1 概述
本文是这篇文章的笔记:
Return to VDSO using ELF Auxiliary Vectors
https://v0ids3curity.blogspot.jp/2014/12/return-to-vdso-using-elf-auxiliary.html
2 代码
section .text
global _start

        jmp     _start                  ; never executed: _start is the ELF entry point (AT_ENTRY = 0x40009f in the auxv dump below)

;-----------------------------------------------------------------------
; vuln -- deliberately vulnerable read (this is the bug the notes study)
; Target: Linux x86-64, raw syscalls, no libc; NASM/Intel syntax
; Reserves an 8-byte slot on the stack, then asks sys_read for up to 1024
; bytes into it. Every byte past the 8th lands on the saved return address
; and then on what the kernel placed above it (argc, argv, envp, auxv) --
; see the x/72gx $rsp dump below, where the return slot holds 0x4141...
; In:    nothing
; Out:   rax = sys_read result (never checked)
; Clobb: rax, rdi, rsi, rdx, rcx, r11, flags (rcx/r11 by the syscall itself)
; NOTE(review): instruction encodings are kept exactly as written; the gdb
; breakpoints in these notes (0x400082, 0x40009e) depend on the byte lengths.
;-----------------------------------------------------------------------
vuln:
        sub     rsp, 8                  ; 8-byte buffer at [rsp]
        mov     rax, 0                  ; sys_read
        mov     rdi, 0                  ; fd 0 = stdin
        mov     rsi, rsp                ; buf = the 8-byte slot
        mov     rdx, 1024               ; count = 1024, far larger than the slot
        syscall
        add     rsp, 8                  ; pop the slot; rsp now points at the return address
        ret                             ; returns to whatever the read left in that slot

_start:
        call    vuln
        mov     rax, 60                 ; sys_exit
        xor     rdi, rdi                ; status = 0
        syscall
ld hello.o -o hello     # link the object with ld alone: no libc and no dynamic linker (the auxv dump below shows AT_BASE 0x0)
objdump -D hello        # disassemble every section to locate the instruction addresses used for the gdb breakpoints
3 EXP
3.1 Auxv调试
#include <sys/auxv.h>
/* glibc accessor for the ELF auxiliary vector: the same AT_* entries that
 * gdb's "info auxv" prints below (AT_SYSINFO_EHDR, AT_RANDOM, AT_ENTRY, ...). */
unsigned long getauxval(unsigned long type);
[8] |
sub rsp 8 |
addr_of_sys_exit |
mov rax, 60 ; sys_exit xor rdi, rdi syscall |
argc |
|
argv[0] |
|
argv[1] |
|
envp[28] |
|
auxv[40] |
|
millionsky@ubuntu-16:~/tmp/return-to-vdso$ gdb ./a.out (gdb) b *0x400082 Breakpoint 1 at 0x400082 (gdb) r (gdb) disass $rip, +0x30 Dump of assembler code from 0x400082 to 0x4000b2: => 0x0000000000400082: sub $0x8,%rsp 0x0000000000400086: mov $0x0,%eax 0x000000000040008b: mov $0x0,%edi 0x0000000000400090: mov %rsp,%rsi 0x0000000000400093: mov $0x400,%edx 0x0000000000400098: syscall 0x000000000040009a: add $0x8,%rsp 0x000000000040009e: retq 0x000000000040009f: callq 0x400082 0x00000000004000a4: mov $0x3c,%eax 0x00000000004000a9: xor %rdi,%rdi 0x00000000004000ac: syscall 0x00000000004000ae: add %ch,(%rsi) 0x00000000004000b0: jae 0x40011a End of assembler dump. (gdb) si 0x0000000000400086 in ?? () (gdb) b *0x000000000040009e Breakpoint 2 at 0x40009e (gdb) c Continuing. AAAAAAAAAAAAAAAA
Breakpoint 2, 0x000000000040009e in ?? () (gdb) info auxv 33 AT_SYSINFO_EHDR System-supplied DSO's ELF header 0x7ffff7ffd000 16 AT_HWCAP Machine-dependent CPU capability hints 0xfabfbff 6 AT_PAGESZ System page size 4096 17 AT_CLKTCK Frequency of times() 100 3 AT_PHDR Program headers for program 0x400040 4 AT_PHENT Size of program header entry 56 5 AT_PHNUM Number of program headers 1 7 AT_BASE Base address of interpreter 0x0 8 AT_FLAGS 标记 0x0 9 AT_ENTRY Entry point of program 0x40009f 11 AT_UID 真正用户id号 1000 12 AT_EUID Effective user ID 1000 13 AT_GID Real group ID 1000 14 AT_EGID Effective group ID 1000 23 AT_SECURE Boolean, was exec setuid-like? 0 25 AT_RANDOM Address of 16 random bytes 0x7fffffffe699 26 AT_HWCAP2 Extension of AT_HWCAP 0x0 31 AT_EXECFN File name of executable 0x7fffffffefce "/home/millionsky/tmp/return-to-vdso/a.out" 15 AT_PLATFORM String identifying platform 0x7fffffffe6a9 "x86_64" 0 AT_NULL End of vector 0x0
(gdb) x/72gx $rsp 0x7fffffffe458: 0x4141414141414141 0x000000000000000a main参数 0x7fffffffe468: 0x00007fffffffe6b0 0x0000000000000000 0x7fffffffe478: 0x00007fffffffe6da 0x00007fffffffe6ed 0x7fffffffe488: 0x00007fffffffe6fd 0x00007fffffffe708 0x7fffffffe498: 0x00007fffffffe736 0x00007fffffffe757 0x7fffffffe4a8: 0x00007fffffffe76b 0x00007fffffffe77b 0x7fffffffe4b8: 0x00007fffffffe7a5 0x00007fffffffed2d 0x7fffffffe4c8: 0x00007fffffffed39 0x00007fffffffedf3 0x7fffffffe4d8: 0x00007fffffffee0d 0x00007fffffffee1c 0x7fffffffe4e8: 0x00007fffffffee3d 0x00007fffffffee65 0x7fffffffe4f8: 0x00007fffffffee8c |