0x00 Introduction
In the security field, PWN refers to obtaining a shell on the target host by way of binary vulnerabilities and system calls.
Although web systems still account for a large share of the Internet, with mobile and IoT devices becoming more common, the traditional buffer overflow once again has a place.
0x01 To do a good job, one must first sharpen one's tools
The tools commonly used for PWN under Linux are:
gdb: essential for debugging on Linux
gdb-peda: a convenience plugin for gdb; similar tools include gef and gdbinit. For installing them see: http://blog.csdn.net/gatieme/article/details/63254211
pwntools: a sharp tool for writing exploits and PoCs
checksec: quickly shows which security mitigations an ELF program has enabled and which platform it runs on
objdump and readelf: quickly extract the key information from an ELF program
IDA Pro: a powerful decompiler
ROPgadget: a powerful tool for building ROP chains
one_gadget: quickly finds locations in libc that call exec('/bin/sh')
libc-database: identifies which libc version the remote system is using from a leaked address of one libc function
0x02 Detecting ELF security
(1) After obtaining the ELF, first use checksec to find out which platform it runs on and which security mitigations are enabled. If it was compiled with gcc, all mitigations are enabled by default.
"1" RELRO: there is partial RELRO and full RELRO. If full RELRO is enabled, we cannot modify the GOT.
"2" Stack: if the stack canary is enabled, you cannot overwrite the return address on the stack with a plain overflow; instead you can rewrite pointers and local variables, leak the canary, or overwrite the canary to bypass it.
"3" NX: if NX is enabled, data on the stack has no execute permission, so the old call esp / jmp esp method no longer works and ROP is used to bypass it.
"4" PIE: if the program enables this address randomization option, its address changes every time it runs; without PIE, checksec shows "No PIE (0x400000)", where the value in parentheses is the program's base address.
"5" FORTIFY: the FORTIFY_SOURCE mechanism imposes two restrictions on format strings: (1) a format string containing %n may not be located at a writable address in program memory; (2) when positional parameters are used, all parameters in the range must be used, so if you want to use %7$x, you must also use 1, 2, 3, 4, 5 and 6.
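As an added illustration of what checksec actually reads (this is not code from the original post or from checksec), the following C function reads the PIE, NX and RELRO columns directly from the ELF64 header and program headers; build_sample_elf constructs a minimal sample image so it runs without a real binary. Full RELRO (DT_BIND_NOW in the dynamic section) and the canary (the __stack_chk_fail import) live in the dynamic and symbol tables, which it does not parse.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Mitigation flags read from the ELF64 headers (1 = enabled). */
struct protections { int pie, nx, relro; };

/* Read three of checksec's columns from an ELF64 image in memory: PIE
 * (e_type == ET_DYN), NX (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO
 * present). Returns -1 if the image is not a well-formed ELF64. */
int check_protections(const uint8_t *img, size_t len, struct protections *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, img, sizeof eh);                 /* copy: img may be unaligned */
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff + (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len)
        return -1;
    out->pie = (eh.e_type == ET_DYN);
    out->nx = 0; out->relro = 0;  /* no PT_GNU_STACK at all means an executable stack */
    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            out->nx = !(ph.p_flags & PF_X);
        else if (ph.p_type == PT_GNU_RELRO)
            out->relro = 1;
    }
    return 0;
}

/* Constructed sample: an ELF header plus one or two program headers and no
 * code, just enough for the checks above. Returns the image length. */
size_t build_sample_elf(uint8_t *buf, int pie, int exec_stack, int relro)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = relro ? 2 : 1;
    ph[0].p_type = PT_GNU_STACK;
    ph[0].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    ph[1].p_type = PT_GNU_RELRO;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, eh.e_phnum * sizeof(Elf64_Phdr));
    return sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
}
```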
0x03 Debugging Tips
Commonly used gdb debugging commands:
n: execute one line of source code without stepping into functions
ni: execute one assembly instruction without stepping into functions
s: execute one line of source code, stepping into functions
si: execute one assembly instruction, stepping into functions
c: continue execution to the next breakpoint
b *address: set a breakpoint at the address
directory + source directory: load the program's source code
set follow-fork-mode parent: debug only the parent process
stack: display stack information
x: display memory in hexadecimal; x/{count}x{unit} address shows the data at the given address in hex, where {unit} gives the width (b one byte; h two bytes; w four bytes; g eight bytes; default four bytes)
0x04 Methods for leaking the libc address and version
"1" Use a format string vulnerability to leak data from the stack, find the address of some libc function, use libc-database to determine the remote libc version, and then calculate the libc base. I usually like to find the address of __libc_start_main.
"2" Use the write function: pwntools has the very useful DynELF helper, which uses such a function to compute the program's various addresses, including the base of the function, the libc base and the address of system in libc.
"3" Use the printf function: printf stops output when it encounters 0x00, so if the input is not terminated with a 0x00 byte, the output may leak important data from the stack, such as the address of a libc function.
0x05 Simple Stack Overflow
When the program has no protection enabled:
Method one: the traditional textbook idea is to put shellcode on the stack and then look for a call esp or jmp esp in the program or libc, as in this challenge: http://blog.csdn.net/niexinming/article/details/76893510
Method two: modern operating systems randomize libc's address, so first look for the system function in the program, then lay out the stack space, call gets(.bss) and finally call system('/bin/sh'), as in this challenge: http://blog.csdn.net/niexinming/article/details/78796408
Method three: overwrite a virtual table to exploit the stack overflow. This method was taught to me by teacher m4x and I find it very ingenious, as in this challenge: http://blog.csdn.net/niexinming/article/details/78144301
0x06 Programs with NX enabled
With NX enabled, the stack and .bss section only have read and write permissions and no execute permission, so ROP is needed to obtain a shell. If the program is very complex or statically compiled, ROPgadget can conveniently generate a usable ROP chain directly. Sometimes ROPgadget cannot directly find a usable chain in a program, so it is necessary to analyze the program manually to get a shell, as in these two challenges: http://blog.csdn.net/niexinming/article/details/78259866
0x07 Programs with the canary enabled
With the canary enabled, an ordinary overflow can no longer directly overwrite the function's return address on the stack; you have to use some clever method to bypass it, or exploit the canary's own weakness.
"1" Use the canary to leak the flag. This method cleverly uses a weakness of the canary itself: when __stack_chk_fail is triggered it prints the name of the running program, so we only need to overwrite __libc_argv[0] with the address of the flag to print the flag, as in this challenge: http://blog.csdn.net/niexinming/article/details/78522682
"2" Use the printf function to leak the canary of one child process, then forge the canary on the stack of another child process to bypass canary protection, as in this challenge: http://blog.csdn.net/niexinming/article/details/78681846
0x08 Programs with PIE enabled
"1" Use the printf function to print as much stack data as possible and, from the leaked addresses, calculate the program base, the libc base and the address of system, as in the echo2 writeup in this article: http://blog.csdn.net/niexinming/article/details/78512274
"2" Use the write function to leak the program's key information, which makes it convenient to use DynELF, as in the rsbo2 writeup in this article: http://blog.csdn.net/niexinming/article/details/78620566
0x09 All protections enabled
If the program's stack can be fully controlled, then even with all protections enabled the program can be breached, as in this challenge: http://blog.csdn.net/niexinming/article/details/78666941
0x0a Format String Vulnerability
Format string vulnerabilities are now hard to find in mature software, but this vulnerability is interesting.
"1" pwntools has the very good helpers FmtStr and fmtstr_payload, which automatically compute the exploitable position of the format vulnerability and generate the payload, as in the solutions for echo in http://blog.csdn.net/niexinming/article/details/78699413 and http://blog.csdn.net/niexinming/article/details/78512274
"2" Format string vulnerabilities are also a good companion to information leaks, as in this challenge, where a format string vulnerability is constructed to leak various data: http://blog.csdn.net/niexinming/article/details/78768850
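As an added example (not from the original post or from glibc) covering the two FORTIFY_SOURCE rules listed under 0x02 and the format string vulnerabilities in this section, the following C function re-implements those two checks on a format string; whether the string lives in writable memory is passed in as a flag, since glibc determines that from the process mappings.

```c
#include <stdbool.h>
#include <string.h>

/* Re-implementation of the two FORTIFY_SOURCE format checks:
 *   1. a %n conversion is refused when the format string lives in writable
 *      memory (passed in as a flag here; glibc inspects the mapping itself);
 *   2. with positional parameters (%N$...), every position 1..max must be used.
 * Returns true when the format would be accepted, false when glibc would abort.
 * Simplification: a '*' width or precision does not count as an argument. */
bool fortify_format_ok(const char *fmt, bool fmt_in_writable_memory)
{
    bool used[64] = {false};        /* positions seen, 1-based; 64 is an example limit */
    int max_pos = 0, next_seq = 0;  /* next_seq numbers non-positional conversions */
    bool positional = false;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;    /* literal percent sign, no argument */
        int pos = 0;
        const char *q = p;
        while (*q >= '0' && *q <= '9') pos = pos * 10 + (*q++ - '0');
        if (*q == '$' && pos > 0) { positional = true; p = q + 1; }
        else pos = ++next_seq;      /* digits were a width, not a position */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0') return false;                          /* truncated conversion */
        if (*p == 'n' && fmt_in_writable_memory) return false; /* rule 1 */
        if (pos >= (int)(sizeof used / sizeof used[0])) return false;
        used[pos] = true;
        if (pos > max_pos) max_pos = pos;
    }
    if (!positional) return true;
    for (int i = 1; i <= max_pos; i++)                         /* rule 2 */
        if (!used[i]) return false;
    return true;
}
```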
0x0b UAF Vulnerability
If a heap chunk is freed but the pointer to it is kept rather than cleared to 0, it causes many problems, as in this challenge: http://blog.csdn.net/niexinming/article/details/78598635
0x0c Arbitrary Write
If the program can write anywhere in memory, the power is absolutely great.
"1" Even with only a single byte you can still control the program and get a shell, as in this challenge: http://blog.csdn.net/niexinming/article/details/78542089
"2" Modifying the GOT is a good way to control the program; in many CTF challenges, as long as you can write to the GOT by some method, you can eventually win, as in this challenge: http://blog.csdn.net/niexinming/article/details/78542089
"3" If you can calculate the libc base, controlling the top_chunk pointer is also a good way to solve challenges, as in this challenge: http://blog.csdn.net/niexinming/article/details/78759363
Reprinted from: https://paper.seebug.org/481/
Author: niexinming@n0tr00t Security Team