SqrtreV

Ethical Hacker and Researching A.I with Keras 😃

LD_PRELOAD Bypass Techniques

Outline

  • Intro
  • Analysis
    • What is .so file
    • LD_PRELOAD
    • How to get shell with LD_PRELOAD and .so
  • Practice

    • Vulnerable PHP Source
    • making .so file
    • exploit
  • Vulnerable Functions

Intro

A type of challenge that has shown up often in CTFs this year is bypassing PHP's disable_functions to get a shell.

For specific PHP versions, a fair amount of PHP exploit code that defeats disable_functions is publicly available and easy to find with a Google search.

This post summarizes how to get a shell using LD_PRELOAD.

Analysis

What is .so file?

์šฐ์„  .so ํŒŒ์ผ์ด ๋ฌด์—‡์ธ์ง€ ์•Œ์•„์•ผ ํ•œ๋‹ค.

๋ฆฌ๋ˆ…์Šค์—์„œ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋Š” ํฌ๊ฒŒ ๋‘๊ฐ€์ง€๋กœ ๋‚˜๋‰œ๋‹ค.

  • Static Library (.a)
  • Dynamic Library (.so)

Here we will talk about the dynamic library.

In a statically linked program, the library's functions are written into the program binary itself.

In a dynamically linked program, however, functions are resolved while the program runs, through the PLT/GOT linking process, and the library that takes part in that linking process is the dynamic library.

To make this easier to understand, let's build one ourselves.

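// test.c
#include <stdio.h>

// Exported function: the dynamic linker resolves this symbol at run time.
int lib_test(void){
    printf("Library Executed!\n");
    return 0;   // declared int, so return a value
}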

Compile

gcc -c -fPIC test.c -o test.o
gcc -shared test.o -o test.so
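
Because dynamic libraries are mapped into a process at run time, a defender can see which .so files a process actually loaded and which of them were requested through LD_PRELOAD. The following is an added example, not code from the original post: it assumes Linux with /proc mounted, and the function names `maps_so_path` and `named_in_preload` are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the pathname of one /proc/<pid>/maps line into out; return 1 if it
 * names a shared object (".so" at the end, or ".so." before a version). */
int maps_so_path(const char *line, char *out, size_t outsz) {
    const char *p = strchr(line, '/');   /* pathname is the last field */
    if (!p) return 0;                    /* anonymous, [heap], [stack] ... */
    size_t n = strcspn(p, "\n");
    if (n >= outsz) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    const char *so = strstr(out, ".so");
    while (so && so[3] != '\0' && so[3] != '.')  /* ".so" inside a name */
        so = strstr(so + 1, ".so");
    return so != NULL;
}

/* Return 1 if the file name of path matches the file name of any entry in
 * an LD_PRELOAD value (entries are separated by spaces or colons). */
int named_in_preload(const char *preload, const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    while (preload && *preload) {
        const char *e = preload + strcspn(preload, " :");  /* entry end */
        const char *s = e;
        while (s > preload && s[-1] != '/') s--;            /* file name start */
        if (e > s && (size_t)(e - s) == strlen(base) && !strncmp(s, base, e - s))
            return 1;
        preload = *e ? e + 1 : e;
    }
    return 0;
}

int main(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    char line[4352], path[4096], last[4096] = "";
    const char *preload = getenv("LD_PRELOAD");
    while (fgets(line, sizeof line, f)) {
        if (!maps_so_path(line, path, sizeof path) || !strcmp(path, last))
            continue;                    /* one line per segment: print once */
        printf("%s%s\n", path, named_in_preload(preload, path) ? "  <-- LD_PRELOAD" : "");
        strcpy(last, path);
    }
    fclose(f);
    return 0;
}
```

Matching is by file name only, so a flagged line is a prompt to check the full path, not proof that the library came from LD_PRELOAD.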

To be added.