Finding the bss section

2022. 8. 5. 08:56·Tips & theory

Why look for the bss section?

When you need to put data at a known, fixed location, the bss section is the usual choice.

For all sorts of reasons, especially when other addresses are hard to pin down, bss is convenient: it sits at the end of the binary's writable data segment, right after .data, it is zero-filled at load time, and in a non-PIE binary like the one below (loaded at 0x400000) its address is the same on every run. In a PIE binary the offset from the image base is still constant, but you need a leak of the base before you can use it.

The section can be found with objdump -h:

┌──(kali㉿kali)-[~/Downloads]
└─$ objdump -h ./validator_dist

./validator_dist:     file format elf64-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .interp       0000001c  0000000000400238  0000000000400238  00000238  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .note.ABI-tag 00000020  0000000000400254  0000000000400254  00000254  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .note.gnu.build-id 00000024  0000000000400274  0000000000400274  00000274  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .gnu.hash     0000001c  0000000000400298  0000000000400298  00000298  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynsym       00000090  00000000004002b8  00000000004002b8  000002b8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynstr       00000049  0000000000400348  0000000000400348  00000348  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .gnu.version  0000000c  0000000000400392  0000000000400392  00000392  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .gnu.version_r 00000020  00000000004003a0  00000000004003a0  000003a0  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .rela.dyn     00000030  00000000004003c0  00000000004003c0  000003c0  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .rela.plt     00000048  00000000004003f0  00000000004003f0  000003f0  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 10 .init         00000017  0000000000400438  0000000000400438  00000438  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .plt          00000040  0000000000400450  0000000000400450  00000450  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 .text         00000272  0000000000400490  0000000000400490  00000490  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .fini         00000009  0000000000400704  0000000000400704  00000704  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 14 .rodata       00000004  0000000000400710  0000000000400710  00000710  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 15 .eh_frame_hdr 0000004c  0000000000400714  0000000000400714  00000714  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 16 .eh_frame     00000140  0000000000400760  0000000000400760  00000760  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 17 .init_array   00000008  0000000000600e10  0000000000600e10  00000e10  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 18 .fini_array   00000008  0000000000600e18  0000000000600e18  00000e18  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 19 .dynamic      000001d0  0000000000600e20  0000000000600e20  00000e20  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 20 .got          00000010  0000000000600ff0  0000000000600ff0  00000ff0  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 21 .got.plt      00000030  0000000000601000  0000000000601000  00001000  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 22 .data         0000001b  0000000000601030  0000000000601030  00001030  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 23 .bss          00000005  000000000060104b  000000000060104b  0000104b  2**0
                  ALLOC
 24 .comment      00000029  0000000000000000  0000000000000000  0000104b  2**0
                  CONTENTS, READONLY

The line to read is index 23: .bss starts at VMA 0x60104b and is 5 bytes long. Its only flag is ALLOC (no CONTENTS) because the section occupies no bytes in the file and is zero-filled when the binary is loaded, which is why .comment right after it has the same file offset 0x104b. It sits at the end of the writable data segment, directly after .data.

On top of that, check that the region is actually mapped writable at runtime.

gef's vmmap shows the mappings and their permissions:

gef➤  vmmap
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x00000000400000 0x00000000401000 0x00000000000000 r-x /home/kali/Downloads/validator_dist
0x00000000600000 0x00000000601000 0x00000000000000 r-- /home/kali/Downloads/validator_dist
0x00000000601000 0x00000000602000 0x00000000001000 rw- /home/kali/Downloads/validator_dist
0x007ffff7dd6000 0x007ffff7dd8000 0x00000000000000 rw-
0x007ffff7dd8000 0x007ffff7dfe000 0x00000000000000 r-- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7dfe000 0x007ffff7f56000 0x00000000026000 r-x /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7f56000 0x007ffff7fa2000 0x0000000017e000 r-- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa2000 0x007ffff7fa3000 0x000000001ca000 --- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa3000 0x007ffff7fa6000 0x000000001ca000 r-- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa6000 0x007ffff7fa9000 0x000000001cd000 rw- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa9000 0x007ffff7fb4000 0x00000000000000 rw-
0x007ffff7fc6000 0x007ffff7fca000 0x00000000000000 r-- [vvar]
0x007ffff7fca000 0x007ffff7fcc000 0x00000000000000 r-x [vdso]
0x007ffff7fcc000 0x007ffff7fcd000 0x00000000000000 r-- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7fcd000 0x007ffff7ff1000 0x00000000001000 r-x /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7ff1000 0x007ffff7ffb000 0x00000000025000 r-- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7ffb000 0x007ffff7ffd000 0x0000000002e000 r-- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7ffd000 0x007ffff7fff000 0x00000000030000 rw- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffffffde000 0x007ffffffff000 0x00000000000000 rwx [stack]

The page holding .bss, 0x601000-0x602000, is rw-: writable, but not executable (in this binary only the stack is rwx). The whole page is mapped, so in practice everything from 0x60104b up to 0x602000 is writable zero-filled memory, even though .bss itself is only 5 bytes. The page below it, 0x600000-0x601000 (.dynamic, .got and friends), shows r-- because that range is RELRO and ld.so makes it read-only after relocation, so stay at or above 0x601000.

pwntools gives the same address without leaving the exploit script:

from pwn import *

e = ELF('./file')   # path to the target binary

bss = e.bss()       # VMA of the start of .bss; e.bss(offset) adds an offset to it

For a PIE binary, set e.address to the leaked base first; until then the value is relative to the unrelocated image.

With that address you can put whatever you need into bss: data that later code dereferences, a fake structure, a place to pivot the stack to. Shellcode as well, but only if the page is actually executable, and the vmmap above shows rw-, so here it would first have to be made executable (mprotect) or the space used for data instead.
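The same lookup done straight from the ELF headers, as an added example that is not part of the original post and not pwntools' or gef's code. It reads the section header table to find .bss (SHT_NOBITS, which is why objdump shows only ALLOC), finds the PT_LOAD segment covering it to get the permissions vmmap will show, checks the PT_GNU_RELRO range that ld.so turns read-only at startup, and tells ET_EXEC from ET_DYN so you know whether the address is fixed or PIE-relative. The script name find_bss.py is an assumption; the sample input is a constructed header-only ELF that mirrors the layout shown above (no real contents), so it runs offline, and you can point it at a real binary instead.

```python
"""Locate .bss straight from the ELF64 headers and work out what the loader
will do with it: fixed address (ET_EXEC) or PIE-relative (ET_DYN), whether
the covering PT_LOAD is writable/executable, and whether the PT_GNU_RELRO
range that ld.so turns read-only reaches it."""
import struct
import sys

# ELF64 constants from the System V ABI
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_RELRO = 1, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
SHT_NOBITS, SHT_PROGBITS, SHT_STRTAB = 8, 1, 3
SHF_WRITE, SHF_ALLOC = 1, 2
PAGE = 0x1000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # e_ident ... e_shstrndx (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
SHDR = struct.Struct("<IIQQQQIIQQ")        # sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link sh_info sh_addralign sh_entsize


def parse_elf64(data):
    """Return (e_type, program headers, {section name: section header}) of a little-endian ELF64."""
    (ident, e_type, _machine, _version, _entry, phoff, shoff, _flags, _ehsize,
     phentsize, phnum, shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]                       # sh_offset of .shstrtab
    sections = {}
    for sh in shdrs:
        start = strtab + sh[0]                        # sh_name is an offset into .shstrtab
        sections[data[start:data.index(b"\0", start)].decode()] = sh
    return e_type, phdrs, sections


def bss_info(data):
    """Address, size and effective runtime properties of .bss."""
    e_type, phdrs, sections = parse_elf64(data)
    sh = sections[".bss"]
    addr, size = sh[3], sh[5]
    if sh[1] != SHT_NOBITS or not sh[2] & SHF_ALLOC:
        raise ValueError(".bss should be SHT_NOBITS + SHF_ALLOC (objdump: ALLOC, no CONTENTS)")
    # The PT_LOAD segment that maps this address decides the page permissions vmmap shows.
    load = next(p for p in phdrs if p[0] == PT_LOAD and p[3] <= addr < p[3] + p[6])
    # ld.so mprotects the PT_GNU_RELRO range read-only after relocation, so a
    # writable PT_LOAD flag alone is not enough: the address must be past RELRO too.
    in_relro = any(p[0] == PT_GNU_RELRO and p[3] <= addr < p[3] + p[6] for p in phdrs)
    seg_end = load[3] + load[6]                       # p_vaddr + p_memsz
    return {
        "addr": addr,
        "size": size,
        "fixed_address": e_type == ET_EXEC,           # ET_DYN (PIE) needs a base leak first
        "writable": bool(load[1] & PF_W) and not in_relro,
        "executable": bool(load[1] & PF_X),           # False here: no shellcode without mprotect
        # the kernel maps the last page of the segment whole, so in practice
        # everything from .bss up to this page boundary is writable zero-filled scratch
        "scratch_end": (seg_end + PAGE - 1) & ~(PAGE - 1),
    }


def build_demo_elf():
    """Constructed sample input: a header-only ET_EXEC ELF64 with the RW segment
    layout of the post's objdump/vmmap output (RW PT_LOAD at 0x600e10, RELRO up
    to 0x601000, .data at 0x601030, .bss at 0x60104b with size 5). It carries no
    loadable contents; it exists only to exercise the header parsing offline."""
    names = b"\0.data\0.bss\0.shstrtab\0"             # .shstrtab: name offsets 1, 7, 12
    phoff = EHDR.size
    stroff = phoff + 2 * PHDR.size
    shoff = (stroff + len(names) + 7) & ~7
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_EXEC, 62, 1, 0x400490,
                     phoff, shoff, 0, EHDR.size, PHDR.size, 2, SHDR.size, 4, 3)
    phdrs = PHDR.pack(PT_LOAD, PF_R | PF_W, 0xe10, 0x600e10, 0x600e10, 0x23b, 0x240, PAGE)
    phdrs += PHDR.pack(PT_GNU_RELRO, PF_R, 0xe10, 0x600e10, 0x600e10, 0x1f0, 0x1f0, 1)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)   # mandatory null section
    shdrs += SHDR.pack(1, SHT_PROGBITS, SHF_WRITE | SHF_ALLOC, 0x601030, 0x1030, 0x1b, 0, 0, 8, 0)
    shdrs += SHDR.pack(7, SHT_NOBITS, SHF_WRITE | SHF_ALLOC, 0x60104b, 0x104b, 5, 0, 0, 1, 0)
    shdrs += SHDR.pack(12, SHT_STRTAB, 0, 0, stroff, len(names), 0, 0, 1, 0)
    return (ehdr + phdrs + names).ljust(shoff, b"\0") + shdrs


if __name__ == "__main__":
    # usage: python3 find_bss.py [./validator_dist]   (no argument: the constructed demo)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_elf()
    for key, val in bss_info(blob).items():
        print(f"{key:14} {val:#x}" if type(val) is int else f"{key:14} {val}")
```

On the constructed input this reports addr 0x60104b, size 5, fixed_address True, writable True, executable False and scratch_end 0x602000, matching the objdump and vmmap output above. scratch_end is the page-rounded end of the RW segment: it is the practical upper bound for data you drop past the 5-byte .bss. The PT_GNU_RELRO check is what separates "the segment is RW in the file" from "the page is rw- at runtime", which is exactly why the post still runs vmmap after objdump.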

License: CC BY-NC-ND (Attribution-NonCommercial-NoDerivatives)
Author: wyv3rn