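(Time for some self-reflection.)
I suspected the header information would tell me somehow, but... So I'm going through how checksec works, something I had always glossed over, so that I can check these protections even when nothing is available.
Looking through the code, it's easier than I expected. There is also a well-organized write-up on the BlackPerl Security blog, so it makes good study material.
checksec code : https://github.com/slimm609/checksec.sh/blob/master/checksec
bpsec posting : https://bpsecblog.wordpress.com/2016/06/28/memory_protect_linux_5/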
NX
# check for NX support
$debug && echo -e "\n***function filecheck->nx"
if $readelf -W -l "$1" 2>/dev/null | grep -q 'GNU_STACK'; then
  if $readelf -W -l "$1" 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
    echo_message '\033[31mNX disabled\033[m ' 'NX disabled,' ' nx="no"' '"nx":"no",'
  else
    echo_message '\033[32mNX enabled \033[m ' 'NX enabled,' ' nx="yes"' '"nx":"yes",'
  fi
else
  echo_message '\033[31mNX disabled\033[m ' 'NX disabled,' ' nx="no"' '"nx":"no",'
fi
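The checksec code looks like the above. In the end it works by running readelf and reading information out of the ELF file. readelf's -W option lets output lines run past 80 characters so they are shown in full, and the -l option displays the program headers and segments.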
> readelf -W -l a
Elf file type is DYN (Shared object file)
Entry point 0x530
There are 9 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R 0x8
INTERP 0x000238 0x0000000000000238 0x0000000000000238 0x00001c 0x00001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x000830 0x000830 R E 0x200000
LOAD 0x000db8 0x0000000000200db8 0x0000000000200db8 0x000258 0x000260 RW 0x200000
DYNAMIC 0x000dc8 0x0000000000200dc8 0x0000000000200dc8 0x0001f0 0x0001f0 RW 0x8
NOTE 0x000254 0x0000000000000254 0x0000000000000254 0x000044 0x000044 R 0x4
GNU_EH_FRAME 0x0006ec 0x00000000000006ec 0x00000000000006ec 0x00003c 0x00003c R 0x4
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10
GNU_RELRO 0x000db8 0x0000000000200db8 0x0000000000200db8 0x000248 0x000248 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
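You can tell from the permission flags (R/W/E) of the GNU_STACK entry in the middle of that output. Here they are RW with no E, so the stack is not executable and checksec reports NX enabled.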
STACK CANARY
# check for stack canary support
$debug && echo -e "\n***function proccheck->canary"
if $readelf -s "$1/exe" 2>/dev/null | grep -q 'Symbol table'; then
  if $readelf -s "$1/exe" 2>/dev/null | grep -Eq '__stack_chk_fail|__intel_security_cookie'; then
    echo_message '\033[32mCanary found \033[m ' 'Canary found,' ' canary="yes"' '"canary":"yes",'
  else
    echo_message '\033[31mNo canary found \033[m ' 'No Canary found,' ' canary="no"' '"canary":"no",'
  fi
else
  if [[ "$1" == "1" ]] ; then
    echo -n -e '\033[33mPermission denied \033[m '
  else
    echo -n -e '\033[33mNo symbol table found \033[m '
  fi
fi
readelf's -s option prints symbol information.
Running it gives the result below; checksec decides whether a canary is present by looking for __stack_chk_fail and __intel_security_cookie.
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -s a
Symbol table '.dynsym' contains 9 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (2)
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (3)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
5: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND gets@GLIBC_2.2.5 (2)
7: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
8: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.2.5 (2)
Symbol table '.symtab' contains 65 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000238 0 SECTION LOCAL DEFAULT 1
2: 0000000000000254 0 SECTION LOCAL DEFAULT 2
3: 0000000000000274 0 SECTION LOCAL DEFAULT 3
4: 0000000000000298 0 SECTION LOCAL DEFAULT 4
5: 00000000000002b8 0 SECTION LOCAL DEFAULT 5
6: 0000000000000390 0 SECTION LOCAL DEFAULT 6
7: 0000000000000432 0 SECTION LOCAL DEFAULT 7
8: 0000000000000448 0 SECTION LOCAL DEFAULT 8
9: 0000000000000478 0 SECTION LOCAL DEFAULT 9
10: 0000000000000538 0 SECTION LOCAL DEFAULT 10
11: 0000000000000580 0 SECTION LOCAL DEFAULT 11
12: 00000000000005a0 0 SECTION LOCAL DEFAULT 12
13: 00000000000005e0 0 SECTION LOCAL DEFAULT 13
14: 00000000000005f0 0 SECTION LOCAL DEFAULT 14
15: 00000000000007c4 0 SECTION LOCAL DEFAULT 15
16: 00000000000007d0 0 SECTION LOCAL DEFAULT 16
17: 00000000000007d4 0 SECTION LOCAL DEFAULT 17
18: 0000000000000810 0 SECTION LOCAL DEFAULT 18
19: 0000000000200da8 0 SECTION LOCAL DEFAULT 19
20: 0000000000200db0 0 SECTION LOCAL DEFAULT 20
21: 0000000000200db8 0 SECTION LOCAL DEFAULT 21
22: 0000000000200fa8 0 SECTION LOCAL DEFAULT 22
23: 0000000000201000 0 SECTION LOCAL DEFAULT 23
24: 0000000000201010 0 SECTION LOCAL DEFAULT 24
25: 0000000000000000 0 SECTION LOCAL DEFAULT 25
26: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
27: 0000000000000620 0 FUNC LOCAL DEFAULT 14 deregister_tm_clones
28: 0000000000000660 0 FUNC LOCAL DEFAULT 14 register_tm_clones
29: 00000000000006b0 0 FUNC LOCAL DEFAULT 14 __do_global_dtors_aux
30: 0000000000201010 1 OBJECT LOCAL DEFAULT 24 completed.7696
31: 0000000000200db0 0 OBJECT LOCAL DEFAULT 20 __do_global_dtors_aux_fin
32: 00000000000006f0 0 FUNC LOCAL DEFAULT 14 frame_dummy
33: 0000000000200da8 0 OBJECT LOCAL DEFAULT 19 __frame_dummy_init_array_
34: 0000000000000000 0 FILE LOCAL DEFAULT ABS a.c
35: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
36: 0000000000000914 0 OBJECT LOCAL DEFAULT 18 __FRAME_END__
37: 0000000000000000 0 FILE LOCAL DEFAULT ABS
38: 0000000000200db0 0 NOTYPE LOCAL DEFAULT 19 __init_array_end
39: 0000000000200db8 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC
40: 0000000000200da8 0 NOTYPE LOCAL DEFAULT 19 __init_array_start
41: 00000000000007d4 0 NOTYPE LOCAL DEFAULT 17 __GNU_EH_FRAME_HDR
42: 0000000000200fa8 0 OBJECT LOCAL DEFAULT 22 _GLOBAL_OFFSET_TABLE_
43: 00000000000007c0 2 FUNC GLOBAL DEFAULT 14 __libc_csu_fini
44: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
45: 0000000000201000 0 NOTYPE WEAK DEFAULT 23 data_start
46: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@@GLIBC_2.2.5
47: 0000000000201010 0 NOTYPE GLOBAL DEFAULT 23 _edata
48: 00000000000007c4 0 FUNC GLOBAL DEFAULT 15 _fini
49: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@@GLIBC_2
50: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_
51: 0000000000201000 0 NOTYPE GLOBAL DEFAULT 23 __data_start
52: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
53: 0000000000201008 0 OBJECT GLOBAL HIDDEN 23 __dso_handle
54: 00000000000007d0 4 OBJECT GLOBAL DEFAULT 16 _IO_stdin_used
55: 0000000000000000 0 FUNC GLOBAL DEFAULT UND gets@@GLIBC_2.2.5
56: 0000000000000750 101 FUNC GLOBAL DEFAULT 14 __libc_csu_init
57: 0000000000201018 0 NOTYPE GLOBAL DEFAULT 24 _end
58: 00000000000005f0 43 FUNC GLOBAL DEFAULT 14 _start
59: 0000000000201010 0 NOTYPE GLOBAL DEFAULT 24 __bss_start
60: 00000000000006fa 79 FUNC GLOBAL DEFAULT 14 main
61: 0000000000201010 0 OBJECT GLOBAL HIDDEN 23 __TMC_END__
62: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
63: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@@GLIBC_2.2
64: 0000000000000580 0 FUNC GLOBAL DEFAULT 11 _init
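The same canary check done without readelf, as an added example (not code from checksec or from the original post): it walks the symbol tables of a little-endian ELF64 image directly and reports the three outcomes the checksec snippet distinguishes. The names canary_status and build_symtab_sample are hypothetical, and the sample image is constructed for the example.

```python
import struct

SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
CANARY_SYMBOLS = (b"__stack_chk_fail", b"__intel_security_cookie")

def canary_status(data):
    """Scan .symtab/.dynsym of a little-endian ELF64 image, like `readelf -s | grep -E`."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    seen_table = False
    for _, sh_type, _, _, sh_offset, sh_size, sh_link, *_ in shdrs:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        seen_table = True
        str_off = shdrs[sh_link][4]          # sh_link names the matching string table
        for pos in range(sh_offset, sh_offset + sh_size, 24):   # Elf64_Sym is 24 bytes
            start = str_off + struct.unpack_from("<I", data, pos)[0]   # st_name
            name = data[start:data.index(b"\0", start)]
            # Substring match mirrors grep, so __stack_chk_fail_local also counts.
            if any(sym in name for sym in CANARY_SYMBOLS):
                return "yes"
    # A binary with its section headers stripped lands here with no table seen.
    return "no" if seen_table else "no symbol table"

def build_symtab_sample(names):
    """Constructed image: ELF64 header plus .dynsym/.dynstr holding undefined `names`."""
    strtab, syms = b"\0", struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)
    for n in names:
        syms += struct.pack("<IBBHQQ", len(strtab), 0x12, 0, 0, 0, 0)  # GLOBAL FUNC UND
        strtab += n + b"\0"
    sym_off, str_off = 64, 64 + len(syms)
    sh_off = str_off + len(strtab)
    shdrs = [(0, 0, 0, 0), (SHT_DYNSYM, sym_off, len(syms), 2),
             (SHT_STRTAB, str_off, len(strtab), 0)]
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 56, 0, 64, len(shdrs), 0)
    table = b"".join(struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, off, size, link, 0, 8, 0)
                     for t, off, size, link in shdrs)
    return ehdr + syms + strtab + table
```

To check a real binary, pass its bytes: canary_status(open(path, "rb").read()).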
PIE
# check for PIE support
$debug && echo -e "\n***function filecheck->pie"
if $readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
  echo_message '\033[31mNo PIE \033[m ' 'No PIE,' ' pie="no"' '"pie":"no",'
elif $readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
  if $readelf -d "$1" 2>/dev/null | grep -q 'DEBUG'; then
    echo_message '\033[32mPIE enabled \033[m ' 'PIE enabled,' ' pie="yes"' '"pie":"yes",'
  else
    echo_message '\033[33mDSO \033[m ' 'DSO,' ' pie="dso"' '"pie":"dso",'
  fi
else
  echo_message '\033[33mNot an ELF file\033[m ' 'Not an ELF file,' ' pie="not_elf"' '"pie":"not_elf",'
fi
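There is a distinction to know first. The Type field of the ELF header (visible with the -h option) gives the file type: relocatable file (1), executable file (2), shared object file (3), or core (4). A PIE is a linkable shared object file, so its Type is DYN, and because it is also an executable, its dynamic section contains a DEBUG entry; checksec checks for PIE based on this information. (The bpsec post explains this in detail, so refer to it.)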
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -h a_no-pie
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x4004c0
Start of program headers: 64 (bytes into file)
Start of section headers: 6480 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -h a
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x5f0
Start of program headers: 64 (bytes into file)
Start of section headers: 6536 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -h /lib/x86_64-linux-gnu/libc.so.6
ELF Header:
Magic: 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - GNU
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x21cb0
Start of program headers: 64 (bytes into file)
Start of section headers: 2025872 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 10
Size of section headers: 64 (bytes)
Number of section headers: 73
Section header string table index: 72
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -d /lib/x86_64-linux-gnu/libc.so.6
Dynamic section at offset 0x1eab80 contains 26 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [ld-linux-x86-64.so.2]
0x000000000000000e (SONAME) Library soname: [libc.so.6]
0x000000000000000c (INIT) 0x21920
0x0000000000000019 (INIT_ARRAY) 0x3e7630
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x0000000000000004 (HASH) 0x1e3638
0x000000006ffffef5 (GNU_HASH) 0x2b8
0x0000000000000005 (STRTAB) 0x119d0
0x0000000000000006 (SYMTAB) 0x3ee8
0x000000000000000a (STRSZ) 24286 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000003 (PLTGOT) 0x3eb000
0x0000000000000002 (PLTRELSZ) 1104 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x20b78
0x0000000000000007 (RELA) 0x18f28
0x0000000000000008 (RELASZ) 31824 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffc (VERDEF) 0x18af0
0x000000006ffffffd (VERDEFNUM) 29
0x000000000000001e (FLAGS) STATIC_TLS
0x000000006ffffffe (VERNEED) 0x18ef8
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x178ae
0x000000006ffffff9 (RELACOUNT) 1237
0x0000000000000000 (NULL) 0x0
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -h a
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x5f0
Start of program headers: 64 (bytes into file)
Start of section headers: 6536 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -d a
Dynamic section at offset 0xdb8 contains 27 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x580
0x000000000000000d (FINI) 0x7c4
0x0000000000000019 (INIT_ARRAY) 0x200da8
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x200db0
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x298
0x0000000000000005 (STRTAB) 0x390
0x0000000000000006 (SYMTAB) 0x2b8
0x000000000000000a (STRSZ) 162 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x200fa8
0x0000000000000002 (PLTRELSZ) 72 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x538
0x0000000000000007 (RELA) 0x478
0x0000000000000008 (RELASZ) 192 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000006ffffffe (VERNEED) 0x448
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x432
0x000000006ffffff9 (RELACOUNT) 3
0x0000000000000000 (NULL) 0x0
RELRO
# check for RELRO support
$debug && echo "***function proccheck->RELRO"
if $readelf -l "$1/exe" 2>/dev/null | grep -q 'Program Headers'; then
  if $readelf -l "$1/exe" 2>/dev/null | grep -q 'GNU_RELRO'; then
    if $readelf -d "$1/exe" 2>/dev/null | grep -q 'BIND_NOW'; then
      echo_message '\033[32mFull RELRO \033[m ' 'Full RELRO,' ' relro="full"' '"relro":"full",'
    else
      echo_message '\033[33mPartial RELRO\033[m ' 'Partial RELRO,' ' relro="partial"' '"relro":"partial",'
    fi
  else
    echo_message '\033[31mNo RELRO \033[m ' 'No RELRO,' ' relro="no"' '"relro":"no",'
  fi
else
  echo -n -e '\033[31mPermission denied (please run as root)\033[m\n'
  exit 1
fi
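The check for the 'Program Headers' string is there to catch the case where the file cannot be parsed properly. The actual classification comes down to this: if the GNU_RELRO string is present, the binary has RELRO, and whether the FLAGS entry of the dynamic section is BIND_NOW decides between Full RELRO and Partial RELRO.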
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -l a
Elf file type is DYN (Shared object file)
Entry point 0x5f0
There are 9 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000001f8 0x00000000000001f8 R 0x8
INTERP 0x0000000000000238 0x0000000000000238 0x0000000000000238
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000918 0x0000000000000918 R E 0x200000
LOAD 0x0000000000000da8 0x0000000000200da8 0x0000000000200da8
0x0000000000000268 0x0000000000000270 RW 0x200000
DYNAMIC 0x0000000000000db8 0x0000000000200db8 0x0000000000200db8
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000254 0x0000000000000254 0x0000000000000254
0x0000000000000044 0x0000000000000044 R 0x4
GNU_EH_FRAME 0x00000000000007d4 0x00000000000007d4 0x00000000000007d4
0x000000000000003c 0x000000000000003c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000000da8 0x0000000000200da8 0x0000000000200da8
0x0000000000000258 0x0000000000000258 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
ch4rli3kop@ch4rli3kop-pc ~/tmp > readelf -d a
Dynamic section at offset 0xdb8 contains 27 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x580
0x000000000000000d (FINI) 0x7c4
0x0000000000000019 (INIT_ARRAY) 0x200da8
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x200db0
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x298
0x0000000000000005 (STRTAB) 0x390
0x0000000000000006 (SYMTAB) 0x2b8
0x000000000000000a (STRSZ) 162 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x200fa8
0x0000000000000002 (PLTRELSZ) 72 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x538
0x0000000000000007 (RELA) 0x478
0x0000000000000008 (RELASZ) 192 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000006ffffffe (VERNEED) 0x448
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x432
0x000000006ffffff9 (RELACOUNT) 3
0x0000000000000000 (NULL) 0x0
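The NX, PIE and RELRO decisions above, made without readelf by reading the ELF header, program headers and dynamic entries directly. This is an added example, not code from checksec or from the original post; the names elf_mitigations and build_sample are hypothetical, only little-endian ELF64 is handled, and the sample images are constructed for the example.

```python
import struct

# Values from the ELF specification (<elf.h>)
ET_EXEC, ET_DYN, PF_X = 2, 3, 0x1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 21, 24, 30, 0x8

def elf_mitigations(data):
    """Return checksec-style nx/pie/relro verdicts for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segs = {}  # p_type -> (p_flags, p_offset, p_filesz), first occurrence wins
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        segs.setdefault(p_type, (p_flags, p_offset, p_filesz))
    dyn = {}  # d_tag -> d_val, read from PT_DYNAMIC up to the DT_NULL terminator
    if PT_DYNAMIC in segs:
        _, off, size = segs[PT_DYNAMIC]
        for pos in range(off, min(off + size, len(data) - 15), 16):
            tag, val = struct.unpack_from("<QQ", data, pos)
            if tag == DT_NULL:
                break
            dyn[tag] = val
    # checksec greps the flags column for "RWE"; testing the execute bit alone
    # also catches an executable stack with unusual flags such as "R E".
    nx = PT_GNU_STACK in segs and not segs[PT_GNU_STACK][0] & PF_X
    # readelf prints BIND_NOW for the DT_BIND_NOW tag and for DF_BIND_NOW in DT_FLAGS
    bind_now = DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
    if e_type == ET_EXEC:
        pie = "no"
    elif e_type == ET_DYN:
        pie = "yes" if DT_DEBUG in dyn else "dso"
    else:
        pie = "not_elf"  # checksec's label for any other Type
    relro = ("full" if bind_now else "partial") if PT_GNU_RELRO in segs else "no"
    return {"nx": "yes" if nx else "no", "pie": pie, "relro": relro}

def build_sample(e_type, stack_flags, relro, dyn_tags):
    """Constructed test image: ELF64 header, program headers and dynamic entries only."""
    dyn = b"".join(struct.pack("<QQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, 6, len(dyn)), (PT_GNU_STACK, stack_flags, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0))
    dyn_off = 64 + 56 * len(phdrs)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0,
                                0, 0, n, n, 8) for t, f, n in phdrs)
    return ehdr + body + dyn
```

To check a real binary, pass its bytes: elf_mitigations(open(path, "rb").read()).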
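Well... this started with "huh, lob doesn't have checksec, now I'm curious", but thinking about it afterwards, Red Hat 6.2, the OS lob runs on, is so old that none of this can be used there... I believe it came out almost 20 years ago, and even the ELF file format is a bit different. Ugh.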