Error 2

Fix:
Two changes in arch/x86/include/asm/ptrace.h, shown as a diff against the unmodified 2.6.32.1 header:
/linux-kernel/linux-2.6.32.1/arch/x86/include/asm$ vim ptrace.h

#include <linux/init.h>
+#include <linux/linkage.h>

struct cpuinfo_x86;
struct task_struct;
@@ -142,8 +143,8 @@
int error_code, int si_code);
void signal_fault(struct pt_regs *regs, void __user *frame, char *where);

-extern long syscall_trace_enter(struct pt_regs *);
-extern void syscall_trace_leave(struct pt_regs *);
+extern asmregparm long syscall_trace_enter(struct pt_regs *);
+extern asmregparm void syscall_trace_leave(struct pt_regs *);
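Review bot: the two `+extern asmregparm` declarations only compile because the earlier hunk adds `#include <linux/linkage.h>`, which is where `asmregparm` is defined (it expands to the regparm(3) attribute on 32-bit x86 and to nothing elsewhere); apply both hunks together, or the header fails before it even reaches these lines. With the attribute in place the declarations match the `asmregparm long syscall_trace_enter(struct pt_regs *regs)` definition in arch/x86/kernel/ptrace.c, which is what the 'conflicting types' error was about: GCC treats the regparm calling convention as part of the function type, so prototype and definition must agree on it.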

gcc: error: elf_i386: No such file or directory

Error:
gcc: error: elf_i386: No such file or directory
gcc: error: unrecognized command line option ‘-m’

Fix:
beswing@swing:~/linux-kernel/linux-2.6.32.1$ vim arch/x86/vdso/Makefile

Two changes. The vDSO link rules hand `-m elf_x86_64` / `-m elf_i386` to gcc, which newer gcc no longer accepts (those are ld emulation names, so gcc reads `-m` as an unknown option and `elf_i386` as an input file, hence the two messages above). Replace them with gcc's own `-m64` / `-m32`, which it turns into the matching linker emulation itself. The commented-out lines are the originals:

#VDSO_LDFLAGS_vdso.lds = -m elf_x86_64 -Wl,-soname=linux-vdso.so.1 \
-Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096
VDSO_LDFLAGS_vdso.lds = -m64 -Wl,-soname=linux-vdso.so.1 \
-Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096

and

# VDSO_LDFLAGS_vdso32.lds = -m elf_i386 -Wl,-soname=linux-gate.so.1
VDSO_LDFLAGS_vdso32.lds = -m32 -Wl,-soname=linux-gate.so.1

drivers/net/igbvf/igbvf.h:128:15: error: duplicate member ‘page’

Error:
drivers/net/igbvf/igbvf.h:128:15: error: duplicate member ‘page’
struct page *page;
^
make[3]: *** [drivers/net/igbvf/ethtool.o] Error 1
make[2]: *** [drivers/net/igbvf] Error 2
make[1]: *** [drivers/net] Error 2
make: *** [drivers] Error 2

Renaming the duplicated member is enough. GCC 4.6 and later reject a member name that occurs twice in a struct once its anonymous structs and unions are flattened, which older compilers silently accepted; rename one of the two `page` members and fix whatever references the renamed one. The file is ./drivers/net/igbvf/igbvf.h:
beswing@swing:~/linux-kernel/linux-2.6.32.1$ vim ./drivers/net/igbvf/igbvf.h

Creating a filesystem

$ cd ~/linux-kernel/linux-2.6.32.1/linux-2.6.32.1/arch/i386/boot
$ mkinitramfs -o initrd.img-2.6.32.1

Without a version argument, mkinitramfs packs the modules of the host's running kernel, not those of the kernel just built, and the image is booted below without any root= to mount, so initramfs-tools ends up dropping into its busybox shell. For a pwn target that is all that is needed.

Running the compiled kernel in qemu

$ qemu-system-i386 -kernel arch/i386/boot/bzImage -initrd arch/i386/boot/initrd.img-2.6.32.1 -m 512M

Running the kernel in qemu (with the filesystem image from the qemu site)

$ wget http://wiki.qemu.org/download/linux-0.2.img.bz2 -O linux-0.2.img.bz2
$ bunzip2 -d linux-0.2.img.bz2
$ qemu-system-i386 -kernel arch/i386/boot/bzImage -hda linux-0.2.img -append "root=/dev/sda"

There is no initrd on this command line, so the kernel itself must contain the disk controller driver QEMU emulates for -hda and the image's filesystem, built in rather than as modules; a boot that ends in "VFS: Unable to mount root fs" means one of them is missing from the configuration.

Debugging the kernel with gdb

$ qemu-system-i386 -S -kernel arch/i386/boot/bzImage -hda linux-0.2.img -append "root=/dev/sda"

-S halts the CPU at startup, so nothing runs until gdb continues it. Ctrl+Alt+2 switches the QEMU window to the monitor and Ctrl+Alt+1 switches back to the guest display (Ctrl+Alt+G only releases the mouse and keyboard grab). In the monitor, start the gdb stub:

(qemu) gdbserver tcp::1234

Then, in a second terminal, from the top of the kernel source tree:

$ gdb vmlinux
(gdb) target remote localhost:1234
(gdb) c

Passing -s to qemu-system-i386 is shorthand for -gdb tcp::1234 and saves the monitor step. vmlinux keeps its symbol table even without debug info, so breakpoints by function name work; stepping through source needs CONFIG_DEBUG_INFO at build time.
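The "creating a filesystem" and "debugging with gdb" steps above as one script. This is an added example, not code from the original post. Instead of mkinitramfs (which packages the host's modules) it builds the kind of minimal static-busybox initramfs normally used for kernel pwn targets, boots it with the gdb stub enabled and the CPU halted, and writes the gdb command file for the second terminal. Assumptions: a statically linked busybox at $BUSYBOX (Debian's busybox-static package puts one at /bin/busybox), cpio and gzip on the host, and $KERNEL_DIR pointing at the built tree with arch/i386/boot/bzImage and vmlinux; KERNEL_DIR, BUSYBOX and GDB_PORT are assumed defaults that the environment can override.

```shell
#!/bin/sh
# Added example (not the original post's code): build a minimal busybox
# initramfs for the 2.6.32.1 kernel built above and boot it under
# qemu-system-i386 with the gdb stub enabled.
# Assumptions: a statically linked busybox at $BUSYBOX, cpio and gzip on the
# host, and $KERNEL_DIR holding the built tree (arch/i386/boot/bzImage, vmlinux).
set -eu

KERNEL_DIR="${KERNEL_DIR:-$HOME/linux-kernel/linux-2.6.32.1/linux-2.6.32.1}"
BUSYBOX="${BUSYBOX:-/bin/busybox}"
GDB_PORT="${GDB_PORT:-1234}"

# /init runs as PID 1 in the guest. The archive is packed without root, so it
# carries no device nodes: init creates /dev/console itself and reopens its
# stdio on it, mounts what mdev needs, fills /dev, then starts a shell.
write_init() {
    dir="$1"
    cat > "$dir/init" <<'EOF'
#!/bin/sh
mknod -m 600 /dev/console c 5 1 2>/dev/null
exec </dev/console >/dev/console 2>&1
mount -t proc none /proc
mount -t sysfs none /sys
mount -t tmpfs none /tmp
mdev -s
echo "initramfs up, kernel $(uname -r)"
exec setsid sh -c 'exec sh </dev/console >/dev/console 2>&1'
EOF
    chmod 755 "$dir/init"
}

# Root layout: busybox plus one symlink per applet so that sh, mount, mknod,
# mdev and the rest resolve; `busybox --list` prints the applets it was built with.
populate_rootfs() {
    dir="$1"
    mkdir -p "$dir/bin" "$dir/sbin" "$dir/dev" "$dir/proc" "$dir/sys" "$dir/tmp"
    cp "$BUSYBOX" "$dir/bin/busybox"
    for applet in $("$dir/bin/busybox" --list); do
        ln -sf busybox "$dir/bin/$applet"
    done
    write_init "$dir"
}

# newc-format cpio, gzip-compressed: the format the kernel's initramfs
# unpacker accepts for -initrd.
pack_initramfs() {
    dir="$1"; out="$2"
    (cd "$dir" && find . -print0 | cpio --null -o -H newc --quiet) | gzip -9 > "$out"
}

# gdb command file for the second terminal. hbreak rather than break: with -S
# the CPU is halted before paging is on, so a software breakpoint at a
# 0xc0xxxxxx kernel address cannot be written yet; a hardware breakpoint needs
# no memory write.
write_gdb_script() {
    out="$1"
    cat > "$out" <<EOF
target remote localhost:$GDB_PORT
hbreak start_kernel
continue
EOF
}

# -S halts the CPU until gdb continues it; -gdb tcp::PORT does what the post's
# monitor "gdbserver tcp::1234" step does (-s is the shorthand for port 1234).
# console=ttyS0 with -nographic keeps the guest console in this terminal.
boot_kernel() {
    initrd="$1"
    exec qemu-system-i386 -m 512M -nographic -S -gdb "tcp::$GDB_PORT" \
        -kernel "$KERNEL_DIR/arch/i386/boot/bzImage" \
        -initrd "$initrd" \
        -append "console=ttyS0"
}

if [ "${1:-}" = "run" ]; then
    root="$(mktemp -d)"
    populate_rootfs "$root"
    pack_initramfs "$root" "$KERNEL_DIR/initramfs.cpio.gz"
    write_gdb_script "$KERNEL_DIR/gdbinit-qemu"
    echo "second terminal: cd $KERNEL_DIR && gdb -x gdbinit-qemu vmlinux"
    boot_kernel "$KERNEL_DIR/initramfs.cpio.gz"
fi
```

`sh make-initramfs-and-boot.sh run` packs the rootfs, starts QEMU halted with the stub on port 1234, and prints the gdb command for the other terminal; gdb then stops at start_kernel, and `c` from there lands in the busybox shell on the same terminal as QEMU. Note that init creates the console node itself because mknod in the staging directory would need root on the host; the kernel warns about a missing initial console once and then everything appears normally after the exec redirect.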

