2025-03-28 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/02 Report
This article walks through a set of Linux binary exploitation development tasks as a worked example. The content is detailed and easy to follow, the operational details are sound, and it has some reference value; if you are interested, read on to learn more about this "example analysis of Linux binary exploitation development tasks".
Linux PWN is not hard
This is a set of Linux binary exploitation development tasks for beginners. At present the material focuses on stack buffer overflow problems.
I created this project to learn how to perform simple binary exploitation on different architectures. For educational purposes, the rules listed below must be followed when solving this series of tasks. The tasks themselves are very small, and some of the rules are deliberately artificial. This is the opposite of most CTF challenges, because here the tasks and their intended approach are handed to you directly and you only need to implement them.
Rules
1. All tasks must be solved using the suggested method, even if you know a simpler way.
2. All tasks must be solved assuming the specified protections are enabled or disabled, even if the architecture, toolchain, or particular environment does not support them.
3. All tasks assume a dynamically linked libc and known binaries.
4. All ROP chains must be constructed manually.
Tasks and suggested methods
1. 01-local-overflow: overflow the buffer and override the value of x.
2. 02-overwrite-ret: overwrite a return address on the stack with the address of not_called().
3. 03-one-gadget: jump to a one_gadget address, making sure its constraints are satisfied; on some architectures a ROP chain may be needed for this.
4. 04-shellcode-static: place shellcode on the stack and start /bin/sh.
5. 05-shellcode-dynamic: same as the previous task, but here the stack address is unknown.
6. 06-system-rop: build a ROP chain that calls system("/bin/sh").
7. 07-execve-rop: build a ROP chain that executes execve("/bin/sh", NULL, NULL) via a syscall.
8. 08-overwrite-global: build a ROP chain that overwrites the value of x and then jumps to not_called().
Protection mechanisms
In the protection table, a blank cell means that the state of that protection is not relevant to the suggested method.
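Before starting a task it is worth confirming which protections a given build actually has, since the tasks are compiled for several architectures and the rules ask you to assume states the toolchain may not honour. The following is an added example, not part of the original project: it reads PIE, NX and RELRO straight from the ELF and program headers (32- and 64-bit, either endianness), and builds a constructed sample ELF inline so it runs offline. Canary detection needs symbol lookup and is not covered.

```python
import struct
# ELF constants (from the ELF specification); machine ids for the task architectures.
ET_DYN, PF_X = 3, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
MACHINES = {3: "x86", 62: "x86-64", 40: "arm", 183: "aarch64", 8: "mips",
            20: "powerpc", 21: "powerpc64", 43: "sparc64"}

def elf_protections(data):
    """Read PIE / NX / RELRO from the ELF and program headers (canary needs symbols, not covered)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = ">" if data[5] == 2 else "<"   # EI_DATA: 1 = little endian, 2 = big endian (mips, ppc, sparc)
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags directly follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "arch": MACHINES.get(e_machine, hex(e_machine)),
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the loader defaults to an executable stack on most arches
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
    }

def build_elf(is64, big_endian, e_type, e_machine, phdrs):
    """Constructed sample input: just an ELF header plus (type, flags) program headers."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + b"\0" * 9
    if is64:
        ehdr = struct.pack(end + "HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        ehdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return ident + ehdr + body
```

To check a real task binary, pass `open(path, "rb").read()` to `elf_protections` instead of the constructed sample.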
Disable ASLR:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Enable ASLR:
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
Solutions
These solutions are for reference only and do not necessarily apply to all scenarios.
Environment requirements
These tasks have been tested on an x86-64 machine running Linux Mint 19.1. The relevant software versions are:
Tool installation packages:
sudo apt-get install build-essential
sudo apt-get install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-mips-linux-gnu gcc-mips64-linux-gnuabi64 gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-sparc64-linux-gnu
sudo apt-get install libc6-dev:i386 libc6-armhf-cross libc6-arm64-cross libc6-mips-cross libc6-mips64-cross libc6-powerpc-cross libc6-ppc64-cross libc6-sparc64-cross
sudo apt-get install qemu-user
sudo apt-get install gdb gdb-multiarch
# These are probably not required, but just in case:
# sudo apt-get install gcc-7-multilib gcc-multilib-arm-linux-gnueabi gcc-multilib-mips-linux-gnu gcc-multilib-mips64-linux-gnuabi64 gcc-multilib-powerpc-linux-gnu gcc-multilib-powerpc64-linux-gnu
Build the code: ./build.sh
Install pwntools and ropper using pip: pip install --user pwntools ropper
Set up qemu-binfmt for QEMU and pwntools:
sudo mkdir /etc/qemu-binfmt
sudo ln -s /usr/arm-linux-gnueabihf/ /etc/qemu-binfmt/arm
sudo ln -s /usr/aarch64-linux-gnu/ /etc/qemu-binfmt/aarch64
sudo ln -s /usr/mips-linux-gnu/ /etc/qemu-binfmt/mips
sudo ln -s /usr/mips64-linux-gnuabi64/ /etc/qemu-binfmt/mips64
sudo ln -s /usr/powerpc-linux-gnu/ /etc/qemu-binfmt/ppc
sudo ln -s /usr/powerpc64-linux-gnu/ /etc/qemu-binfmt/ppc64
sudo ln -s /usr/sparc64-linux-gnu/ /etc/qemu-binfmt/sparc64