Linux's security measures against executing sh

2019-02-20 00:17发布

站内问答 / 前沿技术
1591 2 6

I'm learning the basics of computer security and I'm trying to execute some shellcode I've written. I followed the steps given here

http://dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf

http://webcache.googleusercontent.com/search?q=cache:O3uJcNhsksAJ:dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf+own+shellcode&cd=1&hl=nl&ct=clnk&gl=nl

$ cat pause.s
xor %eax,%eax
mov $29,%al     
int $0x80       
$ as -o pause.o pause.s
$ ld -o pause pause.o
ld: warning: cannot find entry symbol _start; defaulting to <<some address here>>
$ ./pause 
^C
$ objdump -d ./pause
pause:     file format elf64-x86_64
Disassembly of section .text:
      08048054 <.text>:
      8048054: 31 c0     xor    %eax,%eax
      8048056: b0 1d     mov    $0x1d,%al
      8048058: cd 80     int    $0x8
$

Since I got my pause program to work, I just copied the objdump output to a c file.

test.c:

int main()
{
    char s[] = "\x31\xc0\xb0\x1d\xcd\x80";
    (*(void(*)())s)();
}

But this produces a segfault. Now, this can only be due to security measures of Arch Linux (?). So how can I get this to work?

2条回答
看我几分像从前
2楼-- · 2019-02-20 00:20

The page s lives in isn't mapped with execute permissions. Since you're on x86_64 you definitely have NX support in hardware. By default these days code and data live in very separate pages, with data not having the execute permission.

You can work around this with either mmap() or mprotect() to allocate or alter pages to have the PROT_EXEC permission.

查看更多
0人赞 添加讨论(0) 举报
兄弟一词,经得起流年.
3楼-- · 2019-02-20 00:33

You can also use a #define to define your shellcode. This way the pre-processor will insert the code directly into main

  #define SHELLCODE "\x31\xc0\xb0\x1d\xcd\x80"
  int main()
  {
     (*(void(*)())SHELLCODE)();
  }

The older style of writing shellcode doesn't work on newer systems because of security measures. You will also probably have to compile with stack protection turned off:

 gcc -z execstack -fno-stack-protector shellcode.c -o shellcode

Here is a fully working example that uses exit system call that I've tested on 3.2.0.3 kernel x86_64:

 #include<stdio.h>

 #define SHELLCODE "\x48\xc7\xc0\x3c\x00\x00\x00\x48\xc7\xc7\xe7\x03\x00\x00\x0f\05"

  main() 
  {
  int (*function)();

   // cast shellcode as a function
   function = (int(*)())SHELLCODE;

   // execute shellcode function
   (int)(*function)();
   return 0;
   }

The shellcode is using 64 bit registers, so it won't work on 32bit machine. To verify that the code works, you can test it with strace:

strace shellcode
execve("./shellcode", ["shellcode"], [/* 38 vars */]) = 0
....
munmap(0x7ffff7fd5000, 144436)          = 0
_exit(999)        <---- we passed 999 to exit, our shellcode works!
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)