Binary Exploitation Misc
Table of Contents
tags: Security PWN
Online Resources
Tricks
create program
create 32 bit program using GCC
apt-get install g++-multilib
gcc -m32 hello.c
remove symbols
strip hello
Debug
LD_PRELOAD
自製 library 取代動態聯結
//main.c
#include <stdio.h>
#include <math.h>
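/* Read one double from stdin and print its square root.
 * sqrt() is resolved by the dynamic linker at run time, which is what lets
 * a preloaded library (hook.c below) substitute its own definition.
 * Returns 0 on success, 1 when no number could be parsed. */
int main(void)
{
    double x;
    /* scanf returns the count of converted items; on bad input x would be
     * uninitialised, so stop instead of passing garbage to sqrt(). */
    if (scanf("%lf", &x) != 1)
        return 1;
    printf("%f\n", sqrt(x));
    return 0;
}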
//hook.c
/* Stand-in for libm's sqrt(): ignores its argument and always yields 2.
 * When hook.so is loaded through LD_PRELOAD the loader binds main's
 * sqrt() call to this definition instead of the one in libm. */
double sqrt(double x)
{
    (void)x;
    return 2.0;
}
# Build the target; -lm links libm, where sqrt() normally lives.
$ gcc -o main main.c -lm
//-m32 to build 32-bit program
# Build the hook as a shared object (add -fPIC if the linker complains).
$ gcc -o hook.so -shared hook.c
//-fPIC
# LD_PRELOAD makes the loader resolve symbols from hook.so before libm,
# so main's sqrt() call lands in hook.c. It only affects this process, and
# the loader ignores it for setuid/setgid programs (secure-execution mode).
$ LD_PRELOAD=./hook.so ./main
remove alarm (for debugging)
vim ./printable
alarm => isnan: `s/alarm/isnan/g` (same length, so the binary's layout is unchanged and the call becomes a harmless isnan)
Information Leak
No null byte
about stack
在 stack 上面找有沒有一個不錯的 pointer (差小於1, 2 bytes) 可以指到 printf 的 return address 找看看 data 段的 60 開頭在 program 裡的 data or rawdata
hooks
glibc 中存在許多 function hooks,在攻擊時如果能達到 arbitrary write 或任意寫, hooks 會是一個很好的寫入目標,來做到 control flow 在執行該 function 時,發現該 function hook 有值,則當作 function pointer 跳上去執行
/* glibc's malloc entry point (excerpt). Before doing any allocator work it
 * reads the __malloc_hook variable; if that pointer is non-NULL the hook is
 * called instead of malloc, with the requested size and the caller's
 * address, and its return value is handed straight back to the caller.
 * A writable function pointer that is consulted on every malloc() call is
 * why overwriting it redirects control flow. This applies to older glibc;
 * current releases no longer ship these hooks. */
void *
__libc_malloc (size_t bytes)
{
mstate ar_ptr;
void *victim;
/* atomic read of the hook pointer; non-NULL means "call the hook" */
void *(*hook) (size_t, const void *) = atomic_forced_read (__malloc_hook);
/* __builtin_expect(..., 0): the hook is expected to be NULL */
if (__builtin_expect (hook != NULL, 0))
return (*hook)(bytes, RETURN_ADDRESS (0));
...
}
Knowledge
A misaligned stack breaks the process (e.g. MOVAPS faults on an unaligned operand)
MOVAPS — Move Aligned Packed Single-Precision Floating-Point Values
Trouble Shooting
running a 32-bit program on a 64-bit system fails with the error message “no such file or directory”
dpkg --add-architecture i386
apt-get update
apt-get install libc6:i386
Tools
ncat
# Expose ./a.out on TCP 8888. -k: keep listening after a client disconnects,
# -l: listen, -n: no DNS, -v: verbose, -e: run ./a.out with the socket as its
# stdin/stdout. Nothing restricts who may connect; for local debugging give
# ncat a listen address (it takes one before the port) so it stays on 127.0.0.1.
nc -kl -n -v 8888 -e ./a.out
# Same idea via --sh-exec, but the program runs under ltrace with calls
# filtered to the bundled libc-2.27.so, so the library calls it makes are
# logged on the serving side.
nc -kl -n -v 7777 --sh-exec "ltrace -l ./libc-2.27.so -x @ ./whitehole"
# -S additionally records system calls alongside the library calls.
nc -kl -n -v 7777 --sh-exec "ltrace -S -l ./libc-2.27.so ./whitehole"
socat
socat tcp-listen:12398 exec:./a.out
ldd
print shared object dependencies (dynamically linked binaries)
mapping 位置
ldd read library
strace
trace system calls
顯示syscall
strace ./printable
ltrace
trace library calls
hexdump
readelf
readelf -l a.out
readelf -aW libc | grep atexit
readelf -S 讀 section header
readelf -r a.out
read got
objdump
objdump -f a.out
objdump -T /lib/x86_64-linux-gnu/libc.so.6 | grep puts
找 offset
我們可利用 objdump -T libc.so.6 | grep function 來找尋想找的 function 在libc 中的 offset
objdump -R ./bof GOT Table
gcc
Seccomp Tools
pwntools
OneGadget
ROPgadget
ctypes
can be used to call C library functions from Python
from ctypes import *

# Load the process's C library; attribute access yields a callable foreign function.
libc = CDLL('libc.so.6')
# rand() is never seeded here, so (per the C standard's srand(1) default)
# the printed value is the same on every run.
print(libc.rand())
# Variadic C call: ctypes passes Python ints as C int and bytes as char*.
# NOTE(review): libc's stdio buffer is separate from Python's, so this line
# may appear out of order relative to print() output — flush if it matters.
libc.printf(b'%d %d\n',1 ,2)
remoterand
Q:
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
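/* Challenge program: seeds rand() with the current second and asks the
 * client to guess the next rand() value. Because the seed is time(NULL),
 * anyone who knows when the process started can reproduce the value with
 * the same libc (see the solve script that follows).
 * Returns 0 after an answer is checked, 1 if no integer could be read. */
int main(void)
{
    int x;
    srand(time(NULL));
    /* unbuffered stdio so nothing is held back when stdin/stdout is a socket */
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    /* without this check x would be compared while uninitialised on bad input */
    if (scanf("%d", &x) != 1)
        return 1;
    if (rand() == x)
        puts("You get it!");
    return 0;
}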
solve:
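from pwn import *
from ctypes import *

context.update(arch="amd64", os="linux")

# Use the local libc's srand()/rand(): the challenge seeds with time(NULL),
# so seeding with the same second reproduces its rand() output.
# Assumes the remote uses the same libc PRNG and that both clocks agree to
# the second — a one-second skew makes the guess miss.
libc = CDLL("libc.so.6")

r = remote("140.113.216.190", 30004)
libc.srand(libc.time(0))
guess = libc.rand()
# pwntools tubes take bytes; encode explicitly instead of relying on the
# library's str-to-bytes fallback.
r.sendline(str(guess).encode())
print(r.recv())
r.close()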