地狱怪客

Designing a Fuzzer for Mac OS X

Original article: https://blog.csdn.net/fallblood/article/details/5489476

This personal project started with a bet with a friend, so I have been spending time on this research lately. Although I had touched BSD systems a long time ago (about three and a half years back), I had never done vulnerability hunting on OS X and did not know where to start, so I spent a week collecting, organizing and reading a lot of material.

After some analysis I identified a few problems:

1. I have many small fuzzing tools for Windows, all written in Python; porting them to OS X should not be much trouble.

2. The debugger is a problem. On Windows, besides 挖地球 (written by 突突), I also use pydbg or windbg, but OS X belongs to the BSD branch, and under it these debuggers are all useless.

3. Crash dump files. This is key: I have always treated the crash file as the first requirement for vulnerability analysis. Some bugs depend heavily on timing, and with a crash file the path to the vulnerability can be reproduced much more reliably.

Solutions:

1. Debugger: use gdb. There is already a project porting pydbg to OS X, but it does not seem very stable; I found an open-source pygdb project, but it cannot solve some of my practical problems, so I need to wrap gdb in Python myself.

2. Exception capture: catch the exception signals. gdb has two commands for this, signals and handle; dump the core file when an exception occurs.

# view and set the core file limit
Mac:~ 7all$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 256
pipe size            (512 bytes, -p) 1
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 266
virtual memory          (kbytes, -v) unlimited
# set the core file size to unlimited
Mac:~ 7all$ ulimit -S -c unlimited
Mac:~ 7all$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 256
pipe size            (512 bytes, -p) 1
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 266
virtual memory          (kbytes, -v) unlimited
Mac:~ 7all$

# test
Mac:test 7all$ ./test
i = 2
j = 3
foo() return: 106
src length: 84
Bus error (core dumped)
Mac:test 7all$

# directory where OS X stores core files
Mac:test 7all$ ls -lh /cores
total 1090448
-r--------  1 7all  admin   266M  4 15 15:46 core.448
-r--------  1 7all  admin   266M  4 15 15:46 core.452
Mac:test 7all$ otool /cores/core.448
otool: one of -fahlLtdoOrTMRIHScis must be specified
Usage: otool [-fahlLDtdorSTMRIHvVcXm] <object file> ...
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name>  start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library
-T print the table of contents of a dynamic shared library
-M print the module table of a dynamic shared library
-R print the reference table of a dynamic shared library
-I print the indirect symbol table
-H print the two-level hints table
-v print verbosely (symbolicly) when possible
-V print disassembled operands symbolicly
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
Mac:test 7all$ otool -c /cores/core.448
/cores/core.448:
Argument strings on the stack at: c0000000
./test
./test
TERM_PROGRAM=Apple_Terminal
TERM=xterm-color
SHELL=/bin/bash
TMPDIR=/var/folders/GC/GCWQjeWoG3yiShS5tPYOlE+++TI/-Tmp-/
Apple_PubSub_Socket_Render=/tmp/launch-wNbi0I/Render
TERM_PROGRAM_VERSION=273
OLDPWD=/Users/7all/7fuzzall
USER=7all
COMMAND_MODE=unix2003
SSH_AUTH_SOCK=/tmp/launch-B9dhNR/Listeners
__CF_USER_TEXT_ENCODING=0x1F5:25:52
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin
PWD=/Users/7all/7fuzzall/test
LANG=zh_CN.UTF-8
DIALOG_1_PORT_NAME=com.macromates.dialog_1.328
DIALOG_1=/Applications/TextMate.app/Contents/PlugIns/Dialog.tmplugin/Contents/Resources/tm_dialog
SHLVL=1
HOME=/Users/7all
DIALOG=/Applications/TextMate.app/Contents/PlugIns/Dialog2.tmplugin/Contents/Resources/tm_dialog2
LOGNAME=7all
DIALOG_PORT_NAME=com.macromates.dialog.328
DISPLAY=/tmp/launch-RVYzv3/org.x:0
_=./test

# debugging the core file with gdb, much like debugging with windbg
Mac:test 7all$ gdb -c /cores/core.448
GNU gdb 6.3.50-20050815 (Apple version gdb-1346) (Fri Sep 18 20:33:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin".
Core was generated by `./test'.
Reading symbols for shared libraries . done
Reading symbols for shared libraries ... done
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
27 dst[i] = src[i];
(gdb) bt
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
#1  0x61616161 in ?? ()
(gdb) info registers
eax            0x6177 24951
ecx            0x0 0
edx            0x16 22
ebx            0x1d93 7571
esp            0xbffff890 0xbffff890
ebp            0xbffff8b8 0xbffff8b8
esi            0x0 0
edi            0x0 0
eip            0x1df2 0x1df2 <fooo+107>
eflags         0x10206 66054
cs             0x17 23
ss             0x1f 31
ds             0x1f 31
es             0x1f 31
fs             0x0 0
gs             0x37 55
(gdb) x/i $esp
0xbffff890: adc    $0x1f,%al
(gdb) p/x $esp
$1 = 0xbffff890
(gdb)

# debugging the core file together with the program in gdb
Mac:test 7all$ gdb ./test /cores/core.448
GNU gdb 6.3.50-20050815 (Apple version gdb-1346) (Fri Sep 18 20:33:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries .. done

Core was generated by `./test'.
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
27 dst[i] = src[i];
(gdb) bt
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
#1  0x61616161 in ?? ()
(gdb)
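A Python skeleton for the gdb wrapper the post says it plans to write, added here as an example (not the author's code): it raises the core limit the way `ulimit -S -c unlimited` does, drives gdb in batch mode, and parses the stop line and backtrace so that a crash whose frame address is one repeated input byte (like the `0x61616161` frame in the session above) is flagged for triage. The target path, gdb being on PATH and the sample gdb output are assumptions.

```python
import re
import resource
import subprocess
# Constructed sample modelled on the gdb session in the post (not a live capture).
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGBUS, Bus error.
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
27 dst[i] = src[i];
#0  0x00001df2 in fooo (src=0x6161 "") at test.c:27
#1  0x61616161 in ?? ()
"""
SIGNAL_RE = re.compile(r"Program received signal (SIG\w+)")
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \((.*?)\)(?: at (\S+))?", re.M)

def enable_core_dumps():
    """Same effect as `ulimit -S -c unlimited`; children inherit it and dump to /cores/core.<pid>."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    resource.setrlimit(resource.RLIMIT_CORE, (hard, hard))

def gdb_command(target, args=()):
    """Batch gdb line: run the target; if it stops on a signal, print bt and registers."""
    return ["gdb", "-q", "-batch", "-ex", "run", "-ex", "bt",
            "-ex", "info registers", "--args", target, *args]

def parse_crash(output):
    """Return (signal name or None, frames); a frame is (index, pc, function, 'file:line' or None)."""
    m = SIGNAL_RE.search(output)
    frames = []
    for idx, pc, func, _fargs, loc in FRAME_RE.findall(output):
        frame = (int(idx), int(pc, 16), func, loc or None)
        if frame not in frames:  # gdb prints #0 once at the stop and again in `bt`
            frames.append(frame)
    return (m.group(1) if m else None), frames

def is_repeated_byte(pc):
    """0x61616161 is 'aaaa': an address made entirely of one repeated input byte (32- or 64-bit)."""
    b = pc.to_bytes(8, "big").lstrip(b"\x00")
    return len(b) >= 4 and len(set(b)) == 1

def triage(output):
    """Classify a run: 'none', 'crash', or 'controlled-pc' when a frame's pc is a fuzz pattern."""
    signal, frames = parse_crash(output)
    if not signal:
        return "none", frames
    controlled = any(is_repeated_byte(pc) for _, pc, _, _ in frames)
    return ("controlled-pc" if controlled else "crash"), frames

def run_under_gdb(target, args=()):
    """Drive the real gdb (assumed to be on PATH), then triage its output."""
    enable_core_dumps()
    proc = subprocess.run(gdb_command(target, args), capture_output=True, text=True)
    return triage(proc.stdout)
```

The `controlled-pc` verdict is only a triage hint for which cores to look at first in `gdb ./test /cores/core.N`; a `crash` still needs the same manual analysis.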

Writing this up was hard work; when reposting, please credit 人生在世, "Designing a Fuzzer for Mac OS X".