Load-time Hacking using LD_PRELOAD
Download as PPTX, PDF4 likes2,918 views
The document discusses techniques for reverse engineering and exploiting vulnerabilities in C programs using the LD_PRELOAD feature to hijack function calls. It provides detailed examples including modifying the behavior of the strcmp function and a scenario with a C program named 'cerberus' that demonstrates how to manipulate the execution flow and avoid termination. Key concepts include the use of assembly language to adjust stack pointers and return addresses in order to control program behavior dynamically.
![int main(int argc, char **argv) {
char passwd[] = "foobar";
if (argc < 2) {
printf("usage: %s <given-password>n", argv[0]);
return 0;
}
if (!strcmp(passwd, argv[1])) {
printf("Green light!n");
return 1;
}
printf("Red light!n");
return 0;
}
2
What if you do not know the passwd?
Reference: Reverse Engineering with LD_PRELOAD by Itzik Kotler](https://image.slidesharecdn.com/ldpreloadhacking-140505134934-phpapp01/85/Load-time-Hacking-using-LD_PRELOAD-2-320.jpg)
![/*
* cerberus.c, Impossible statement
*/
#include <stdio.h>
int main(int argc, char **argv) {
int a = 13, b = 17;
if (a != b) {
printf("Sorry!n");
return 0;
}
printf("On a long enough timeline,"
" the survival rate for everyone drops to zeron");
exit(1);
}
5
Can we avoid “Sorry” and print the “On a long…”?
[~]$ ./cerberus
On a long enough timeline, the survival rate
for everyone drops to zero](https://image.slidesharecdn.com/ldpreloadhacking-140505134934-phpapp01/85/Load-time-Hacking-using-LD_PRELOAD-5-320.jpg)
![ Create a shared lib of the wrapper:
gcc -c -m32 megatron.c -o megatron.o –ldl
gcc -shared -o megatron.so megatron.o -m32 –ldl
export LD_PRELOAD=./megatron.so
[~]$ ./cerberus
On a long enough timeline, the survival rate for
everyone drops to zero
10](https://image.slidesharecdn.com/ldpreloadhacking-140505134934-phpapp01/85/Load-time-Hacking-using-LD_PRELOAD-10-320.jpg)
![ The main function uses exit(1)
If we replace it by return(1) and run:
[~]$ gcc -o cerberus cerberus.c -m32
[~]$
[~]$ export LD_PRELOAD=./megatron.so
[~]$
[~]$ ./cerberus
On a long enough timeline, the survival rate for everyone drops to zero
^C
[~]$
11
Why the program is not terminating?](https://image.slidesharecdn.com/ldpreloadhacking-140505134934-phpapp01/85/Load-time-Hacking-using-LD_PRELOAD-11-320.jpg)
![[~]$ export LD_PRELOAD=./megatron.so
[~]$
[~]$ ./cerberus
On a long enough timeline, the survival rate for
everyone drops to zero
[~]$
[~]$ echo $?
1
20](https://image.slidesharecdn.com/ldpreloadhacking-140505134934-phpapp01/85/Load-time-Hacking-using-LD_PRELOAD-20-320.jpg)
Load-time Hacking using LD_PRELOAD
- 2. int main(int argc, char **argv) { char passwd[] = "foobar"; if (argc < 2) { printf("usage: %s <given-password>n", argv[0]); return 0; } if (!strcmp(passwd, argv[1])) { printf("Green light!n"); return 1; } printf("Red light!n"); return 0; } 2 What if you do not know the passwd? Reference: Reverse Engineering with LD_PRELOAD by Itzik Kotler
- 3. /* * strcmp, Fixed strcmp function -- Always equal! */ int strcmp(const char *s1, const char *s2) { printf("S1 eq %sn", s1); printf("S2 eq %sn", s2); // ALWAYS RETURN EQUAL STRINGS! return 0; } 3
- 4. gcc -fPIC -c strcmp-hijack.c -o strcmp-hijack.o gcc -shared -o strcmp-hijack.so strcmp-hijack.o ./strcmp-target redbull Output: “Red light!” Attack using LD_PRELOAD LD_PRELOAD="./strcmp-hijack.so" ./strcmp-target redbull Output: “Green light!” 4
- 5. /* * cerberus.c, Impossible statement */ #include <stdio.h> int main(int argc, char **argv) { int a = 13, b = 17; if (a != b) { printf("Sorry!n"); return 0; } printf("On a long enough timeline," " the survival rate for everyone drops to zeron"); exit(1); } 5 Can we avoid “Sorry” and print the “On a long…”? [~]$ ./cerberus On a long enough timeline, the survival rate for everyone drops to zero
- 6. 080483d4 <main>: 80483d4: 55 push %ebp 80483d5: 89 e5 mov %esp,%ebp 80483d7: 83 e4 f0 and $0xfffffff0,%esp 80483da: 83 ec 20 sub $0x20,%esp 80483dd: c7 44 24 18 0d 00 00 movl $0xd,0x18(%esp) 80483e4: 00 80483e5: c7 44 24 1c 11 00 00 movl $0x11,0x1c(%esp) 80483ec: 00 80483ed: 8b 44 24 18 mov 0x18(%esp),%eax 80483f1: 3b 44 24 1c cmp 0x1c(%esp),%eax 80483f5: 74 13 je 804840a <main+0x36> 80483f7: c7 04 24 f0 84 04 08 movl $0x80484f0,(%esp) 80483fe: e8 ed fe ff ff call 80482f0 <puts@plt> 8048403: b8 00 00 00 00 mov $0x0,%eax 8048408: eb 11 jmp 804841b <main+0x47> 804840a: c7 04 24 f8 84 04 08 movl $0x80484f8,(%esp) 8048411: e8 da fe ff ff call 80482f0 <puts@plt> 8048416: b8 01 00 00 00 mov $0x1,%eax 804841b: c9 leave 804841c: c3 ret 6 Note: puts is used for printf
- 7. Create our own “puts” wrapper Update the return address after the first puts Transfer control to the second puts Embed assembly code and adjust the ESP! 7
- 8. /* Pointer to the original puts call */ static int (*_puts)(const char *str) = NULL; int puts(const char *str) { if (_puts == NULL) { _puts = (int (*)(const char *str)) dlsym(RTLD_NEXT, "puts"); // Hijack the RET address and modify it to <main+xx> __asm__ __volatile__ ( "movl 0x4(%ebp), %eax n" "addl $7, %eax n" "movl %eax, 0x4(%ebp)" ); return 1; } __asm__ __volatile__ ( "addl $28, %%esp n“ “ jmp *%0 n" : : "g" (_puts) : "%esp" ); return -1; } 8 • Why add 7 to eax? • 0x804840a – 0x8048403 • Why add 28 to esp? • Answered in next slides
- 9. 00000000 <printf>: 0: 55 push %ebp 1: 89 e5 mov %esp,%ebp 3: 83 ec 18 sub $0x18,%esp 6: a1 00 00 00 00 mov 0x0,%eax b: 85 c0 test %eax,%eax d: 75 2a jne 39 <printf+0x39> f: b8 00 00 00 00 mov $0x0,%eax 14: 89 44 24 04 mov %eax,0x4(%esp) 18: c7 04 24 ff ff ff ff movl $0xffffffff,(%esp) 1f: e8 fc ff ff ff call 20 <printf+0x20> 24: a3 00 00 00 00 mov %eax,0x0 29: 8b 45 04 mov 0x4(%ebp),%eax 2c: 83 c0 0f add $0xf,%eax 2f: 89 45 04 mov %eax,0x4(%ebp) 32: b8 01 00 00 00 mov $0x1,%eax 37: eb 00 jmp 39 <printf+0x39> 39: c9 leave 3a: c3 ret 9 Esp got adjusted: 4 bytes (push %ebp) 0x18 bytes (sub $0x18, %esp) Total: 0x18 + 4 = 24 + 4 = 28
- 10. Create a shared lib of the wrapper: gcc -c -m32 megatron.c -o megatron.o –ldl gcc -shared -o megatron.so megatron.o -m32 –ldl export LD_PRELOAD=./megatron.so [~]$ ./cerberus On a long enough timeline, the survival rate for everyone drops to zero 10
- 11. The main function uses exit(1) If we replace it by return(1) and run: [~]$ gcc -o cerberus cerberus.c -m32 [~]$ [~]$ export LD_PRELOAD=./megatron.so [~]$ [~]$ ./cerberus On a long enough timeline, the survival rate for everyone drops to zero ^C [~]$ 11 Why the program is not terminating?
- 12. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP ESP Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP ESP EBP (main)96 Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP ESP EBP (main)96 (a). Just before the 2nd printf. (b). In the wrapper puts. (c). After pointers rewinding. 12 100 96 92 88 84 80 76 52 80 76 100 96 92 88 84 80 100 96 92 88 84
- 13. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of puts (wrapper) 76 ESP EBP Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of puts (wrapper) 76 ESP EBP EIP (d). Inside the real puts. (e). After returning from real puts. 13 76 76 100 96 92 88 84 80 100 96 92 88 84 *80
- 14. Control comes back to main and will try to run return 1: mov %ebp, %esp pop %ebp Pop %eip (or ret) 14
- 15. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of puts (wrapper) 76 ESP EBP 15 76 100 96 92 88 76 80 mov %ebp, %esp 84
- 16. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of puts (wrapper) 76EBP ESP 16 76 100 96 92 88 80 pop %ebp 84
- 17. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of puts (wrapper) 76EBP EIP 17 76 100 96 92 88 84 ret: pop %eip ESP • Now EIP points to leave-ret sequence! • Never ending because EBP of mains is lost *80
- 18. We lost main’s EBP along the way There is an infinite loop when the control comes to main mov %ebp, %esp pop %ebp Ret (or pop %eip) Program is not able to return to libc Fix:Why not restore the EBP! 18
- 19. OLD __asm__ __volatile__ ( "addl $28, %%esp n“ "jmp *%0 n" : : "g" (_puts) : "%esp" ); NEW __asm__ __volatile__ ( "addl $24, %%esp n" "popl %%ebp n" "jmp *%0 n" : : "g" (_puts) : "%esp" ); 19
- 20. [~]$ export LD_PRELOAD=./megatron.so [~]$ [~]$ ./cerberus On a long enough timeline, the survival rate for everyone drops to zero [~]$ [~]$ echo $? 1 20
- 21. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP ESP EBP (main) Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP, ESP EBP (main) (a). In the wrapper puts. (b). After ESP rewinding. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printfESP EBP (main) (c). After pop EBP. EBP 21 76 100 96 92 88 84 80 52 76 100 96 92 88 84 80 52 76 100 96 92 88 84 80 52
- 22. Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of main (96) ESP EBP Ret2libc EBP (libc) 17 13 Ptr to printf input str ret address after printf EBP of main ESP EBP EIP (d). Inside the real puts. (e). After returning from real puts. 22 76 100 96 92 88 84 80 52 76 76 100 96 92 88 84 *80 52
- 23. LD_PRELOAD is a powerful way to hack Key idea:Wrapper to library functions Collect data such as input arguments! Modify control flow dynamically ESP and EBP rewinding is the core concept Try it out yourself Things to keep in mind: Number of byte adjustments in your wrapper 23
- 24. Itzik Kotler Reverse Engineering with LD_PRELOAD http://securityvulns.com/articles/reveng/ Dharma Ganesan and Itzik Kotler Reverse Engineering with LD_PRELOAD (Part 11) Article to be published 24