Why we look for the bss area
The bss area is used when data has to be placed at a fixed location.
For several reasons, especially when a particular address is hard to locate, it is a good idea to use the bss area: it has a fixed address and sits right next to the code area.
The bss area can be found as follows.
┌──(kali㉿kali)-[~/Downloads]
└─$ objdump -h ./validator_dist
./validator_dist: file format elf64-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 0000001c 0000000000400238 0000000000400238 00000238 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.ABI-tag 00000020 0000000000400254 0000000000400254 00000254 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .note.gnu.build-id 00000024 0000000000400274 0000000000400274 00000274 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .gnu.hash 0000001c 0000000000400298 0000000000400298 00000298 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .dynsym 00000090 00000000004002b8 00000000004002b8 000002b8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynstr 00000049 0000000000400348 0000000000400348 00000348 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .gnu.version 0000000c 0000000000400392 0000000000400392 00000392 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version_r 00000020 00000000004003a0 00000000004003a0 000003a0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rela.dyn 00000030 00000000004003c0 00000000004003c0 000003c0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rela.plt 00000048 00000000004003f0 00000000004003f0 000003f0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .init 00000017 0000000000400438 0000000000400438 00000438 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 .plt 00000040 0000000000400450 0000000000400450 00000450 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .text 00000272 0000000000400490 0000000000400490 00000490 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .fini 00000009 0000000000400704 0000000000400704 00000704 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .rodata 00000004 0000000000400710 0000000000400710 00000710 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .eh_frame_hdr 0000004c 0000000000400714 0000000000400714 00000714 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .eh_frame 00000140 0000000000400760 0000000000400760 00000760 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
17 .init_array 00000008 0000000000600e10 0000000000600e10 00000e10 2**3
CONTENTS, ALLOC, LOAD, DATA
18 .fini_array 00000008 0000000000600e18 0000000000600e18 00000e18 2**3
CONTENTS, ALLOC, LOAD, DATA
19 .dynamic 000001d0 0000000000600e20 0000000000600e20 00000e20 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .got 00000010 0000000000600ff0 0000000000600ff0 00000ff0 2**3
CONTENTS, ALLOC, LOAD, DATA
21 .got.plt 00000030 0000000000601000 0000000000601000 00001000 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .data 0000001b 0000000000601030 0000000000601030 00001030 2**3
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000005 000000000060104b 000000000060104b 0000104b 2**0
ALLOC
24 .comment 00000029 0000000000000000 0000000000000000 0000104b 2**0
CONTENTS, READONLY
In addition, you should check that the area actually has write permission.
You can do that with gef's vmmap.
gef➤ vmmap
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x00000000400000 0x00000000401000 0x00000000000000 r-x /home/kali/Downloads/validator_dist
0x00000000600000 0x00000000601000 0x00000000000000 r-- /home/kali/Downloads/validator_dist
0x00000000601000 0x00000000602000 0x00000000001000 rw- /home/kali/Downloads/validator_dist
0x007ffff7dd6000 0x007ffff7dd8000 0x00000000000000 rw-
0x007ffff7dd8000 0x007ffff7dfe000 0x00000000000000 r-- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7dfe000 0x007ffff7f56000 0x00000000026000 r-x /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7f56000 0x007ffff7fa2000 0x0000000017e000 r-- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa2000 0x007ffff7fa3000 0x000000001ca000 --- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa3000 0x007ffff7fa6000 0x000000001ca000 r-- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa6000 0x007ffff7fa9000 0x000000001cd000 rw- /usr/lib/x86_64-linux-gnu/libc-2.33.so
0x007ffff7fa9000 0x007ffff7fb4000 0x00000000000000 rw-
0x007ffff7fc6000 0x007ffff7fca000 0x00000000000000 r-- [vvar]
0x007ffff7fca000 0x007ffff7fcc000 0x00000000000000 r-x [vdso]
0x007ffff7fcc000 0x007ffff7fcd000 0x00000000000000 r-- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7fcd000 0x007ffff7ff1000 0x00000000001000 r-x /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7ff1000 0x007ffff7ffb000 0x00000000025000 r-- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7ffb000 0x007ffff7ffd000 0x0000000002e000 r-- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffff7ffd000 0x007ffff7fff000 0x00000000030000 rw- /usr/lib/x86_64-linux-gnu/ld-2.33.so
0x007ffffffde000 0x007ffffffff000 0x00000000000000 rwx [stack]
Alternatively, you can use pwntools.
from pwn import *
e = ELF('./file')   # load the target binary and parse its headers ('./file' is a placeholder path)
bss = e.bss()       # start address of the .bss section (e.bss(offset) adds an offset to it)
print(hex(bss))
Using this, you can put shellcode into the bss area, or data to be referenced, whatever you want~
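To tie the two listings together, here is an added Python check (my own example, not code from the original post or from pwntools) that parses the `objdump -h` section rows and the gef `vmmap` rows copied above and reports which mapping each section falls in and whether that mapping is writable or executable. The embedded input is trimmed from the output shown above; the function names and result keys are my own.

```python
import re

# Rows copied from the `objdump -h ./validator_dist` output above (trimmed);
# the flag lines such as "CONTENTS, ALLOC, LOAD, DATA" are skipped by the parser.
OBJDUMP_H = """\
Idx Name Size VMA LMA File off Algn
12 .text 00000272 0000000000400490 0000000000400490 00000490 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
21 .got.plt 00000030 0000000000601000 0000000000601000 00001000 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .data 0000001b 0000000000601030 0000000000601030 00001030 2**3
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000005 000000000060104b 000000000060104b 0000104b 2**0
ALLOC
24 .comment 00000029 0000000000000000 0000000000000000 0000104b 2**0
CONTENTS, READONLY
"""

# Rows copied from the gef `vmmap` output above (trimmed to the binary, one
# anonymous mapping and the stack).
VMMAP = """\
Start End Offset Perm Path
0x00000000400000 0x00000000401000 0x00000000000000 r-x /home/kali/Downloads/validator_dist
0x00000000600000 0x00000000601000 0x00000000000000 r-- /home/kali/Downloads/validator_dist
0x00000000601000 0x00000000602000 0x00000000001000 rw- /home/kali/Downloads/validator_dist
0x007ffff7dd6000 0x007ffff7dd8000 0x00000000000000 rw-
0x007ffffffde000 0x007ffffffff000 0x00000000000000 rwx [stack]
"""

# objdump row: index, name, 8-hex-digit size, 16-hex-digit VMA, then the rest.
SECTION_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+([0-9a-f]{8})\s+([0-9a-f]{16})\s")
# vmmap row: start, end, offset, 3-char permission string, optional path.
VMMAP_ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+([rwx-]{3})\s*(.*)$")


def parse_sections(text):
    """Map section name -> (vma, size) from `objdump -h` rows."""
    sections = {}
    for line in text.splitlines():
        m = SECTION_ROW.match(line)
        if m:
            name, size, vma = m.groups()
            sections[name] = (int(vma, 16), int(size, 16))
    return sections


def parse_vmmap(text):
    """List (start, end, perm, path) tuples from gef `vmmap` rows."""
    regions = []
    for line in text.splitlines():
        m = VMMAP_ROW.match(line)
        if m:
            start, end, perm, path = m.groups()
            regions.append((int(start, 16), int(end, 16), perm, path.strip()))
    return regions


def region_for(addr, regions):
    """Return the mapping that contains addr, or None if it is unmapped."""
    for region in regions:
        start, end = region[0], region[1]
        if start <= addr < end:
            return region
    return None


def check_section(name, sections, regions):
    """Report the mapping and permissions covering a whole section.

    A section counts as mapped only if its first and last byte fall in the
    same vmmap region; a zero-VMA section such as .comment is not loaded at all.
    """
    vma, size = sections[name]
    first = region_for(vma, regions)
    last = region_for(vma + max(size, 1) - 1, regions)
    result = {"name": name, "vma": vma, "size": size, "mapped": False}
    if first is None or first != last:
        return result
    start, end, perm, path = first
    result.update(mapped=True, perm=perm, writable="w" in perm,
                  executable="x" in perm, region=(start, end), path=path)
    return result


if __name__ == "__main__":
    secs = parse_sections(OBJDUMP_H)
    regs = parse_vmmap(VMMAP)
    for name in (".text", ".got.plt", ".data", ".bss", ".comment"):
        r = check_section(name, secs, regs)
        if r["mapped"]:
            print(f"{name:10} {r['vma']:#x}+{r['size']:#x}  {r['perm']}  {r['path']}")
        else:
            print(f"{name:10} {r['vma']:#x}+{r['size']:#x}  not in a single mapping")
```

Two things the check makes visible: .bss in this binary is only 5 bytes long and shares its rw- page (0x601000 to 0x602000) with .got.plt and .data, so e.bss() gives the start of a small section, not a page of its own; and the addresses are fixed only because the binary is mapped at 0x400000 on every run (no PIE). For a PIE binary the vmmap step has to be repeated at runtime, since the section VMAs from objdump are offsets from a base that changes.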