CET - Intel Control-flow Enforcement Technology

Source: Imre kasutab arvutit
Revision as of 20 May 2026, 20:27 by Imre (talk | contribs)

Introduction

TODO

How it works

TODO

Usage - Ubuntu

TODO

Vulnerability example

Program illustrating the vulnerability, rop_lab.c

$ cat rop_lab.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// This is our "Gadget". The program never calls this function honestly!
void malicious_gadget() {
    printf("\n⚡ [ATTACK SUCCESS] Control flow hijacked! Malicious code executing.\n");
    exit(0);
}

void vulnerable_function(char *str) {
    char buffer[16];

    // VULNERABILITY: strcpy does not check bounds.
    // It will overwrite the buffer, the frame pointer, and the Return Address!
    strcpy(buffer, str);

    printf("[CPU] Function executing normally inside buffer layout.\n");
}

int main() {
    // We are crafting a malicious payload manually.
    // 16 bytes to fill the buffer + 8 bytes to smash the saved frame pointer
    // + 8 bytes containing the exact memory address of malicious_gadget()
    char payload[32];

    // Fill the padding area with 'A's (0x41)
    memset(payload, 'A', 24);

    // Get the exact memory address of our target gadget
    unsigned long target = (unsigned long)malicious_gadget;

    // Append the target address onto the end of our overflow payload
    memcpy(payload + 24, &target, 8);

    printf("[Lab] Target Gadget Address is at: %p\n", (void*)target);
    printf("[Lab] Launching attack payload against vulnerable function...\n");

    vulnerable_function(payload);

    printf("[CPU] Returned safely to main. (This should not happen if hacked!)\n");
    return 0;
}

To build a deliberately unhardened binary, the following command works

$ gcc -fno-stack-protector -z execstack -fcf-protection=none rop_lab.c -o lab_unhardened

where

  • -fno-stack-protector - no software-based stack protection (the stack canary) is generated
  • -z execstack - in addition, execution of code located on the stack is enabled
  • -fcf-protection=none - all hardware-assisted, i.e. CET-based, control-flow protection is disabled (the binary carries no shadow-stack or indirect-branch-tracking markers)
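Whether a binary was built with -fcf-protection or with the flags above can be verified from the outside: the compiler records the CET features in the .note.gnu.property section as a GNU_PROPERTY_X86_FEATURE_1_AND property, whose bit 0 means IBT (indirect branch tracking) and bit 1 means SHSTK (shadow stack). readelf -n shows the same note. The checker below is an added example written for this page, not part of the wiki's lab code or of any tool; it assumes a little-endian ELF64 file and the x86-64 property-note layout, and the build_note helper constructs sample note bytes for offline testing rather than reading them from a real binary.

```python
"""Report the CET markers (IBT / SHSTK) recorded in an x86-64 ELF binary.
Added example for the CET page; not part of rop_lab.c or of binutils."""
import struct
import sys

# Constants from the GNU ELF extensions (x86-64 psABI).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_property_note(data):
    """Parse the raw bytes of a .note.gnu.property section and return
    {"ibt": bool, "shstk": bool}.  An empty section (or one without an x86
    feature property, as produced by -fcf-protection=none) yields both False.
    Assumption: ELF64 layout, note name padded to 4, descriptor padded to 8."""
    flags = 0
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, 4)
        desc = data[off:off + descsz]
        off = _align(off + descsz, 8)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        # Walk the property array: pr_type, pr_datasz, pr_data (padded to 8).
        doff = 0
        while doff + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, doff)
            doff += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                flags |= struct.unpack_from("<I", desc, doff)[0]
            doff += _align(pr_datasz, 8)
    return {
        "ibt": bool(flags & GNU_PROPERTY_X86_FEATURE_1_IBT),
        "shstk": bool(flags & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
    }


def build_note(feature_flags):
    """Construct a minimal .note.gnu.property section carrying a single
    X86_FEATURE_1_AND property (constructed sample bytes, not from a real file)."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_flags)
    desc += b"\0" * 4  # pad pr_data to an 8-byte boundary
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


def find_section(elf, wanted=b".note.gnu.property"):
    """Return the bytes of the named section from an in-memory ELF64 image,
    or b"" when the section is absent."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff, = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def shdr(i):
        base = e_shoff + i * e_shentsize
        sh_name, = struct.unpack_from("<I", elf, base)
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, base + 24)
        return sh_name, sh_offset, sh_size

    _, strtab_off, _ = shdr(e_shstrndx)
    for i in range(e_shnum):
        sh_name, sh_offset, sh_size = shdr(i)
        end = elf.index(b"\0", strtab_off + sh_name)
        if elf[strtab_off + sh_name:end] == wanted:
            return elf[sh_offset:sh_offset + sh_size]
    return b""


def cet_status(path):
    """Read a binary from disk and report its IBT / SHSTK markers."""
    with open(path, "rb") as fh:
        return parse_property_note(find_section(fh.read()))


if __name__ == "__main__":
    for binary in sys.argv[1:]:
        status = cet_status(binary)
        print(f"{binary}: IBT={status['ibt']} SHSTK={status['shstk']}")
```

Run as python3 cet_check.py lab_unhardened: a binary compiled with -fcf-protection=none reports IBT=False SHSTK=False, while the same source built with -fcf-protection=full (the default on Ubuntu's gcc) reports both True, because the compiler then emits endbr64 landing pads and the linker marks the object as shadow-stack compatible. The markers only state that the binary is prepared for CET; whether the CPU and kernel actually enforce the shadow stack at run time is a separate question.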

Useful additional material

  • TODO