A few days ago I wrote a simple hook / trampoline by patching a single call instruction. It worked on Ubuntu 12.xx (32 bit); now I have upgraded to Linux Mint 17.1 (32 bit) and I get a segmentation fault.
I have two projects:
- Target project
- Library project (which is loaded by the target project with dlopen); it overwrites the offset of a call instruction in the target app.
Before overwriting the call offset, I change the protection of its page:
    mprotect(pageOf(address), pagesize, PROT_WRITE | PROT_EXEC | PROT_READ);
This works fine (returns 0).
When I debug my program, it crashes when trying to write to the address of the call:
    memcpy((void*)(address + 1), (void*)&callOffset, 4);
It seems that I do not have permission to overwrite the instructions, but why?
I used ASLR and the g++ flags -z execstack -fno-stack-protector.
Do you know how my application can be allowed to write to its own instructions?
Thanks, Alex
Edit
Sorry, here's the code:
Target application:
    #include <dlfcn.h>
    #include <stdio.h>
    #include <iostream>

    void goodGuy();

    // full lib path!
    char libPath[] = "INSERT_YOUR_PATH_HERE/lib.so";

    int main() {
        // loading the library runs its constructor, which patches the call below
        dlopen(libPath, RTLD_NOW);
        goodGuy();
        return 0;
    }

    void goodGuy() { printf("good guy :)\n"); }
and the shared lib code:
    #include <stdio.h>
    #include <cstring>
    #include <stdint.h>
    #include <sys/mman.h>
    #include <unistd.h>

    void badGuy();

    int pagesize = sysconf(_SC_PAGESIZE);

    // round p down to the start of its page (clear the in-page offset bits)
    void* pageOf(void* p) {
        return (void*)((uintptr_t)p & ~(uintptr_t)(pagesize - 1));
    }

    extern "C" void __attribute__((constructor)) dllLoad(void) {
        // re-read here: the order in which this constructor and the
        // initialiser of the global above run is not guaranteed
        pagesize = sysconf(_SC_PAGESIZE);
        uint32_t addressOfCall = 0x0804862a;                   // address of the call to goodGuy in the target app (from gdb)
        uint32_t addressOfNextInstruction = addressOfCall + 5; // a call with rel32 displacement is 5 bytes long
        uint32_t callOffset = (uint32_t)badGuy - addressOfNextInstruction; // displacement is relative to the next instruction
        if (mprotect(pageOf((void*)(addressOfCall + 1)), pagesize,
                     PROT_WRITE | PROT_EXEC | PROT_READ) != 0) {
            perror("mprotect");
            return;
        }
        // overwrite the 4 displacement bytes that follow the E8 opcode
        memcpy((void*)(addressOfCall + 1), (void*)&callOffset, 4);
    }

    void badGuy() { printf("bad guy :(\n"); }
To locate the address I open the target application in gdb (gdb target), disassemble main (disas main) and look at the instruction at +29:
    (gdb) disas main
    Dump of assembler code for function main():
       0x0804860d <+0>:   push   ebp
       0x0804860e <+1>:   mov    ebp,esp
       0x08048610 <+3>:   and    esp,0xfffffff0
       0x08048613 <+6>:   sub    esp,0x10
       0x08048616 <+9>:   mov    DWORD PTR [esp+0x4],0x2
       0x0804861e <+17>:  mov    DWORD PTR [esp],0x804a060
       0x08048625 <+24>:  call   0x80484f0 <dlopen@plt>
       0x0804862a <+29>:  call   0x8048636 <goodGuy()>      <-- the call that gets patched
       0x0804862f <+34>:  mov    eax,0x0
       0x08048634 <+39>:  leave
       0x08048635 <+40>:  ret
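Added example, not code from the post: the arithmetic behind the patch written out in C, with the details that commonly go wrong handled. The page mask must clear the in-page bits, the 4 displacement bytes can straddle a page boundary so the mprotect range may need two pages, and rel32 is relative to the next instruction; the decode function lets a checker verify where a call site really points. The function names and the pagesize parameter are mine; the addresses come from the disassembly above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A 32-bit x86 near call is 5 bytes: opcode E8 followed by a rel32 displacement. */
#define CALL_LEN 5

struct range { uintptr_t base; size_t len; };

/* Page-aligned [base, base+len) that covers every byte of [addr, addr+n).
 * The mask must CLEAR the in-page bits (~(pagesize-1)); when the bytes
 * straddle a page boundary the range spans two pages. pagesize is a
 * parameter (hypothetical helper) so the arithmetic runs without sysconf(). */
struct range page_range(uintptr_t addr, size_t n, size_t pagesize) {
    uintptr_t mask = ~(uintptr_t)(pagesize - 1);
    uintptr_t first = addr & mask;
    uintptr_t last = (addr + n - 1) & mask;
    struct range r = { first, (size_t)(last - first) + pagesize };
    return r;
}

/* Build the 5 bytes of "call target" placed at call_addr. The CPU adds rel32
 * to the address of the NEXT instruction (call_addr + 5), so rel32 = target - next.
 * Returns -1 if the target is farther than a signed 32-bit displacement reaches. */
int encode_call(uintptr_t call_addr, uintptr_t target, uint8_t out[CALL_LEN]) {
    int64_t disp = (int64_t)target - (int64_t)(call_addr + CALL_LEN);
    if (disp < INT32_MIN || disp > INT32_MAX) return -1;
    int32_t rel = (int32_t)disp;
    out[0] = 0xE8;
    memcpy(out + 1, &rel, sizeof rel);   /* x86 is little-endian */
    return 0;
}

/* Inverse: from the bytes at a call site, recover where the call really goes.
 * Comparing this with the address the linker gave the callee is how a
 * checker notices that a call site has been redirected. */
int decode_call(uintptr_t call_addr, const uint8_t bytes[CALL_LEN], uintptr_t *target) {
    int32_t rel;
    if (bytes[0] != 0xE8) return -1;     /* not a rel32 call */
    memcpy(&rel, bytes + 1, sizeof rel);
    *target = call_addr + CALL_LEN + (uintptr_t)(intptr_t)rel;   /* sign-extended */
    return 0;
}
```

For the call at main+29 this yields rel32 = 0x8048636 - 0x804862f = 7, i.e. the bytes E8 07 00 00 00, and a single 4096-byte page starting at 0x08048000 to unprotect.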