linux-kernel exploit study(1) ---编译并用qemu运行内核

Joker师傅老早前发了两个 linux kernel的pwn demo给我们,我到现在才开始搞

编译linux kernel

linux内核下载

创建目录,放我们要放的linux kernel

$ mkdir linux-kernel
$ cd linux-kernel
$ mkdir linux-2.6.32.1
$ cd linux-2.6.32.1/
$ wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.1.tar.gz -O linux-2.6.32.1.tar.gz

解压

$ tar -xzvf linux-2.6.32.1.tar.gz
$ cd linux-2.6.32.1/

配置

$ sudo apt-get install libncurses5-dev
$ sudo apt-get install qemu qemu-system
$ make menuconfig

编译

$ make
$ make all
$ make modules

编译这个地方,可能会出现几个错误~

报错 以及解决办法

编译出现的问题

错误:
arch/x86/kernel/ptrace.c:1472:17: error: conflicting types for ‘syscall_trace_enter’
asmregparm long syscall_trace_enter(struct pt_regs *regs)
^
In file included from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/vm86.h:130:0,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/processor.h:10,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/thread_info.h:22,
from include/linux/thread_info.h:56,
from include/linux/preempt.h:9,
from include/linux/spinlock.h:50,
from include/linux/seqlock.h:29,
from include/linux/time.h:8,
from include/linux/timex.h:56,
from include/linux/sched.h:56,
from arch/x86/kernel/ptrace.c:11:
/home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/ptrace.h:145:13: note: previous declaration of ‘syscall_trace_enter’ was here
extern long syscall_trace_enter(struct pt_regs *);
^
arch/x86/kernel/ptrace.c:1517:17: error: conflicting types for ‘syscall_trace_leave’
asmregparm void syscall_trace_leave(struct pt_regs *regs)
^
In file included from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/vm86.h:130:0,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/processor.h:10,
from /home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/thread_info.h:22,
from include/linux/thread_info.h:56,
from include/linux/preempt.h:9,
from include/linux/spinlock.h:50,
from include/linux/seqlock.h:29,
from include/linux/time.h:8,
from include/linux/timex.h:56,
from include/linux/sched.h:56,
from arch/x86/kernel/ptrace.c:11:
/home/joker/linux_kernel/linux-2.6.32.1/arch/x86/include/asm/ptrace.h:146:13: note: previous declaration of ‘syscall_trace_leave’ was here
extern void syscall_trace_leave(struct pt_regs *);
^
make[2]: *** [arch/x86/kernel/ptrace.o] 错误 1
make[1]: *** [arch/x86/kernel] 错误 2
make: *** [arch/x86] 错误 2

解决方案:
两处修改:
/linux-kernel/linux-2.6.32.1/arch/x86/include/asm$ vim ptrace.h

#include <linux/init.h>
+#include <linux/linkage.h>

struct cpuinfo_x86;
struct task_struct;
@@ -142,8 +143,8 @@
int error_code, int si_code);
void signal_fault(struct pt_regs *regs, void __user *frame, char *where);

-extern long syscall_trace_enter(struct pt_regs *);
-extern void syscall_trace_leave(struct pt_regs *);
+extern asmregparm long syscall_trace_enter(struct pt_regs *);
+extern asmregparm void syscall_trace_leave(struct pt_regs *);

gcc: error: elf_i386: 没有那个文件或目录

错误:
gcc: error: elf_i386: 没有那个文件或目录
gcc: error: unrecognized command line option ‘-m’

解决方案:
beswing@swing:~/linux-kernel/linux-2.6.32.1$ vim arch/x86/vdso/Makefile

两处修改

#VDSO_LDFLAGS_vdso.lds = -m elf_x86_64 -Wl,-soname=linux-vdso.so.1 \
-Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096
VDSO_LDFLAGS_vdso.lds = -m64 -Wl,-soname=linux-vdso.so.1 \
-Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096

以及

# VDSO_LDFLAGS_vdso32.lds = -m elf_i386 -Wl,-soname=linux-gate.so.1
VDSO_LDFLAGS_vdso32.lds = -m32 -Wl,-soname=linux-gate.so.1

drivers/net/igbvf/igbvf.h:128:15: error: duplicate member ‘page’

错误:
drivers/net/igbvf/igbvf.h:128:15: error: duplicate member ‘page’
struct page *page;
^
make[3]: *** [drivers/net/igbvf/ethtool.o] 错误 1
make[2]: *** [drivers/net/igbvf] 错误 2
make[1]: *** [drivers/net] 错误 2
make: *** [drivers] 错误 2

修改重复的成员名即可,文件路径为 beswing@swing:~/linux-kernel/linux-2.6.32.1$ vim ./drivers/net/igbvf/igbvf.h

创建文件系统

$ cd ~/linux-kernel/linux-2.6.32.1/linux-2.6.32.1/arch/i386/boot
$ mkinitramfs -o initrd.img-2.6.32.1

使用qemu运行编译好的内核

$ qemu-system-i386 -kernel arch/i386/boot/bzImage -initrd arch/i386/boot/initrd.img-2.6.32.1  -m 512M

使用qemu运行内核(使用qemu官网提供的文件系统)。该镜像是通过明文 HTTP 下载的,启动前先核对官网给出的校验值。

$ wget http://wiki.qemu.org/download/linux-0.2.img.bz2 -O linux-0.2.img.bz2
$ bunzip2 -d linux-0.2.img.bz2
$ qemu-system-i386 -kernel arch/i386/boot/bzImage -hda linux-0.2.img -append "root=/dev/sda"

gdb调试内核

$ qemu-system-i386 -S -kernel arch/i386/boot/bzImage -hda linux-0.2.img -append "root=/dev/sda"
$ Ctrl+Alt+2即切换到QEMU工作台下
$ Ctrl+Alt+G切换出QEMU工作台
qemu $ gdbserver tcp::1234
$ gdb vmlinux
gdb $ target remote localhost:1234
$ c