-
-
[原创]对念茜的iOS安全攻防ASLR特性的一点补充
-
2014-7-25 12:02
-
很感谢念茜的IOS安全攻防带来的收获,在其中也遇到了些许不解的地方,于是便有了以下补充。
1. 首先会用的的工具是otool, 查看该文件的相关信息:
查看是否是Fat headers的文件,通常该文件包含了,兼容各个版本的(armv7, armv7s等)
amoytekiMac-mini:Desktop amoy$ otool -fv PPAppInstall
Fat headers
fat_magic FAT_MAGIC
nfat_arch 2
architecture armv7s
cputype CPU_TYPE_ARM
cpusubtype CPU_SUBTYPE_ARM_V7S
capabilities 0x0
offset 16384
size 3004112
align 2^14 (16384)
architecture armv7
cputype CPU_TYPE_ARM
cpusubtype CPU_SUBTYPE_ARM_V7
capabilities 0x0
offset 3031040
size 2987792
align 2^14 (16384)
查看Mach header头信息的flags值(是否有ASLR的特性, 格式化值后显示为PIE)
amoytekiMac-mini:Desktop amoy$ otool -h PPAppInstall
PPAppInstall (architecture armv7s):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedface 12 11 0x00 2 35 4236 0x00210085
PPAppInstall (architecture armv7):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedface 12 9 0x00 2 35 4236 0x00210085
amoytekiMac-mini:Desktop amoy$ otool -hv PPAppInstall
PPAppInstall (architecture armv7s):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM V7S 0x00 EXECUTE 35 4236 NOUNDEFS DYLDLINK TWOLEVEL BINDS_TO_WEAK PIE
PPAppInstall (architecture armv7):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM V7 0x00 EXECUTE 35 4236 NOUNDEFS DYLDLINK TWOLEVEL BINDS_TO_WEAK PIE
2. 使用lopo <filename> -thin armv7/armv7s -output <filename-armv7/armv7s>从FAT中剥离
在<mach-o/fat.h>中定义fat_header如下:
#define FAT_MAGIC 0xcafebabe
#define FAT_CIGAM 0xbebafeca /* NXSwapLong(FAT_MAGIC) */
struct fat_header {
uint32_t magic; /* FAT_MAGIC */
uint32_t nfat_arch; /* number of structs that follow */
};
struct fat_arch {
cpu_type_t cputype; /* cpu specifier (int) */
cpu_subtype_t cpusubtype; /* machine specifier (int) */
uint32_t offset; /* file offset to this object file */
uint32_t size; /* size of this object file */
uint32_t align; /* alignment as a power of 2 */
};
3.使用RemovPIE去除ASLR特性mh.flags &= ~MH_PIE / mh64.flags &= ~MH_PIE
在<mach-o/loader.h>中定义mach_header/mach_header_64如下:
/*
* The 32-bit mach header appears at the very beginning of the object file for
* 32-bit architectures.
*/
struct mach_header {
uint32_t magic; /* mach magic number identifier */
cpu_type_t cputype; /* cpu specifier */
cpu_subtype_t cpusubtype; /* machine specifier */
uint32_t filetype; /* type of file */
uint32_t ncmds; /* number of load commands */
uint32_t sizeofcmds; /* the size of all the load commands */
uint32_t flags; /* flags */
};
/* Constant for the magic field of the mach_header (32-bit architectures) */
#define MH_MAGIC 0xfeedface /* the mach magic number */
#define MH_CIGAM 0xcefaedfe /* NXSwapInt(MH_MAGIC) */
/*
* The 64-bit mach header appears at the very beginning of object files for
* 64-bit architectures.
*/
struct mach_header_64 {
uint32_t magic; /* mach magic number identifier */
cpu_type_t cputype; /* cpu specifier */
cpu_subtype_t cpusubtype; /* machine specifier */
uint32_t filetype; /* type of file */
uint32_t ncmds; /* number of load commands */
uint32_t sizeofcmds; /* the size of all the load commands */
uint32_t flags; /* flags */
uint32_t reserved; /* reserved */
};
/* Constant for the magic field of the mach_header_64 (64-bit architectures) */
#define MH_MAGIC_64 0xfeedfacf /* the 64-bit mach magic number */
#define MH_CIGAM_64 0xcffaedfe /* NXSwapInt(MH_MAGIC_64) */
#define MH_PIE 0x200000 /* When this bit is set, the OS will
此图贴的例子,移除前: 0x00210085 移除后:0x00010085
PDF下载: Mach-O程序的ASLR特性(查看及修改PIE).pdf
详细请参考removpie的源码: https://github.com/peterfillmore/removePIE/blob/master/removePIE.c
1. 首先会用的的工具是otool, 查看该文件的相关信息:
查看是否是Fat headers的文件,通常该文件包含了,兼容各个版本的(armv7, armv7s等)
amoytekiMac-mini:Desktop amoy$ otool -fv PPAppInstall
Fat headers
fat_magic FAT_MAGIC
nfat_arch 2
architecture armv7s
cputype CPU_TYPE_ARM
cpusubtype CPU_SUBTYPE_ARM_V7S
capabilities 0x0
offset 16384
size 3004112
align 2^14 (16384)
architecture armv7
cputype CPU_TYPE_ARM
cpusubtype CPU_SUBTYPE_ARM_V7
capabilities 0x0
offset 3031040
size 2987792
align 2^14 (16384)
查看Mach header头信息的flags值(是否有ASLR的特性, 格式化值后显示为PIE)
amoytekiMac-mini:Desktop amoy$ otool -h PPAppInstall
PPAppInstall (architecture armv7s):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedface 12 11 0x00 2 35 4236 0x00210085
PPAppInstall (architecture armv7):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedface 12 9 0x00 2 35 4236 0x00210085
amoytekiMac-mini:Desktop amoy$ otool -hv PPAppInstall
PPAppInstall (architecture armv7s):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM V7S 0x00 EXECUTE 35 4236 NOUNDEFS DYLDLINK TWOLEVEL BINDS_TO_WEAK PIE
PPAppInstall (architecture armv7):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM V7 0x00 EXECUTE 35 4236 NOUNDEFS DYLDLINK TWOLEVEL BINDS_TO_WEAK PIE
2. 使用lopo <filename> -thin armv7/armv7s -output <filename-armv7/armv7s>从FAT中剥离
在<mach-o/fat.h>中定义fat_header如下:
#define FAT_MAGIC 0xcafebabe
#define FAT_CIGAM 0xbebafeca /* NXSwapLong(FAT_MAGIC) */
struct fat_header {
uint32_t magic; /* FAT_MAGIC */
uint32_t nfat_arch; /* number of structs that follow */
};
struct fat_arch {
cpu_type_t cputype; /* cpu specifier (int) */
cpu_subtype_t cpusubtype; /* machine specifier (int) */
uint32_t offset; /* file offset to this object file */
uint32_t size; /* size of this object file */
uint32_t align; /* alignment as a power of 2 */
};
3.使用RemovPIE去除ASLR特性mh.flags &= ~MH_PIE / mh64.flags &= ~MH_PIE
在<mach-o/loader.h>中定义mach_header/mach_header_64如下:
/*
* The 32-bit mach header appears at the very beginning of the object file for
* 32-bit architectures.
*/
struct mach_header {
uint32_t magic; /* mach magic number identifier */
cpu_type_t cputype; /* cpu specifier */
cpu_subtype_t cpusubtype; /* machine specifier */
uint32_t filetype; /* type of file */
uint32_t ncmds; /* number of load commands */
uint32_t sizeofcmds; /* the size of all the load commands */
uint32_t flags; /* flags */
};
/* Constant for the magic field of the mach_header (32-bit architectures) */
#define MH_MAGIC 0xfeedface /* the mach magic number */
#define MH_CIGAM 0xcefaedfe /* NXSwapInt(MH_MAGIC) */
/*
* The 64-bit mach header appears at the very beginning of object files for
* 64-bit architectures.
*/
struct mach_header_64 {
uint32_t magic; /* mach magic number identifier */
cpu_type_t cputype; /* cpu specifier */
cpu_subtype_t cpusubtype; /* machine specifier */
uint32_t filetype; /* type of file */
uint32_t ncmds; /* number of load commands */
uint32_t sizeofcmds; /* the size of all the load commands */
uint32_t flags; /* flags */
uint32_t reserved; /* reserved */
};
/* Constant for the magic field of the mach_header_64 (64-bit architectures) */
#define MH_MAGIC_64 0xfeedfacf /* the 64-bit mach magic number */
#define MH_CIGAM_64 0xcffaedfe /* NXSwapInt(MH_MAGIC_64) */
#define MH_PIE 0x200000 /* When this bit is set, the OS will
此图贴的例子,移除前: 0x00210085 移除后:0x00010085
PDF下载: Mach-O程序的ASLR特性(查看及修改PIE).pdf
详细请参考removpie的源码: https://github.com/peterfillmore/removePIE/blob/master/removePIE.c
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
