
A record of studying the security of Linux executables

Posted at 2021-05-12

$ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

ASLR

ASLR(Address Space Layout Randomization)

Checking the current ASLR setting (ASLR enabled = default)

$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

malloc with ASLR enabled

# ./a.out '%08x'
[+] secret = 0x557f73997260
length = 2000
9245e5ce
# ./a.out '%08x'
[+] secret = 0x56391c287260
length = 2000
8fc8b5ce

ASLR disabled

# sudo sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0

malloc with ASLR disabled

# ./a.out '%08x'
[+] secret = 0x555555756260
length = 2000
ffffe5ce
# ./a.out '%08x'
[+] secret = 0x555555756260
length = 2000
ffffe5ce
$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

SSP

SSP(Stack Smashing Protection)
Verified with WaniCTF 2020 pwn 02 var rewrite

CANARY : ENABLED

$ gcc ./pwn02.c -o pwn021 -no-pie

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

$ (echo "AAAAAAAAAAWANI"; cat) | ./pwn021
What's your name?: target = HACKASE

***start stack dump***
0x7ffe63ddb4a0: 0x41487ffe0000000f <- rsp
0x7ffe63ddb4a8: 0x4141004553414b43
0x7ffe63ddb4b0: 0x4141414141414141
0x7ffe63ddb4b8: 0xbe456300494e4157
0x7ffe63ddb4c0: 0x00007ffe63ddb4d0 <- rbp
0x7ffe63ddb4c8: 0x0000000000400a49 <- return address
***end stack dump***

*** stack smashing detected ***: <unknown> terminated

Caught: the overwritten canary is detected before the function returns.

CANARY : disabled

$ gcc ./pwn02.c -o pwn022 -no-pie -fno-stack-protector

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

$ (echo "AAAAAAAAAAWANI"; cat) | ./pwn022
What's your name?: Congratulation!
ls

NX bit

NX bit(No eXecute bit)

Under construction

PIE

PIE (Position Independent Executable)
Verified with WaniCTF 2020 pwn 04 GOT rewriter

PIE : ENABLED

$ gcc ./pwn04.c -o ./pwn041

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : ENABLED
RELRO     : FULL

$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x5623771a896a
Please input target address (0x600e10-0x6010b0):

$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x55e18140496a
Please input target address (0x600e10-0x6010b0):

The address of the win function changes on every run

PIE : disabled

$ gcc ./pwn04.c -o ./pwn042 -no-pie

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):

$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):

The address of the win function does not change

Adding the -no-pie option changes not only PIE but also RELRO:

Without -no-pie
PIE       : ENABLED
RELRO     : FULL
With -no-pie
PIE       : disabled
RELRO     : Partial

RELRO

RELRO (RELocation Read Only)
Verified with WaniCTF 2020 pwn 04 GOT rewriter

FULL RELRO

$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x562224ce396a
Please input target address (0x600e10-0x6010b0):

$ objdump -d -M intel ./pwn041 | less
0000000000000800 <printf@plt>:
 800:   ff 25 aa 17 20 00       jmp    QWORD PTR [rip+0x2017aa]        # 201fb0 <printf@GLIBC_2.2.5>
 806:   68 04 00 00 00          push   0x4
 80b:   e9 a0 ff ff ff          jmp    7b0 <.plt>

The GOT entry for printf (0x201fb0) is outside the address range that can be rewritten (0x600e10-0x6010b0)

Partial RELRO

$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):

$ objdump -d -M intel ./pwn042 | less
00000000004006d0 <printf@plt>:
  4006d0:       ff 25 62 09 20 00       jmp    QWORD PTR [rip+0x200962]        # 601038 <printf@GLIBC_2.2.5>
  4006d6:       68 04 00 00 00          push   0x4
  4006db:       e9 a0 ff ff ff          jmp    400680 <.plt>

The GOT entry for printf (0x601038) is inside the address range that can be rewritten (0x600e10-0x6010b0)
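As an added example (not code from the original article or from gdb-peda), the checks that the checksec output above reports, reimplemented in Python over the raw ELF64 headers: NX from the PT_GNU_STACK flags, PIE from e_type, Partial RELRO from a PT_GNU_RELRO segment and Full RELRO from BIND_NOW in the dynamic section, and CANARY from the presence of the __stack_chk_fail symbol name. build_elf constructs a header-only test image (not a loadable binary); on a real file run checksec(open("./pwn042", "rb").read()).

```python
import struct
# ELF64 constants used below (values as in the ELF ABI / glibc elf.h).
ET_EXEC, ET_DYN, PF_X = 2, 3, 0x1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def checksec(data: bytes) -> dict:
    """Report CANARY / NX / PIE / RELRO for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro, bind_now = False, "none", False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # stack is executable only if PF_X is set
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:    # ld.so remaps this range read-only after relocation
            relro = "partial"
        elif p_type == PT_DYNAMIC:      # BIND_NOW means the GOT is resolved before that remap
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_BIND_NOW or bool(
                    tag == DT_FLAGS and val & DF_BIND_NOW or tag == DT_FLAGS_1 and val & DF_1_NOW)
    if relro == "partial" and bind_now:
        relro = "full"
    return {"canary": b"__stack_chk_fail" in data,   # SSP failure handler, absent with -fno-stack-protector
            "nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def build_elf(pie=True, nx=True, relro="full", canary=True) -> bytes:
    """Constructed test image: only the headers checksec() reads, not a loadable program."""
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X), (PT_DYNAMIC, 0)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0))
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if relro == "full" else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * len(phdrs)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,
        64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0,
                                0, 0, len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
                    for t, f in phdrs)
    return hdr + body + dyn + b"\0printf\0" + (b"__stack_chk_fail\0" if canary else b"")
```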
