一款CTF AWD二进制通用防御补丁工具,目前仅支持x32/x64。
Ubuntu 16.04 x64,使用cmake编译:
cmake .
make
apt install cmake
apt install libelf-dev
https://github.com/lief-project/LIEF
下载源码,编译安装
wget https://github.com/lief-project/LIEF/archive/0.10.1.tar.gz
tar xvf 0.10.1.tar.gz
cd LIEF-0.10.1
LIEF在x32 NO-PIE的情况下,添加segment会导致BUG:
Inconsistency detected by ld.so: rtld.c: 1191: dl_main: Assertion `GL(dl_rtld_map).l_libname' failed!
解决方法: 在LIEF源码中添加section会添加一个Segment,添加完Segment后调用replace方法将此新段与PT_NOTE互换,即临时解决了此问题。
src/ELF/Binary.tcc 631行:
-Segment& segment_added = this->add(new_segment);
+Segment * p_segment_added = nullptr;
+if(this->type() == ELF_CLASS::ELFCLASS32 && this->header().file_type() != E_TYPE::ET_DYN)
+{
+ Segment & note = this->get(SEGMENT_TYPES::PT_NOTE);
+ p_segment_added = &this->replace(new_segment,note);
+}
+else
+{
+ p_segment_added = &this->add(new_segment);
+}
+Segment& segment_added = *p_segment_added;
打完补丁后
cmake .
make -j4
make install
https://github.com/keystone-engine/keystone
下载源码,编译安装
wget https://github.com/keystone-engine/keystone/archive/0.9.2.tar.gz
tar xvf 0.9.2.tar.gz
cd keystone-0.9.2
cmake .
make -j4
make install
https://github.com/aquynh/capstone
apt install libcapstone3 libcapstone-dev
或者下载源码,编译安装
wget https://github.com/aquynh/capstone/archive/4.0.2.tar.gz
tar xvf 4.0.2.tar.gz
cd capstone-4.0.2
./make.sh
https://github.com/Bwar/CJsonObject
这个工程稍微比较麻烦,因为开发者只提供了代码没有想发布链接库的意思,需要我们手工编译生成。
git clone https://github.com/Bwar/CJsonObject.git
cd demo
make
cd ..
ar crv libCJsonObject.a cJSON.o CJsonObject.o
cp CJsonObject.hpp /usr/local/include
cp cJSON.h /usr/local/include
cp libCJsonObject.a /usr/local/lib
https://github.com/bigBestWay/SilverPatcher/wiki
通过修改config.json配置文件,更新libc相关偏移量以及选择想要使用的策略。
{
"policys":
{
"enableNXPolicy":{
"comment":"开启NX。",
"level":"SECURE",
"enable":1
},
"BindNowPolicy":{
"comment":"修改PLTGOT懒加载为立即绑定,抵抗_dl_runtime_solve攻击。",
"level":"SECURE",
"enable":1
},
"RandomPLTGOTPolicy":{
"comment":"重新排列PLT/GOT表项。ELF文件大小不变,但变动较大。",
"level":"LOW",
"enable":0
},
"DisableFreePolicy":{
"comment":"禁用free达到通防。",
"level":"SECURE",
"enable":0
},
"RiseStackPolicy":{
"comment":"在函数的开头抬高栈,抵抗栈溢出攻击,可能要新加代码段。因有些函数代码限制,可能无法自动插入代码。如function列表中可填写函数地址,修改指定地址函数;如果不填写,会尝试修改所有函数。",
"level":"HIGH",
"enable":1,
"functions":[
"0x4008B0"
]
},
"setRPathPolicy":{
"comment":"修改ELF链接到指定目录下的libc.so.6(可以放置eglibc),需要添加段,这个策略过于UGLY。如果checker检查通过,理论上开启它就可以通防。它与ModifyLibcCodeProvider冲突。",
"level":"VERYHIGH",
"enable":0
},
"StartInjectPolicy":{
"comment":"start函数开头代码注入,代码来自下文的CodeProvider",
"level":"MEDIUM",
"enable":1
},
"FmtVulScanRepairPolicy":{
"comment":"该策略扫描格式串漏洞,如果配置了patch,则会打补丁。比如有指令0x40086c call printf存在格式化串漏洞,那么就在patch加一个元素:function=printf, callAddress=0x40086c",
"level":"MEDIUM",
"enable":0,
"patch":[
{
"function":"printf",
"callAddress":""
},
{
"function":"printf",
"callAddress":""
}
]
}
}
,
"codeProvider":{
"ModifyLibcCodeProvider":{
"comment":"对libc中的数据进行修改。它与setRPathPolicy冲突。",
"enable":0,
"modifyGlobalMaxFast":{
"comment":"修改global_max_fast,令malloc关闭或只使用fastbin。value取值范围[1,0x7fffffff]。为1,关闭;为超大值,就会只使用fastbin。",
"enable":0,
"value":"0"
},
"closeTcache":{
"comment":"修改mp_.tcache_count,令malloc关闭tcache或改变tcache的最大数量(默认是7)。",
"enable":0
},
"setNoBufStdout":{
"comment":"设置STDOUT为不缓冲,这个是配合Capture01CodeProvider使用的。",
"enable":0
},
"nopbinsh":{
"comment":"nop掉libc中的binsh字符串,使system/oneshot失效",
"enable":1
}
},
"ClearBackdoorCodeProvider":{
"comment":"当需要清理后门的时候打上一轮即可,下一轮去掉。",
"enable":0
},
"BindShellCodeProvider":{
"comment":"fork子进程,提供bindtcp_shell,密码固定是8字节。",
"enable":1,
"port":56789,
"password":"abcdefgh"
},
"Capture01CodeProvider":{
"comment":"fork子进程,抓取输入输出并保存到文件。",
"enable":0,
"forward_host":"117.78.9.13",
"forward_port":56789
}
},
"libcdb":{
"comment":"libcdb内容需要根据比赛环境即时修改",
"x64":{
"global_max_fast":"0x3ed940",
"malloc":"0x40c4b0",
"__libc_start_main":"0x20750",
"free":"0x40c620",
"_IO_2_1_stdout_":"0x3ec760",
"tcache_count":"0x3eb2e0",
"str_bin_sh":"0x18CE17"
},
"x32":{
"global_max_fast":"0x1d9904",
"malloc":"0x2067f0",
"__libc_start_main":"0x18d90",
"free":"0x206940",
"_IO_2_1_stdout_":"0x1d8d80",
"tcache_count":"0x1d8158",
"str_bin_sh":""
}
}
}