Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled


Question

Consider the following vulnerable code/program:

#include <string.h>

int main(int argc, char *argv[]) {
    char buf[16];
    /* no length check: an argv[1] longer than 15 bytes overflows buf */
    strcpy(buf, argv[1]);

    return 0;
}

On IA-32 (x86, 32-bit) running Linux with NX and ASLR enabled, I would exploit this using GOT-overwrite technique, which essentially includes the following steps:

  1. Overflow buffer till RIP
  2. Overwrite RIP with the address of strcpy@plt
  3. Use a clean gadget from .text, e.g. pop edi ; pop ebp ; ret, as return address for strcpy
  4. Write arguments for strcpy: &bss-address as destination and one byte of /bin/sh using .text
  5. Repeat steps 2-4 until /bin/sh is completely written to &bss
  6. Overwrite GOT-entry of strcpy with system (using offset, requires knowledge about the used version of Libc - let's ignore this here)
  7. Write strcpy@plt on the stack, followed by some 4-byte chunk and finally address of &bss which points to /bin/sh
  8. Profit

I want to exploit this on x86-64 with the same mitigation measures enabled. But this is more difficult than imagined. Basically for the following reasons:

  1. x86-64 register-based calling convention: Function arguments are passed using registers, not the stack. Therefore some additional ROP-gadgets are required to transfer the arguments from the stack into the appropriate register. This is a minor problem, but is also affected by the following problem:
  2. 64-bit return address: The RIP in x86-64 points to .text which is not even 32-bit long. Therefore NULL-bytes must be written on the stack to chain function calls. Basically one can write as many NULL-bytes as desired using chained calls to strcpy and taking advantage of the NULL-terminating character strcpy always writes. But one may only call strcpy once by only overwriting the least significant bytes of the RIP.

|0x00000000|        (most significant bytes)
|0x00deadbe| <- RIP (least significant bytes)
|0x41414141|
|0x41414141| <- SFP
|   ...    | 

These are the major problems I got with exploiting the program on x86-64 with NX and ASLR enabled. Are there any techniques which solve these problems? Or does x86-64 really prevent a working, shell-opening exploit?
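As an added example (not code from the question or its answer): the same program with the argv[1] copy bounds-checked so it refuses oversize input instead of overflowing buf, plus the build flags that address the individual steps of the chain described above. The names copy_arg and BUF_SIZE are my own.

```c
/* Added example (not from the original question): the vulnerable program above,
 * rewritten so the argument copy is bounds-checked and rejects input that does
 * not fit instead of overflowing buf. The build flags in the comment before
 * main() each counter one step of the ROP / GOT-overwrite chain discussed. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Copy src into dst[dstsz]. Returns 0 on success, -1 if src (plus its NUL
 * terminator) does not fit; dst is left as an empty string in that case so a
 * caller can never consume a partially written, unterminated buffer. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* Bounded scan: never look past dstsz bytes of src, however long it is. */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz) {          /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n < dstsz, so n + 1 bytes always fit */
    return 0;
}

/* Build with:
 *   gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie \
 *       -Wl,-z,relro,-z,now -o safe safe.c
 * -fstack-protector-strong: a canary below the saved RIP aborts on a linear overwrite
 * -D_FORTIFY_SOURCE=2:      strcpy/memcpy into a buffer of known size abort on overflow
 * -fPIE -pie (with ASLR):   .text is randomized too, so fixed gadget addresses in .text
 *                           are no longer known to an attacker
 * -z relro -z now:          all symbols are bound at load time and the GOT is then
 *                           made read-only, so the strcpy GOT entry cannot be overwritten */
int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];
    if (argc < 2 || copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <argument of at most %d bytes>\n", argv[0], BUF_SIZE - 1);
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}
```

The -z relro,-z now pair is the one that directly removes the GOT-overwrite step; the others stop the chain earlier, at the RIP overwrite or at the gadget lookup.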

Answer

x86-64 does not prevent this type of exploit. See this tutorial.
