DirtyCred on 办公AI智能小助手 https://blog.qife122.com/tags/dirtycred/ Recent content in DirtyCred on 办公AI智能小助手 Hugo zh-cn qife Sun, 26 Oct 2025 22:24:23 +0800 基于文件DirtyCred的容器逃逸新技术详解 https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/ Sun, 26 Oct 2025 22:24:23 +0800 https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/ <h1 id="基于文件dirtycred的容器逃逸新方法--star-labs">基于文件DirtyCred的容器逃逸新方法 | STAR Labs</h1> <p><strong>目录</strong></p> <ul> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e7%9b%b8%e5%85%b3io_uring%e7%bb%84%e4%bb%b6%e4%bb%8b%e7%bb%8d">相关io_uring组件介绍</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e5%9b%ba%e5%ae%9a%e6%96%87%e4%bb%b6">固定文件</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e7%8e%af%e6%b6%88%e6%81%af">环消息</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90">漏洞分析</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e7%9b%b4%e6%8e%a5%e5%90%8e%e6%9e%9c">直接后果</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#dirtycred%e6%8a%80%e6%9c%af">DirtyCred技术</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%96%87%e4%bb%b6%e7%bb%93%e6%9e%84%e4%bd%93">文件结构体</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e4%bb%a3%e7%a0%81%e5%88%86%e6%9e%90">代码分析</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e4%bc%a0%e7%bb%9fdirtycred%e9%92%88%e5%af%b9ext4%e6%96%87%e4%bb%b6">传统DirtyCred:针对ext4文件</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%9c%ac%e5%9c%b0%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87">本地权限提升</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%8a%80%e6%9c%af%e6%8e%a2%e7%b4%a2">技术探索</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#proc%e6%96%87%e4%bb%b6%e7%b3%bb%e7%bb%9f">proc文件系统</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%96%b0%e7%9b%ae%e6%a0%87aio_write">新目标:aio_write()</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%85%a2%e9%a1%b5%e9%9d%a2%e6%95%85%e9%9a%9c%e6%95%91%e6%8f%b4">慢页面故障救援</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%95%b4%e4%bd%93%e5%88%a9%e7%94%a8%e6%96%b9%e6%a1%88">整体利用方案</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e5%ae%9e%e9%99%85%e5%ae%b9%e5%99%a8%e6%b5%8b%e8%af%95">实际容器测试</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%a0%87%e5%87%86docker%e5%ae%b9%e5%99%a8">标准Docker容器</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e7%a6%81%e7%94%a8apparmor%e7%9a%84docker%e5%ae%b9%e5%99%a8">禁用AppArmor的Docker容器</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%a0%87%e5%87%86containerd%e5%ae%b9%e5%99%a8">标准containerd容器</a></li> </ul> </li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e6%bc%94%e7%a4%ba">演示</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e8%87%b4%e8%b0%a2">致谢</a></li> <li><a href="https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%8A%80%E6%9C%AF%E8%AF%A6%E8%A7%A3/#%e5%8f%82%e8%80%83%e6%96%87%e7%8c%ae">参考文献</a></li> </ul> <p>最近,我在研究针对Linux内核漏洞CVE-2022-3910的各种利用技术。在成功编写了一个利用DirtyCred实现本地权限提升的漏洞利用程序后,我的导师Billy问我是否可以通过修改代码,通过覆盖<code>/proc/sys/kernel/modprobe</code>来实现容器逃逸。</p> 基于文件DirtyCred的容器逃逸新方法 https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%96%B9%E6%B3%95/ Thu, 11 Sep 2025 18:37:47 +0800 https://blog.qife122.com/p/%E5%9F%BA%E4%BA%8E%E6%96%87%E4%BB%B6dirtycred%E7%9A%84%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%E6%96%B0%E6%96%B9%E6%B3%95/ <h1 id="基于文件dirtycred的容器逃逸新方法">基于文件DirtyCred的容器逃逸新方法</h1> <h2 id="相关io_uring组件介绍">相关io_uring组件介绍</h2> <h3 id="固定文件">固定文件</h3> <p>固定文件(或称直接描述符)可视为io_uring特定的文件描述符。io_uring维护对任何已注册文件的引用,以减少每次涉及文件的操作中文件描述符解析带来的额外开销;该引用仅在固定文件被注销或io_uring实例被销毁时释放。</p>