Linux の実行ファイルのセキュリティについて勉強した記録
$ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ASLR
ASLR(Address Space Layout Randomization)
現在のASLRの確認(ASLR有効=デフォルト)
$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
ASLR有効化でのmalloc
# ./a.out '%08x'
[+] secret = 0x557f73997260
length = 2000
9245e5ce
# ./a.out '%08x'
[+] secret = 0x56391c287260
length = 2000
8fc8b5ce
ASLR無効
# sudo sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
ASLR有効化でのmalloc
# ./a.out '%08x'
[+] secret = 0x555555756260
length = 2000
ffffe5ce
# ./a.out '%08x'
[+] secret = 0x555555756260
length = 2000
ffffe5ce
$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
SSP
SSP(Stack Smashing Protection)
WaniCTF 2020 pwn 02 var rewrite で検証
CANARY : ENABLED
$ gcc ./pwn02.c -o pwn021 -no-pie
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
$ (echo "AAAAAAAAAAWANI"; cat) | ./pwn021
What's your name?: target = HACKASE
***start stack dump***
0x7ffe63ddb4a0: 0x41487ffe0000000f <- rsp
0x7ffe63ddb4a8: 0x4141004553414b43
0x7ffe63ddb4b0: 0x4141414141414141
0x7ffe63ddb4b8: 0xbe456300494e4157
0x7ffe63ddb4c0: 0x00007ffe63ddb4d0 <- rbp
0x7ffe63ddb4c8: 0x0000000000400a49 <- return address
***end stack dump***
*** stack smashing detected ***: <unknown> terminated
ばれてる
CANARY : disabled
$ gcc ./pwn02.c -o pwn022 -no-pie -fno-stack-protector
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
$ (echo "AAAAAAAAAAWANI"; cat) | ./pwn022
What's your name?: Congratulation!
ls
NX bit
NX bit(No eXecute bit)
工事中
工事中
PIE
PIE (Position Independent Executable)
WaniCTF 2020 pwn 04 GOT rewriter で検証
PIE : ENABLED
$ gcc ./pwn04.c -o ./pwn041
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : ENABLED
RELRO : FULL
$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x5623771a896a
Please input target address (0x600e10-0x6010b0):
$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x55e18140496a
Please input target address (0x600e10-0x6010b0):
win 関数のアドレスが毎回変わる
PIE : disabled
$ gcc ./pwn04.c -o ./pwn042 -no-pie
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):
$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):
win 関数のアドレスが変わらない
-no-pieオプションを付けると PIE だけでなく RELRO も変わる
-no-pieオプション無し
PIE : ENABLED
RELRO : FULL
-no-pieオプション有り
PIE : disabled
RELRO : Partial
RELRO
RELRO (RELocation Read Only)
WaniCTF 2020 pwn 04 GOT rewriter で検証
FULL RELRO
$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x562224ce396a
Please input target address (0x600e10-0x6010b0):
$ objdump -d -M intel ./pwn041 | less
0000000000000800 <printf@plt>:
800: ff 25 aa 17 20 00 jmp QWORD PTR [rip+0x2017aa] # 201fb0 <printf@GLIBC_2.2.5>
806: 68 04 00 00 00 push 0x4
80b: e9 a0 ff ff ff jmp 7b0 <.plt>
printf の GOTアドレス が書き換えることができる範囲と違う
Partial RELRO
$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):
$ objdump -d -M intel ./pwn042 | less
00000000004006d0 <printf@plt>:
4006d0: ff 25 62 09 20 00 jmp QWORD PTR [rip+0x200962] # 601038 <printf@GLIBC_2.2.5>
4006d6: 68 04 00 00 00 push 0x4
4006db: e9 a0 ff ff ff jmp 400680 <.plt>
printf の GOTアドレス が書き換えることができる範囲内にある