å‰å›ž ã¯ã€C言語ã¨ã‚¢ã‚»ãƒ³ãƒ–ラã§ã‚·ã‚§ãƒ«ã‚’èµ·å‹•ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ を作ã£ã¦ã¿ã¾ã—ãŸã€‚
今回ã¯ã€ã‚¢ã‚»ãƒ³ãƒ–ラã§ä½œã£ãŸãƒ—ãƒã‚°ãƒ©ãƒ ã‚’Exploitコードã®éƒ¨å“ã¨ãªã‚Šãã†ãª C言語ã‹ã‚‰ã‚·ã‚§ãƒ«ã‚’èµ·å‹•ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ を実装ã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
å‚考文献
ã¯ã˜ã‚ã«
「セã‚ュリティã€ã®è¨˜äº‹ä¸€è¦§ã§ã™ã€‚良ã‹ã£ãŸã‚‰å‚考ã«ã—ã¦ãã ã•ã„。
ã‚»ã‚ュリティã®è¨˜äº‹ä¸€è¦§
å‰å›žã«å¼•ã続ãã€ä»Šå›žã‚‚以下ã®ã‚µã‚¤ãƒˆã‚’å‚考ã«ã•ã›ã¦é ‚ãã¾ã™ã€‚以下㯠x86 ã®è¨˜äº‹ã§ã™ã€‚
inaz2.hatenablog.com
以下ã¯ã€ä¸Šã®è¨˜äº‹ã® ARM32bit版ã®è¨˜äº‹ã§ã™ã€‚
inaz2.hatenablog.com
ã¾ãŸã€64bitARM(Aarch64)ã®ã‚¢ã‚»ãƒ³ãƒ–ラã«ã¤ã„ã¦ã¯ã€ä»¥ä¸‹ã®ã‚µã‚¤ãƒˆã‚’å‚考ã«ã•ã›ã¦é ‚ãã¾ã—ãŸã€‚
www.mztn.org
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
実装ã—ã¦ãƒ‡ãƒãƒƒã‚°ã—ãŸã‚¢ã‚»ãƒ³ãƒ–ラプãƒã‚°ãƒ©ãƒ を確èªã™ã‚‹
ã¾ãšã€å‰å›žå®Ÿè£…ã—ãŸã‚¢ã‚»ãƒ³ãƒ–ラã®ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã§ã™ã€‚
.global _start
_start:
ldr x8, binsh
mov x2, xzr
mov x0, sp
stp x8, x2, [sp],
mov x1, sp
stp x0, x2, [sp,
mov x8,
svc
binsh:
.asciz "/bin/sh"
次ã¯ã€ã‚¢ã‚»ãƒ³ãƒ–ルã¨é€†ã‚¢ã‚»ãƒ³ãƒ–ラ表示ã§ã™ã€‚今回ã¯ã€ãƒžãƒƒãƒ—ファイルも出力ã—ã¦ãŠãã¾ã™ã€‚
$ gcc -g -Wl,-Map=execve.map -o execve.out -nostdlib execve.s
$ objdump -d execve.out
execve.out: file format elf64-littleaarch64
Disassembly of section .text:
0000000000000244 <_start>:
244: 58000108 ldr x8, 264 <binsh>
248: aa1f03e2 mov x2, xzr
24c: 910003e0 mov x0, sp
250: a8bf0be8 stp x8, x2, [sp],
254: 910003e1 mov x1, sp
258: a9000be0 stp x0, x2, [sp]
25c: d2801ba8 mov x8,
260: d4000001 svc
0000000000000264 <binsh>:
264: 6e69622f .word 0x6e69622f
268: 0068732f .word 0x0068732f
出力ã•ã‚ŒãŸãƒžãƒƒãƒ—ファイルを確èªã—ã¾ã™ã€‚以下ã¯ã€æŠœç²‹ã§ã™ã€‚確ã‹ã«ã€244番地ã‹ã‚‰ãƒ†ã‚ストセクションãŒå§‹ã¾ã£ã¦ã„ã¾ã™ã€‚0x28(40)byte ã¨ã„ã†ã“ã¨ãªã®ã§ã€è¨˜è¿°ã—ãŸã‚¢ã‚»ãƒ³ãƒ–ラã¯å…¨ã¦å…¥ã£ã¦ã„るよã†ã§ã™ã€‚
.text 0x0000000000000244 0x28
*(.text.unlikely .text.*_unlikely .text.unlikely.*)
*(.text.exit .text.exit.*)
*(.text.startup .text.startup.*)
*(.text.hot .text.hot.*)
*(SORT_BY_NAME(.text.sorted.*))
*(.text .stub .text.* .gnu.linkonce.t.*)
.text 0x0000000000000244 0x28 /tmp/ccmxWWSK.o
0x0000000000000244 _start
readelf ã§ã€ELFヘッダã®å†…容を確èªã—ã¾ã™ã€‚エントリãƒã‚¤ãƒ³ãƒˆã¯ã€0x244 ã«ãªã£ã¦ã„ã¾ã™ã€‚
$ readelf -h execve.out
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Position-Independent Executable file)
Machine: AArch64
Version: 0x1
Entry point address: 0x244
Start of program headers: 64 (bytes into file)
Start of section headers: 66864 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 7
Size of section headers: 64 (bytes)
Number of section headers: 19
Section header string table index: 18
続ã„ã¦ã€ãƒ—ãƒã‚°ãƒ©ãƒ ヘッダã§ã™ã€‚64bitプãƒã‚°ãƒ©ãƒ ã«ãªã£ã¦ã€ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒé•·ã™ãŽã¦è¦‹ã¥ã‚‰ã„ã§ã™ï¼ˆç¬‘)。
$ readelf -l execve.out
Elf file type is DYN (Position-Independent Executable file)
Entry point 0x244
There are 7 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040 0x0000000000000188 0x0000000000000188 R 0x8
INTERP 0x00000000000001c8 0x00000000000001c8 0x00000000000001c8 0x000000000000001b 0x000000000000001b R 0x1 [Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x000000000000026c 0x000000000000026c R E 0x10000
LOAD 0x000000000000ff10 0x000000000001ff10 0x000000000001ff10 0x00000000000000f0 0x00000000000000f0 RW 0x10000
DYNAMIC 0x000000000000ff10 0x000000000001ff10 0x000000000001ff10 0x00000000000000d0 0x00000000000000d0 RW 0x8
NOTE 0x00000000000001e4 0x00000000000001e4 0x00000000000001e4 0x0000000000000024 0x0000000000000024 R 0x4
GNU_RELRO 0x000000000000ff10 0x000000000001ff10 0x000000000001ff10 0x00000000000000f0 0x00000000000000f0 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.build-id .gnu.hash .dynsym .dynstr .text
03 .dynamic .got .got.plt
04 .dynamic
05 .note.gnu.build-id
06 .dynamic .got .got.plt
セクションヘッダã§ã™ã€‚
$ readelf -S execve.out
There are 19 section headers, starting at offset 0x10530:
Section Headers:
[Nr] Name Type Address Offset Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000 0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 00000000000001c8 000001c8 000000000000001b 0000000000000000 A 0 0 1
[ 2] .note.gnu.bu[...] NOTE 00000000000001e4 000001e4 0000000000000024 0000000000000000 A 0 0 4
[ 3] .gnu.hash GNU_HASH 0000000000000208 00000208 000000000000001c 0000000000000000 A 4 0 8
[ 4] .dynsym DYNSYM 0000000000000228 00000228 0000000000000018 0000000000000018 A 5 1 8
[ 5] .dynstr STRTAB 0000000000000240 00000240 0000000000000001 0000000000000000 A 0 0 1
[ 6] .text PROGBITS 0000000000000244 00000244 0000000000000028 0000000000000000 AX 0 0 4
[ 7] .dynamic DYNAMIC 000000000001ff10 0000ff10 00000000000000d0 0000000000000010 WA 5 0 8
[ 8] .got PROGBITS 000000000001ffe0 0000ffe0 0000000000000008 0000000000000008 WA 0 0 8
[ 9] .got.plt PROGBITS 000000000001ffe8 0000ffe8 0000000000000018 0000000000000008 WA 0 0 8
[10] .debug_aranges PROGBITS 0000000000000000 00010000 0000000000000030 0000000000000000 0 0 16
[11] .debug_info PROGBITS 0000000000000000 00010030 0000000000000028 0000000000000000 0 0 1
[12] .debug_abbrev PROGBITS 0000000000000000 00010058 0000000000000014 0000000000000000 0 0 1
[13] .debug_line PROGBITS 0000000000000000 0001006c 000000000000004e 0000000000000000 0 0 1
[14] .debug_str PROGBITS 0000000000000000 000100ba 0000000000000035 0000000000000001 MS 0 0 1
[15] .debug_line_str PROGBITS 0000000000000000 000100ef 0000000000000029 0000000000000001 MS 0 0 1
[16] .symtab SYMTAB 0000000000000000 00010118 00000000000002e8 0000000000000018 17 23 8
[17] .strtab STRTAB 0000000000000000 00010400 0000000000000071 0000000000000000 0 0 1
[18] .shstrtab STRTAB 0000000000000000 00010471 00000000000000bd 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), p (processor specific)
å‰å›žã¯ã€ã“ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’ GDB を使ã£ã¦å‹•ä½œç¢ºèªã—ã¾ã—ãŸã€‚
メモリã«é…ç½®ã§ãるよã†ã«æ©Ÿæ¢°èªžã§åŸ‹ã‚込む
å‚考サイトã§ã¯ã€ã“ã®æ©Ÿæ¢°èªžã‚’ Linux ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’使ã£ã¦åŠ å·¥ã—ã¦ã„ã¾ã™ã€‚ã¡ã‚‡ã£ã¨é›£ã—ã‹ã£ãŸã®ã§ã€ã“ã“ã§ã¯æ‰‹å‹•ã§ä¸¦ã¹ã¾ã™ï¼ˆç¬‘)。
å…ˆã»ã©ã®é€†ã‚¢ã‚»ãƒ³ãƒ–ラã®ã¯ã€4byteãšã¤ã€10行並んã§ã„ã¾ã—ãŸã€‚ã“ã®4byteã¯ã€ãƒªãƒˆãƒ«ã‚¨ãƒ³ãƒ‡ã‚£ã‚¢ãƒ³ãªã®ã§ã€ãƒã‚¤ãƒˆå˜ä½ã§ã²ã£ãã‚Šè¿”ã—ã¾ã™ã€‚ãれを連çµã—ã¾ã—ãŸã€‚以下ã®ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚
main関数ã®1è¡Œã¯ã€shellcode を実行ã—ã¦ã„ã¾ã™ã€‚shellcode ã¯é…列ã®å…ˆé アドレスãªã®ã§ã€ã“れを関数ã ã¨æ€ã£ã¦è¦‹ã‚‹ã¨ã€é–¢æ•°ã®å…ˆé アドレスã¨ã‚‚言ãˆã¾ã™ã€‚ã“ã®1è¡Œã¯é–¢æ•°ãƒã‚¤ãƒ³ã‚¿ã‚’実行ã—ã¦ã„るコードã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
関数ãƒã‚¤ãƒ³ã‚¿ã®ã‚ャストã¯è¦‹ã«ãã„ã§ã™ãŒã€void(*) ãŒé–¢æ•°ã®æˆ»ã‚Šå€¤ã®åž‹ï¼ˆvoid)ã¨é–¢æ•°ãƒã‚¤ãƒ³ã‚¿ã‹ã‚‰é–¢æ•°ã«ã™ã‚‹ãŸã‚ã®ã‚¢ã‚¹ã‚¿ãƒªã‚¹ã‚¯ã§ã™ã€‚次㮠() ã¯å¼•æ•°ã§ã™ã€‚ã¤ã¾ã‚Šã€å¼•æ•°ç„¡ã—ã€æˆ»ã‚Šå€¤ç„¡ã—ã®é–¢æ•°ã¸ã®ã‚ャストã§ã™ã€‚å…ˆé ã®ã‚¢ã‚¹ã‚¿ãƒªã‚¹ã‚¯ã¯ã€ãªãœä»˜ã„ã¦ã‚‹ã®ã‹åˆ†ã‹ã‚Šã¾ã›ã‚“。ã“ã®ã‚¢ã‚¹ã‚¿ãƒªã‚¹ã‚¯ã¯ç„¡ãã¦ã‚‚コンパイルも通りã¾ã™ã—ã€å®Ÿè¡Œã«ã¤ã„ã¦ã‚‚変化ã¯ã‚ã‚Šã¾ã›ã‚“。ãŸã¶ã‚“ã€ã„らãªã„ã‚“ã˜ã‚ƒãªã„ã‹ã¨æ€ã£ã¦ã„ã¾ã™ã€‚
char shellcode[] = "\x08\x01\x00\x58\xe2\x03\x1f\xaa\xe0\x03\x00\x91\xe8\x0b\xbf\xa8\xe1\x03\x00\x91\xe0\x0b\x00\xa9\xa8\x1b\x80\xd2\x01\x00\x00\xd4\x2f\x62\x69\x6e\x2f\x73\x68\x00";
int main()
{
( *(void (*)())shellcode )();
}
ã“れをコンパイルã—ã¦ã€å®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚Segmentation Fault ãŒå‡ºã¾ã—ãŸã€‚
$ gcc -g -Wl,-Map=execve_str.map -static -o execve_str.out execve_str.c
$ ./execve_str.out
Segmentation fault
機械語ã§åŸ‹ã‚込んã プãƒã‚°ãƒ©ãƒ ã‚’GDBã§ç¢ºèªã™ã‚‹
GDB ã§ç¢ºèªã—ã¾ã™ã€‚é•·ã„ã®ã§ã€ã„ãã¤ã‹çœç•¥ã—ã¾ã™ã€‚0x490000 ã« 0x50 ã‚’åŠ ãˆãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã«åˆ†å²ã™ã‚‹ã‚ˆã†ã§ã™ã€‚
$ gdb execve_str.out
Reading symbols from execve_str.out...
(gdb) start
Temporary breakpoint 1 at 0x4006dc: file execve_str.c, line 7.
Starting program: /home/daisuke/svn/experiment/c/execve_str.out
Temporary breakpoint 1, main () at execve_str.c:7
7 (*(void (*)())shellcode)();
(gdb) disassemble
Dump of assembler code for function main:
0x00000000004006d4 <+0>: stp x29, x30, [sp, #-16]!
0x00000000004006d8 <+4>: mov x29, sp
=> 0x00000000004006dc <+8>: adrp x0, 0x490000
0x00000000004006e0 <+12>: add x0, x0,
0x00000000004006e4 <+16>: blr x0
0x00000000004006e8 <+20>: mov w0,
0x00000000004006ec <+24>: ldp x29, x30, [sp],
0x00000000004006f0 <+28>: ret
End of assembler dump.
分å²ã—ãŸå¾Œã§ã™ã€‚実装ã—ãŸé€šã‚Šã®ã‚³ãƒ¼ãƒ‰ãŒä¸¦ã‚“ã§ã„ã¾ã™ã€‚ã©ã“ã§è½ã¡ã‚‹ã®ã‹ã¨è¨€ã†ã¨ã€æœ€åˆã® ldr命令を実行ã—ãŸã¨ã“ã‚ã§è½ã¡ã¾ã™ã€‚上㯠40万番地付近ã§ã—ãŸãŒã€ã“ã“ã‹ã‚‰ã¯ã€49万番地ã¨ãªã£ã¦ã„ã¾ã™ã€‚
(gdb) disassemble
Dump of assembler code for function shellcode:
=> 0x0000000000490050 <+0>: ldr x8, 0x490070 <shellcode+32>
0x0000000000490054 <+4>: mov x2, xzr
0x0000000000490058 <+8>: mov x0, sp
0x000000000049005c <+12>: stp x8, x2, [sp],
0x0000000000490060 <+16>: mov x1, sp
0x0000000000490064 <+20>: stp x0, x2, [sp]
0x0000000000490068 <+24>: mov x8,
0x000000000049006c <+28>: svc
0x0000000000490070 <+32>: rsubhn2 v15.8h, v17.4s, v9.4s
0x0000000000490074 <+36>: .inst 0x0068732f ; undefined
0x0000000000490078 <+40>: udf
End of assembler dump.
マップファイルを見ã¦ã¿ã¾ã™ã€‚ã¾ãšã€åˆ†å²å‰ã® 40万番地付近ã§ã™ã€‚普通㮠textセクションã§ã™ã€‚
*(.text.startup .text.startup.*)
*fill* 0x0000000000400524 0xc 1f2003d5
.text.startup 0x0000000000400530 0x24 /usr/lib/gcc/aarch64-linux-gnu/12/libgcc.a(lse-init.o)
*(.text.hot .text.hot.*)
*(SORT_BY_NAME(.text.sorted.*))
*(.text .stub .text.* .gnu.linkonce.t.*)
*fill* 0x0000000000400554 0x2c 1f2003d5
.text 0x0000000000400580 0x44 /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/crt1.o
0x0000000000400580 _start
0x00000000004005c0 _dl_relocate_static_pie
.text 0x00000000004005c4 0x14 /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/crti.o
*fill* 0x00000000004005d8 0x8 1f2003d5
.text 0x00000000004005e0 0xf4 /usr/lib/gcc/aarch64-linux-gnu/12/crtbeginT.o
.text 0x00000000004006d4 0x20 /tmp/ccG8mGtX.o
0x00000000004006d4 main
*fill* 0x00000000004006f4 0xc 1f2003d5
.text 0x0000000000400700 0x42c /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/libc.a(libc-start.o)
0x00000000004007e4 __libc_start_main_impl
0x00000000004007e4 __libc_start_main
*fill* 0x0000000000400b2c 0x4 1f2003d5
続ã„ã¦ã€åˆ†å²å¾Œã®æ©Ÿæ¢°èªžã‚’埋ã‚込んã 方を見ã¦ã¿ã¾ã™ã€‚dataセクションã«ãªã£ã¦ã„ã¾ã—ãŸã€‚ã“ã“ã¯å®Ÿè¡Œå¯èƒ½ãªã¨ã“ã‚ã§ã¯ãªã„ã‚“ã ã¨æ€ã„ã¾ã™ã€‚
.data 0x0000000000490040 0x1948
[!provide] PROVIDE (__data_start = .)
*(.data .data.* .gnu.linkonce.d.*)
.data 0x0000000000490040 0x4 /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/crt1.o
0x0000000000490040 data_start
0x0000000000490040 __data_start
.data 0x0000000000490044 0x0 /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/crti.o
*fill* 0x0000000000490044 0x4
.data 0x0000000000490048 0x8 /usr/lib/gcc/aarch64-linux-gnu/12/crtbeginT.o
0x0000000000490048 __dso_handle
.data 0x0000000000490050 0x29 /tmp/ccG8mGtX.o
0x0000000000490050 shellcode
セクションヘッダを見ã¦ã¿ã¾ã™ã€‚textセクション㯠X ãŒä»˜ã„ã¦ã‚‹ã®ã§ã€å®Ÿè¡Œå¯èƒ½ãªé ˜åŸŸã§ã™ã€‚一方ã€dataセクション㯠X ãŒä»˜ã„ã¦ã„ã¾ã›ã‚“。ã“ã‚ŒãŒåŽŸå› ã ã¨æ€ã‚ã‚Œã¾ã™ã€‚
$ readelf -S execve_str.out
There are 35 section headers, starting at offset 0xab428:
Section Headers:
[Nr] Name Type Address Offset Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000 0000000000000000 0000000000000000 0 0 0
[ 1] .note.gnu.bu[...] NOTE 0000000000400190 00000190 0000000000000024 0000000000000000 A 0 0 4
[ 2] .note.ABI-tag NOTE 00000000004001b4 000001b4 0000000000000020 0000000000000000 A 0 0 4
[ 3] .rela.plt RELA 00000000004001d8 000001d8 00000000000000a8 0000000000000018 AI 32 18 8
[ 4] .init PROGBITS 0000000000400280 00000280 0000000000000018 0000000000000000 AX 0 0 4
[ 5] .plt PROGBITS 00000000004002a0 000002a0 0000000000000070 0000000000000000 AX 0 0 16
[ 6] .text PROGBITS 0000000000400340 00000340 0000000000056394 0000000000000000 AX 0 0 64
[ 7] __libc_freeres_fn PROGBITS 00000000004566e0 000566e0 0000000000000b04 0000000000000000 AX 0 0 16
[ 8] .fini PROGBITS 00000000004571e4 000571e4 0000000000000014 0000000000000000 AX 0 0 4
[ 9] .rodata PROGBITS 0000000000457200 00057200 000000000001a320 0000000000000000 A 0 0 16
[10] .eh_frame PROGBITS 0000000000471520 00071520 000000000000ba84 0000000000000000 A 0 0 8
[11] .gcc_except_table PROGBITS 000000000047cfa4 0007cfa4 00000000000000dc 0000000000000000 A 0 0 1
[12] .tdata PROGBITS 000000000048c710 0008c710 0000000000000018 0000000000000000 WAT 0 0 8
[13] .tbss NOBITS 000000000048c728 0008c728 0000000000000048 0000000000000000 WAT 0 0 8
[14] .init_array INIT_ARRAY 000000000048c728 0008c728 0000000000000010 0000000000000008 WA 0 0 8
[15] .fini_array FINI_ARRAY 000000000048c738 0008c738 0000000000000008 0000000000000008 WA 0 0 8
[16] .data.rel.ro PROGBITS 000000000048c740 0008c740 0000000000003498 0000000000000000 WA 0 0 16
[17] .got PROGBITS 000000000048fbd8 0008fbd8 0000000000000408 0000000000000008 WA 0 0 8
[18] .got.plt PROGBITS 000000000048ffe8 0008ffe8 0000000000000050 0000000000000008 WA 0 0 8
[19] .data PROGBITS 0000000000490040 00090040 0000000000001948 0000000000000000 WA 0 0 16
[20] __libc_subfreeres PROGBITS 0000000000491988 00091988 0000000000000048 0000000000000000 WAR 0 0 8
[21] __libc_IO_vtables PROGBITS 00000000004919d0 000919d0 0000000000000690 0000000000000000 WA 0 0 8
[22] __libc_atexit PROGBITS 0000000000492060 00092060 0000000000000008 0000000000000000 WAR 0 0 8
[23] .bss NOBITS 0000000000492070 00092068 00000000000054f8 0000000000000000 WA 0 0 16
[24] __libc_freer[...] NOBITS 0000000000497568 00092068 0000000000000020 0000000000000000 WA 0 0 8
[25] .comment PROGBITS 0000000000000000 00092068 000000000000001f 0000000000000001 MS 0 0 1
[26] .debug_aranges PROGBITS 0000000000000000 00092087 0000000000000030 0000000000000000 0 0 1
[27] .debug_info PROGBITS 0000000000000000 000920b7 0000000000000088 0000000000000000 0 0 1
[28] .debug_abbrev PROGBITS 0000000000000000 0009213f 0000000000000068 0000000000000000 0 0 1
[29] .debug_line PROGBITS 0000000000000000 000921a7 000000000000004f 0000000000000000 0 0 1
[30] .debug_str PROGBITS 0000000000000000 000921f6 0000000000000070 0000000000000001 MS 0 0 1
[31] .debug_line_str PROGBITS 0000000000000000 00092266 000000000000002d 0000000000000001 MS 0 0 1
[32] .symtab SYMTAB 0000000000000000 00092298 0000000000012318 0000000000000018 33 1953 8
[33] .strtab STRTAB 0000000000000000 000a45b0 0000000000006cfe 0000000000000000 0 0 1
[34] .shstrtab STRTAB 0000000000000000 000ab2ae 0000000000000178 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
R (retain), D (mbind), p (processor specific)
機械語を埋ã‚込んã プãƒã‚°ãƒ©ãƒ ãŒå®Ÿè¡Œã§ãるよã†ã«å¯¾ç–ã™ã‚‹
å‚考サイトã§ã¯ã€ã‚¹ã‚¿ãƒƒã‚¯ã«é…ç½®ã•ã‚ŒãŸã®ã§ã€ã‚¹ã‚¿ãƒƒã‚¯é ˜åŸŸã‚’実行å¯èƒ½ã«ã™ã‚‹å¯¾ç–ã‚’è¡Œã£ã¦ã„ã¾ã—ãŸã€‚ã“ã¡ã‚‰ã¯ã€dataセクションã«é…ç½®ã•ã‚Œã¦ã„ã‚‹ã®ã§ã€åˆ¥ã®å¯¾ç–ãŒå¿…è¦ã§ã™ã€‚
ã„ã‚ã„ã‚調ã¹ãŸã¨ã“ã‚ã€C言語㮠mprotect ã¨ã„ã†é–¢æ•°ãŒã‚るよã†ã§ã™ã€‚メモリã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨ã‚µã‚¤ã‚ºã‚’指定ã—ã¦ã€Read/Write/Exec ã®å±žæ€§ã‚’変更ã™ã‚‹ã“ã¨ãŒå‡ºæ¥ã‚‹ã‚ˆã†ã§ã™ã€‚プãƒãƒˆã‚¿ã‚¤ãƒ—ã¯ã€int mprotect(void *addr, size_t len, int prot); ã§ã™ã€‚
注æ„点ã¨ã—ã¦ã¯ã€ç¬¬1引数㮠addr ã¯ã€ãƒšãƒ¼ã‚¸å¢ƒç•Œã§ãªã‘ã‚Œã°ãªã‚‰ãªã„ã¨ã„ã†ã“ã¨ã§ã™ã€‚
以下ã®ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚ページ境界ã¨ã™ã‚‹ãŸã‚ã€ãƒšãƒ¼ã‚¸ã‚µã‚¤ã‚ºã‚’表示ã—ã¦ã„ã¾ã™ã€‚ãã®å¾Œã€
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
char shellcode[] = "\x08\x01\x00\x58\xe2\x03\x1f\xaa\xe0\x03\x00\x91\xe8\x0b\xbf\xa8\xe1\x03\x00\x91\xe0\x0b\x00\xa9\xa8\x1b\x80\xd2\x01\x00\x00\xd4\x2f\x62\x69\x6e\x2f\x73\x68\x00";
int main()
{
long page_size = sysconf( _SC_PAGESIZE );
printf( "page_size=0x%x\n", page_size );
if( mprotect((void *)0x490000, 0x1940, PROT_READ | PROT_WRITE | PROT_EXEC) == -1 ){
perror( "mprotect failed" );
return 1;
}
( (void (*)())shellcode )();
}
コンパイルã—ã¦ã€å®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚シェルã®èµ·å‹•ã«æˆåŠŸã—ã¾ã—ãŸï¼
$ gcc -g -Wl,-Map=execve_str_fixed.map -static -o execve_str_fixed.out execve_str_fixed.c
$ ./execve_str_fixed.out
page_size=0x1000
$ ls
execve.map execve_chatgpt2.map execve_objdump.s execve_x86.txt
execve.out execve_chatgpt2.out execve_str.c k_and_r_org.c
execve.s execve_chatgpt2.s execve_str.map main_execve.s
execve_c.c execve_chatgpt2_objdump.s execve_str.out memorymap.c
execve_c.out execve_chatgpt_fixed.map execve_str_fixed.c memorymap.out
execve_chatgpt.map execve_chatgpt_fixed.out execve_str_fixed.map
execve_chatgpt.out execve_chatgpt_fixed.s execve_str_fixed.out
execve_chatgpt.s execve_chatgpt_objdump.s execve_str_fixed_objdump.s
$ exit
今回ã¯ã“ã“ã¾ã§ã§ã™ã€‚
ãŠã‚ã‚Šã«
今回ã¯ã€å‚考サイトを見ãªãŒã‚‰ã€execve を使ã£ãŸã‚·ã‚§ãƒ«ã‚’èµ·å‹•ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’ã€æ©Ÿæ¢°èªžã‚’埋ã‚込んã プãƒã‚°ãƒ©ãƒ ã«å¤‰æ›´ã—ã¦å‹•ä½œã‚’確èªã—ã¾ã—ãŸã€‚
çµæ§‹æ™‚é–“ãŒã‹ã‹ã‚Šã¾ã—ãŸãŒã€ä½Žãƒ¬ã‚¤ãƒ¤ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã«ã¤ã„ã¦ã€ã„ã‚ã„ã‚周辺ã®çŸ¥è˜ãŒæ·±ã¾ã‚Šã¾ã—ãŸã€‚
最後ã«ãªã‚Šã¾ã—ãŸãŒã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚°ãƒ«ãƒ¼ãƒ—ã®ãƒ©ãƒ³ã‚ングã«å‚åŠ ä¸ã§ã™ã€‚
気楽ã«ãƒãƒãƒƒã¨ã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ðŸ™‡
今回ã¯ä»¥ä¸Šã§ã™ï¼
最後ã¾ã§ãŠèªã¿ã„ãŸã ãã€ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã—ãŸã€‚
