Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled
Question

Consider the following vulnerable code/program:
    #include <string.h>

    int main(int argc, char *argv[]) {
        char buf[16];
        strcpy(buf, argv[1]);
        return 0;
    }
On IA-32 (x86, 32-bit) running Linux with NX and ASLR enabled, I would exploit this using the GOT-overwrite technique, which essentially includes the following steps:

- Overflow buffer till RIP
- Overwrite RIP with the address of strcpy@plt
- Use a clean gadget from .text, e.g. pop edi ; pop ebp ; ret, as return address for strcpy
- Write arguments for strcpy: &bss-address as destination and one byte of /bin/sh using .text
- Repeat steps 2-4 until /bin/sh is completely written to &bss
- Overwrite GOT-entry of strcpy with system (using offset, requires knowledge about the used version of Libc - let's ignore this here)
- Write strcpy@plt on the stack, followed by some 4-byte chunk and finally address of &bss which points to /bin/sh
- Profit
I want to exploit this on x86-64 with the same mitigation measures enabled. But this is more difficult than imagined. Basically for the following reasons:

- x86-64 register-based calling convention: Function arguments are passed using registers, not the stack. Therefore some additional ROP-gadgets are required to transfer the arguments from the stack into the appropriate register. This is a minor problem, but is also affected by the following problem:
- 64-bit return address: The RIP in x86-64 points to .text, which is not even 32-bit long. Therefore NULL-bytes must be written on the stack to chain function calls. Basically one can write as many NULL-bytes as desired using chained calls to strcpy and taking advantage of the NULL-terminating character strcpy always writes. But one may only call strcpy once by only overwriting the least significant bytes of the RIP.

|0x00000000| (most significant bytes)
|0x00deadbe| <- RIP (least significant bytes)
|0x41414141|
|0x41414141| <- SFP
| ... |
These are the major problems I got with exploiting the program on x86-64 with NX and ASLR enabled. Are there any techniques which solve these problems? Or does x86-64 really prevent a working, shell-opening exploit?
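Every step of the chain in the question rests on one defect in the program at the top: strcpy() copies argv[1] into a 16-byte stack buffer with no bound, so the saved frame pointer and return address are reachable from the command line. The following program is an added example (not code from the question) showing the same program with the copy bounded; bounded_copy() and handle_argument() are hypothetical names introduced here, and the 16-byte buffer size is the one from the question.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for the unbounded strcpy() in the
 * question: copies src into dst only when the string and its NUL
 * terminator fit in dstsz bytes. Returns 0 on success and -1 when the
 * input would overflow, without writing anything past dst in either case. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    if (dstsz == 0) return -1;
    /* Bounded length scan: never read more than dstsz bytes of src. */
    while (n < dstsz && src[n] != '\0') n++;
    if (n == dstsz) return -1;          /* no room left for the terminator */
    memcpy(dst, src, n + 1);            /* n < dstsz, so n + 1 <= dstsz */
    return 0;
}

/* Same 16-byte buffer as the question's main(). Returns 1 when the
 * argument was accepted and 0 when it was rejected as too long; an
 * over-long argument can no longer reach the saved registers. */
int handle_argument(const char *arg) {
    char buf[16];
    if (bounded_copy(buf, sizeof buf, arg) != 0)
        return 0;
    return 1;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (!handle_argument(argv[1])) {
        fprintf(stderr, "rejected: argument longer than 15 bytes\n");
        return 1;
    }
    puts("accepted");
    return 0;
}
```

The length scan is bounded by dstsz rather than using strlen() so that the check itself never reads past a short destination; the rejected-input path is the one to exercise, since that is the input the question's chain starts from.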
Answer

x86-64 does not prevent these types of exploits. See this tutorial.
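Whether the GOT-overwrite step in the question is possible at all depends on two properties that are visible in a binary's ELF headers rather than on the architecture: whether the stack is non-executable (the PT_GNU_STACK segment without the PF_X flag, which is what forces a return-to-PLT/ROP chain instead of plain shellcode), and whether the GOT is still writable when the chain runs. With full RELRO (a PT_GNU_RELRO segment plus BIND_NOW in the dynamic section) the loader resolves every GOT slot at start-up and then maps the range read-only, so overwriting the strcpy GOT entry faults. The following program is an added example, not code from the question or the answer: it classifies both properties from an ELF64 image held in memory. The structure layouts and constants are the System V ABI values, written out so the file does not need <elf.h>; build_sample() fabricates a constructed, header-only image (not a real binary) so the classifier can be exercised offline, and sample_status() is a convenience wrapper introduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ELF64 structures and constants as defined by the System V ABI, spelled
 * out here so the file does not depend on <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64Ehdr;                                                  /* 64 bytes */
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64Phdr;                                                  /* 56 bytes */
typedef struct { int64_t d_tag; uint64_t d_val; } Elf64Dyn;   /* 16 bytes */

enum { PT_DYNAMIC = 2, PT_GNU_STACK = 0x6474e551, PT_GNU_RELRO = 0x6474e552 };
enum { PF_X = 1, PF_W = 2, PF_R = 4 };
enum { DT_NULL = 0, DT_BIND_NOW = 24, DT_FLAGS = 30, DT_FLAGS_1 = 0x6ffffffb };
enum { DF_BIND_NOW = 8, DF_1_NOW = 1 };
enum relro { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };
struct mitigations { int nx_stack; enum relro relro; };

/* Classify NX-stack and RELRO from an ELF64 image held in memory.
 * Returns 0 and fills *out, or -1 if the image is not a usable ELF64
 * file (every header access is bounds-checked against len). */
int classify_elf64(const unsigned char *img, size_t len, struct mitigations *out) {
    Elf64Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -1; /* ELFCLASS64 */
    if (eh.e_phentsize != sizeof(Elf64Phdr) || eh.e_phoff > len) return -1;
    if ((uint64_t)eh.e_phnum * sizeof(Elf64Phdr) > len - eh.e_phoff) return -1;

    /* Without a PT_GNU_STACK header the x86 loader falls back to an executable stack. */
    int has_relro = 0, bind_now = 0;
    out->nx_stack = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            out->nx_stack = (ph.p_flags & PF_X) == 0;
        } else if (ph.p_type == PT_GNU_RELRO) {
            has_relro = 1;                  /* loader remaps this range read-only after relocation */
        } else if (ph.p_type == PT_DYNAMIC) {
            if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
            /* BIND_NOW: every GOT slot is resolved at load time, so RELRO can cover the GOT. */
            for (uint64_t o = 0; o + sizeof(Elf64Dyn) <= ph.p_filesz; o += sizeof(Elf64Dyn)) {
                Elf64Dyn d;
                memcpy(&d, img + ph.p_offset + o, sizeof d);
                if (d.d_tag == DT_NULL) break;
                if (d.d_tag == DT_BIND_NOW) bind_now = 1;
                if (d.d_tag == DT_FLAGS && (d.d_val & DF_BIND_NOW)) bind_now = 1;
                if (d.d_tag == DT_FLAGS_1 && (d.d_val & DF_1_NOW)) bind_now = 1;
            }
        }
    }
    out->relro = !has_relro ? RELRO_NONE : (bind_now ? RELRO_FULL : RELRO_PARTIAL);
    return 0;
}

/* Constructed sample (not a real binary): a header-only ELF64 image carrying
 * just the program headers and dynamic tags the classifier reads. */
size_t build_sample(unsigned char *buf, size_t cap, int exec_stack, int relro, int bind_now) {
    const size_t phoff = sizeof(Elf64Ehdr), dynoff = 256, total = 320;
    Elf64Ehdr eh; Elf64Phdr ph[3]; int n = 0;
    if (cap < total) return 0;
    memset(buf, 0, total); memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, little-endian, version 1 */
    eh.e_type = 3; eh.e_machine = 62; eh.e_version = 1;         /* ET_DYN, EM_X86_64 */
    eh.e_phoff = phoff; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof(Elf64Phdr);
    ph[n].p_type = PT_GNU_STACK; ph[n].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0); n++;
    if (relro) { ph[n].p_type = PT_GNU_RELRO; ph[n].p_flags = PF_R; n++; }
    ph[n].p_type = PT_DYNAMIC; ph[n].p_flags = PF_R | PF_W;
    ph[n].p_offset = dynoff; ph[n].p_filesz = 3 * sizeof(Elf64Dyn); n++;
    eh.e_phnum = (uint16_t)n;
    Elf64Dyn dyn[3] = { { DT_FLAGS, bind_now ? DF_BIND_NOW : 0 },
                        { DT_FLAGS_1, bind_now ? DF_1_NOW : 0 }, { DT_NULL, 0 } };
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + phoff, ph, (size_t)n * sizeof(Elf64Phdr));
    memcpy(buf + dynoff, dyn, sizeof dyn);
    return total;
}

/* Convenience for exercising the classifier on a constructed sample:
 * returns relro * 10 + nx_stack (e.g. 21 = full RELRO, NX stack), or -1. */
int sample_status(int exec_stack, int relro, int bind_now) {
    unsigned char buf[512];
    struct mitigations m;
    size_t n = build_sample(buf, sizeof buf, exec_stack, relro, bind_now);
    if (n == 0 || classify_elf64(buf, n, &m) != 0) return -1;
    return (int)m.relro * 10 + m.nx_stack;
}
```

To check a real binary, read the whole file into a buffer and pass it to classify_elf64(); the same three facts are what `readelf -lW` (GNU_STACK flags, GNU_RELRO) and `readelf -dW` (BIND_NOW / FLAGS_1 NOW) print. Linking with `-Wl,-z,relro,-z,now` produces the full-RELRO case, which is the configuration under which the GOT-overwrite step in the question is no longer available; a non-executable stack is the linker default unless some object file requests otherwise.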