[so] pages and execute permissions in Linux. security. (corrected text, v2)

Dragos Tarcatu tarcatu_dragosh at yahoo.com
Wed Jun 6 16:18:43 EEST 2012


Alexandru,

I think the problem comes from the fact that you are not compiling the program the way it should be compiled (correct stack alignment + disabling the stack-smashing protection mechanisms). I made a few changes to the shellcode [1] and included a Makefile [2].


In principle, from what I can see, the biggest impact comes from the -z execstack flag, which explicitly marks pages as executable:

Here is how it went for me:

-z execstack disabled:

[dtarcatu at wlan-itc-lnx-shell21 test]$ gdb ./test
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-32.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /homes/dtarcatu/workspace/test/test...done.
(gdb) break main
Breakpoint 1 at 0x804837a: file test.c, line 20.
(gdb) run
Starting program: /homes/dtarcatu/workspace/test/test

Breakpoint 1, main () at test.c:20
20          ret = (int *)&ret + 2;
(gdb) s
21          *ret = (int)sc;
(gdb) s
23          return 0;
(gdb) s
24      }
(gdb) s
0x080495dc in sc ()
(gdb) s
Single stepping until exit from function sc,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0x080495dc in sc ()

Address space layout:

22760:   /homes/dtarcatu/workspace/test/test
0034f000      4K r-x--    [ anon ]
0052d000    108K r-x--  /lib/ld-2.5.so
00548000      4K r----  /lib/ld-2.5.so
00549000      4K rw---  /lib/ld-2.5.so
00551000   1356K r-x--  /lib/libc-2.5.so
006a4000      8K r----  /lib/libc-2.5.so
006a6000      4K rw---  /lib/libc-2.5.so
006a7000     12K rw---    [ anon ]
08048000      4K r-x--  /homes/dtarcatu/workspace/test/test
08049000      4K rw---  /homes/dtarcatu/workspace/test/test
b7fe8000      8K rw---    [ anon ]
bffea000     84K rw---    [ stack ]
 total     1600K


-z execstack enabled:

[dtarcatu at wlan-itc-lnx-shell21 test]$ gdb ./test
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-32.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /homes/dtarcatu/workspace/test/test...done.
(gdb) break main
Breakpoint 1 at 0x804837a: file test.c, line 20.
(gdb) run
Starting program: /homes/dtarcatu/workspace/test/test
warning: .dynamic section for "/lib/libc.so.6" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations

Breakpoint 1, main () at test.c:20
20          ret = (int *)&ret + 2;
(gdb) s
21          *ret = (int)sc;
(gdb) s
23          return 0;
(gdb) s
24      }
(gdb) s
0x080495dc in sc ()
(gdb) s
Single stepping until exit from function sc,
which has no line number information.
Executing new program: /bin/bash

Breakpoint 1, 0x0805d921 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
sh-3.2$ 


Address space layout:

22802:   /homes/dtarcatu/workspace/test/test
00110000   1356K r-x--  /lib/libc-2.5.so
00263000      8K r-x--  /lib/libc-2.5.so
00265000      4K rwx--  /lib/libc-2.5.so
00266000     12K rwx--    [ anon ]
0052d000    108K r-x--  /lib/ld-2.5.so
00548000      4K r-x--  /lib/ld-2.5.so
00549000      4K rwx--  /lib/ld-2.5.so
00627000      4K rwx--    [ anon ]
006fc000      4K rwx--    [ anon ]
007dd000      4K r-x--    [ anon ]
08048000      4K r-x--  /homes/dtarcatu/workspace/test/test
08049000      4K rwx--  /homes/dtarcatu/workspace/test/test
bffea000     84K rwx--    [ stack ]
 total     1600K


Thanks,

    Dragoș


PS: Apparently I can't get attachments through the proxy, so I'm listing the code inline ...

[1]
char sc[]=              /* 24 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    //"\x99"                 /* cdql                           */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

int main()
{
    int *ret;

    ret = (int *)&ret + 2;
    *ret = (int)sc;

    return 0;
}

[2]
all: astest test

# recipe lines must be indented with a tab, not spaces
test: test.c
	gcc -g -ggdb -mpreferred-stack-boundary=2 -o test test.c -fno-stack-protector -z execstack

# depend on astest.s so the target is rebuilt when the source changes
astest: astest.s
	as -o astest.o astest.s -ggstabs
	ld -o astest astest.o

clean:
	rm -f *~ *.o test astest

[*]
.text
.globl _start


_start:

xorl    %eax,%eax
pushl   %eax
pushl   $0x68732f2f
pushl   $0x6e69622f
movl    %esp,%ebx
pushl   %eax
pushl   %ebx
movl    %esp,%ecx
#cdql
movb    $0x0b,%al
int     $0x80
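The two pmap listings above show the whole point of the thread from the defender's side: with -z execstack the binary's PT_GNU_STACK program header carries the PF_X bit, the kernel maps the stack rwx, and (on 32-bit x86 kernels of that era) every other readable mapping, including libc's data and the heap, becomes executable too. The following is an added example, not code from Dragoș's message or from the course: a small Python checker that reads the ELF program headers directly (no readelf or execstack tool needed), reports whether a binary asks for an executable stack, and lists any PT_LOAD segment that is both writable and executable. The build_elf32 helper and the two sample images are constructed here purely as offline input; they are not the test binary from the post.

```python
"""Report whether an ELF binary requests an executable stack (PT_GNU_STACK
with PF_X, which is what `ld -z execstack` writes) and whether any PT_LOAD
segment is mapped writable and executable. Pure Python, no readelf needed.
Added example for this thread; not code from the original message."""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # program header type carrying the stack flags
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags bits


def parse_program_headers(data):
    """Return [(p_type, p_flags), ...] from an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # 1 = little-endian, 2 = big-endian
    if ei_class == 1:                           # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, flags_idx = end + "IIIIIIII", 6    # p_flags is the 7th phdr field
    elif ei_class == 2:                         # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, flags_idx = end + "IIQQQQQQ", 1    # p_flags is the 2nd phdr field
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    headers = []
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        headers.append((ph[0], ph[flags_idx]))
    return headers


def flags_str(p_flags):
    """Render p_flags the way pmap prints them: 'rwx', 'r-x', ..."""
    return ("r" if p_flags & PF_R else "-") + ("w" if p_flags & PF_W else "-") \
        + ("x" if p_flags & PF_X else "-")


def stack_policy(data):
    """'exec' if PT_GNU_STACK carries PF_X, 'noexec' if it is present without
    PF_X, 'absent' if the header is missing (the kernel then falls back to an
    executable stack on most architectures, so 'absent' is as bad as 'exec')."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "absent"


def rwx_load_segments(data):
    """Flag strings of PT_LOAD segments that are both writable and executable."""
    return [flags_str(f) for t, f in parse_program_headers(data)
            if t == PT_LOAD and (f & PF_W) and (f & PF_X)]


def build_elf32(phdrs):
    """Constructed minimal little-endian i386 ELF32 image (header plus program
    headers, no loadable bytes) used here only as offline sample input."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0,
                        52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0)
                    for t, f in phdrs)
    return ehdr + body


# Sample inputs (constructed): what `-z execstack` vs `-z noexecstack` produce.
EXECSTACK_IMAGE = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                               (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NOEXECSTACK_IMAGE = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                                 (PT_GNU_STACK, PF_R | PF_W)])


def report(data):
    """Summary a build-hardening check would log for one binary."""
    return {"stack": stack_policy(data),
            "rwx_load_segments": rwx_load_segments(data)}


if __name__ == "__main__":
    # Usage: python check_execstack.py ./test /bin/bash ...
    if len(sys.argv) == 1:
        print("execstack sample  :", report(EXECSTACK_IMAGE))
        print("noexecstack sample:", report(NOEXECSTACK_IMAGE))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, report(f.read()))
```

Running it against the test binary from the Makefile above should report stack "exec", and rebuilding without -z execstack (or with -z noexecstack) should flip that to "noexec"; that single header bit is what turns the rw--- stack of the first pmap listing into the rwx-- stack of the second.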