Linux under PWN from getting started to giving up

Source: Internet
Author: User

Introduction to Linux under PWN from getting started to abandoning 0x0

PWN, in the security realm, is the shell that obtains the target host by means of binary/system call.

Although the web system in the Internet occupies a relatively large component, but with the mobile side, the gradual popularity of the IoT, the traditional buffer overflow once again have authorizing place

0x01 工欲善其事, its prerequisite

The tools commonly used in PWN under Linux are:

    1. Gdb:linux necessary in the commissioning of the
    2. Gdb-peda:gdb easy to debug tools, similar tools have Gef,gdbinit, the installation of these tools can be consulted: http://blog.csdn.net/gatieme/article/details/63254211
    3. Pwntools: Write the exp and POC weapon
    4. Checksec: It is easy to know the security of ELF programs and the running platform of programs
    5. Objdump and Readelf: You can quickly know the key information in the ELF program
    6. Ida Pro: Powerful anti-compilation tools
    7. Ropgadget: A powerful tool for ROP use
    8. One_gadget: Can quickly find the location of call exec (' bin/sh ') in libc
    9. Libc-database: You can find out which libc version of the remote system is using a function address of the leaked libc
0x02 Detection of ELF security:

(1) To get the EFL, the first thing to use CHECKSEC to detect Elf running on which platform, what security is turned on, if you compile with GCC, the default is to turn on all security measures.

"1" RELRO:RELRO will have partial RELRO and full RELRO, if full RELRO is turned on, it means we cannot modify the Got table
"2" stack: If Canary found is turned on in the stack, it is not possible to overwrite the return address of the stack directly with the overflow method, and to bypass the method of overwriting pointers and local variables, leak canary, overwrite Canary.
"3" Nx:nx enabled if this protection is turned on means that the data in the stack does not have permission to execute, the previously used call ESP or JMP ESP method cannot be used, but ROP can be used to bypass
"4" Pie:pie enabled if the program turns on this address randomization option means that the address will change every time the program is run, and if no pie is opened then no pie (0x400000), the data in parentheses is the base address of the program.
The "5" Fortify:fortify_source mechanism has two restrictions on the formatted string (1) a formatted string containing%n cannot be located in the writable address of the program memory. (2) When using positional parameters, all parameters within the range must be used. So if you want to use%7$x, you have to use both 1,2,3,4,5 and 6.

0x03 Debugging Tips

Debug commands commonly used by GDB:
N: Executes a line of source code but does not enter inside the function
NI: Executes a line of assembly code but does not enter inside the function
S: Executes a line of source code and goes inside the function
Si: Executes a line of assembly code and goes inside the function
C: Continue execution to the next breakpoint
b * Address: Next Breakpoint
directory+ Source directory: Loading program source code
Set Follow-fork-mode Parent: Debug only the main process
Stack: Display stack information
X: Displays the memory data in hexadecimal format, where x/{bytes}x Displays the data at the specified address in 16 binary; {bytes} indicates the number of bytes established (b single-byte; h DWORD; w four bytes; g eight bytes; default is four bytes)

The program does not have open address randomization:

def debug (addr):    raw_input (' debug: ')    Gdb.attach (R, "b *" + addr)

This function is called when the program is running and can be debugged.

Program Open Address randomization:

Wordsz = 4hwordSz = 2bits = 32PIE = 0mypid=0def Leak (address, size): With open ('/proc/%s/mem '% mypid) as Mem:mem. Seek (address) return Mem.read (size) def findmodulebase (PID, mem): name = Os.readlink ('/proc/%s/exe '% pid) with op En ('/proc/%s/maps '% pid) as Maps:for line in Maps:if name in line:addr = Int (line.split ('-') [0               ], 4) mem.seek (addr) if Mem.read () = = "\x7felf": Bitformat = U8 (Leak (addr + 4, 1)) if Bitformat = = 2:global WORDSZ global HWORDSZ Global bit s WORDSZ = 8 Hwordsz = 4 bits = addr return log.fail   Ure ("Module ' s base Address not found.") Sys.exit (1) def debug (addr = 0): Global mypid mypid = Proc.pidof (R) [0] Raw_input (' debug: ') with open ('/proc/%s/ Mem '% mypid) as Mem:modulebase = Findmodulebase (mypid, mem) Gdb.attach (R, "set Follow-foRk-mode PARENT\NB * "+ hex (MODULEBASE+ADDR)) 

Since Ida Pro opens the program after opening the address randomization, the program's offset address is displayed instead of the actual address, and the actual address of the program after the program is loaded is: base site + offset address, when invoking the debug function, just pass the offset address in.

0x04 disclosure of libc address and version methods

"1" Using the format of the string vulnerability to disclose the data in the stack, to find a libc function address, and then use Libc-database to determine the version of the remote libc, and then calculate the base address of the libc, the general problem I like __libc_start_main to find addresses

"2" using write this function, Pwntools has a very useful function dynelf to use this function to calculate the various addresses of the program, including the base address of the function, the base address of the libc, libc the address of the system

"3" Using the printf function, the printf function output when encountering 0x00 will stop the output, if the input is not filled with 0x00 at the last byte, then the output can reveal the stack of important data, such as the libc of a function address

0x05 Simple Stack Overflow

The program does not have any protection enabled:

Method One: The traditional textbook idea is to write shellcode into the stack, and then find the program or libc there is no call ESP or JMP ESP, such as this topic: http://blog.csdn.net/niexinming/article/ details/76893510

Method Two: But the modern operating system in the LIBC will turn on the address randomization, so first look for the program system function, then layout stack space, call get (. BSS), and finally call system ('/bin/sh ') such as the topic:/HTTP blog.csdn.net/niexinming/article/details/78796408

Method Three: Cover the virtual table way to exploit the stack overflow vulnerability, this method is M4x master taught me method, I think very ingenious, such as this topic: http://blog.csdn.net/niexinming/article/details/78144301

0X06 Opening NX Program

Open NX after the stack and BSS section only read and write permissions, no execution permissions, so it is necessary to use ROP this method to get system permissions, if the program is very complex, or the program is static compilation, then you can use ropgadget this tool is very convenient to directly generate ROP using the chain. Sometimes many programs can not directly use ropgadget This tool directly find the use of the chain, so it is necessary to manually analyze the program to Getshell, such as these two topics: http://blog.csdn.net/niexinming/article/details/78259866

0X07 Opening the Canary program

When you turn on Canary, you cannot directly use the normal overflow method to overwrite the function return address in the stack, and use some ingenious methods to circumvent or exploit the weaknesses of canary itself.

"1" The use of Canary leaked flag, this method is a clever use of Canary's own weaknesses, when __stack_check_fail , will print out the name of the running program, so we can just __libc_argv[0] overwrite the flag address will be able to print the flag, such as the topic: HTTP ://blog.csdn.net/niexinming/article/details/78522682

"2" using the printf function to reveal the canary of a child process, and then Forge Canary in another subprocess stack can bypass Canary protection, such as the topic: http://blog.csdn.net/niexinming/article/ details/78681846

0X08 Open Pie Program

"1" Use the printf function to print as many stacks as possible, according to the leaked address to calculate the program base address, libc base address, system address, such as this article Echo2 wp:http://blog.csdn.net/niexinming/ article/details/78512274

"2" uses the key information of the write disclosure program, so that it is convenient to use the Dynelf function, such as the Rsbo2 of this article: http://blog.csdn.net/niexinming/article/details/78620566

0X09 All Protection Open

If the stack of the program can be fully controlled, then the protection of the program will be completely opened to be compromised, such as the topic: http://blog.csdn.net/niexinming/article/details/78666941

0x0a formatting a string vulnerability

Formatting vulnerabilities are now hard to come by in mature software, but the vulnerability is interesting

The "1" pwntools has very good functions fmtstr and fmtstr_payload to automatically calculate the exploit point of the formatting vulnerability, and automatically generate payload, such as this topic: http://blog.csdn.net/niexinming/ The solving of echo in article/details/78699413 and http://blog.csdn.net/niexinming/article/details/78512274

The "2" format vulnerability is also a good companion for information disclosure, such as the problem of creating a formatted string vulnerability that leaks various data http://blog.csdn.net/niexinming/article/details/78768850

0x0b UAF Vulnerability

If the heap is released and the pointer is not cleared 0, and the pointer is saved, there are many problems, such as the topic http://blog.csdn.net/niexinming/article/details/78598635

0x0c Write Anywhere

If the program can write anywhere in memory, then the power is absolutely great.

"1" Although only write one byte, but still can control program and Getshell, such as this topic http://blog.csdn.net/niexinming/article/details/78542089

"2" to modify the Got table is a good way to control procedures, many of the CTF topics as long as the got can be controlled by various means of writing, you can eventually win, such as the title: http://blog.csdn.net/niexinming/article/details/78542089

"3" If you can calculate the base address of libc, control Top_chunk Pointer is also a good way to solve problems, such as the topic: http://blog.csdn.net/niexinming/article/details/78759363

Linux under PWN from getting started to giving up

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.