2017-12-09 13:27:34 +07:00
|
|
|
|
# 4.6 one-gadget RCE
|
2017-12-09 19:52:23 +07:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
one-gadget RCE 是在 libc 中存在的一些执行 `execve('/bin/sh', NULL, NULL)` 的片段。当我们知道 libc 的版本,并且可以通过信息泄露得到 libc 的基址,则可以通过控制 EIP 执行该 gadget 来获得 shell。这个方法的优点是不需要控制调用函数的参数,在 64 位程序中,也就是 rdi、rsi、rdx 等寄存器的值。
|
|
|
|
|
|
|
|
|
|
可以使用工具 [one_gadget](https://github.com/david942j/one_gadget) 很方便地查找 one-gadget:
|
|
|
|
|
```
|
2018-04-18 21:15:42 +07:00
|
|
|
|
$ sudo gem install one_gadget
|
|
|
|
|
```
|
|
|
|
|
```
|
2017-12-09 19:52:23 +07:00
|
|
|
|
$ file /usr/lib/libc-2.26.so
|
|
|
|
|
/usr/lib/libc-2.26.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /usr/lib/ld-linux-x86-64.so.2, BuildID[sha1]=466056d0995495995ad1a1fe696c9dc7fb3d421b, for GNU/Linux 3.2.0, not stripped
|
|
|
|
|
$ one_gadget -f /usr/lib/libc-2.26.so
|
|
|
|
|
0x41e92 execve("/bin/sh", rsp+0x30, environ)
|
|
|
|
|
constraints:
|
|
|
|
|
rax == NULL
|
|
|
|
|
|
|
|
|
|
0x41ee7 execve("/bin/sh", rsp+0x30, environ)
|
|
|
|
|
constraints:
|
|
|
|
|
[rsp+0x30] == NULL
|
|
|
|
|
|
|
|
|
|
0xe2c20 execve("/bin/sh", rsp+0x60, environ)
|
|
|
|
|
constraints:
|
|
|
|
|
[rsp+0x60] == NULL
|
|
|
|
|
```
|
|
|
|
|
经过验证,第一个似乎不可用,另外两个如下,通常,我们都使用 `do_system` 函数里的那个:
|
|
|
|
|
```
|
|
|
|
|
[0x00021080]> pd 7 @ 0x41ee7
|
|
|
|
|
| 0x00041ee7 488b056aff36. mov rax, qword [0x003b1e58] ; [0x3b1e58:8]=0
|
|
|
|
|
| 0x00041eee 488d3d409313. lea rdi, str._bin_sh ; 0x17b235 ; "/bin/sh"
|
|
|
|
|
| 0x00041ef5 c70521253700. mov dword [obj.lock_4], 0 ; [0x3b4420:4]=0
|
|
|
|
|
| 0x00041eff c7051b253700. mov dword [obj.sa_refcntr], 0 ; [0x3b4424:4]=0
|
|
|
|
|
| 0x00041f09 488d742430 lea rsi, [local_30h] ; sym.lm_cache ; 0x30
|
|
|
|
|
| 0x00041f0e 488b10 mov rdx, qword [rax]
|
|
|
|
|
| 0x00041f11 67e8c9260800 call sym.execve
|
|
|
|
|
[0x00021080]> pd 5 @ 0xe2c20
|
|
|
|
|
| 0x000e2c20 488b0531f22c. mov rax, qword [0x003b1e58] ; [0x3b1e58:8]=0
|
|
|
|
|
| 0x000e2c27 488d742460 lea rsi, [local_60h] ; sym.buffer_14 ; 0x60 ; "0\x02"
|
|
|
|
|
| 0x000e2c2c 488d3d028609. lea rdi, str._bin_sh ; 0x17b235 ; "/bin/sh"
|
|
|
|
|
| 0x000e2c33 488b10 mov rdx, qword [rax]
|
|
|
|
|
| 0x000e2c36 67e8a419feff call sym.execve
|
|
|
|
|
```
|
|
|
|
|
当然,你也可以通过 build ID 来查找对应 libc 里的 one-gadget。
|
|
|
|
|
```
|
|
|
|
|
$ one-gadget -b 466056d0995495995ad1a1fe696c9dc7fb3d421b
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## 参考资料
|
|
|
|
|
- [Pwning (sometimes) with style](http://j00ru.vexillium.org/blog/24_03_15/dragons_ctf.pdf)
|