熊猫正正's blog
Removing ASLR from iOS applications (i.e., the PIE flag)

2015-11-06 15:28:07 | Category: iOS security

Reposted from: http://blog.sina.com.cn/s/blog_45e2b66c0101cseh.html

Method 1:
Reposted from: http://danqingdani.blog.163.com/blog/static/186094195201343081726861/
碳基体 (has a featured post on Kanxue, and is apparently a girl too? Worth following)

In the earlier post "ASLR" I described part of what address space layout randomization does, such as randomizing the load address of the main executable (see the Wikipedia article for the details of ASLR). Starting with iOS 4.3, ASLR is enabled for some of the preinstalled iOS apps. This post uses a user-installed app on iOS 5.1.1 as the example and shows how to remove ASLR from it.

First, ssh into the iOS device and use otool to view the flags in the header of any Mach-O executable. Using the Facebook app as the example, you can see that PIE is enabled; PIE is the property that gives the executable ASLR.

dani-2:Downloads leedani$ ssh root@10.1.xx.xx (the iOS device's IP address)
root@10.1.35.74's password:
danimato-iPod:~ root# cd /private/var/mobile/Applications/B313FF38-2CCD-4CA8-8422-7E4E01B43A19/Facebook.app/
danimato-iPod:/private/var/mobile/Applications/B313FF38-2CCD-4CA8-8422-7E4E01B43A19/Facebook.app root# otool -hV Facebook
Facebook:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM 9 0x00 EXECUTE 46 5100 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

Next, we use removePIE to defeat ASLR, i.e. to turn PIE off. First copy removePIE to the iOS device (removePIE source code

dani-2:Downloads leedani$ scp removePIE root@10.1.xx.xx (the iOS device's IP address):/tmp/
root@10.1.35.74's password:
removePIE 100% 23KB 22.7KB/s 00:00
Then copy removePIE from the device's /tmp directory into the folder that contains the Mach-O executable whose ASLR is to be removed, again using the Facebook app as the example:

dani-2:Downloads leedani$ ssh root@10.1.xx.xx (the iOS device's IP address)
root@10.1.35.74's password:
danimato-iPod:~ root# cp /tmp/removePIE /private/var/mobile/Applications/B313FF38-2CCD-4CA8-8422-7E4E01B43A19/Facebook.app/
danimato-iPod:~ root# cd /private/var/mobile/Applications/B313FF38-2CCD-4CA8-8422-7E4E01B43A19/Facebook.app/

Run removePIE in the form ./removePIE <mach-o executable name>. Note that removePIE cannot take the executable's full path as its argument.

danimato-iPod:/private/var/mobile/Applications/B313FF38-2CCD-4CA8-8422-7E4E01B43A19/Facebook.app root# ./removePIE Facebook
loading header
backing up application binary...
binary backed up to: Facebook.bak
mach_header: cefaedfe0c00000009000000020000002e000000ec13000085802100
original flags: 85802100
Disabling ASLR/PIE ...
new flags: 85800100
ASLR has been disabled for Facebook

Finally, check the result: the PIE flag is gone.

danimato-iPod:/private/var/mobile/Applications/B313FF38-2CCD-4CA8-8422-7E4E01B43A19/Facebook.app root# otool -hV Facebook
Facebook:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM 9 0x00 EXECUTE 46 5100 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK

References:
http://www.securitylearn.net/2013/05/23/disable-aslr-on-ios-applications/?utm_source=rss&utm_medium=rss&utm_campaign=disable-aslr-on-ios-applications
http://www.peterfillmore.com/2013/01/removepie-tool-for-disabling-aslr-on.html
https://github.com/peterfillmore/removePIE

Method 2:
http://www.cnblogs.com/Proteas/archive/2013/06/28/3160704.html
Proteas (also has a featured post on Kanxue; these are all top people)

Disabling ASLR on individual iOS applications when using iOS 6.0.1

ASLR: Address Space Layout Randomization

How to check whether an app has ASLR protection: otool -hv ${File-Path}

I recently encountered issues decrypting applications for security analysis using iOS 6.0.1. Previously this was trivial using the previous version (5.1.1), yet when performing the same procedure on 6.0.1 I was encountering decrypted binaries which were full of zeros.

After a while I discovered these issues were related to ASLR being used in applications compiled for later versions of iOS.

In this blog I will show the process of disabling ASLR on the free "Facebook" app available off the app store. This application has ASLR enabled which complicates decryption of the application using automated tools.

Tools required

otool
ldid for OS X
GDB for iOS
change_macho_flags.py
a jailbroken iPhone and a copy of Facebook off the App Store

Details

Running the command

Desktop# otool -l Facebook | grep -A4 "LC_ENCRYPTION_INFO"

outputs:

cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff  8192
    cryptsize 10027008
    cryptid   1
This indicates that the app is encrypted and that, when decrypted, it is located in virtual memory from 0x3000 (0x1000 + 0x2000) to 0x993000. However, when we start the app, attach GDB and try to access the start address, it throws an error:

(gdb) x/20x 0x3000
0x3000: Cannot access memory at address 0x3000

Listing the memory that is mapped by the application:
(gdb) info mach-region 0x3000
Region from 0x94000 to 0xa26000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)

This shows the executable is not located in memory where it should be, indicating that ASLR is used.

ASLR is enabled for individual applications using the MH_PIE flag located in the application's Mach-O header. By flipping this flag we turn off ASLR.
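The flag flip described here, applied to the header bytes that removePIE printed in method 1, as an added example (it is not removePIE's or change_macho_flags.py's own code): it decodes the flags field into the names otool -hV lists and clears MH_PIE, reproducing the "original flags" / "new flags" values shown above.

```python
import struct

# Mach-O constants from <mach-o/loader.h>.
MH_MAGIC = 0xFEEDFACE       # 32-bit header; ARM stores it little-endian (cefaedfe on disk)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit header; its first 28 bytes have the same layout
MH_PIE = 0x00200000         # "main executable is position independent", i.e. ASLR on

# The flag bits otool -hV listed for the Facebook binary, keyed by bit value.
FLAG_NAMES = {
    0x00000001: "NOUNDEFS",
    0x00000004: "DYLDLINK",
    0x00000080: "TWOLEVEL",
    0x00008000: "WEAK_DEFINES",
    0x00010000: "BINDS_TO_WEAK",
    MH_PIE: "PIE",
}

# The 28 header bytes exactly as removePIE printed them in method 1 ("mach_header: ...").
FACEBOOK_HEADER = bytes.fromhex(
    "cefaedfe0c00000009000000020000002e000000ec13000085802100"
)

def parse_header(blob):
    """Unpack the seven uint32 fields of a little-endian mach_header."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O header: 0x%08x" % magic)
    names = ("magic", "cputype", "cpusubtype", "filetype", "ncmds", "sizeofcmds", "flags")
    return dict(zip(names, struct.unpack("<7I", blob[:28])))

def flag_names(blob):
    """Decode the flags field into the names otool -hV prints, lowest bit first."""
    flags = parse_header(blob)["flags"]
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def has_pie(blob):
    return bool(parse_header(blob)["flags"] & MH_PIE)

def clear_pie(blob):
    """Return a copy of blob with MH_PIE cleared; the flags field sits at offset 24."""
    new_flags = parse_header(blob)["flags"] & ~MH_PIE & 0xFFFFFFFF
    return blob[:24] + struct.pack("<I", new_flags) + blob[28:]

if __name__ == "__main__":
    print("original flags:", FACEBOOK_HEADER[24:28].hex(), flag_names(FACEBOOK_HEADER))
    patched = clear_pie(FACEBOOK_HEADER)
    print("new flags:", patched[24:28].hex(), flag_names(patched))
```

Given a whole binary instead of the 28-byte sample, clear_pie leaves every byte after the header untouched, which is why the re-signing step with ldid is still required afterwards.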

Copy the Facebook binary from the device to your desktop; on the device it is in the directory

iPhone#/private/var/mobile/Application/[UUID]/Facebook.app
where [UUID] is the unique number of the directory for the app on the device.

Extract the entitlement xml file of the app:

Desktop# ldid -e Facebook > entitlements.xml
Disable the MH_PIE bit using change_macho_flags.py:

Desktop# python change_macho_flags.py --no-pie Facebook

Re-sign the app:

Desktop# ldid -Sentitlements.xml Facebook

Back up the old copy on the device:

iPhone# cp Facebook Facebook.bak

Copy the altered binary back to the device.

Now we reattach gdb and inspect the application memory again:
(gdb) x/20x 0x3000
0x3000: 0x00000000 0x00000000 0x00000000 0x00000000
0x3010: 0x00000000 0x00000000 0x00000000 0x00000000
0x3020: 0x00000000 0x00000000 0x00000000 0x00000000
0x3030: 0x00000000 0x00000000 0x00000000 0x00000000
0x3040: 0xe59d0000 0xe28d1004 0xe2804001 0xe0812104

(gdb) info mach-region 0x3000
Region from 0x3000 to 0x993000 (r-x, max r-x; copy, private, not-reserved)

This confirms that ASLR is now disabled and we can now decrypt the application for further analysis.

RemovePIE source code: https://github.com/Naville/ASLR-Removal
