关于系统随机化和pie的一些记录
11 Sep 2019
|
查看系统开启随机化的情况:
cat /proc/sys/kernel/randomize_va_space
0 = 关闭
1 = 半随机。共享库、栈、mmap() 以及 VDSO 将被随机化。(PIE会影响heap的随机化。。)
2 = 全随机。除了1中所述,还有heap。
系统默认开启随机化 2模式
gcc 编译开启随机化 : -fpie -pie
关闭随机化:-no-pie
pie开启之后影响的是程序的.bss,.text,.data段的地址,关闭随机化,程序的基地址为0x00400000 而[vsyscall]地址是一直固定的,里面包含几个无需参数的系统调用,rop利用时可以用里面的ret指令
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
(1)系统ASLR 2,开启pie
共享库、栈、mmap() 、VDSO、堆、程序 .bss,.text,.data段地址全部开启随机化
(2)系统ASLR 2,关闭pie
共享库、栈、mmap() 、VDSO、堆开启随机化,程序 .bss,.text,.data段地址固定
(3)系统ASLR 1,开启pie
共享库、栈、mmap() 、VDSO、堆、程序 .bss,.text,.data段地址全部开启随机化
(4)系统ASLR 1, 关闭pie
共享库、栈、mmap() 、VDSO、开启随机化,程序 .bss,.text,.data段,堆地址固定
(5)系统ASLR 0
共享库、栈、mmap() 、VDSO、程序 .bss,.text,.data段,堆地址固定,不开启随机化
作者一开始使用(1)系统ASLR 2,开启pie的条件下用gdb打开程序,发现入口地址一直不变,查找资料发现gdb是默认关闭随机化的,此时程序加载的基地址为0x0000555555554000,并且共享库、栈、mmap() 、VDSO、堆的地址也是固定的。
gdb关闭ASLR:
set disable-randomization on
开启ASLR:
set disable-randomization off
查看ASLR状态:
show disable-randomization
所以查看地址用cat /proc/pid/maps来验证是否随机化。
总结:系统ASLR 2,开启pie和系统ASLR 1,开启pie效果是一样的,系统ASLR模式1和2的区别在于关闭pie编译程序时,堆是否开启随机化。同时关于gcc编译是否默认开启随机化和gcc和系统版本有关,我测试了:
(1)Ubuntu 16.04 自带版本 默认不开启随机化
Linux osboxes 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
(2)Ubuntu18.04 默认开启随机化
Linux osboxes 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
gcc version 8.3.0 (Ubuntu 8.3.0-7ubuntu1)
所以调试一个程序,得关注 系统->gcc编译->gdb设置 三个地方的随机化开启情况
我们一般情况下说程序开没开随机化是指程序编译时是否开启了pie,即程序基地址是否变化,查看是否开启随机化的方法:
(1)file 命令
ELF 64-bit LSB executable :未开启随机化
ELF 64-bit LSB shared object:开启随机化
(2)readelf -l
Elf file type is EXEC (Executable file)
Entry point 0x401060 :未开启随机化
Elf file type is DYN (Shared object file)
Entry point 0x1070 :开启随机化
(3)安装gdb插件:peda、gef、pwndbg ,使用checksec命令
几种情况的比较具体见如下:
(1)系统ASLR 2,开启pie
共享库、栈、mmap() 、VDSO、堆、程序 .bss,.text,.data段地址全部开启随机化
5614ee073000-5614ee074000 r--p 00000000 08:04 13371757 /home/osboxes/test
5614ee074000-5614ee075000 r-xp 00001000 08:04 13371757 /home/osboxes/test
5614ee075000-5614ee076000 r--p 00002000 08:04 13371757 /home/osboxes/test
5614ee076000-5614ee077000 r--p 00002000 08:04 13371757 /home/osboxes/test
5614ee077000-5614ee078000 rw-p 00003000 08:04 13371757 /home/osboxes/test
5614ee1ba000-5614ee1db000 rw-p 00000000 00:00 0 [heap]
7f965c0b2000-7f965c0d7000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f965c0d7000-7f965c24a000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f965c24a000-7f965c293000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f965c293000-7f965c296000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f965c296000-7f965c299000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f965c299000-7f965c29f000 rw-p 00000000 00:00 0
7f965c2b7000-7f965c2b8000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f965c2b8000-7f965c2d9000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f965c2d9000-7f965c2e1000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f965c2e1000-7f965c2e2000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f965c2e2000-7f965c2e3000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f965c2e3000-7f965c2e4000 rw-p 00000000 00:00 0
7ffc8f310000-7ffc8f331000 rw-p 00000000 00:00 0 [stack]
7ffc8f362000-7ffc8f365000 r--p 00000000 00:00 0 [vvar]
7ffc8f365000-7ffc8f367000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
5646b7a04000-5646b7a05000 r--p 00000000 08:04 13371757 /home/osboxes/test
5646b7a05000-5646b7a06000 r-xp 00001000 08:04 13371757 /home/osboxes/test
5646b7a06000-5646b7a07000 r--p 00002000 08:04 13371757 /home/osboxes/test
5646b7a07000-5646b7a08000 r--p 00002000 08:04 13371757 /home/osboxes/test
5646b7a08000-5646b7a09000 rw-p 00003000 08:04 13371757 /home/osboxes/test
5646b8387000-5646b83a8000 rw-p 00000000 00:00 0 [heap]
7fe3629f2000-7fe362a17000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fe362a17000-7fe362b8a000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fe362b8a000-7fe362bd3000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fe362bd3000-7fe362bd6000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fe362bd6000-7fe362bd9000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fe362bd9000-7fe362bdf000 rw-p 00000000 00:00 0
7fe362bf7000-7fe362bf8000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fe362bf8000-7fe362c19000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fe362c19000-7fe362c21000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fe362c21000-7fe362c22000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fe362c22000-7fe362c23000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fe362c23000-7fe362c24000 rw-p 00000000 00:00 0
7ffd93fb0000-7ffd93fd1000 rw-p 00000000 00:00 0 [stack]
7ffd93fe2000-7ffd93fe5000 r--p 00000000 00:00 0 [vvar]
7ffd93fe5000-7ffd93fe7000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
(2)系统ASLR 2,关闭pie
共享库、栈、mmap() 、VDSO、堆开启随机化,程序 .bss,.text,.data段地址固定
00400000-00401000 r--p 00000000 08:04 13371757 /home/osboxes/test
00401000-00402000 r-xp 00001000 08:04 13371757 /home/osboxes/test
00402000-00403000 r--p 00002000 08:04 13371757 /home/osboxes/test
00403000-00404000 r--p 00002000 08:04 13371757 /home/osboxes/test
00404000-00405000 rw-p 00003000 08:04 13371757 /home/osboxes/test
01e03000-01e24000 rw-p 00000000 00:00 0 [heap]
7f711e120000-7f711e145000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f711e145000-7f711e2b8000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f711e2b8000-7f711e301000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f711e301000-7f711e304000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f711e304000-7f711e307000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f711e307000-7f711e30d000 rw-p 00000000 00:00 0
7f711e325000-7f711e326000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f711e326000-7f711e347000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f711e347000-7f711e34f000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f711e34f000-7f711e350000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f711e350000-7f711e351000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f711e351000-7f711e352000 rw-p 00000000 00:00 0
7ffdfb1ae000-7ffdfb1cf000 rw-p 00000000 00:00 0 [stack]
7ffdfb1d5000-7ffdfb1d8000 r--p 00000000 00:00 0 [vvar]
7ffdfb1d8000-7ffdfb1da000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
00400000-00401000 r--p 00000000 08:04 13371757 /home/osboxes/test
00401000-00402000 r-xp 00001000 08:04 13371757 /home/osboxes/test
00402000-00403000 r--p 00002000 08:04 13371757 /home/osboxes/test
00403000-00404000 r--p 00002000 08:04 13371757 /home/osboxes/test
00404000-00405000 rw-p 00003000 08:04 13371757 /home/osboxes/test
00788000-007a9000 rw-p 00000000 00:00 0 [heap]
7fc6b4420000-7fc6b4445000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fc6b4445000-7fc6b45b8000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fc6b45b8000-7fc6b4601000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fc6b4601000-7fc6b4604000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fc6b4604000-7fc6b4607000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fc6b4607000-7fc6b460d000 rw-p 00000000 00:00 0
7fc6b4625000-7fc6b4626000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fc6b4626000-7fc6b4647000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fc6b4647000-7fc6b464f000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fc6b464f000-7fc6b4650000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fc6b4650000-7fc6b4651000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fc6b4651000-7fc6b4652000 rw-p 00000000 00:00 0
7ffc26898000-7ffc268b9000 rw-p 00000000 00:00 0 [stack]
7ffc269ed000-7ffc269f0000 r--p 00000000 00:00 0 [vvar]
7ffc269f0000-7ffc269f2000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
(3)系统ASLR 1,开启pie
共享库、栈、mmap() 、VDSO、堆、程序 .bss,.text,.data段地址全部开启随机化
556aa5a0a000-556aa5a0b000 r--p 00000000 08:04 13371757 /home/osboxes/test
556aa5a0b000-556aa5a0c000 r-xp 00001000 08:04 13371757 /home/osboxes/test
556aa5a0c000-556aa5a0d000 r--p 00002000 08:04 13371757 /home/osboxes/test
556aa5a0d000-556aa5a0e000 r--p 00002000 08:04 13371757 /home/osboxes/test
556aa5a0e000-556aa5a0f000 rw-p 00003000 08:04 13371757 /home/osboxes/test
556aa5a0f000-556aa5a30000 rw-p 00000000 00:00 0 [heap]
7fb5f9386000-7fb5f93ab000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fb5f93ab000-7fb5f951e000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fb5f951e000-7fb5f9567000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fb5f9567000-7fb5f956a000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fb5f956a000-7fb5f956d000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7fb5f956d000-7fb5f9573000 rw-p 00000000 00:00 0
7fb5f958b000-7fb5f958c000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fb5f958c000-7fb5f95ad000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fb5f95ad000-7fb5f95b5000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fb5f95b5000-7fb5f95b6000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fb5f95b6000-7fb5f95b7000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7fb5f95b7000-7fb5f95b8000 rw-p 00000000 00:00 0
7ffefbc0d000-7ffefbc2e000 rw-p 00000000 00:00 0 [stack]
7ffefbd4a000-7ffefbd4d000 r--p 00000000 00:00 0 [vvar]
7ffefbd4d000-7ffefbd4f000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
55ebbbe2e000-55ebbbe2f000 r--p 00000000 08:04 13371757 /home/osboxes/test
55ebbbe2f000-55ebbbe30000 r-xp 00001000 08:04 13371757 /home/osboxes/test
55ebbbe30000-55ebbbe31000 r--p 00002000 08:04 13371757 /home/osboxes/test
55ebbbe31000-55ebbbe32000 r--p 00002000 08:04 13371757 /home/osboxes/test
55ebbbe32000-55ebbbe33000 rw-p 00003000 08:04 13371757 /home/osboxes/test
55ebbbe33000-55ebbbe54000 rw-p 00000000 00:00 0 [heap]
7f7b8cc09000-7f7b8cc2e000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f7b8cc2e000-7f7b8cda1000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f7b8cda1000-7f7b8cdea000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f7b8cdea000-7f7b8cded000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f7b8cded000-7f7b8cdf0000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f7b8cdf0000-7f7b8cdf6000 rw-p 00000000 00:00 0
7f7b8ce0e000-7f7b8ce0f000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f7b8ce0f000-7f7b8ce30000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f7b8ce30000-7f7b8ce38000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f7b8ce38000-7f7b8ce39000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f7b8ce39000-7f7b8ce3a000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f7b8ce3a000-7f7b8ce3b000 rw-p 00000000 00:00 0
7fffee33e000-7fffee35f000 rw-p 00000000 00:00 0 [stack]
7fffee3d7000-7fffee3da000 r--p 00000000 00:00 0 [vvar]
7fffee3da000-7fffee3dc000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
(4)系统ASLR 1, 关闭pie
共享库、栈、mmap() 、VDSO、开启随机化,程序 .bss,.text,.data段,堆地址固定
00400000-00401000 r--p 00000000 08:04 13371757 /home/osboxes/test
00401000-00402000 r-xp 00001000 08:04 13371757 /home/osboxes/test
00402000-00403000 r--p 00002000 08:04 13371757 /home/osboxes/test
00403000-00404000 r--p 00002000 08:04 13371757 /home/osboxes/test
00404000-00405000 rw-p 00003000 08:04 13371757 /home/osboxes/test
00405000-00426000 rw-p 00000000 00:00 0 [heap]
7f0829586000-7f08295ab000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f08295ab000-7f082971e000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f082971e000-7f0829767000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f0829767000-7f082976a000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f082976a000-7f082976d000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f082976d000-7f0829773000 rw-p 00000000 00:00 0
7f082978b000-7f082978c000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f082978c000-7f08297ad000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f08297ad000-7f08297b5000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f08297b5000-7f08297b6000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f08297b6000-7f08297b7000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f08297b7000-7f08297b8000 rw-p 00000000 00:00 0
7ffcd2a4c000-7ffcd2a6d000 rw-p 00000000 00:00 0 [stack]
7ffcd2aaf000-7ffcd2ab2000 r--p 00000000 00:00 0 [vvar]
7ffcd2ab2000-7ffcd2ab4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
00400000-00401000 r--p 00000000 08:04 13371757 /home/osboxes/test
00401000-00402000 r-xp 00001000 08:04 13371757 /home/osboxes/test
00402000-00403000 r--p 00002000 08:04 13371757 /home/osboxes/test
00403000-00404000 r--p 00002000 08:04 13371757 /home/osboxes/test
00404000-00405000 rw-p 00003000 08:04 13371757 /home/osboxes/test
00405000-00426000 rw-p 00000000 00:00 0 [heap]
7f125425e000-7f1254283000 r--p 00000000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f1254283000-7f12543f6000 r-xp 00025000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f12543f6000-7f125443f000 r--p 00198000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f125443f000-7f1254442000 r--p 001e0000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f1254442000-7f1254445000 rw-p 001e3000 08:01 11540916 /lib/x86_64-linux-gnu/libc-2.29.so
7f1254445000-7f125444b000 rw-p 00000000 00:00 0
7f1254463000-7f1254464000 r--p 00000000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f1254464000-7f1254485000 r-xp 00001000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f1254485000-7f125448d000 r--p 00022000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f125448d000-7f125448e000 r--p 00029000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f125448e000-7f125448f000 rw-p 0002a000 08:01 11540819 /lib/x86_64-linux-gnu/ld-2.29.so
7f125448f000-7f1254490000 rw-p 00000000 00:00 0
7ffea9240000-7ffea9261000 rw-p 00000000 00:00 0 [stack]
7ffea92dd000-7ffea92e0000 r--p 00000000 00:00 0 [vvar]
7ffea92e0000-7ffea92e2000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
(5)系统ASLR 0
共享库、栈、mmap() 、VDSO、程序 .bss,.text,.data段,堆地址固定,不开启随机化