
【工具】将Linux下executable转为lib的探究

关于如何将PIE的executable转为lib并通过C加载执行特定函数。

参考文章:

https://blahcat.github.io/2018/03/11/fuzzing-arbitrary-functions-in-elf-binaries/

https://lief.quarkslab.com/doc/latest/tutorials/08_elf_bin2lib.html

LIEF

LIEF 提供了一种将 bin 转为 lib 的方法,但要求该 bin 开启了 PIE;没有开启 PIE 的 bin 无法转为 lib。

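import sys

import lief

# usage: python3 exe2so.py bin addr:export_name ...


def _parse_export(arg: str) -> tuple[int, str]:
    """Split one ``addr:export_name`` argument into ``(address, name)``.

    The address is parsed as hexadecimal (a leading ``0x`` prefix is
    accepted). Only the first colon separates the two parts, so the export
    name may itself contain colons.

    Raises:
        ValueError: if ``arg`` has no colon or the address is not hex.
    """
    addr, name = arg.split(":", 1)
    return int(addr, 16), name


def main() -> int:
    """Export the given addresses as named functions and write ``<bin>.so``.

    Returns the process exit status: 0 on success, 1 on a usage error,
    when the input cannot be parsed as an ELF file, when an export spec is
    malformed, or when the binary was not built as PIE (a non-PIE
    executable cannot be turned into a loadable shared object).
    """
    if len(sys.argv) < 3:
        print("[-] invalid syntax")
        print("usage: python3 exe2so.py bin addr:export_name ...")
        return 1

    infile = sys.argv[1]
    elf = lief.parse(infile)
    # lief.parse() reports an unparseable input by returning None instead of
    # raising; without this check the script would die on AttributeError.
    if not isinstance(elf, lief.ELF.Binary):
        print("[-] '%s' is not a parseable ELF file" % (infile,))
        return 1
    # Refuse early: a non-PIE executable cannot be relocated as a library.
    if not elf.is_pie:
        print("[-] '%s' is not PIE, cannot convert to a shared object" % (infile,))
        return 1

    for arg in sys.argv[2:]:
        try:
            addr, name = _parse_export(arg)
        except ValueError:
            print("[-] invalid export spec '%s' (expected addr:export_name)" % (arg,))
            return 1
        print("[+] exporting '%s' to %#x" % (name, addr,))
        elf.add_exported_function(addr, name)

    outfile = "%s.so" % infile
    print("[+] writing shared object as '%s'" % (outfile,))
    elf.write(outfile)
    print("[+] done")
    return 0


if __name__ == "__main__":
    sys.exit(main())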

使用C语言调用

#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <alloca.h>
#include <string.h>

/* Signature of the functions exported from the converted binary: called
 * with no arguments, result read as a size_t. */
typedef size_t (*func_t)(void);

/* dlopen() handle for ./bin.so; NULL until LoadLibrary() succeeds and
 * NULL again once CloseLibrary() has run. */
void *h = NULL;
/* Set by main() after a successful load so the library is opened once. */
int is_loaded = 0;

/* atexit() hook: release the dlopen() handle if one is still open.
 * Safe to call repeatedly; a NULL handle is left untouched. */
void CloseLibrary(void) {
    if (h == NULL) {
        return;
    }
    dlclose(h);
    h = NULL;
}

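/* Open ./bin.so (the converted binary) from the current directory and
 * register CloseLibrary() to run at exit. Returns 1 on success, 0 on
 * failure. dlopen() maps the library and runs its initializers in this
 * process. A second call while the handle is open returns 1 without
 * opening it again, so the atexit() hook is registered at most once. */
int LoadLibrary(void) {
    if (h != NULL) {
        return 1;
    }
    /* RTLD_LAZY: function symbols are bound on first use, so the load does
     * not fail on symbols the exported function never reaches. */
    h = dlopen("./bin.so", RTLD_LAZY);
    if (h == NULL) {
        /* Report why the load failed instead of leaving the caller with a
         * bare "Load Error". */
        const char *err = dlerror();
        fprintf(stderr, "dlopen failed: %s\n", err != NULL ? err : "unknown error");
        return 0;
    }
    /* Only register the hook once the handle actually exists. */
    atexit(CloseLibrary);
    return 1;
}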

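/* Load ./bin.so once, look up the exported entry point "export_name" and
 * call it. Returns 0 on success and -1 if the library cannot be loaded or
 * the symbol is not found. argc/argv are unused: the library path and the
 * symbol name are fixed in the source. */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    if (!is_loaded) {
        if (!LoadLibrary()) {
            printf("Load Error\n");
            return -1;
        }
        is_loaded = 1;
        printf("Load Success\n");
    }

    /* Clear any stale error so dlerror() below reflects this lookup only. */
    dlerror();
    func_t func = (func_t)dlsym(h, "export_name");
    /* The original called the result unconditionally; a missing export
     * would have jumped to NULL. */
    if (func == NULL) {
        const char *err = dlerror();
        fprintf(stderr, "dlsym failed: %s\n", err != NULL ? err : "symbol not found");
        return -1;
    }

    /* The exported function's return value is not used by this harness. */
    (void)func();

    return 0;
}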