Sunday, January 06, 2008

mmap randomization bypass

Today, people patch their kernels with grsecurity, and then it is very difficult to exploit their processes remotely.

One of the grsecurity protections is mmap() randomization: from now on every address allocation is pseudo-randomized.


Now we don't know where the shellcode is, so we have to do something else to divert the execution flow to our code.

Well, we know the local shellcode-in-environ trick, but it is not useful under address space layout randomization.

simkin, a friend of the badchecksum team, has found a way to make relative jumps instead of absolute ones.

If you overwrite only one byte of the saved eip, you are really overwriting the two least significant bytes of the address, which means you can point to nearby code where you already know what is there.

I say two least significant bytes because the null byte terminating the string is written to the second byte when you write the first.

Then you can use pop pop ret or similar tricks to jump to the shellcode without knowing its address.

Well, modern kernels have stack and heap randomization, but there are some problems: linux-gate, the new system call method, is not randomized, and we can use this library to find jump points. Compare the two ldd runs below: every library moves except linux-gate.so.1, which stays at 0xffffe000.

jesus@pwn3d:/$ ldd -d /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7f65000)
libacl.so.1 => /lib/libacl.so.1 (0xb7f5e000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7f47000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7dfa000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7de2000)
/lib/ld-linux.so.2 (0xb7f85000)
libattr.so.1 => /lib/libattr.so.1 (0xb7dde000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7dda000)
libsepol.so.1 => /lib/libsepol.so.1 (0xb7d99000)
jesus@pwn3d:/$ ldd -d /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7fbe000)
libacl.so.1 => /lib/libacl.so.1 (0xb7fb7000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7fa0000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e53000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7e3b000)
/lib/ld-linux.so.2 (0xb7fde000)
libattr.so.1 => /lib/libattr.so.1 (0xb7e37000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7e330
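
As an added example (not the post's own code), a small Python audit that parses ldd listings from repeated runs and reports which entries keep the same base address, i.e. the mappings that randomization is not moving. It is fed a subset of the two listings above as offline sample input and can also run ldd itself on a binary of your choice.

```python
import subprocess
from typing import Dict, Iterable, Set


def parse_ldd(output: str) -> Dict[str, int]:
    """Map each ldd entry to its load base, covering "name => path (0x..)",
    the vDSO line "linux-gate.so.1 => (0x..)" and the bare loader line
    "/lib/ld-linux.so.2 (0x..)"; lines with no complete address are skipped."""
    bases: Dict[str, int] = {}
    for line in output.splitlines():
        line = line.strip()
        if "(0x" not in line or not line.endswith(")"):
            continue  # blank line, or a truncated one like the last of run two
        head, _, addr = line.rpartition("(0x")
        bases[head.split("=>")[0].strip()] = int(addr.rstrip(")"), 16)
    return bases


def fixed_mappings(runs: Iterable[Dict[str, int]]) -> Set[str]:
    """Entries whose base is identical in every run: mappings ASLR is not
    moving, i.e. the fixed landmarks the post's relative-jump trick needs."""
    runs = list(runs)
    if len(runs) < 2:
        raise ValueError("need at least two runs to judge randomization")
    common = set(runs[0]).intersection(*runs[1:])
    return {n for n in common if len({r[n] for r in runs}) == 1}


def audit_binary(path: str, times: int = 5) -> Set[str]:
    """Run ldd on a real binary several times and report the fixed mappings."""
    outs = [subprocess.run(["ldd", path], capture_output=True, text=True,
                           check=True).stdout for _ in range(times)]
    return fixed_mappings(parse_ldd(o) for o in outs)


# Sample input: four entries from each of the two ldd runs shown in the post.
RUN1 = """linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7f65000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7dfa000)
/lib/ld-linux.so.2 (0xb7f85000)"""
RUN2 = """linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7fbe000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e53000)
/lib/ld-linux.so.2 (0xb7fde000)"""

if __name__ == "__main__":
    print(sorted(fixed_mappings([parse_ldd(RUN1), parse_ldd(RUN2)])))
```

On current kernels the vDSO is randomized as well, so an empty set from audit_binary is the expected result on a patched system; any name it does return is a fixed landmark worth investigating.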


I know that there are other techniques in the wild to bypass PaX protections.