关联漏洞
描述
Source code and configuration files related to our article in MISC96
介绍
# Exploiting CVE-2017-5123
## Introduction
This repository is an addition to the article published in MISC Magazine #96.
We achieved to elevate our privileges in a reliable way, on our virtual
machine with SMEP / SMAP and KASLR enabled. It should however be noted that
the system if left in an unstable state and that a oops is very likely to
occur.
## Contents of this repository
In the folder `configs/`, you will find configuration files for the Linux kernel
and Busybox, each one being sightly different of the default ones.
The folder `binaries/` contains all the pre-built binaries that you will need
to reproduce our test environment, such as a whole rootfs ready to be used with
QEMU.
`linux-stable` is a git submodule pointing to a vulnerable revision of the Linux
kernel. Use `git submodule update --recursive` to fetch it (if you a least
1GB free on your system...). Same thing goes for `busybox`.
## Environment setup
Our environment is based on a QEMU x86 virtual machine with a folder shared
with the host via 9P. A vulnerable version of the kernel (`ff33952e4d23`) is
compiled along with a statically-linked build of [Busybox](https://www.busybox.net/).
### Kernel configuration
Our configuration is pretty simple, since we do not need to support any kind
of exotic architecture or hardware. Is has been generated by running `make
defconfig` and some features were enabled, to support QEMU's networking and
folder sharing:
```
CONFIG_BLK_MQ_VIRTIO=y
CONFIG_MEMORY_BALLOON=y
CONFIG_BALLOON_COMPACTION=y
CONFIG_NET_9P=y
CONFIG_NET_9P_VIRTIO=y
CONFIG_NET_9P_DEBUG=y
CONFIG_VIRTIO_BLK=y
CONFIG_VIRTIO_BLK_SCSI=y
CONFIG_VIRTIO_NET=y
CONFIG_HVC_DRIVER=y
CONFIG_VIRTIO_CONSOLE=y
CONFIG_HW_RANDOM_VIRTIO=y
CONFIG_VIRTIO=y
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_PCI_LEGACY=y
CONFIG_VIRTIO_BALLOON=y
CONFIG_VIRTIO_INPUT=y
CONFIG_VIRTIO_MMIO=y
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
CONFIG_9P_FS=y
CONFIG_9P_FS_POSIX_ACL=y
CONFIG_9P_FS_SECURITY=y
```
GDB scripts and debugging symbols were also added to ease the developpement of
the first PoCs:
```
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_DWARF4=y
CONFIG_GDB_SCRIPTS=y
```
Please note that in this version, KASLR is enabled by default on x86. Since the
kernel mapped at a different addresses after each reboot, GDB will not be able
to match the symbol file with it. You have then two options: performing tests
without KASLR or passing the base address of the kernel to `symbol-file` when
loading the symbols in GDB.
After compiling it, you will find the bzImage in `linux-stable/arch/x86/boot/bzImage`.
This file is present in `binaries/bzImage` and our configuration file in
`confifs/kernel.config`. To use it, you only have to copy it as `.config`
in `linux-stable`.
### Compiling Busybox
We used the last stable version of Busybox, 1.28. The only setting to change is
`CONFIG_STATIC`, set it to `y`. Compiling it should not cause any issue.
Our configuration file is available into `configs/busybox.config` and a
statically-compiled binary in `binaries/busybox`. As for Linux, just copy it
as `.config` in Busybox's sources folder.
### Assembling it together
Busybox already implements an init process that will try to execute `/etc/init.d/rcS`.
Usually, it is provided by your distribution (potentially with a different name)
but we will have to do it by ourselves here! This script will create and mount
several mandatory system folders (`proc`, `sys`, `dev`), our folder shared with
the host and drop us into an unprivilegied shell:
```
for i in $(seq 1 9); do mknod /dev/tty$i c 4 1; done
mknod -m 0666 /dev/null c 1 3
mknod -m 0660 /dev/ttyS0 c 4 64
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs none /dev
mkdir -p /mnt/share
mount -t 9p -o trans=virtio share /mnt/share/ -oversion=9p2000.L,posixacl,sync
chmod 777 /mnt/share/
export ENV=/etc/profile
setsid cttyhack setuidgid 1000 sh
umount /proc
umount /sys
umount /dev
poweroff -f
```
The file `/etc/profile` is not mandatory but kind of useful during our tests,
more especially when the exploit was not reliable and it took several tries to
obtain root privileges.
## Exploit
The process behing exploit's writing is fairly documented in MISC 96: we use
`unsafe_put_user` to probe memory until we find the base address of the heap.
Then, thousands of calls to `clone` let us spray numerous `cred` structures
in memory. During our tests, their position in memory was much more "constant"
than when using `fork`, since it allocates less structures for the new task.
## What's left
Exiting the child will cause a kernel oops, due to a faulty paging request, this
needs to be correctly handled.
## Contributing
If you want to improve the reliability of this exploit or add documentation,
contributions are welcome! We may also have also made mistakes or imprecisions
on some concepts, do not hesitate to open an issue if you think something is
wrong.
## Useful links
**Linux kernel**
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=96ca579a1ecc943b75beba58bebb0356f6cc4b51
- https://01.org/linuxgraphics/gfx-docs/drm/dev-tools/gdb-kernel-debugging.html
**Exploitation**
- https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/
- https://github.com/0x5068656e6f6c/CVE-2017-5123/blob/master/CVE-2017-5123.c
文件快照
[4.0K] /data/pocs/3510fa47c8996245964bc04833aebcbb9043fba6
├── [4.0K] binaries
│ ├── [2.5M] busybox
│ ├── [7.1M] bzImage
│ ├── [706K] cve-2017-5123
│ └── [3.0M] rootfs.img
├── [4.0K] busybox
├── [4.0K] configs
│ ├── [ 26K] busybox.config
│ └── [113K] kernel.config
├── [2.3K] cve-2017-5123.c
├── [4.0K] filesystem
│ ├── [4.0K] bin
│ │ ├── [ 7] arch -> busybox
│ │ ├── [ 7] ash -> busybox
│ │ ├── [ 7] base64 -> busybox
│ │ ├── [3.0M] busybox
│ │ ├── [ 7] cat -> busybox
│ │ ├── [ 7] chattr -> busybox
│ │ ├── [ 7] chgrp -> busybox
│ │ ├── [ 7] chmod -> busybox
│ │ ├── [ 7] chown -> busybox
│ │ ├── [ 7] conspy -> busybox
│ │ ├── [ 7] cp -> busybox
│ │ ├── [ 7] cpio -> busybox
│ │ ├── [ 7] cttyhack -> busybox
│ │ ├── [ 7] date -> busybox
│ │ ├── [ 7] dd -> busybox
│ │ ├── [ 7] df -> busybox
│ │ ├── [ 7] dmesg -> busybox
│ │ ├── [ 7] dnsdomainname -> busybox
│ │ ├── [ 7] dumpkmap -> busybox
│ │ ├── [ 7] echo -> busybox
│ │ ├── [ 7] ed -> busybox
│ │ ├── [ 7] egrep -> busybox
│ │ ├── [ 7] false -> busybox
│ │ ├── [ 7] fatattr -> busybox
│ │ ├── [ 7] fdflush -> busybox
│ │ ├── [ 7] fgrep -> busybox
│ │ ├── [ 7] fsync -> busybox
│ │ ├── [ 7] getopt -> busybox
│ │ ├── [ 7] grep -> busybox
│ │ ├── [ 7] gunzip -> busybox
│ │ ├── [ 7] gzip -> busybox
│ │ ├── [ 7] hostname -> busybox
│ │ ├── [ 7] hush -> busybox
│ │ ├── [ 7] ionice -> busybox
│ │ ├── [ 7] iostat -> busybox
│ │ ├── [ 7] ipcalc -> busybox
│ │ ├── [ 7] kbd_mode -> busybox
│ │ ├── [ 7] kill -> busybox
│ │ ├── [ 7] link -> busybox
│ │ ├── [ 7] linux32 -> busybox
│ │ ├── [ 7] linux64 -> busybox
│ │ ├── [ 7] ln -> busybox
│ │ ├── [ 7] login -> busybox
│ │ ├── [ 7] ls -> busybox
│ │ ├── [ 7] lsattr -> busybox
│ │ ├── [ 7] lzop -> busybox
│ │ ├── [ 7] makemime -> busybox
│ │ ├── [ 7] mkdir -> busybox
│ │ ├── [ 7] mknod -> busybox
│ │ ├── [ 7] mktemp -> busybox
│ │ ├── [ 7] more -> busybox
│ │ ├── [ 7] mount -> busybox
│ │ ├── [ 7] mountpoint -> busybox
│ │ ├── [ 7] mpstat -> busybox
│ │ ├── [ 7] mt -> busybox
│ │ ├── [ 7] mv -> busybox
│ │ ├── [ 7] netstat -> busybox
│ │ ├── [ 7] nice -> busybox
│ │ ├── [ 7] nuke -> busybox
│ │ ├── [ 7] pidof -> busybox
│ │ ├── [ 7] ping -> busybox
│ │ ├── [ 7] ping6 -> busybox
│ │ ├── [ 7] pipe_progress -> busybox
│ │ ├── [ 7] printenv -> busybox
│ │ ├── [ 7] ps -> busybox
│ │ ├── [ 7] pwd -> busybox
│ │ ├── [ 7] reformime -> busybox
│ │ ├── [ 7] resume -> busybox
│ │ ├── [ 7] rev -> busybox
│ │ ├── [ 7] rm -> busybox
│ │ ├── [ 7] rmdir -> busybox
│ │ ├── [ 7] rpm -> busybox
│ │ ├── [ 7] run-parts -> busybox
│ │ ├── [ 7] scriptreplay -> busybox
│ │ ├── [ 7] sed -> busybox
│ │ ├── [ 7] setarch -> busybox
│ │ ├── [ 7] setpriv -> busybox
│ │ ├── [ 7] setserial -> busybox
│ │ ├── [ 7] sh -> busybox
│ │ ├── [ 7] sleep -> busybox
│ │ ├── [ 7] stat -> busybox
│ │ ├── [ 7] stty -> busybox
│ │ ├── [ 7] su -> busybox
│ │ ├── [ 7] sync -> busybox
│ │ ├── [ 7] tar -> busybox
│ │ ├── [ 7] touch -> busybox
│ │ ├── [ 7] true -> busybox
│ │ ├── [ 7] umount -> busybox
│ │ ├── [ 7] uname -> busybox
│ │ ├── [ 7] usleep -> busybox
│ │ ├── [ 7] vi -> busybox
│ │ ├── [ 7] watch -> busybox
│ │ └── [ 7] zcat -> busybox
│ ├── [4.0K] dev
│ ├── [4.0K] etc
│ │ ├── [ 178] passwd
│ │ └── [ 188] profile
│ ├── [4.0K] home
│ │ └── [4.0K] synacktiv
│ ├── [ 11] linuxrc -> bin/busybox
│ ├── [4.0K] mnt
│ ├── [4.0K] proc
│ ├── [4.0K] root
│ ├── [4.0K] sbin
│ │ ├── [ 14] acpid -> ../bin/busybox
│ │ ├── [ 14] adjtimex -> ../bin/busybox
│ │ ├── [ 14] arp -> ../bin/busybox
│ │ ├── [ 14] blkid -> ../bin/busybox
│ │ ├── [ 14] blockdev -> ../bin/busybox
│ │ ├── [ 14] bootchartd -> ../bin/busybox
│ │ ├── [ 14] depmod -> ../bin/busybox
│ │ ├── [ 14] devmem -> ../bin/busybox
│ │ ├── [ 14] fbsplash -> ../bin/busybox
│ │ ├── [ 14] fdisk -> ../bin/busybox
│ │ ├── [ 14] findfs -> ../bin/busybox
│ │ ├── [ 14] freeramdisk -> ../bin/busybox
│ │ ├── [ 14] fsck -> ../bin/busybox
│ │ ├── [ 14] fsck.minix -> ../bin/busybox
│ │ ├── [ 14] fstrim -> ../bin/busybox
│ │ ├── [ 14] getty -> ../bin/busybox
│ │ ├── [ 14] halt -> ../bin/busybox
│ │ ├── [ 14] hdparm -> ../bin/busybox
│ │ ├── [ 14] hwclock -> ../bin/busybox
│ │ ├── [ 14] ifconfig -> ../bin/busybox
│ │ ├── [ 14] ifdown -> ../bin/busybox
│ │ ├── [ 14] ifenslave -> ../bin/busybox
│ │ ├── [ 14] ifup -> ../bin/busybox
│ │ ├── [ 14] init -> ../bin/busybox
│ │ ├── [ 14] insmod -> ../bin/busybox
│ │ ├── [ 14] ip -> ../bin/busybox
│ │ ├── [ 14] ipaddr -> ../bin/busybox
│ │ ├── [ 14] iplink -> ../bin/busybox
│ │ ├── [ 14] ipneigh -> ../bin/busybox
│ │ ├── [ 14] iproute -> ../bin/busybox
│ │ ├── [ 14] iprule -> ../bin/busybox
│ │ ├── [ 14] iptunnel -> ../bin/busybox
│ │ ├── [ 14] klogd -> ../bin/busybox
│ │ ├── [ 14] loadkmap -> ../bin/busybox
│ │ ├── [ 14] logread -> ../bin/busybox
│ │ ├── [ 14] losetup -> ../bin/busybox
│ │ ├── [ 14] lsmod -> ../bin/busybox
│ │ ├── [ 14] makedevs -> ../bin/busybox
│ │ ├── [ 14] mdev -> ../bin/busybox
│ │ ├── [ 14] mkdosfs -> ../bin/busybox
│ │ ├── [ 14] mke2fs -> ../bin/busybox
│ │ ├── [ 14] mkfs.ext2 -> ../bin/busybox
│ │ ├── [ 14] mkfs.minix -> ../bin/busybox
│ │ ├── [ 14] mkfs.vfat -> ../bin/busybox
│ │ ├── [ 14] mkswap -> ../bin/busybox
│ │ ├── [ 14] modinfo -> ../bin/busybox
│ │ ├── [ 14] modprobe -> ../bin/busybox
│ │ ├── [ 14] nameif -> ../bin/busybox
│ │ ├── [ 14] pivot_root -> ../bin/busybox
│ │ ├── [ 14] poweroff -> ../bin/busybox
│ │ ├── [ 14] raidautorun -> ../bin/busybox
│ │ ├── [ 14] reboot -> ../bin/busybox
│ │ ├── [ 14] rmmod -> ../bin/busybox
│ │ ├── [ 14] route -> ../bin/busybox
│ │ ├── [ 14] run-init -> ../bin/busybox
│ │ ├── [ 14] runlevel -> ../bin/busybox
│ │ ├── [ 14] setconsole -> ../bin/busybox
│ │ ├── [ 14] slattach -> ../bin/busybox
│ │ ├── [ 14] start-stop-daemon -> ../bin/busybox
│ │ ├── [ 14] sulogin -> ../bin/busybox
│ │ ├── [ 14] swapoff -> ../bin/busybox
│ │ ├── [ 14] swapon -> ../bin/busybox
│ │ ├── [ 14] switch_root -> ../bin/busybox
│ │ ├── [ 14] sysctl -> ../bin/busybox
│ │ ├── [ 14] syslogd -> ../bin/busybox
│ │ ├── [ 14] tunctl -> ../bin/busybox
│ │ ├── [ 14] udhcpc -> ../bin/busybox
│ │ ├── [ 14] uevent -> ../bin/busybox
│ │ ├── [ 14] vconfig -> ../bin/busybox
│ │ ├── [ 14] watchdog -> ../bin/busybox
│ │ └── [ 14] zcip -> ../bin/busybox
│ ├── [4.0K] sys
│ └── [4.0K] usr
│ ├── [4.0K] bin
│ │ ├── [ 17] [ -> ../../bin/busybox
│ │ ├── [ 17] [[ -> ../../bin/busybox
│ │ ├── [ 17] awk -> ../../bin/busybox
│ │ ├── [ 17] basename -> ../../bin/busybox
│ │ ├── [ 17] beep -> ../../bin/busybox
│ │ ├── [ 17] blkdiscard -> ../../bin/busybox
│ │ ├── [ 17] bunzip2 -> ../../bin/busybox
│ │ ├── [ 17] bzcat -> ../../bin/busybox
│ │ ├── [ 17] bzip2 -> ../../bin/busybox
│ │ ├── [ 17] cal -> ../../bin/busybox
│ │ ├── [ 17] chpst -> ../../bin/busybox
│ │ ├── [ 17] chrt -> ../../bin/busybox
│ │ ├── [ 17] chvt -> ../../bin/busybox
│ │ ├── [ 17] cksum -> ../../bin/busybox
│ │ ├── [ 17] clear -> ../../bin/busybox
│ │ ├── [ 17] cmp -> ../../bin/busybox
│ │ ├── [ 17] comm -> ../../bin/busybox
│ │ ├── [ 17] crontab -> ../../bin/busybox
│ │ ├── [ 17] cryptpw -> ../../bin/busybox
│ │ ├── [ 17] cut -> ../../bin/busybox
│ │ ├── [ 17] dc -> ../../bin/busybox
│ │ ├── [ 17] deallocvt -> ../../bin/busybox
│ │ ├── [ 17] diff -> ../../bin/busybox
│ │ ├── [ 17] dirname -> ../../bin/busybox
│ │ ├── [ 17] dos2unix -> ../../bin/busybox
│ │ ├── [ 17] dpkg -> ../../bin/busybox
│ │ ├── [ 17] dpkg-deb -> ../../bin/busybox
│ │ ├── [ 17] du -> ../../bin/busybox
│ │ ├── [ 17] dumpleases -> ../../bin/busybox
│ │ ├── [ 17] eject -> ../../bin/busybox
│ │ ├── [ 17] env -> ../../bin/busybox
│ │ ├── [ 17] envdir -> ../../bin/busybox
│ │ ├── [ 17] envuidgid -> ../../bin/busybox
│ │ ├── [ 17] expand -> ../../bin/busybox
│ │ ├── [ 17] expr -> ../../bin/busybox
│ │ ├── [ 17] factor -> ../../bin/busybox
│ │ ├── [ 17] fallocate -> ../../bin/busybox
│ │ ├── [ 17] fgconsole -> ../../bin/busybox
│ │ ├── [ 17] find -> ../../bin/busybox
│ │ ├── [ 17] flock -> ../../bin/busybox
│ │ ├── [ 17] fold -> ../../bin/busybox
│ │ ├── [ 17] free -> ../../bin/busybox
│ │ ├── [ 17] ftpget -> ../../bin/busybox
│ │ ├── [ 17] ftpput -> ../../bin/busybox
│ │ ├── [ 17] fuser -> ../../bin/busybox
│ │ ├── [ 17] groups -> ../../bin/busybox
│ │ ├── [ 17] hd -> ../../bin/busybox
│ │ ├── [ 17] head -> ../../bin/busybox
│ │ ├── [ 17] hexdump -> ../../bin/busybox
│ │ ├── [ 17] hexedit -> ../../bin/busybox
│ │ ├── [ 17] hostid -> ../../bin/busybox
│ │ ├── [ 17] id -> ../../bin/busybox
│ │ ├── [ 17] install -> ../../bin/busybox
│ │ ├── [ 17] ipcrm -> ../../bin/busybox
│ │ ├── [ 17] ipcs -> ../../bin/busybox
│ │ ├── [ 17] killall -> ../../bin/busybox
│ │ ├── [ 17] last -> ../../bin/busybox
│ │ ├── [ 17] less -> ../../bin/busybox
│ │ ├── [ 17] logger -> ../../bin/busybox
│ │ ├── [ 17] logname -> ../../bin/busybox
│ │ ├── [ 17] lpq -> ../../bin/busybox
│ │ ├── [ 17] lpr -> ../../bin/busybox
│ │ ├── [ 17] lsof -> ../../bin/busybox
│ │ ├── [ 17] lspci -> ../../bin/busybox
│ │ ├── [ 17] lsscsi -> ../../bin/busybox
│ │ ├── [ 17] lsusb -> ../../bin/busybox
│ │ ├── [ 17] lzcat -> ../../bin/busybox
│ │ ├── [ 17] lzma -> ../../bin/busybox
│ │ ├── [ 17] man -> ../../bin/busybox
│ │ ├── [ 17] md5sum -> ../../bin/busybox
│ │ ├── [ 17] mesg -> ../../bin/busybox
│ │ ├── [ 17] microcom -> ../../bin/busybox
│ │ ├── [ 17] mkfifo -> ../../bin/busybox
│ │ ├── [ 17] mkpasswd -> ../../bin/busybox
│ │ ├── [ 17] nc -> ../../bin/busybox
│ │ ├── [ 17] nl -> ../../bin/busybox
│ │ ├── [ 17] nmeter -> ../../bin/busybox
│ │ ├── [ 17] nohup -> ../../bin/busybox
│ │ ├── [ 17] nproc -> ../../bin/busybox
│ │ ├── [ 17] nsenter -> ../../bin/busybox
│ │ ├── [ 17] nslookup -> ../../bin/busybox
│ │ ├── [ 17] od -> ../../bin/busybox
│ │ ├── [ 17] openvt -> ../../bin/busybox
│ │ ├── [ 17] passwd -> ../../bin/busybox
│ │ ├── [ 17] paste -> ../../bin/busybox
│ │ ├── [ 17] patch -> ../../bin/busybox
│ │ ├── [ 17] pgrep -> ../../bin/busybox
│ │ ├── [ 17] pkill -> ../../bin/busybox
│ │ ├── [ 17] pmap -> ../../bin/busybox
│ │ ├── [ 17] printf -> ../../bin/busybox
│ │ ├── [ 17] pscan -> ../../bin/busybox
│ │ ├── [ 17] pstree -> ../../bin/busybox
│ │ ├── [ 17] pwdx -> ../../bin/busybox
│ │ ├── [ 17] readlink -> ../../bin/busybox
│ │ ├── [ 17] realpath -> ../../bin/busybox
│ │ ├── [ 17] renice -> ../../bin/busybox
│ │ ├── [ 17] reset -> ../../bin/busybox
│ │ ├── [ 17] resize -> ../../bin/busybox
│ │ ├── [ 17] rpm2cpio -> ../../bin/busybox
│ │ ├── [ 17] runsv -> ../../bin/busybox
│ │ ├── [ 17] runsvdir -> ../../bin/busybox
│ │ ├── [ 17] rx -> ../../bin/busybox
│ │ ├── [ 17] script -> ../../bin/busybox
│ │ ├── [ 17] seq -> ../../bin/busybox
│ │ ├── [ 17] setfattr -> ../../bin/busybox
│ │ ├── [ 17] setkeycodes -> ../../bin/busybox
│ │ ├── [ 17] setsid -> ../../bin/busybox
│ │ ├── [ 17] setuidgid -> ../../bin/busybox
│ │ ├── [ 17] sha1sum -> ../../bin/busybox
│ │ ├── [ 17] sha256sum -> ../../bin/busybox
│ │ ├── [ 17] sha3sum -> ../../bin/busybox
│ │ ├── [ 17] sha512sum -> ../../bin/busybox
│ │ ├── [ 17] showkey -> ../../bin/busybox
│ │ ├── [ 17] shred -> ../../bin/busybox
│ │ ├── [ 17] shuf -> ../../bin/busybox
│ │ ├── [ 17] smemcap -> ../../bin/busybox
│ │ ├── [ 17] softlimit -> ../../bin/busybox
│ │ ├── [ 17] sort -> ../../bin/busybox
│ │ ├── [ 17] split -> ../../bin/busybox
│ │ ├── [ 17] ssl_client -> ../../bin/busybox
│ │ ├── [ 17] strings -> ../../bin/busybox
│ │ ├── [ 17] sum -> ../../bin/busybox
│ │ ├── [ 17] sv -> ../../bin/busybox
│ │ ├── [ 17] svc -> ../../bin/busybox
│ │ ├── [ 17] tac -> ../../bin/busybox
│ │ ├── [ 17] tail -> ../../bin/busybox
│ │ ├── [ 17] taskset -> ../../bin/busybox
│ │ ├── [ 17] tcpsvd -> ../../bin/busybox
│ │ ├── [ 17] tee -> ../../bin/busybox
│ │ ├── [ 17] telnet -> ../../bin/busybox
│ │ ├── [ 17] test -> ../../bin/busybox
│ │ ├── [ 17] tftp -> ../../bin/busybox
│ │ ├── [ 17] time -> ../../bin/busybox
│ │ ├── [ 17] timeout -> ../../bin/busybox
│ │ ├── [ 17] top -> ../../bin/busybox
│ │ ├── [ 17] tr -> ../../bin/busybox
│ │ ├── [ 17] traceroute -> ../../bin/busybox
│ │ ├── [ 17] traceroute6 -> ../../bin/busybox
│ │ ├── [ 17] truncate -> ../../bin/busybox
│ │ ├── [ 17] tty -> ../../bin/busybox
│ │ ├── [ 17] ttysize -> ../../bin/busybox
│ │ ├── [ 17] udpsvd -> ../../bin/busybox
│ │ ├── [ 17] unexpand -> ../../bin/busybox
│ │ ├── [ 17] uniq -> ../../bin/busybox
│ │ ├── [ 17] unix2dos -> ../../bin/busybox
│ │ ├── [ 17] unlink -> ../../bin/busybox
│ │ ├── [ 17] unlzma -> ../../bin/busybox
│ │ ├── [ 17] unshare -> ../../bin/busybox
│ │ ├── [ 17] unxz -> ../../bin/busybox
│ │ ├── [ 17] unzip -> ../../bin/busybox
│ │ ├── [ 17] uptime -> ../../bin/busybox
│ │ ├── [ 17] users -> ../../bin/busybox
│ │ ├── [ 17] uudecode -> ../../bin/busybox
│ │ ├── [ 17] uuencode -> ../../bin/busybox
│ │ ├── [ 17] vlock -> ../../bin/busybox
│ │ ├── [ 17] volname -> ../../bin/busybox
│ │ ├── [ 17] w -> ../../bin/busybox
│ │ ├── [ 17] wall -> ../../bin/busybox
│ │ ├── [ 17] wc -> ../../bin/busybox
│ │ ├── [ 17] wget -> ../../bin/busybox
│ │ ├── [ 17] which -> ../../bin/busybox
│ │ ├── [ 17] who -> ../../bin/busybox
│ │ ├── [ 17] whoami -> ../../bin/busybox
│ │ ├── [ 17] whois -> ../../bin/busybox
│ │ ├── [ 17] xargs -> ../../bin/busybox
│ │ ├── [ 17] xxd -> ../../bin/busybox
│ │ ├── [ 17] xz -> ../../bin/busybox
│ │ ├── [ 17] xzcat -> ../../bin/busybox
│ │ └── [ 17] yes -> ../../bin/busybox
│ └── [4.0K] sbin
│ ├── [ 17] addgroup -> ../../bin/busybox
│ ├── [ 17] add-shell -> ../../bin/busybox
│ ├── [ 17] adduser -> ../../bin/busybox
│ ├── [ 17] arping -> ../../bin/busybox
│ ├── [ 17] brctl -> ../../bin/busybox
│ ├── [ 17] chat -> ../../bin/busybox
│ ├── [ 17] chpasswd -> ../../bin/busybox
│ ├── [ 17] chroot -> ../../bin/busybox
│ ├── [ 17] crond -> ../../bin/busybox
│ ├── [ 17] delgroup -> ../../bin/busybox
│ ├── [ 17] deluser -> ../../bin/busybox
│ ├── [ 17] dhcprelay -> ../../bin/busybox
│ ├── [ 17] dnsd -> ../../bin/busybox
│ ├── [ 17] ether-wake -> ../../bin/busybox
│ ├── [ 17] fakeidentd -> ../../bin/busybox
│ ├── [ 17] fbset -> ../../bin/busybox
│ ├── [ 17] fdformat -> ../../bin/busybox
│ ├── [ 17] fsfreeze -> ../../bin/busybox
│ ├── [ 17] ftpd -> ../../bin/busybox
│ ├── [ 17] httpd -> ../../bin/busybox
│ ├── [ 17] i2cdetect -> ../../bin/busybox
│ ├── [ 17] i2cdump -> ../../bin/busybox
│ ├── [ 17] i2cget -> ../../bin/busybox
│ ├── [ 17] i2cset -> ../../bin/busybox
│ ├── [ 17] ifplugd -> ../../bin/busybox
│ ├── [ 17] inetd -> ../../bin/busybox
│ ├── [ 17] killall5 -> ../../bin/busybox
│ ├── [ 17] loadfont -> ../../bin/busybox
│ ├── [ 17] lpd -> ../../bin/busybox
│ ├── [ 17] nanddump -> ../../bin/busybox
│ ├── [ 17] nandwrite -> ../../bin/busybox
│ ├── [ 17] nbd-client -> ../../bin/busybox
│ ├── [ 17] ntpd -> ../../bin/busybox
│ ├── [ 17] partprobe -> ../../bin/busybox
│ ├── [ 17] popmaildir -> ../../bin/busybox
│ ├── [ 17] powertop -> ../../bin/busybox
│ ├── [ 17] rdate -> ../../bin/busybox
│ ├── [ 17] rdev -> ../../bin/busybox
│ ├── [ 17] readahead -> ../../bin/busybox
│ ├── [ 17] readprofile -> ../../bin/busybox
│ ├── [ 17] remove-shell -> ../../bin/busybox
│ ├── [ 17] rtcwake -> ../../bin/busybox
│ ├── [ 17] sendmail -> ../../bin/busybox
│ ├── [ 17] setfont -> ../../bin/busybox
│ ├── [ 17] setlogcons -> ../../bin/busybox
│ ├── [ 17] svlogd -> ../../bin/busybox
│ ├── [ 17] telnetd -> ../../bin/busybox
│ ├── [ 17] tftpd -> ../../bin/busybox
│ ├── [ 17] ubiattach -> ../../bin/busybox
│ ├── [ 17] ubidetach -> ../../bin/busybox
│ ├── [ 17] ubimkvol -> ../../bin/busybox
│ ├── [ 17] ubirename -> ../../bin/busybox
│ ├── [ 17] ubirmvol -> ../../bin/busybox
│ ├── [ 17] ubirsvol -> ../../bin/busybox
│ ├── [ 17] ubiupdatevol -> ../../bin/busybox
│ └── [ 17] udhcpd -> ../../bin/busybox
├── [1.0K] LICENSE
├── [4.0K] linux-stable
├── [ 735] Makefile
├── [5.2K] README.md
└── [ 443] run.sh
18 directories, 403 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。