å‰å›ž ã¯ã€Pwnableå•é¡Œã«å–り組ã¿ã¾ã—ãŸã€‚CTF ã®ã‚«ãƒ†ã‚´ãƒªã®ä¸ã§ã‚‚ã€ä¸€ç•ªé›£ã—ã„ã¨è¨€ã‚れるã ã‘ã‚ã£ã¦ã€ã‹ãªã‚Šè‹¦åŠ´ã—ã¾ã—ãŸã€‚
今回ã¯ã€å‰å›žã® Pwnableå•é¡Œã§ã‚‚使用ã—ãŸã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã®ã‚»ã‚ュリティ機構(脆弱性緩和技術ã¨ã‚‚言ã†ï¼‰ã‚’調ã¹ã‚‹ãƒ„ールã§ã‚る「checksecã€ã®æ·±æŽ˜ã‚Šã‚’ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚
実行ファイルã®ã‚»ã‚ュリティ機構ã¨ã¯ã€ã‚‚ã—ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã«è„†å¼±æ€§ãŒå˜åœ¨ã—ã¦ã„ãŸã¨ã—ã¦ã‚‚ã€ãã®è„†å¼±æ€§ã«å¯¾ã™ã‚‹æ”»æ’ƒã‚’ã‚„ã‚Šã«ããã™ã‚‹ä»•çµ„ã¿ã®ã“ã¨ã§ã™ã€‚
例ãˆã°ã€ã‚¹ã‚¿ãƒƒã‚¯ã‚«ãƒŠãƒªãƒ¤ã¯ã€é–¢æ•°é–‹å§‹æ™‚ã«ã‚¹ã‚¿ãƒƒã‚¯ã«ãƒ©ãƒ³ãƒ€ãƒ ãªå€¤ã‚’æ ¼ç´ã—ã¦ãŠãã€é–¢æ•°çµ‚了時ã«ã€ãã®å€¤ãŒå¤‰åŒ–ã—ã¦ã„ãªã„ã‹ã‚’ãƒã‚§ãƒƒã‚¯ã—ã¾ã™ã€‚ã“ã‚Œã«ã‚ˆã£ã¦ã€ã‚¹ã‚¿ãƒƒã‚¯ã‚’使ã£ãŸæ”»æ’ƒã‚’æˆåŠŸã•ã›ã«ããã™ã‚‹ã“ã¨ãŒå‡ºæ¥ã¾ã™ã€‚
実行ファイルã®ã‚»ã‚ュリティ機構ã«ã¯ã€ã„ãã¤ã‹ç¨®é¡žãŒã‚ã‚‹ã®ã§ã€ãれらã®è©³ç´°ã¨ã€å®Ÿéš›ã«ã€ã‚³ãƒ³ãƒ‘イルã—ãŸã‚Šã€GDB ã§ç¢ºèªã—ãŸã‚Šã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
å‚考文献
ã¯ã˜ã‚ã«
「セã‚ュリティã€ã®è¨˜äº‹ä¸€è¦§ã§ã™ã€‚良ã‹ã£ãŸã‚‰å‚考ã«ã—ã¦ãã ã•ã„。
ã‚»ã‚ュリティã®è¨˜äº‹ä¸€è¦§
checksec ã®å…¬å¼ã‚µã‚¤ãƒˆã¯ä»¥ä¸‹ã§ã™ã€‚
github.com
環境ã¯ã€VirtualBox+ParrotOS 6.1 ã§ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
checksecã®æº–å‚™
checksec ã¯ã€å¾“æ¥ã‹ã‚‰ã‚·ã‚§ãƒ«ã‚¹ã‚¯ãƒªãƒ—トã§å®Ÿè£…ã•ã‚Œã¦ã„ã¾ã—ãŸãŒã€ã‚·ã‚§ãƒ«ã‚¹ã‚¯ãƒªãƒ—ト版ã¨ã—ã¦ã€2.7.x(ç¾åœ¨ã®æœ€æ–°ç‰ˆã¯ã€2.7.1)ãŒæœ€çµ‚リリースã§ã€ä»¥é™ã® 3.x ã‹ã‚‰ã¯ã€Go言語ã«ã‚ˆã‚‹å®Ÿè£…ã«ä»£ã‚ã‚‹ãã†ã§ã™ã€‚
上㮠URL ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã€å³å´ã«è¦‹ãˆã‚‹ Releases をクリックã—ã¾ã™ã€‚checksec.sh-2.7.1.zip ãŒãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã®ã§ã€ä»»æ„ã®å ´æ‰€ã«è§£å‡ã—ã¾ã™ã€‚解å‡ã—ãŸãƒ•ã‚©ãƒ«ãƒ€ã®ä¸ã«ã€Œchecksecã€ã¨ã„ã†ãƒ•ã‚¡ã‚¤ãƒ«åã®ã‚·ã‚§ãƒ«ã‚¹ã‚¯ãƒªãƒ—トãŒå…¥ã£ã¦ã„ã‚‹ã¨æ€ã„ã¾ã™ã€‚
ファイルã®ç¢ºèªã¨ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’確èªã—ã¦ã¿ã¾ã™ã€‚
$ file ../../tools/checksec.sh-2.7.1/checksec
../../tools/checksec.sh-2.7.1/checksec: Bourne-Again shell script, ASCII text executable
$ ../../tools/checksec.sh-2.7.1/checksec --version
checksec v2.7.1, Brian Davis, github.com/slimm609/checksec.sh, Dec 2015
Based off checksec v1.5, Tobias Klein, www.trapkit.de, November 2011
以é™ã§ã¯ã€ã“ã® checksec を使ã£ã¦ã„ãã¾ã™ã€‚
ç°¡å˜ãªC言語ã®ãƒ—ãƒã‚°ãƒ©ãƒ を用æ„ã™ã‚‹
実際ã«ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã®ã‚»ã‚ュリティ機構ãŒã©ã†ãªã£ã¦ã„ã‚‹ã‹ã‚’見るãŸã‚ã«ã€ç°¡å˜ãªãƒ—ãƒã‚°ãƒ©ãƒ を用æ„ã—ã¾ã™ã€‚
ã“ã®ãƒ—ãƒã‚°ãƒ©ãƒ を実行ã™ã‚‹ã¨ã€ãƒ¦ãƒ¼ã‚¶ã‹ã‚‰2回入力ã—ã¦ã‚‚らã£ã¦ã€ãã®åˆè¨ˆå€¤ãŒã€0 より大ãã‹ã£ãŸã‚‰ 0(æ£å¸¸çµ‚了)を返ã—ã€0 以下ã ã£ãŸã‚‰ 1(異常終了)を返ã—ã¾ã™ã€‚
ソースコードã¯ä»¥ä¸‹ã®é€šã‚Šã§ã™ã€‚アドレスã®ç¢ºèªãŒå¿…è¦ãªã®ã§ã€å…ˆé ã§ã€main関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼ˆå®Ÿè¡Œã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼‰ã€ãƒãƒ¼ã‚«ãƒ«å¤‰æ•°ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼ˆã‚¹ã‚¿ãƒƒã‚¯ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼‰ã€malloc関数ã§ç¢ºä¿ã—ãŸãƒ¡ãƒ¢ãƒªã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼ˆãƒ’ープã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼‰ã€malloc関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼ˆå…±æœ‰ãƒ©ã‚¤ãƒ–ラリã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼‰ã‚’表示ã—ã¦ã„ã¾ã™ã€‚
#include <stdio.h>
#include <stdlib.h>
int sub( int data )
{
int data2;
printf( "input data2: " );
scanf( "%d", &data2 );
return data + data2;
}
int main( int argc, void *argv[] )
{
int ret, data;
char buf[20], *mbuf;
mbuf = malloc( 20 );
printf( " main: %p\n", main );
printf( " buf: %p\n", buf );
printf( " mbuf: %p\n", mbuf );
printf( "malloc: %p\n", malloc );
printf( "input data: " );
scanf( "%d", &data );
ret = sub( data );
printf( "result: %d", ret );
if( ret > 0 )
return 0;
else
return 1;
}
ビルドã«ã¯ gcc を使ã„ã¾ã™ã€‚v12.2 ã®ã‚ˆã†ã§ã™ã€‚
ビルドã—ã¦ã€å®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚1 㨠2 を入力ã—ã¦ã€è¶³ã—åˆã‚ã›ãŸ 3 ãŒè¡¨ç¤ºã•ã‚Œã¦ã€æ£å¸¸çµ‚了ã—ã¦ã„ã¾ã™ã€‚
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/12/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 12.2.0-14' --with-bugurl=file:///usr/share/doc/gcc-12/README.Bugs --enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-12 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-12-bTRWOB/gcc-12-12.2.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-12-bTRWOB/gcc-12-12.2.0/debian/tmp-gcn/usr --enable-offload-defaulted --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.2.0 (Debian 12.2.0-14)
$ gcc -g -o hello_hello.out hello_hello.c
$ ./hello_hello.out
main: 0x55555555518d
buf: 0x7fffffffdf30
mbuf: 0x5555555592a0
malloc: 0x7ffff7e62860
input data: 1
input data2: 2
result: 3
ã“ã®ãƒ—ãƒã‚°ãƒ©ãƒ を使ã£ã¦ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã®ã‚»ã‚ュリティ機構を見ã¦ã„ãã¾ã™ã€‚
C言語プãƒã‚°ãƒ©ãƒ をデフォルトã§ãƒ“ルドã—ãŸå®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã®ã‚»ã‚ュリティ機構を見ã¦ã¿ã‚‹
å…ˆã»ã©ã€ãƒ“ルドã—ã¦å®Ÿè¡Œã—㟠hello_hello.out ã«å¯¾ã—ã¦ã€checksec を実行ã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚1行目ã¯ã€ã‚»ã‚ュリティ機構ã®é …ç›®åã§ã€2行目ãŒãã®çµæžœã§ã™ã€‚例ãˆã°ã€ã‚¹ã‚¿ãƒƒã‚¯ã‚«ãƒŠãƒªãƒ¤ã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ã¯ç„¡åŠ¹ã®ã‚ˆã†ã§ã™ã€‚
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 38 Symbols No 0 1 ./hello_hello.out
ç¾çŠ¶ã® ASLR(Address Space Layout Randomization)も確èªã—ã¦ãŠãã¾ã™ã€‚/proc/sys/kernel/randomize_va_space を見るã¨ç¢ºèªã§ãã¾ã™ã€‚0 ã®å ´åˆã¯ãƒ©ãƒ³ãƒ€ãƒ 化ã•ã‚Œã¾ã›ã‚“。1 ã¯ã€ä¸€éƒ¨ã‚’ランダム化ã•ã‚Œã¾ã™ï¼ˆå…±æœ‰ãƒ©ã‚¤ãƒ–ラリã€ã‚¹ã‚¿ãƒƒã‚¯ãªã©ï¼‰ã€‚2 ã®å ´åˆã¯å®Œå…¨ã«ãƒ©ãƒ³ãƒ€ãƒ 化ã•ã‚Œã¾ã™ã€‚1 ã®å ´åˆã«åŠ ãˆã¦ã€brk() ã§ç®¡ç†ã•ã‚Œã‚‹ãƒ¡ãƒ¢ãƒªã®é–‹å§‹ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚‚ランダム化ã•ã‚Œã‚‹ãã†ã§ã™ï¼ˆã‚ã¾ã‚Šåˆ†ã‹ã£ã¦ãªã„ã§ã™ãŒã€è¿½åŠ ã§ãƒ’ープを確ä¿ã™ã‚‹ã¨ãã®é ˜åŸŸï¼Ÿï¼‰ã€‚
$ cat /proc/sys/kernel/randomize_va_space
2
ã‚»ã‚ュリティ機構ã«ã¤ã„ã¦ã€ç°¡å˜ã«ã¾ã¨ã‚ã¦ãŠãã¾ã™ã€‚
| é …ç›® |
内容 |
| RELRO |
RELocation Read Only ã®ã“ã¨ã§ã€No RELRO(GOT ã«æ›¸ãè¾¼ã¿å¯èƒ½ï¼‰ã€Partial RELRO(__libc_start_main ãªã©ã®ã€ã”ã一部㮠GOT ã¯æ›¸ãè¾¼ã¿ç¦æ¢ï¼‰ã€Full RELRO(GOT ã¯æ›¸ãè¾¼ã¿ç¦æ¢ï¼‰ã®ã©ã‚Œã‹ã«ãªã‚‹ã€‚共有ライブラリã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ ¼ç´ã•ã‚Œã¦ã„ã‚‹ GOT を書ãè¾¼ã¿ç¦æ¢ã«ã™ã‚‹ |
| STACK CANARY |
関数開始時ã«ã‚¹ã‚¿ãƒƒã‚¯ã«ãƒ©ãƒ³ãƒ€ãƒ ãªå€¤ï¼ˆã‚«ãƒŠãƒªãƒ¤ï¼‰ã‚’æ ¼ç´ã—ã¦ãŠãã€é–¢æ•°çµ‚了時ã«ã€ãã®å€¤ãŒå¤‰åŒ–ã—ã¦ã„ãªã„ã‹ã‚’ãƒã‚§ãƒƒã‚¯ã™ã‚‹ï¼ˆSSP ã¨ã‚‚言ã†ï¼‰ |
| NX |
No eXecute ã®ã“ã¨ã§ã€ã‚¹ã‚¿ãƒƒã‚¯é ˜åŸŸã®ã‚³ãƒ¼ãƒ‰ã®å®Ÿè¡Œã‚’ç¦æ¢ã«ã™ã‚‹ |
| PIE |
Position Independent Executable ã®ã“ã¨ã§ã€ã“ã®å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ãŒé…ç½®ã•ã‚Œã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’ランダム化ã™ã‚‹ |
| RPATH |
実行ファイルã«å…±æœ‰ãƒ©ã‚¤ãƒ–ラリã®ã‚µãƒ¼ãƒã™ã‚‹ãƒªã‚¹ãƒˆã‚’æ ¼ç´ã—ã¦ã„ã‚‹ã“ã¨ç¤ºã™ï¼ˆæ”»æ’ƒã«åˆ©ç”¨ã•ã‚Œã‚‹ã“ã¨ãŒã‚ã‚‹ã®ã§ã€RPATH ãŒæœ‰åŠ¹ã‹ã©ã†ã‹ã‚’表示ã—ã¦ã„る) |
| RUNPATH |
RPATH ã¨æ©Ÿèƒ½ã¯åŒã˜ã ãŒã€LD_LIBRALY_PATHãŒå„ªå…ˆã•ã‚Œã‚‹ãŸã‚ã€RPATHより安全ã¨è¨€ã‚ã‚Œã¦ã„る(RUNPATH ãŒæœ‰åŠ¹ã‹ã©ã†ã‹ã‚’表示ã—ã¦ã„る) |
| Symbols |
実行ファイルã«å«ã¾ã‚Œã¦ã„ã‚‹ã‚·ãƒ³ãƒœãƒ«æƒ…å ±ã®æ•°ï¼ˆstrip ã•ã‚Œã¦ãªã„ã“ã¨ã‚’表示ã™ã‚‹ï¼‰ |
| FORTIFY |
GCCã€GLIBC ã«ãŠã‘ã‚‹ã‚»ã‚ュリティ機能ãŒæœ‰åŠ¹ã‹ã©ã†ã‹ã‚’示㙠|
| Fortified |
FORTIFY ã®æ©Ÿèƒ½ã‚’有効ã«ã—ãŸé–¢æ•°ã®æ•° |
| Fortifiable |
FORTIFY ã®æ©Ÿèƒ½æ•°ï¼ˆæœ‰åŠ¹ã«ã§ãる関数ã®æ•°ï¼‰ |
| FILE |
今回 checksec ã®å¯¾è±¡ã¨ã—ãŸãƒ—ãƒã‚°ãƒ©ãƒ |
RELROã«ã¤ã„ã¦å…·ä½“çš„ã«ç¢ºèªã™ã‚‹
ã¾ãšã€GOT(Global Offset Table)㨠PLT(Procefure Linkage Table)ã«ã¤ã„ã¦èª¿ã¹ã¾ã™ã€‚
GOTã¨PLTã«ã¤ã„ã¦å…·ä½“çš„ã«ç¢ºèªã™ã‚‹
共有ライブラリã®é–¢æ•°ï¼ˆä¾‹ãˆã°ã€printf関数)をã€ãƒ—ãƒã‚°ãƒ©ãƒ ã‹ã‚‰å‘¼ã³å‡ºã™ã¨ãã¯ã€ã¾ãšã€PLT GOT ã¨ã¯ã€ PLT
GDB(gdb-peda 導入済ã¿ï¼‰ã‚’èµ·å‹•ã—ã¾ã™ã€‚å…ˆé ã® malloc関数をコールã™ã‚‹ç›´å‰ã§æ¢ã¾ã‚Šã¾ã—ãŸã€‚
$ gdb -q hello_hello.out
no key sequence terminator:
Reading symbols from hello_hello.out...
gdb-peda$ start
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.
Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[----------------------------------registers-----------------------------------]
RAX: 0x55555555518d (<main>: push rbp)
RBX: 0x7fffffffe358 --> 0x7fffffffe5d2 ("/home/user/svn/experiment/c/hello_hello.out")
RCX: 0x555555557dd0 --> 0x555555555100 (<__do_global_dtors_aux>: endbr64)
RDX: 0x7fffffffe368 --> 0x7fffffffe5fe ("SHELL=/bin/bash")
RSI: 0x7fffffffe358 --> 0x7fffffffe5d2 ("/home/user/svn/experiment/c/hello_hello.out")
RDI: 0x1
RBP: 0x7fffffffe240 --> 0x1
RSP: 0x7fffffffe200 --> 0x7fffffffe358 --> 0x7fffffffe5d2 ("/home/user/svn/experiment/c/hello_ hello.out")
RIP: 0x55555555519c (<main+15>: mov edi,0x14)
R8 : 0x0
R9 : 0x7ffff7fcf680 (<_dl_fini>: push rbp)
R10: 0x7ffff7fcb878 --> 0xc00120000000e
R11: 0x7ffff7fe1930 (<_dl_audit_preinit>: mov eax,DWORD PTR [rip+0x1b4e2]
R12: 0x0
R13: 0x7fffffffe368 --> 0x7fffffffe5fe ("SHELL=/bin/bash")
R14: 0x555555557dd0 --> 0x555555555100 (<__do_global_dtors_aux>: endbr64)
R15: 0x7ffff7ffd020 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555555191 <main+4>: sub rsp,0x40
0x555555555195 <main+8>: mov DWORD PTR [rbp-0x34],edi
0x555555555198 <main+11>: mov QWORD PTR [rbp-0x40],rsi
=> 0x55555555519c <main+15>: mov edi,0x14
0x5555555551a1 <main+20>: call 0x555555555050 <malloc@plt>
0x5555555551a6 <main+25>: mov QWORD PTR [rbp-0x8],rax
0x5555555551aa <main+29>: lea rax,[rip+0xffffffffffffffdc]
0x5555555551b1 <main+36>: mov rsi,rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe200 --> 0x7fffffffe358 --> 0x7fffffffe5d2 ("/home/user/svn/experiment/c/hello _hello.out")
0008| 0x7fffffffe208 --> 0x100000000
0016| 0x7fffffffe210 --> 0x0
0024| 0x7fffffffe218 --> 0x0
0032| 0x7fffffffe220 --> 0x0
0040| 0x7fffffffe228 --> 0x0
0048| 0x7fffffffe230 --> 0x0
0056| 0x7fffffffe238 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, main (argc=0x1, argv=0x7fffffffe358) at hello_hello.c:20
20 mbuf = malloc( 20 );
ã¾ãšã€ãƒ¡ãƒ¢ãƒªé…置を確èªã—ã¦ãŠãã¾ã™ã€‚開始アドレスã¯ã€0x555555554000 ã§ã™ã€‚
$ i proc map
process 319238
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x555555554000 0x555555555000 0x1000 0x0 r--p /home/user/svn/experiment/c/hello_hello.out
0x555555555000 0x555555556000 0x1000 0x1000 r-xp /home/user/svn/experiment/c/hello_hello.out
0x555555556000 0x555555557000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello.out
0x555555557000 0x555555558000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello.out
0x555555558000 0x555555559000 0x1000 0x3000 rw-p /home/user/svn/experiment/c/hello_hello.out
0x7ffff7dc7000 0x7ffff7dca000 0x3000 0x0 rw-p
0x7ffff7dca000 0x7ffff7df0000 0x26000 0x0 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7df0000 0x7ffff7f45000 0x155000 0x26000 r-xp /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f45000 0x7ffff7f98000 0x53000 0x17b000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f98000 0x7ffff7f9c000 0x4000 0x1ce000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9c000 0x7ffff7f9e000 0x2000 0x1d2000 rw-p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9e000 0x7ffff7fab000 0xd000 0x0 rw-p
0x7ffff7fc3000 0x7ffff7fc5000 0x2000 0x0 rw-p
0x7ffff7fc5000 0x7ffff7fc9000 0x4000 0x0 r--p [vvar]
0x7ffff7fc9000 0x7ffff7fcb000 0x2000 0x0 r-xp [vdso]
0x7ffff7fcb000 0x7ffff7fcc000 0x1000 0x0 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7fcc000 0x7ffff7ff1000 0x25000 0x1000 r-xp /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ff1000 0x7ffff7ffb000 0xa000 0x26000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffb000 0x7ffff7ffd000 0x2000 0x30000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x32000 rw-p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 rw-p [stack]
malloc関数ã¯ä¸€åº¦ã—ã‹ä½¿ã£ã¦ãªã„ã®ã§ã€æ¬¡ã® printf関数ã§ã€GOTã€PLT ã«ã¤ã„ã¦ç¢ºèªã—ã¾ã™ã€‚逆アセンブラを表示ã—ã¦ã€å…¨ä½“を見ã¾ã™ã€‚+20 ã®ã¨ã“ã‚ã§ã€malloc関数をコールã—ã¦ã€+54 ã®ã¨ã“ã‚㧠printf関数をコールã—ã¦ã„ã¾ã™ã€‚ãã—ã¦ã€+81 ã®ã¨ã“ã‚ã§ã€2回目㮠printf関数をコールã—ã¦ã„ã¾ã™ã€‚
gdb-peda$ disas
Dump of assembler code for function main:
0x000055555555518d <+0>: push rbp
0x000055555555518e <+1>: mov rbp,rsp
0x0000555555555191 <+4>: sub rsp,0x40
0x0000555555555195 <+8>: mov DWORD PTR [rbp-0x34],edi
0x0000555555555198 <+11>: mov QWORD PTR [rbp-0x40],rsi
=> 0x000055555555519c <+15>: mov edi,0x14
0x00005555555551a1 <+20>: call 0x555555555050 <malloc@plt>
0x00005555555551a6 <+25>: mov QWORD PTR [rbp-0x8],rax
0x00005555555551aa <+29>: lea rax,[rip+0xffffffffffffffdc]
0x00005555555551b1 <+36>: mov rsi,rax
0x00005555555551b4 <+39>: lea rax,[rip+0xe5a]
0x00005555555551bb <+46>: mov rdi,rax
0x00005555555551be <+49>: mov eax,0x0
0x00005555555551c3 <+54>: call 0x555555555030 <printf@plt>
0x00005555555551c8 <+59>: lea rax,[rbp-0x30]
0x00005555555551cc <+63>: mov rsi,rax
0x00005555555551cf <+66>: lea rax,[rip+0xe4b]
0x00005555555551d6 <+73>: mov rdi,rax
0x00005555555551d9 <+76>: mov eax,0x0
0x00005555555551de <+81>: call 0x555555555030 <printf@plt>
0x00005555555551e3 <+86>: mov rax,QWORD PTR [rbp-0x8]
0x00005555555551e7 <+90>: mov rsi,rax
0x00005555555551ea <+93>: lea rax,[rip+0xe3c]
0x00005555555551f1 <+100>: mov rdi,rax
0x00005555555551f4 <+103>: mov eax,0x0
0x00005555555551f9 <+108>: call 0x555555555030 <printf@plt>
malloc関数やã€printf関数ã¯ã€@plt ã¨ã„ã†ã®ãŒä»˜ã„ã¦ã¾ã™ã€‚MAPファイルを確èªã—ã¦ã¿ã¾ã™ã€‚0x555555554000 ã« 0x1020 を足ã™ã¨ã€PLT ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ãªã‚Šã¾ã™ã€‚printf関数ã¯ã€0x1030 ã¨æ›¸ã‹ã‚Œã¦ã‚‹ã®ã§ã€0x555555554000+0x1030=0x555555555030 ã¨ãªã‚Šã€ä¸Šã®é€†ã‚¢ã‚»ãƒ³ãƒ–ラ表示ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨ä¸€è‡´ã—ã¦ã„ã¾ã™ã€‚1ã¤ã® PLT ã®ã‚¨ãƒ³ãƒˆãƒªãŒ 16byte ã¨ãªã£ã¦ã„ã¾ã™ã€‚PLT ã®é ˜åŸŸã¯ã€hello_hello.out ã«å«ã¾ã‚Œã¦ã„ã¾ã™ã€‚
.plt 0x0000000000001020 0x30
*(.plt)
.plt 0x0000000000001020 0x30 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000001030 printf@@GLIBC_2.2.5
0x0000000000001040 __isoc99_scanf@@GLIBC_2.7
ã§ã¯ã€printf@plt ã«é£›ã‚“ã 後ã®çŠ¶æ…‹ã‚’見ã¦ã¿ã¾ã™ã€‚16byte ã«æ ¼ç´ã•ã‚Œã¦ã„るコードã¯ã€[email protected] ã«æ ¼ç´ã•ã‚Œã¦ã„るアドレスã¸ã®ã‚¸ãƒ£ãƒ³ãƒ—ã¨ã€0x555555555020 ã¸ã®ã‚¸ãƒ£ãƒ³ãƒ—ã§ã—ãŸã€‚
[-------------------------------------code-------------------------------------]
0x555555555021: xor eax,0x2fca
0x555555555026: jmp QWORD PTR [rip+0x2fcc]
0x55555555502c: nop DWORD PTR [rax+0x0]
=> 0x555555555030 <printf@plt>: jmp QWORD PTR [rip+0x2fca]
| 0x555555555036 <printf@plt+6>: push 0x0
| 0x55555555503b <printf@plt+11>: jmp 0x555555555020
| 0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
| 0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
|-> 0x555555555036 <printf@plt+6>: push 0x0
0x55555555503b <printf@plt+11>: jmp 0x555555555020
0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
JUMP is taken
MAPファイルã§ã€[email protected] ã¨æ›¸ã‹ã‚ŒãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’見ã¦ã¿ã¾ã™ã€‚_GLOBAL_OFFSET_TABLE_ ã¨æ›¸ã‹ã‚Œã¦ã„ã¾ã™ã€‚0x555555554000+0x3fe8=0x555555557fe8 ã‹ã‚‰ã€0x555555554000+0x3fe8+0x28=0x555555558010 ㌠got.plt ã®é ˜åŸŸã«ãªã‚Šã¾ã™ã€‚.got 㨠.got.plt ã¯ã€ä¸¡æ–¹ã¨ã‚‚ GOTé ˜åŸŸã¨å‘¼ã°ã‚Œã‚‹ãã†ã§ã™ã€‚ã©ã¡ã‚‰ã‚‚ã€hello_hello.out ã«å«ã¾ã‚Œã¦ã„ã¾ã™ã€‚
.got.plt 0x0000000000003fe8 0x28
*(.got.plt)
.got.plt 0x0000000000003fe8 0x28 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000003fe8 _GLOBAL_OFFSET_TABLE_
*(.igot.plt)
[email protected] ã«å…¥ã£ã¦ã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’確èªã—ã¾ã™ã€‚gdb-peda ãŒä¸‹ã«è¡¨ç¤ºã—ã¦ãã‚Œã¦ã„るよã†ã«ã€0x555555555036 ã® push 0x0 ã§ã™ã€‚次ã®å‘½ä»¤ã§ã™ã。1回目ã¯ã€0x555555555020 ã®ã‚¸ãƒ£ãƒ³ãƒ—å…ˆã§ã‚¢ãƒ‰ãƒ¬ã‚¹è§£æ±ºã‚’ã—ã¦ã€[email protected] ã« printf関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’æ ¼ç´ã—ã¦ãれるã¯ãšã§ã™ã€‚ãã‚Œã«ã‚ˆã£ã¦ã€2回目ã¯ã€ç›´æŽ¥ printf関数ã«ã‚¸ãƒ£ãƒ³ãƒ—ã§ãるよã†ã«ãªã‚Šã¾ã™ã€‚
gdb-peda$ x/g 0x555555558000
0x555555558000 <printf@got.plt>: 0x0000555555555036
[email protected] ã«æ ¼ç´ã•ã‚Œã¦ã„るアドレスã«ã‚¸ãƒ£ãƒ³ãƒ—ã—ã¦ã¿ã¾ã™ã€‚push 0x0 ã«é£›ã³ã¾ã—ãŸã€‚
[-------------------------------------code-------------------------------------]
0x555555555026: jmp QWORD PTR [rip+0x2fcc]
0x55555555502c: nop DWORD PTR [rax+0x0]
0x555555555030 <printf@plt>: jmp QWORD PTR [rip+0x2fca]
=> 0x555555555036 <printf@plt+6>: push 0x0
0x55555555503b <printf@plt+11>: jmp 0x555555555020
0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
0x55555555504b <__isoc99_scanf@plt+11>: jmp 0x555555555020
ã“ã®å¾Œã€0x555555555020 ã«ã‚¸ãƒ£ãƒ³ãƒ—ã—ã¦ã€ã‚·ãƒ³ã‚°ãƒ«ã‚¹ãƒ†ãƒƒãƒ—実行を1回ã™ã‚‹ã¨ã€ä»¥ä¸‹ã«ãªã‚Šã¾ã™ã€‚1ã¤å‰ã®å‘½ä»¤ãŒå¤‰ã«è¦‹ãˆã¾ã™ï¼ˆ0x555555555020 ã ã£ãŸã®ãŒã€0x555555555021 ã«å¤‰ã‚ã£ãŸï¼‰ãŒã€ãã“ã¯æ°—ã«ã—ãªã„ã§ãŠãã¾ã™ã€‚_dl_runtime_resolve_xsave ã¨ã„ã†ã‚¢ãƒ‰ãƒ¬ã‚¹è§£æ±ºã‚’ã—ã¦ãれるモジュールã«é£›ã¶ã‚ˆã†ã§ã™ã€‚
[-------------------------------------code-------------------------------------]
0x55555555501d: add BYTE PTR [rax],al
0x55555555501f: add bh,bh
0x555555555021: xor eax,0x2fca
=> 0x555555555026: jmp QWORD PTR [rip+0x2fcc]
| 0x55555555502c: nop DWORD PTR [rax+0x0]
| 0x555555555030 <printf@plt>: jmp QWORD PTR [rip+0x2fca]
| 0x555555555036 <printf@plt+6>: push 0x0
| 0x55555555503b <printf@plt+11>: jmp 0x555555555020
|-> 0x7ffff7fdd060 <_dl_runtime_resolve_xsave>: push rbx
0x7ffff7fdd061 <_dl_runtime_resolve_xsave+1>: mov rbx,rsp
0x7ffff7fdd064 <_dl_runtime_resolve_xsave+4>: and rsp,0xffffffffffffffc0
0x7ffff7fdd068 <_dl_runtime_resolve_xsave+8>: sub rsp,QWORD PTR [rip+0x1fbe1]
JUMP is taken
ã“ã®ä¸ã¯ã€ã¡ã‚‡ã£ã¨é•·ãã†ãªã®ã§ã€æ¬¡ã® printf関数ã®å‘¼ã³å‡ºã—ã¾ã§é€²ã‚ã¾ã™ã€‚ç›´å‰ã¾ã§é€²ã‚ã¾ã—ãŸã€‚
[-------------------------------------code-------------------------------------]
0x5555555551cf <main+66>: lea rax,[rip+0xe4b]
0x5555555551d6 <main+73>: mov rdi,rax
0x5555555551d9 <main+76>: mov eax,0x0
=> 0x5555555551de <main+81>: call 0x555555555030 <printf@plt>
0x5555555551e3 <main+86>: mov rax,QWORD PTR [rbp-0x8]
0x5555555551e7 <main+90>: mov rsi,rax
0x5555555551ea <main+93>: lea rax,[rip+0xe3c]
0x5555555551f1 <main+100>: mov rdi,rax
Guessed arguments:
arg[0]: 0x555555556021 (" buf: %p\n")
arg[1]: 0x7fffffffe210 --> 0x0
ä¸ã«å…¥ã‚Šã¾ã™ã€‚å…ˆã»ã©ã® 1回目㮠printf関数ã¨åŒã˜ã¨ã“ã‚ã«ãã¾ã—ãŸã€‚
[-------------------------------------code-------------------------------------]
0x555555555021: xor eax,0x2fca
0x555555555026: jmp QWORD PTR [rip+0x2fcc]
0x55555555502c: nop DWORD PTR [rax+0x0]
=> 0x555555555030 <printf@plt>: jmp QWORD PTR [rip+0x2fca]
| 0x555555555036 <printf@plt+6>: push 0x0
| 0x55555555503b <printf@plt+11>: jmp 0x555555555020
| 0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
| 0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
|-> 0x7ffff7e1c5b0 <__printf>: sub rsp,0xd8
0x7ffff7e1c5b7 <__printf+7>: mov QWORD PTR [rsp+0x28],rsi
0x7ffff7e1c5bc <__printf+12>: mov QWORD PTR [rsp+0x30],rdx
0x7ffff7e1c5c1 <__printf+17>: mov QWORD PTR [rsp+0x38],rcx
JUMP is taken
åŒã˜ã‚ˆã†ã«ã€0x555555558000 ã«æ ¼ç´ã•ã‚Œã¦ã„る値を見ã¦ã¿ã¾ã™ã€‚ã•ã£ãã¯æ¬¡ã®è¡Œã® push 0x0 ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ ¼ç´ã•ã‚Œã¦ã„ã¾ã—ãŸãŒã€å¤‰åŒ–ã—ã¦ã„ã¾ã™ã€‚
gdb-peda$ x/g 0x555555558000
0x555555558000 <printf@got.plt>: 0x00007ffff7e1c5b0
å…ˆã»ã©ã® i proc map ã®å‡ºåŠ›ã®ä¸€éƒ¨ã‚’貼りã¾ã™ã€‚0x00007ffff7e1c5b0 ã¯ã€2行目ã®å®Ÿè¡Œå¯èƒ½ãª x ã®ä»˜ã„ã¦ã‚‹ã¨ã“ã‚ã§ã™ã。libc ãªã®ã§ã€printf関数ã®å®Ÿè£…ãŒæ ¼ç´ã•ã‚Œã¦ã„ã‚‹ã¨æ€ã‚ã‚Œã¾ã™ã€‚
0x7ffff7dca000 0x7ffff7df0000 0x26000 0x0 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7df0000 0x7ffff7f45000 0x155000 0x26000 r-xp /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f45000 0x7ffff7f98000 0x53000 0x17b000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f98000 0x7ffff7f9c000 0x4000 0x1ce000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9c000 0x7ffff7f9e000 0x2000 0x1d2000 rw-p /usr/lib/x86_64-linux-gnu/libc.so.6
ã“ã“ã¾ã§ã®å†…容をã¾ã¨ã‚ã¾ã™ã€‚ã¾ãšã€plt(hello_hello.out ã«å«ã¾ã‚Œã¦ã„ã‚‹ 16byteã®ãƒ—ãƒã‚°ãƒ©ãƒ ã ã£ãŸï¼‰ã«ã¯ã€got.plt(hello_hello.out ã«å«ã¾ã‚Œã¦ã„ã‚‹ã€å…±æœ‰ãƒ©ã‚¤ãƒ–ラリをコールã™ã‚‹ãŸã‚ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’æ ¼ç´ã—ãŸãƒ†ãƒ¼ãƒ–ルã ã£ãŸï¼‰ã‹ã‚‰ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’å–å¾—ã—ã¦ã‚¸ãƒ£ãƒ³ãƒ—ã™ã‚‹å‡¦ç†ã¨ã€1回目㮠printf関数ã§å®Ÿè¡Œã•ã‚Œã¦ã„㟠_dl_runtime_resolve_xsave ã¨ã„ã†ã‚¢ãƒ‰ãƒ¬ã‚¹è§£æ±ºã‚’ã—ã¦ãã‚Œãã†ãªé–¢æ•°ã«ã‚¸ãƒ£ãƒ³ãƒ—ã™ã‚‹å‡¦ç†ãŒé…ç½®ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚
2回目㮠printf関数ã§ã¯ã€åŒã˜ã‚ˆã†ã«ã€plt ã«å…¥ã£ã¦ã€åŒæ§˜ã«ã€got.plt ã‹ã‚‰ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’å–å¾—ã—ã¾ã—ãŸãŒã€ã“ã® got.plt ã«æ ¼ç´ã•ã‚ŒãŸã‚¢ãƒ‰ãƒ¬ã‚¹ãŒã€printf関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«å¤‰åŒ–ã—ã¦ã„ã¾ã—ãŸã€‚1回目ã§ã‚¢ãƒ‰ãƒ¬ã‚¹è§£æ±ºã—ã¦ã€got.plt ã« printf関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’æ ¼ç´ã—ã¦ãã‚ŒãŸã®ã§ã€2回目以é™ã¯ç›´æŽ¥ printf関数ã«ã‚¸ãƒ£ãƒ³ãƒ—ã§ãるよã†ã«ãªã£ãŸã¨ã„ã†ã“ã¨ã§ã™ã€‚
今回確èªã—ãŸã®ã¯ã€plt 㨠got.plt ã§ã—ãŸã€‚ã—ã‹ã—ã€GOTé ˜åŸŸã¯ã€got 㨠got.plt ã¨ã„ã†ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã®ã“ã¨ã§ã™ã€‚plt.got ã¨ã„ã†é ˜åŸŸãŒã‚ã‚Šã¾ã™ãŒã€ã“ã“ã«ã¤ã„ã¦ã¯ã€ä»Šã¯åˆ†ã‹ã‚‰ãªã„ã®ã§ã€èª¿æŸ»ã§ããŸã‚‰ã€ã“ã“ã«è¿½è¨˜ã—ã¾ã™ã€‚
Partial RELROã¨FULL RELROã«ã¤ã„ã¦
RELRO ã¯ã€GOT ã®æ›¸ãè¾¼ã¿ã‚’ç¦æ¢ã™ã‚‹ã‚»ã‚ュリティ機構ã§ã™ã€‚
コンパイルオプション㮠-Wl,-z,relro ã¯ã€ãƒªãƒ³ã‚«ã« RELROセクションを作るよã†ã«æŒ‡ç¤ºã—ã¾ã™ã€‚ã¾ãŸã€ã‚³ãƒ³ãƒ‘イルオプション㮠-Wl,-z,now ã¯ã€ãƒªãƒ³ã‚«ã«ãƒ—ãƒã‚°ãƒ©ãƒ 起動時ã«ã™ã¹ã¦ã®ã‚·ãƒ³ãƒœãƒ«ã®è§£æ±ºã‚’è¡Œã†ã‚ˆã†æŒ‡ç¤ºã—ã¾ã™ã€‚
以下ã«ã€3通りを試ã—ã¾ã—ãŸã€‚çµè«–ã¨ã—ã¦ã¯ã€checksec ã®å‡ºåŠ›ã‚’ Full RELRO ã«ã™ã‚‹ã«ã¯ã€-Wl,-z,now ã ã‘ã§ã„ã„ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
$ gcc -g -Wl,-z,relro -Wl,-Map=hello_hello_relro.map -o hello_hello_relro.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_relro.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 39 Symbols No 0 1 ./hello_hello_relro.out
$ gcc -g -Wl,-z,now -Wl,-Map=hello_hello_now.map -o hello_hello_now.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_now.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 39 Symbols No 0 1 ./hello_hello_now.out
$ gcc -g -Wl,-z,relro -Wl,-z,now -Wl,-Map=hello_hello_relro_now.map -o hello_hello_relro_now.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_relro_now.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 39 Symbols No 0 1 ./hello_hello_relro_now.out
最åˆã«ã€ã‚³ãƒ³ãƒ‘イルオプション㮠relro ã«ã¤ã„ã¦èª¿ã¹ã¾ã™ã€‚relro を指定ã—ã¦ãªã„通常ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã¨æ¯”較ã—ã¾ã™ã€‚MAPファイルã¨é€†ã‚¢ã‚»ãƒ³ãƒ–ラã§æ¯”較ã—ã¾ã—ãŸã€‚çµæžœã‚’見るé™ã‚Šã€ã‚³ãƒ³ãƒ‘イルオプション㮠relro を付ã‘ã¦ã‚‚変化ã¯ã‚ã‚Šã¾ã›ã‚“ã§ã—ãŸã€‚上ã®çµæžœã§ã‚‚ relro ã¯å½±éŸ¿ãŒè¦‹ã‚‰ã‚Œãªã‹ã£ãŸã®ã§ã€ãã†ã„ã†ã‚‚ã®ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。
$ objdump -M intel -d hello_hello.out > hello_hello.s
$ objdump -M intel -d hello_hello_relro.out > hello_hello_relro.s
$ diff hello_hello.s hello_hello_relro.s
--- hello_hello.s 2024-09-14 16:37:21.724997508 +0900
+++ hello_hello_relro.s 2024-09-14 16:37:10.970791296 +0900
@@ -1,5 +1,5 @@
-hello_hello.out: file format elf64-x86-64
+hello_hello_relro.out: file format elf64-x86-64
$ diff hello_hello.map hello_hello_relro.map
--- hello_hello.map 2024-09-13 20:24:36.926962157 +0900
+++ hello_hello_relro.map 2024-09-13 22:50:58.807749077 +0900
@@ -6,7 +6,7 @@
As-needed library included to satisfy reference by file (symbol)
-libc.so.6 /tmp/ccVKmQjn.o (malloc@@GLIBC_2.2.5)
+libc.so.6 /tmp/cc5qA2Go.o (malloc@@GLIBC_2.2.5)
Discarded input sections
@@ -19,7 +19,7 @@
.note.gnu.property
0x0000000000000000 0x20 /usr/lib/gcc/x86_64-linux-gnu/12/crtbeginS.o
.note.GNU-stack
- 0x0000000000000000 0x0 /tmp/ccVKmQjn.o
+ 0x0000000000000000 0x0 /tmp/cc5qA2Go.o
.note.GNU-stack
0x0000000000000000 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/crtendS.o
.note.gnu.property
@@ -37,7 +37,7 @@
LOAD /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
LOAD /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crti.o
LOAD /usr/lib/gcc/x86_64-linux-gnu/12/crtbeginS.o
-LOAD /tmp/ccVKmQjn.o
+LOAD /tmp/cc5qA2Go.o
LOAD /usr/lib/gcc/x86_64-linux-gnu/12/libgcc.a
LOAD /usr/lib/gcc/x86_64-linux-gnu/12/libgcc_s.so
START GROUP
@@ -179,7 +179,7 @@
.text 0x0000000000001082 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crti.o
*fill* 0x0000000000001082 0xe
.text 0x0000000000001090 0xb9 /usr/lib/gcc/x86_64-linux-gnu/12/crtbeginS.o
- .text 0x0000000000001149 0x13c /tmp/ccVKmQjn.o
+ .text 0x0000000000001149 0x13c /tmp/cc5qA2Go.o
0x0000000000001149 sub
0x000000000000118d main
.text 0x0000000000001285 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/crtendS.o
@@ -201,7 +201,7 @@
*(.rodata .rodata.* .gnu.linkonce.r.*)
.rodata.cst4 0x0000000000002000 0x4 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000002000 _IO_stdin_used
- .rodata 0x0000000000002004 0x59 /tmp/ccVKmQjn.o
+ .rodata 0x0000000000002004 0x59 /tmp/cc5qA2Go.o
.rodata1
*(.rodata1)
@@ -220,7 +220,7 @@
.eh_frame 0x00000000000020c8 0x40 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
.eh_frame 0x0000000000002108 0x18 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x30 (size before relaxing)
- .eh_frame 0x0000000000002120 0x40 /tmp/ccVKmQjn.o
+ .eh_frame 0x0000000000002120 0x40 /tmp/cc5qA2Go.o
0x58 (size before relaxing)
.eh_frame 0x0000000000002160 0x4 /usr/lib/gcc/x86_64-linux-gnu/12/crtendS.o
*(.eh_frame.*)
@@ -334,7 +334,7 @@
.data.rel.local
0x0000000000004018 0x8 /usr/lib/gcc/x86_64-linux-gnu/12/crtbeginS.o
0x0000000000004018 __dso_handle
- .data 0x0000000000004020 0x0 /tmp/ccVKmQjn.o
+ .data 0x0000000000004020 0x0 /tmp/cc5qA2Go.o
.data 0x0000000000004020 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/crtendS.o
.data 0x0000000000004020 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crtn.o
@@ -359,7 +359,7 @@
.bss 0x0000000000004020 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
.bss 0x0000000000004020 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crti.o
.bss 0x0000000000004020 0x1 /usr/lib/gcc/x86_64-linux-gnu/12/crtbeginS.o
- .bss 0x0000000000004021 0x0 /tmp/ccVKmQjn.o
+ .bss 0x0000000000004021 0x0 /tmp/cc5qA2Go.o
.bss 0x0000000000004021 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/crtendS.o
.bss 0x0000000000004021 0x0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crtn.o
*(COMMON)
@@ -406,7 +406,7 @@
*(.comment)
.comment 0x0000000000000000 0x1f /usr/lib/gcc/x86_64-linux-gnu/12/crtbeginS.o
0x20 (size before relaxing)
- .comment 0x000000000000001f 0x20 /tmp/ccVKmQjn.o
+ .comment 0x000000000000001f 0x20 /tmp/cc5qA2Go.o
.comment 0x000000000000001f 0x20 /usr/lib/gcc/x86_64-linux-gnu/12/crtendS.o
.gnu.build.attributes
@@ -427,29 +427,29 @@
.debug_aranges 0x0000000000000000 0x30
*(.debug_aranges)
.debug_aranges
- 0x0000000000000000 0x30 /tmp/ccVKmQjn.o
+ 0x0000000000000000 0x30 /tmp/cc5qA2Go.o
.debug_pubnames
*(.debug_pubnames)
.debug_info 0x0000000000000000 0x1ad
*(.debug_info .gnu.linkonce.wi.*)
- .debug_info 0x0000000000000000 0x1ad /tmp/ccVKmQjn.o
+ .debug_info 0x0000000000000000 0x1ad /tmp/cc5qA2Go.o
.debug_abbrev 0x0000000000000000 0x10d
*(.debug_abbrev)
- .debug_abbrev 0x0000000000000000 0x10d /tmp/ccVKmQjn.o
+ .debug_abbrev 0x0000000000000000 0x10d /tmp/cc5qA2Go.o
.debug_line 0x0000000000000000 0x93
*(.debug_line .debug_line.* .debug_line_end)
- .debug_line 0x0000000000000000 0x93 /tmp/ccVKmQjn.o
+ .debug_line 0x0000000000000000 0x93 /tmp/cc5qA2Go.o
.debug_frame
*(.debug_frame)
.debug_str 0x0000000000000000 0xdf
*(.debug_str)
- .debug_str 0x0000000000000000 0xdf /tmp/ccVKmQjn.o
+ .debug_str 0x0000000000000000 0xdf /tmp/cc5qA2Go.o
0x11e (size before relaxing)
.debug_loc
@@ -483,7 +483,7 @@
0x0000000000000000 0x7a
*(.debug_line_str)
.debug_line_str
- 0x0000000000000000 0x7a /tmp/ccVKmQjn.o
+ 0x0000000000000000 0x7a /tmp/cc5qA2Go.o
0xb2 (size before relaxing)
.debug_loclists
@@ -511,4 +511,4 @@
*(.note.GNU-stack)
*(.gnu_debuglink)
*(.gnu.lto_*)
-OUTPUT(hello_hello.out elf64-x86-64)
+OUTPUT(hello_hello_relro.out elf64-x86-64)
次ã«ã€ã‚³ãƒ³ãƒ‘イルオプション㮠now ã«ã¤ã„ã¦èª¿ã¹ã¾ã™ã€‚now を指定ã—ã¦ãªã„通常ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã¨æ¯”較ã—ã¾ã™ã€‚MAPファイルを比較ã—ãŸã¨ã“ã‚ã€å·®ç•°ãŒå¤šãã€å…¨éƒ¨ã¯è²¼ã‚Œã¾ã›ã‚“ãŒã€ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã®ã‚µã‚¤ã‚ºãŒç•°ãªã‚‹ã¨ã“ã‚ã ã‘貼りã¾ã™ã€‚dynamic ã¨ã„ã†ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã¨ã€got ã®ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã®ã‚µã‚¤ã‚ºãŒç•°ãªã£ã¦ã„ã¾ã—ãŸã€‚
ã¾ãŸã€ã¡ã‚‡ã£ã¨åˆ†ã‹ã‚Šã«ãã„ã®ã§ã™ãŒã€ãã‚Œãžã‚Œã® .got 以é™ã®è¡Œã«æ³¨ç›®ã—ã¾ã™ã€‚now を指定ã—ãªã„æ–¹ã¯ã€.got ㌠0x3fb8 ã‹ã‚‰å§‹ã¾ã‚Šã€0x30 ã®ã‚µã‚¤ã‚ºãŒã‚り(0x3fb8+0x30=0x3fe8)ã€æ¬¡ã«ã€.got.plt ㌠0x3fe8 ã‹ã‚‰å§‹ã¾ã‚Šã€0x28 ã®ã‚µã‚¤ã‚ºãŒã‚ã‚Šã¾ã™ï¼ˆ0x3fe8+0x28=0x4010)。0x555555554000 ã‹ã‚‰ 0x555555558000 ã¾ã§ã¯æ›¸ãè¾¼ã¿ç¦æ¢ã§ã‚ã‚Šã€0x555555558000 以é™ã¯æ›¸ãè¾¼ã¿å¯èƒ½ã§ã™ã€‚ã¤ã¾ã‚Šã€.got.plt ã®æœ«å°¾ã® 16byte ã ã‘ãŒæ›¸ãè¾¼ã¿å¯èƒ½ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
一方ã€now を指定ã—ãŸæ–¹ã¯ã€.got ㌠0x3fa8 ã‹ã‚‰å§‹ã¾ã‚Šã€0x58 ã®ã‚µã‚¤ã‚ºãŒã‚ã‚‹ã ã‘ã§ã™ï¼ˆ0x3fa8+0x58=0x4000)。.got.plt ãŒã‚るよã†ã«è¦‹ãˆã¾ã™ãŒã€ã“ã‚Œã¯ã‚µãƒ–セクションã¨ã„ã†ã‚‰ã—ã(from ChatGPT)ã€.got ã®ä¸ã«å«ã¾ã‚Œã¦ã„ã¾ã™ã€‚ã¤ã¾ã‚Šã€now を指定ã—ãŸæ–¹ã¯ã€.got.plt ã¨ã„ã†ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã¯ç„¡ããªã£ã¦ã„ã¦ã€.got ã«å«ã¾ã‚Œã‚‹å½¢ã«ãªã£ã¦ã„ã¾ã—ãŸã€‚readelfコマンド㮠-S オプションã§ç¢ºèªã—ãŸã¨ã“ã‚ã€.got.plt ã¨ã„ã†ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã¯ã‚ã‚Šã¾ã›ã‚“ã§ã—ãŸã€‚GOTé ˜åŸŸã¯ã€æ›¸ãè¾¼ã¿ç¦æ¢ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
/* hello_hello.map */
.dynamic 0x0000000000003dd8 0x1e0
*(.dynamic)
.dynamic 0x0000000000003dd8 0x1e0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000003dd8 _DYNAMIC
.got 0x0000000000003fb8 0x30
*(.got)
.got 0x0000000000003fb8 0x30 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
*(.igot)
0x0000000000003fe8 . = DATA_SEGMENT_RELRO_END (., (SIZEOF (.got.plt) >= 0x18)?0x18:0x0)
.got.plt 0x0000000000003fe8 0x28
*(.got.plt)
.got.plt 0x0000000000003fe8 0x28 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000003fe8 _GLOBAL_OFFSET_TABLE_
*(.igot.plt)
.data 0x0000000000004010 0x10
/* hello_hello_now.map */
.dynamic 0x0000000000003db8 0x1f0
*(.dynamic)
.dynamic 0x0000000000003db8 0x1f0 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000003db8 _DYNAMIC
.got 0x0000000000003fa8 0x58
*(.got.plt)
.got.plt 0x0000000000003fa8 0x28 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
0x0000000000003fa8 _GLOBAL_OFFSET_TABLE_
*(.igot.plt)
*(.got)
.got 0x0000000000003fd0 0x30 /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/Scrt1.o
*(.igot)
0x0000000000004000 . = DATA_SEGMENT_RELRO_END (., 0x0)
逆アセンブラを比較ã™ã‚‹ã¨ã€ã“れも差異ãŒå¤šãã¦è²¼ã‚Œã¾ã›ã‚“ãŒã€ã‚³ãƒ¼ãƒ‰ã¨ã—ã¦ã¯ä¸€ç·’ã§ã€ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒã‚ºãƒ¬ã¦ã„ãŸã ã‘ã®ã‚ˆã†ã§ã—ãŸã€‚
続ã„ã¦ã€ã‚³ãƒ³ãƒ‘イルオプション㮠now を指定ã—ãŸæ–¹ã‚’ GDB ã§ç¢ºèªã—ã¾ã™ã€‚1回目㮠printf@plt ã¾ã§é€²ã‚ã¾ã—ãŸã€‚å…ˆã»ã©ã® now を指定ã—ãªã‹ã£ãŸãƒ—ãƒã‚°ãƒ©ãƒ ã§ã¯ã€0x555555555030 ã§ã€[email protected] ã«æ ¼ç´ã•ã‚Œã¦ã„ãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã¯ã€æ¬¡ã®è¡Œã® 0x555555555036 ã§ã—ãŸãŒã€now を指定ã—ãŸãƒ—ãƒã‚°ãƒ©ãƒ ã§ã¯ã€1回目㮠printf関数ã‹ã‚‰ã€0x7ffff7e1c5b0(printf関数ã®å®Ÿè£…ãŒé…ç½®ã•ã‚ŒãŸã‚¢ãƒ‰ãƒ¬ã‚¹ï¼‰ãŒæ ¼ç´ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚コンパイルオプション㮠now ã¯ã€ãƒ—ãƒã‚°ãƒ©ãƒ 起動時ã«å…¨ã¦ã®ã‚·ãƒ³ãƒœãƒ«ã‚’解決ã™ã‚‹ã¨ã„ã†å½±éŸ¿ãŒç¢ºèªã§ãã¾ã—ãŸã€‚
[-------------------------------------code-------------------------------------]
0x555555555021: xor eax,0x2f8a
0x555555555026: jmp QWORD PTR [rip+0x2f8c]
0x55555555502c: nop DWORD PTR [rax+0x0]
=> 0x555555555030 <printf@plt>: jmp QWORD PTR [rip+0x2f8a]
| 0x555555555036 <printf@plt+6>: push 0x0
| 0x55555555503b <printf@plt+11>: jmp 0x555555555020
| 0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2f82]
| 0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
|-> 0x7ffff7e1c5b0 <__printf>: sub rsp,0xd8
0x7ffff7e1c5b7 <__printf+7>: mov QWORD PTR [rsp+0x28],rsi
0x7ffff7e1c5bc <__printf+12>: mov QWORD PTR [rsp+0x30],rdx
0x7ffff7e1c5c1 <__printf+17>: mov QWORD PTR [rsp+0x38],rcx
JUMP is taken
i proc map を確èªã—ã¾ã™ã€‚printf関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ ¼ç´ã•ã‚Œã¦ã„ã‚‹ 0x555555557fc0 ã¯ã€æ›¸ãè¾¼ã¿ã®ãƒ•ãƒ©ã‚°ãŒãªãã€èªã¿å–り専用ã«ãªã£ã¦ã„ã¾ã™ã€‚ã“ã‚Œã«ã‚ˆã£ã¦ã€GOT を書ã込む攻撃を防ã„ã§ã„ã‚‹ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
gdb-peda$ i proc map
process 397724
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x555555554000 0x555555555000 0x1000 0x0 r--p /home/user/svn/experiment/c/hello_hello_now.out
0x555555555000 0x555555556000 0x1000 0x1000 r-xp /home/user/svn/experiment/c/hello_hello_now.out
0x555555556000 0x555555557000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello_now.out
0x555555557000 0x555555558000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello_now.out
0x555555558000 0x555555559000 0x1000 0x3000 rw-p /home/user/svn/experiment/c/hello_hello_now.out
0x555555559000 0x55555557a000 0x21000 0x0 rw-p [heap]
0x7ffff7dc7000 0x7ffff7dca000 0x3000 0x0 rw-p
0x7ffff7dca000 0x7ffff7df0000 0x26000 0x0 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7df0000 0x7ffff7f45000 0x155000 0x26000 r-xp /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f45000 0x7ffff7f98000 0x53000 0x17b000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f98000 0x7ffff7f9c000 0x4000 0x1ce000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9c000 0x7ffff7f9e000 0x2000 0x1d2000 rw-p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9e000 0x7ffff7fab000 0xd000 0x0 rw-p
0x7ffff7fc3000 0x7ffff7fc5000 0x2000 0x0 rw-p
0x7ffff7fc5000 0x7ffff7fc9000 0x4000 0x0 r--p [vvar]
0x7ffff7fc9000 0x7ffff7fcb000 0x2000 0x0 r-xp [vdso]
0x7ffff7fcb000 0x7ffff7fcc000 0x1000 0x0 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7fcc000 0x7ffff7ff1000 0x25000 0x1000 r-xp /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ff1000 0x7ffff7ffb000 0xa000 0x26000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffb000 0x7ffff7ffd000 0x2000 0x30000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x32000 rw-p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 rw-p [stack]
now ãŒä»˜ã„ã¦ãªã„プãƒã‚°ãƒ©ãƒ ã®æ–¹ã® got.plt ã®é ˜åŸŸã‚’ GDB ã§ç¢ºèªã—ã¾ã™ã€‚1回目ã®printf関数ã«é£›ã‚“ã ã¨ã“ã‚ã§ã™ã€‚0x555555558000 ãŒå¯¾è±¡ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã§ã€æ›¸ãè¾¼ã¿ãƒ•ãƒ©ã‚°ãŒä»˜ã„ã¦ã„ã‚‹ã“ã¨ãŒç¢ºèªã§ãã¾ã™ã€‚
[-------------------------------------code-------------------------------------]
0x555555555021: xor eax,0x2fca
0x555555555026: jmp QWORD PTR [rip+0x2fcc]
0x55555555502c: nop DWORD PTR [rax+0x0]
=> 0x555555555030 <printf@plt>: jmp QWORD PTR [rip+0x2fca]
| 0x555555555036 <printf@plt+6>: push 0x0
| 0x55555555503b <printf@plt+11>: jmp 0x555555555020
| 0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
| 0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
|-> 0x555555555036 <printf@plt+6>: push 0x0
0x55555555503b <printf@plt+11>: jmp 0x555555555020
0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
JUMP is taken
gdb-peda$ i proc map
process 397764
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x555555554000 0x555555555000 0x1000 0x0 r--p /home/user/svn/experiment/c/hello_hello.out
0x555555555000 0x555555556000 0x1000 0x1000 r-xp /home/user/svn/experiment/c/hello_hello.out
0x555555556000 0x555555557000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello.out
0x555555557000 0x555555558000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello.out
0x555555558000 0x555555559000 0x1000 0x3000 rw-p /home/user/svn/experiment/c/hello_hello.out
0x555555559000 0x55555557a000 0x21000 0x0 rw-p [heap]
0x7ffff7dc7000 0x7ffff7dca000 0x3000 0x0 rw-p
0x7ffff7dca000 0x7ffff7df0000 0x26000 0x0 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7df0000 0x7ffff7f45000 0x155000 0x26000 r-xp /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f45000 0x7ffff7f98000 0x53000 0x17b000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f98000 0x7ffff7f9c000 0x4000 0x1ce000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9c000 0x7ffff7f9e000 0x2000 0x1d2000 rw-p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9e000 0x7ffff7fab000 0xd000 0x0 rw-p
0x7ffff7fc3000 0x7ffff7fc5000 0x2000 0x0 rw-p
0x7ffff7fc5000 0x7ffff7fc9000 0x4000 0x0 r--p [vvar]
0x7ffff7fc9000 0x7ffff7fcb000 0x2000 0x0 r-xp [vdso]
0x7ffff7fcb000 0x7ffff7fcc000 0x1000 0x0 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7fcc000 0x7ffff7ff1000 0x25000 0x1000 r-xp /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ff1000 0x7ffff7ffb000 0xa000 0x26000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffb000 0x7ffff7ffd000 0x2000 0x30000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x32000 rw-p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 rw-p [stack]
ã“ã‚Œã¾ã§ã®èª¿ã¹ã§ã€got ã®é ˜åŸŸã«ã¤ã„ã¦æŽ¨æ¸¬ãŒã§ãã¾ã™ã€‚got.plt ã¯å®Ÿè¡Œä¸ã«ã‚·ãƒ³ãƒœãƒ«è§£æ±ºã‚’è¡Œã„ã€ä¸€éƒ¨ã¯æ›¸ãè¾¼ã¿å¯èƒ½ãªé ˜åŸŸã§ã‚ã‚‹ãŒã€got ã¯ãƒ—ãƒã‚°ãƒ©ãƒ 起動時ã«ã‚·ãƒ³ãƒœãƒ«è§£æ±ºï¼ˆãƒªãƒã‚±ãƒ¼ã‚·ãƒ§ãƒ³ï¼‰ã‚’è¡Œã„èªã¿å–り専用ã®é ˜åŸŸã§ã‚ã‚‹ã¨ã„ã†ã“ã¨ã§ã™ã€‚
ã‚‚ã†å°‘ã—確èªã—ã¦ã¿ã¾ã™ã€‚now を指定ã—ã¦ã„ãªã„普通ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã§ã€GDB ã‚’èµ·å‹•ã—ã¦ã€ä»¥ä¸‹ã¯ã€malloc関数ã®ä¸ã«å…¥ã£ãŸã¨ã“ã‚ã§ã™ã€‚
printf関数ã¨ã¯ç•°ãªã‚Šã€1回ã—ã‹å‘¼ã°ã‚Œãªã„ã‹ã‚‰ãªã®ã‹ã€æœ€åˆã‹ã‚‰ã€libc ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ ¼ç´ã•ã‚Œã¦ã„ã¾ã™ã€‚ã¾ãŸã€å°‘ã—下ã«è¦‹ãˆã¦ã„ã‚‹ __cxa_finalize ã¨ã„ã†é–¢æ•°ã‚‚ã€æœ€åˆã‹ã‚‰ libc ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ ¼ç´ã•ã‚Œã¦ã„ã¾ã™ã€‚ãã‚‚ãã‚‚ã€0x555555557000 ã‹ã‚‰ 0x555555558000 ã¾ã§ã¯èªã¿å–り専用ã§ã™ã€‚
[-------------------------------------code-------------------------------------]
0x555555555040 <__isoc99_scanf@plt>: jmp QWORD PTR [rip+0x2fc2]
0x555555555046 <__isoc99_scanf@plt+6>: push 0x1
0x55555555504b <__isoc99_scanf@plt+11>: jmp 0x555555555020
=> 0x555555555050 <malloc@plt>: jmp QWORD PTR [rip+0x2f7a]
| 0x555555555056 <malloc@plt+6>: xchg ax,ax
| 0x555555555058 <__cxa_finalize@plt>: jmp QWORD PTR [rip+0x2f82]
| 0x55555555505e <__cxa_finalize@plt+6>: xchg ax,ax
| 0x555555555060 <_start>: xor ebp,ebp
|-> 0x7ffff7e62860 <__GI___libc_malloc>: push r12
0x7ffff7e62862 <__GI___libc_malloc+2>: push rbp
0x7ffff7e62863 <__GI___libc_malloc+3>: push rbx
0x7ffff7e62864 <__GI___libc_malloc+4>: mov rbx,rdi
JUMP is taken
gdb-peda$ x/g 0x555555557fe0
0x555555557fe0: 0x00007ffff7e07f40
ã ã„ã¶é•·ããªã‚Šã¾ã—ãŸãŒã€Partial RELRO ã«ã¤ã„ã¦ã€ã ã„ã¶åˆ†ã‹ã£ãŸæ°—ãŒã—ã¾ã™ã€‚ã”ã一部㮠GOT ãŒæ›¸ãè¾¼ã¿ç¦æ¢ã¨ã„ã†ã“ã¨ã§ã—ãŸãŒã€ã‚‚ã—ã‹ã—ãŸã‚‰ã€ä¸€åº¦ã—ã‹å‘¼ã°ã‚Œãªã„関数ã¯æ›¸ãè¾¼ã¿ç¦æ¢ãªã®ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。ã§ã™ãŒã€å¤§éƒ¨åˆ†ã® GOT ã¯æ›¸ãè¾¼ã¿å¯èƒ½ãªã‚“ã ã¨æ€ã„ã¾ã™ã€‚
STACK CANARY(SSP)ã«ã¤ã„ã¦å…·ä½“çš„ã«ç¢ºèªã™ã‚‹
冒é ã§èª¿ã¹ãŸé€šã‚Šã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ã¯ã€STACK CANARY(スタックカナリア)ã¯ç„¡åŠ¹ã§ã—ãŸã€‚スタックä¿è·ã¨ã„ã†ã“ã¨ã§ã€SSP(Stack Smashing Protection)ã¨ã‚‚呼ã°ã‚Œã¾ã™ã€‚ã¨ã„ã†ã‚ˆã‚Šã¯ã€SSP ã®æ‰‹æ®µã®ä¸€ã¤ãŒ STACK CANARY ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã。ã“ã“ã§ã¯ã€SSP ã¨å‘¼ã¶ã“ã¨ã«ã—ã¾ã™ã€‚
SSP を有効ã«ã™ã‚‹æ–¹æ³•ã¯ã€ã„ãã¤ã‹ã‚るよã†ã§ã™ãŒã€ã¾ãšã¯ã€ä¸€ç•ªç°¡å˜ãªã‚„ã¤ã«ã—ã¾ã™ã€‚-fstack-protector を指定ã—ã¦ã¿ã¾ã—ãŸã€‚checksec ã®çµæžœãŒã€Canary found ã«å¤‰ã‚ã‚Šã¾ã—ãŸã€‚逆アセンブラを確èªã—ãŸã¨ã“ã‚ã€main関数ã«ã¯ã€ãƒã‚§ãƒƒã‚¯ãŒå…¥ã£ã¦ã„ã¾ã—ãŸãŒã€sub関数ã«ã¯ãƒã‚§ãƒƒã‚¯ãŒå…¥ã£ã¦ã„ã¾ã›ã‚“ã§ã—ãŸã€‚
$ gcc -g -fstack-protector -Wl,-Map=hello_hello_ssp.map -o hello_hello_ssp.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_ssp.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 40 Symbols No 0 1 ./hello_hello_ssp.out
$ objdump -M intel -d hello_hello_ssp.out > hello_hello_ssp.s
続ã„ã¦ã€ã‚‚ã†å°‘ã— SSP を強化ã—㟠-fstack-protector-all ã‚’ã‚„ã£ã¦ã¿ã¾ã™ã€‚checksec ã¯ä¸Šã¨åŒã˜çµæžœã§ã—ãŸã€‚ã“ã¡ã‚‰ã¯ã€main関数ã«åŠ ãˆã¦ã€sub関数もスタックカナリアã®ãƒã‚§ãƒƒã‚¯ãŒå…¥ã£ã¦ã„ã¾ã—ãŸã€‚
$ gcc -g -fstack-protector-all -Wl,-Map=hello_hello_ssp_all.map -o hello_hello_ssp_all.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_ssp_all.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 40 Symbols No 0 1 ./hello_hello_ssp_all.out
$ objdump -M intel -d hello_hello_ssp_all.out > hello_hello_ssp_all.s
sub関数㮠逆アセンブラを表示ã—ã¾ã™ã€‚1164 ã®è¡Œã§ã€ä¹±æ•°ã®å€¤ï¼ˆFSセグメントã®ã‚ªãƒ•ã‚»ãƒƒãƒˆ 0x28)を RAX ã«è¨å®šã—ã¦ã„ã¦ã€116d ã®è¡Œã§ã€ã‚¹ã‚¿ãƒƒã‚¯ã«æ ¼ç´ã—ã¦ã„ã¾ã™ã€‚sub関数ã®çµ‚了直å‰ã® 11aa ã®è¡Œã§ã€ã‚¹ã‚¿ãƒƒã‚¯ã‹ã‚‰æ ¼ç´ã—ã¦ãŠã„ãŸå€¤ã‚’ RDX ã«å–り出ã—ã€11ae ã®è¡Œã§ã€ä¹±æ•°ã®å€¤ã¨ RDX を引ãç®—ã—ã¦ã€11ae ã®è¡Œã§ã€ã‚¤ã‚³ãƒ¼ãƒ«ï¼ˆã‚¹ã‚¿ãƒƒã‚¯ã‚«ãƒŠãƒªã‚¢ã«å¤‰åŒ–ãŒãªã„)ãªã‚‰ leave命令ã«ã‚¸ãƒ£ãƒ³ãƒ—ã—ã€ã‚¹ã‚¿ãƒƒã‚¯ã‚«ãƒŠãƒªã‚¢ã«å¤‰åŒ–ãŒã‚ã£ãŸã‚‰ __stack_chk_fail@plt を呼ã³å‡ºã—ã€ãƒ—ãƒã‚°ãƒ©ãƒ を終了ã•ã›ã¾ã™ã€‚
FSセグメントã¨ã¯ã€x86 ã®ãƒ—ãƒã‚»ãƒƒã‚µãŒæŒã¤ã‚»ã‚°ãƒ¡ãƒ³ãƒˆãƒ¬ã‚¸ã‚¹ã‚¿ã§ç®¡ç†ã•ã‚ŒãŸã‚»ã‚°ãƒ¡ãƒ³ãƒˆï¼ˆãƒ¡ãƒ¢ãƒªï¼‰ã®ã“ã¨ã ãã†ã§ã™ã€‚
0000000000001159 <sub>:
1159: 55 push rbp
115a: 48 89 e5 mov rbp,rsp
115d: 48 83 ec 20 sub rsp,0x20
1161: 89 7d ec mov DWORD PTR [rbp-0x14],edi
1164: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
116b: 00 00
116d: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax
1171: 31 c0 xor eax,eax
1173: 48 8d 05 8a 0e 00 00 lea rax,[rip+0xe8a]
117a: 48 89 c7 mov rdi,rax
117d: b8 00 00 00 00 mov eax,0x0
1182: e8 b9 fe ff ff call 1040 <printf@plt>
1187: 48 8d 45 f4 lea rax,[rbp-0xc]
118b: 48 89 c6 mov rsi,rax
118e: 48 8d 05 7d 0e 00 00 lea rax,[rip+0xe7d]
1195: 48 89 c7 mov rdi,rax
1198: b8 00 00 00 00 mov eax,0x0
119d: e8 ae fe ff ff call 1050 <__isoc99_scanf@plt>
11a2: 8b 55 f4 mov edx,DWORD PTR [rbp-0xc]
11a5: 8b 45 ec mov eax,DWORD PTR [rbp-0x14]
11a8: 01 d0 add eax,edx
11aa: 48 8b 55 f8 mov rdx,QWORD PTR [rbp-0x8]
11ae: 64 48 2b 14 25 28 00 sub rdx,QWORD PTR fs:0x28
11b5: 00 00
11b7: 74 05 je 11be <sub+0x65>
11b9: e8 72 fe ff ff call 1030 <__stack_chk_fail@plt>
11be: c9 leave
11bf: c3 ret
スタックカナリア(SSP)ã«ã¤ã„ã¦ã¯ä»¥ä¸Šã§ã™ã€‚
NXã«ã¤ã„ã¦å…·ä½“çš„ã«ç¢ºèªã™ã‚‹
NX(No eXecute)ã¯ã€ãƒ¡ãƒ¢ãƒªé ˜åŸŸã«ç½®ã‹ã‚ŒãŸã‚³ãƒ¼ãƒ‰ã‚’実行ã§ããªãã—ã¾ã™ã€‚Windowsã§ã¯ DEP(Data Execution Prevention)ã¨å‘¼ã°ã‚Œã‚‹ãã†ã§ã™ã€‚デフォルトã§æœ‰åŠ¹ã«ãªã£ã¦ã„ã¾ã—ãŸã€‚無効ã«ã™ã‚‹ã«ã¯ã€ã‚³ãƒ³ãƒ‘イルオプション -z execstack を付ã‘ã‚‹ã¨å‡ºæ¥ã‚‹ã‚ˆã†ã§ã™ã€‚ã‚„ã£ã¦ã¿ãŸã¨ã“ã‚ã€NX disabled ã«å¤‰åŒ–ã—ã¾ã—ãŸã€‚
$ gcc -g -z execstack -Wl,-Map=hello_hello_nx.map -o hello_hello_nx.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_nx.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX disabled PIE enabled No RPATH No RUNPATH 39 Symbols No 0 1 ./hello_hello_nx.out
NX disabled ã«ãªã£ãŸãƒ—ãƒã‚°ãƒ©ãƒ ã‚’ GDB ã§ç¢ºèªã—ã¾ã™ã€‚最後ã®è¡Œã® [stack] ã«æ³¨ç›®ã—ã¾ã™ã€‚rwxp ã¨å®Ÿè¡Œå¯èƒ½ã«ãªã£ã¦ã„ã¾ã™ã€‚ã¡ãªã¿ã«ã€NX enabled ã®é€šå¸¸ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã¯ã€ã“ã®è¨˜äº‹ã®å†’é ã®çµæžœã‚’見ã¦ã¿ã‚‹ã¨ã€0x7ffffffde000 0x7ffffffff000 0x21000 0x0 rw-p [stack] ã¨ãªã£ã¦ãŠã‚Šã€å®Ÿè¡Œã¯ã§ãã¾ã›ã‚“。
$ gdb -q hello_hello_nx.out
gdb-peda$ i proc map
process 398709
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x555555554000 0x555555555000 0x1000 0x0 r--p /home/user/svn/experiment/c/hello_hello_nx.out
0x555555555000 0x555555556000 0x1000 0x1000 r-xp /home/user/svn/experiment/c/hello_hello_nx.out
0x555555556000 0x555555557000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello_nx.out
0x555555557000 0x555555558000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_hello_nx.out
0x555555558000 0x555555559000 0x1000 0x3000 rw-p /home/user/svn/experiment/c/hello_hello_nx.out
0x7ffff7dc7000 0x7ffff7dca000 0x3000 0x0 rw-p
0x7ffff7dca000 0x7ffff7df0000 0x26000 0x0 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7df0000 0x7ffff7f45000 0x155000 0x26000 r-xp /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f45000 0x7ffff7f98000 0x53000 0x17b000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f98000 0x7ffff7f9c000 0x4000 0x1ce000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9c000 0x7ffff7f9e000 0x2000 0x1d2000 rw-p /usr/lib/x86_64-linux-gnu/libc.so.6
0x7ffff7f9e000 0x7ffff7fab000 0xd000 0x0 rw-p
0x7ffff7fc3000 0x7ffff7fc5000 0x2000 0x0 rw-p
0x7ffff7fc5000 0x7ffff7fc9000 0x4000 0x0 r--p [vvar]
0x7ffff7fc9000 0x7ffff7fcb000 0x2000 0x0 r-xp [vdso]
0x7ffff7fcb000 0x7ffff7fcc000 0x1000 0x0 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7fcc000 0x7ffff7ff1000 0x25000 0x1000 r-xp /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ff1000 0x7ffff7ffb000 0xa000 0x26000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffb000 0x7ffff7ffd000 0x2000 0x30000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffd000 0x7ffff7fff000 0x2000 0x32000 rw-p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 rwxp [stack]
NX ã«ã¤ã„ã¦ã¯ä»¥ä¸Šã§ã™ã€‚
PIEã¨ASLRã«ã¤ã„ã¦å…·ä½“çš„ã«ç¢ºèªã™ã‚‹
ç¾åœ¨ã¯ã€æ™®é€šã«ãƒ“ルドã™ã‚‹ã¨ã€PIE ãŒæœ‰åŠ¹ã«ãªã£ã¦ã„ã¦ã€å®Ÿè¡Œã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã®é…置アドレスã¯å¤‰åŒ–ã—ã¾ã™ã€‚ASLR ã¯ã€Linux ãªã‚‰é€šå¸¸ã¯ 2 ã«ãªã£ã¦ã‚‹ãã†ã§ã€ä¸Šã§è¨€ã£ãŸé€šã‚Šã€å…±æœ‰ãƒ©ã‚¤ãƒ–ラリã€ãƒ’ープã€ã‚¹ã‚¿ãƒƒã‚¯ã®é…置アドレスをランダム化ã—ã¾ã™ã€‚
具体的ã«ç¢ºèªã—ã¦ã¿ã¾ã™ã€‚実行ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã€ã‚¹ã‚¿ãƒƒã‚¯ã€ãƒ’ープã€å…±æœ‰ãƒ©ã‚¤ãƒ–ラリã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã®å…¨ã¦ãŒã€ç¢ºã‹ã«å¤‰åŒ–ã—ã¦ã„ã¾ã™ã€‚
$ ./hello_hello.out
main: 0x558b2bd4018d
buf: 0x7ffdfa3c3df0
mbuf: 0x558b2cd972a0
malloc: 0x7f5973187860
input data: 1
input data2: 2
result: 3
$ ./hello_hello.out
main: 0x563e7e40d18d
buf: 0x7ffc769104a0
mbuf: 0x563e7fd652a0
malloc: 0x7efd5c029860
input data: 2
input data2: 3
result: 5
ASLR を一時的㫠1 ã«å¤‰æ›´ã—ã¦ã¿ã¾ã™ã€‚1 ã§ã‚‚ã€å…¨ã¦å¤‰åŒ–ã—ã¦ã„ã¾ã™ã€‚
$ sudo su
2
kernel.randomize_va_space = 1
1
$ ./hello_hello.out
main: 0x55bf00e6518d
buf: 0x7fffbf786810
mbuf: 0x55bf00e692a0
malloc: 0x7f386ad62860
input data: 1
input data2: 2
result: 3
$ ./hello_hello.out
main: 0x55c26238418d
buf: 0x7fffcde31f50
mbuf: 0x55c2623882a0
malloc: 0x7f3cd7205860
input data: 1
input data2: 3
result: 4
ã§ã¯ã€0 ã«ã—ã¦ã€åŒã˜ã‚ˆã†ã«ç¢ºèªã—ã¦ã¿ã¾ã™ã€‚å…¨ã¦ä¸€è‡´ã—ã¾ã—ãŸã€‚実行プãƒã‚°ãƒ©ãƒ ã¯å¤‰åŒ–ã™ã‚‹ã‹ãªï¼Ÿã¨æ€ã„ã¾ã—ãŸãŒã€ä¸€è‡´ã—ã¾ã—ãŸã€‚
$ sudo su
kernel.randomize_va_space = 0
0
$ ./hello_hello.out
main: 0x55555555518d
buf: 0x7fffffffdf30
mbuf: 0x5555555592a0
malloc: 0x7ffff7e62860
input data: 1
input data2: 2
result: 3
$ ./hello_hello.out
main: 0x55555555518d
buf: 0x7fffffffdf30
mbuf: 0x5555555592a0
malloc: 0x7ffff7e62860
input data: 3
input data2: 4
result: 7
ASLR ã¯ã€å…ƒã® 2 ã«æˆ»ã—ã¦ãŠãã¾ã™ã€‚
$ sudo su
kernel.randomize_va_space = 2
2
一方ã§ã€PIE を無効ã«ã—ãŸå ´åˆã‚‚確èªã—ã¦ã¿ã¾ã™ã€‚-no-pie を付ã‘ã‚‹ã¨ã€PIE を無効ã«ã§ãã¾ã™ã€‚
checksec を実行ã™ã‚‹ã¨ã€No PIE ã¨ã„ã†ã“ã¨ã§ã€PIE を無効化ã§ãã¦ã„ã¾ã™ã€‚実行ã—ã¦ã¿ã‚‹ã¨ã€ä¸Šã¨æ¯”ã¹ã¦ã€ãšã„ã¶ã‚“å°ã•ã„アドレスã«ãªã‚Šã¾ã—ãŸã€‚実行ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã¯åŒã˜ã‚¢ãƒ‰ãƒ¬ã‚¹ã«é…ç½®ã•ã‚Œã¦ã„ã¾ã™ãŒã€ãれ以外ã®é ˜åŸŸã¯å¤‰åŒ–ã—ã¦ã„ã¾ã™ã€‚
ASLR ã‚’ 0 ã«ã—ãŸã¨ãã¯ã€-no-pie を付ã‘ãªãã¦ã‚‚ã€å®Ÿè¡Œã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã‚‚åŒã˜ã‚¢ãƒ‰ãƒ¬ã‚¹ã«é…ç½®ã•ã‚Œã¾ã—ãŸã€‚アドレスを見るã¨ã€åŒã˜ã‚¢ãƒ‰ãƒ¬ã‚¹ã§ã™ãŒã€å¤§ããªã‚¢ãƒ‰ãƒ¬ã‚¹ã«é…ç½®ã•ã‚Œã¦ã„ã¾ã—ãŸã®ã§ã€ASLR ã®åŠ¹æžœã¯å‡ºã¦ã„ã‚‹ã“ã¨ãŒåˆ†ã‹ã‚Šã¾ã™ã€‚PIE 㯠ASLR ㌠0 ã§ã¯ãªã„ã“ã¨ãŒå‰æã®ã‚»ã‚ュリティ機構ãªã®ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。
$ gcc -g -no-pie -Wl,-Map=hello_hello_nopie.map -o hello_hello_nopie.out hello_hello.c
$ ../../tools/checksec.sh-2.7.1/checksec --file=./hello_hello_nopie.out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 37 Symbols No 0 1 ./hello_hello_nopie.out
$ ./hello_hello_nopie.out
main: 0x40118a
buf: 0x7ffeb1e5e4d0
mbuf: 0x5fd2a0
malloc: 0x7fad9d01d860
input data: 1
input data2: 2
result: 3
$ ./hello_hello_nopie.out
main: 0x40118a
buf: 0x7ffd6570c2d0
mbuf: 0x21102a0
malloc: 0x7fb018f7a860
input data: 2
input data2: 3
result: 5
ãŠã‚ã‚Šã«
今回ã¯ã€checksec ã®çµæžœã‚’ç†è§£ã™ã‚‹ãŸã‚ã«ã€ã„ã‚ã„ã‚調ã¹ãŸã‚Šã€å®Ÿéš›ã« GDB ã§å®Ÿè¡Œã—ã¦ç¢ºèªã‚’ã—ã¾ã—ãŸã€‚ã ã„ã¶ç†è§£ãŒé€²ã‚“ã æ°—ãŒã—ã¾ã™ã€‚
checksec ãŒå¯¾å¿œã—ã¦ã„ãªã„ã‚»ã‚ュリティ機構もã‚るらã—ã„ã®ã§ã€ã¾ãŸåˆ†ã‹ã£ãŸã‚‰ã“ã®è¨˜äº‹ã«è¿½è¨˜ã—よã†ã¨æ€ã„ã¾ã™ã€‚
今回ã¯ã€ChatGPT ã«ãƒã‚´ã‚’作ã£ã¦ã‚‚らã„ã¾ã—ãŸã€‚1æ—¥2回ã¾ã§ç„¡æ–™ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã§ã‚‚作ã£ã¦ã‚‚らãˆã‚‹ãã†ã§ã™ã€‚今回ã¯ã€é‹ã‚ˆã1回ã§ã„ã„æ„Ÿã˜ã®ç”»åƒã‚’生æˆã—ã¦ãã‚Œã¾ã—ãŸã€‚
ãŠé¡˜ã„ã—ãŸå†…容ã¯ã€Œchecksec ã¨ã„ã†ãƒ„ールã®ãƒã‚´ï¼ˆPNGç”»åƒï¼‰ã‚’ 200x200 ã®ã‚µã‚¤ã‚ºã§ä½œã£ã¦ãã ã•ã„ã€ã§ã™ï¼ˆç¬‘)。PNGç”»åƒã¨ãŠé¡˜ã„ã—ã¾ã—ãŸãŒã€webpã¨ã„ã†æ‹¡å¼µåã®ç”»åƒãƒ•ã‚¡ã‚¤ãƒ«ãŒä½œã‚‰ã‚Œã¾ã—ãŸã€‚オンラインã®ãƒ„ールã§PNGç”»åƒã«ç°¡å˜ã«å¤‰æ›ã§ãã¾ã—ãŸã€‚
最後ã«ãªã‚Šã¾ã—ãŸãŒã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚°ãƒ«ãƒ¼ãƒ—ã®ãƒ©ãƒ³ã‚ングã«å‚åŠ ä¸ã§ã™ã€‚
気楽ã«ãƒãƒãƒƒã¨ã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ðŸ™‡
今回ã¯ä»¥ä¸Šã§ã™ï¼
最後ã¾ã§ãŠèªã¿ã„ãŸã ãã€ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã—ãŸã€‚
