Designing a Mac OS X Fuzzer (1)
This personal project started with a bet with a friend, so I have been doing research in this area recently. Although I worked with BSD systems a long time ago (about three and a half years), I had never done vulnerability hunting on OS X and did not know where to start, so I spent a week collecting, organizing and reading a lot of material.
After analysis I identified several problems:
1. I have many small fuzzing tools for Windows, all written in Python; porting them to OS X should not be much trouble.
2. The debugger is a problem. On Windows, apart from the 挖地球 debugger written by 突突, I also use pydbg or windbg, but OS X belongs to the BSD branch, and all of these debuggers are "useless" there.
3. Crash file dumps. This is critical: at least for me, the crash file has always been the primary prerequisite for vulnerability analysis. Some bugs are highly timing-dependent, and with a crash file the process of reproducing the bug can continue smoothly.
Solutions:
1. For the debugger I plan to use gdb. Although there is already a project porting pydbg to OS X, it does not seem very stable; I found an open-source pygdb project, but it cannot solve some of my practical problems, so I need to wrap gdb in Python myself.
2. Exception catching: to catch exception signals, gdb has two commands, signals and handle; when an exception occurs, dump the crash file.
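A sketch of the wrapper described in the plan above, added here as an illustration and not code from the post: it raises the core-size limit (what the ulimit commands below do by hand), drives gdb in batch mode with the handle command deciding what happens on SIGSEGV/SIGBUS, and parses the backtrace into a record a fuzzer can bucket duplicate crashes on. It assumes gdb is on PATH and accepts the standard -batch, -x and --args options; the sample output is constructed to match the shape of the gdb session shown later in the post.

```python
"""Added example: minimal Python wrapper around gdb for fuzz crash triage
on OS X.  Assumes gdb on PATH with the standard -batch/-x/--args options.
SAMPLE_GDB_OUTPUT is constructed, modelled on the session in the post."""
import hashlib
import re
import resource
import subprocess
import tempfile

# Commands fed to gdb: decide what to do on a fault (handle), then dump the
# frames and the register state once the target stops.
GDB_SCRIPT = """\
handle SIGSEGV stop print nopass
handle SIGBUS stop print nopass
run
bt
info registers
"""

FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x(?P<pc>[0-9a-fA-F]+) in )?(?P<func>\S+)\s*\(.*\)"
    r"(?:\s+at (?P<file>\S+):(?P<line>\d+))?", re.M)
SIGNAL_RE = re.compile(r"Program (?:received|terminated with) signal (?P<sig>SIG\w+)")
REG_RE = re.compile(r"^(?P<name>[a-z0-9]+)\s+0x(?P<val>[0-9a-fA-F]+)", re.M)


def enable_core_dumps():
    """Equivalent of `ulimit -S -c unlimited`: raise the soft core-size limit
    to whatever the hard limit allows.  Returns the resulting (soft, hard)."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    resource.setrlimit(resource.RLIMIT_CORE, (hard, hard))
    return resource.getrlimit(resource.RLIMIT_CORE)


def gdb_command(target, args=(), script_path="crash.gdb"):
    """argv for one batch gdb run of `target args...` driven by script_path."""
    return ["gdb", "-batch", "-x", script_path, "--args", target, *args]


def bucket_key(frames, depth=3):
    """Hash of the top frames (function name, or pc where there is no symbol),
    so repeated hits of one bug collapse to a single key during fuzzing."""
    parts = [f["func"] if f["func"] != "??" else "0x%x" % (f["pc"] or 0)
             for f in frames[:depth]]
    return hashlib.sha1("|".join(parts).encode()).hexdigest()[:12]


def parse_crash(gdb_output):
    """Turn batch gdb output into {signal, frames, regs, bucket}; signal is
    None when the target exited without faulting."""
    sig = SIGNAL_RE.search(gdb_output)
    frames = {}
    for m in FRAME_RE.finditer(gdb_output):
        n = int(m.group("n"))
        if n in frames:          # keep the first copy if a frame repeats
            continue
        frames[n] = {
            "pc": int(m.group("pc"), 16) if m.group("pc") else None,
            "func": m.group("func"),
            "file": m.group("file"),
            "line": int(m.group("line")) if m.group("line") else None,
        }
    ordered = [frames[k] for k in sorted(frames)]
    regs = {m.group("name"): int(m.group("val"), 16)
            for m in REG_RE.finditer(gdb_output)}
    return {"signal": sig.group("sig") if sig else None,
            "frames": ordered, "regs": regs,
            "bucket": bucket_key(ordered) if ordered else None}


def run_once(target, args=()):
    """Run one fuzz input under gdb and return the parsed crash record."""
    with tempfile.NamedTemporaryFile("w", suffix=".gdb", delete=False) as fh:
        fh.write(GDB_SCRIPT)
    proc = subprocess.run(gdb_command(target, args, fh.name),
                          capture_output=True, text=True)
    return parse_crash(proc.stdout)


# Constructed sample, shaped like the gdb session in the post.
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGBUS, Bus error.
0x00001df2 in fooo (src=0x6161 "") at test.c:27
27          dst[i] = src[i];
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
#1  0x61616161 in ?? ()
eax            0x6177   24951
esp            0xbffff890       0xbffff890
eip            0x1df2   0x1df2
"""

if __name__ == "__main__":
    print(enable_core_dumps())
    print(parse_crash(SAMPLE_GDB_OUTPUT))
```

The bucket key is what makes this usable in a loop: a fuzzer calling run_once on thousands of inputs only needs to keep the first input per key, and a frame like #1 0x61616161 in ?? () (a return address overwritten with attacker-controlled bytes) still buckets stably because the pc is used where no symbol is available.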
# view and set the core file size limit
Mac:~ 7all$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 256
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 266
virtual memory (kbytes, -v) unlimited
# set the core file size to unlimited
Mac:~ 7all$ ulimit -S -c unlimited
Mac:~ 7all$ ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 256
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 266
virtual memory (kbytes, -v) unlimited
Mac:~ 7all$
# test run
Mac:test 7all$ ./test
i = 2
j = 3
foo() return: 106
src length: 84
Bus error (core dumped)
Mac:test 7all$
# directory where OS X stores core files
Mac:test 7all$ ls -lh /cores
total 1090448
-r-------- 1 7all admin 266M 4 15 15:46 core.448
-r-------- 1 7all admin 266M 4 15 15:46 core.452
Mac:test 7all$ otool /cores/core.448
otool: one of -fahlLtdoOrTMRIHScis must be specified
Usage: otool [-fahlLDtdorSTMRIHvVcXm]
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p
-s
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library
-T print the table of contents of a dynamic shared library
-M print the module table of a dynamic shared library
-R print the reference table of a dynamic shared library
-I print the indirect symbol table
-H print the two-level hints table
-v print verbosely (symbolicly) when possible
-V print disassembled operands symbolicly
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
Mac:test 7all$ otool -c /cores/core.448
/cores/core.448:
Argument strings on the stack at: c0000000
./test
./test
TERM_PROGRAM=Apple_Terminal
TERM=xterm-color
SHELL=/bin/bash
TMPDIR=/var/folders/GC/GCWQjeWoG3yiShS5tPYOlE+++TI/-Tmp-/
Apple_PubSub_Socket_Render=/tmp/launch-wNbi0I/Render
TERM_PROGRAM_VERSION=273
OLDPWD=/Users/7all/7fuzzall
USER=7all
COMMAND_MODE=unix2003
SSH_AUTH_SOCK=/tmp/launch-B9dhNR/Listeners
__CF_USER_TEXT_ENCODING=0x1F5:25:52
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin
PWD=/Users/7all/7fuzzall/test
LANG=zh_CN.UTF-8
DIALOG_1_PORT_NAME=com.macromates.dialog_1.328
DIALOG_1=/Applications/TextMate.app/Contents/PlugIns/Dialog.tmplugin/Contents/Resources/tm_dialog
SHLVL=1
HOME=/Users/7all
DIALOG=/Applications/TextMate.app/Contents/PlugIns/Dialog2.tmplugin/Contents/Resources/tm_dialog2
LOGNAME=7all
DIALOG_PORT_NAME=com.macromates.dialog.328
DISPLAY=/tmp/launch-RVYzv3/org.x:0
_=./test
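The argument and environment strings that otool -c prints are exactly what is needed to re-run the crashing invocation. The following is an added example, not code from the post: it parses that listing into the executable path, argv and environment, and builds a shell line that reproduces the run. The sample text is a trimmed, constructed copy of the output above; since otool does not print argc, the argv/env boundary is a heuristic (the trailing run of NAME=value strings), which the comments point out.

```python
"""Added example: recover argv and environment from `otool -c` output of an
OS X core file.  SAMPLE_OTOOL_C is a trimmed, constructed copy of the
listing in the post; the argv/env split is a heuristic."""
import re
import shlex

ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

SAMPLE_OTOOL_C = """\
/cores/core.448:
Argument strings on the stack at: c0000000
./test
./test
TERM_PROGRAM=Apple_Terminal
SHELL=/bin/bash
PWD=/Users/7all/7fuzzall/test
_=./test
"""


def parse_otool_args(text):
    """Return {core, stack_top, exec_path, argv, env} from `otool -c` output."""
    lines = [l for l in text.splitlines() if l.strip()]
    core = lines[0][:-1] if lines[0].endswith(":") else None
    hdr = next(i for i, l in enumerate(lines)
               if l.startswith("Argument strings on the stack at:"))
    stack_top = int(lines[hdr].rsplit(":", 1)[1].strip(), 16)
    strings = lines[hdr + 1:]
    # Layout at the top of the OS X stack: the executable path first, then
    # argv[], then envp[].  argc is not in the listing, so the environment is
    # taken as the trailing run of NAME=value strings; an argv entry that
    # itself looks like NAME=value and sits last in argv would be misfiled.
    end = len(strings)
    while end > 1 and ENV_RE.match(strings[end - 1]):
        end -= 1
    argv = strings[1:end]
    env = dict(s.split("=", 1) for s in strings[end:])
    return {"core": core, "stack_top": stack_top,
            "exec_path": strings[0], "argv": argv, "env": env}


def reproduce_command(rec):
    """Shell line that re-runs the crash with the same argv and environment."""
    env = " ".join(shlex.quote("%s=%s" % kv) for kv in rec["env"].items())
    return "env -i %s %s" % (env, " ".join(shlex.quote(a) for a in rec["argv"]))


if __name__ == "__main__":
    rec = parse_otool_args(SAMPLE_OTOOL_C)
    print(rec)
    print(reproduce_command(rec))
```

Restoring the environment matters more than it looks: the position of the argument strings (and so of any overwritten return address such as 0x61616161) shifts with the size of the environment block, so a crash that depends on stack layout may only reproduce with the same variables in place.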
# debugging the core file with gdb, much like with windbg
Mac:test 7all$ gdb -c /cores/core.448
GNU gdb 6.3.50-20050815 (Apple version gdb-1346) (Fri Sep 18 20:33:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin".
Core was generated by `./test'.
Reading symbols for shared libraries . done
Reading symbols for shared libraries … done
#0 0x00001df2 in fooo (src=0x6161 "") at test.c:27
27 dst[i] = src[i];
(gdb) bt
#0 0x00001df2 in fooo (src=0x6161 "") at test.c:27
#1 0x61616161 in ?? ()
(gdb) info registers
eax 0x6177 24951
ecx 0x0 0
edx 0x16 22
ebx 0x1d93 7571
esp 0xbffff890 0xbffff890
ebp 0xbffff8b8 0xbffff8b8
esi 0x0 0
edi 0x0 0
eip 0x1df2 0x1df2
eflags 0x10206 66054
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) x/i $esp
0xbffff890: adc $0x1f,%al
(gdb) p/x $esp
$1 = 0xbffff890
(gdb)
# gdb with both the core file and the program
Mac:test 7all$ gdb ./test /cores/core.448
GNU gdb 6.3.50-20050815 (Apple version gdb-1346) (Fri Sep 18 20:33:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"…Reading symbols for shared libraries .. done
Core was generated by `./test'.
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
#0 0x00001df2 in fooo (src=0x6161 "") at test.c:27
27 dst[i] = src[i];
(gdb) bt
#0 0x00001df2 in fooo (src=0x6161 "") at test.c:27
#1 0x61616161 in ?? ()
(gdb)
Reference:
http://developer.apple.com/mac/library/documentation/DeveloperTools/gdb/gdb/gdb_6.html#SEC42