
How to avoid a file being uploaded: making the file large

Background

Readers familiar with HIDS know that a HIDS agent reports a great deal of information, and some agents also upload suspicious files to the cloud for malware analysis.

A colleague asked me: if a file is very large, will it still be reported? Won't that hurt performance?

The question reminded me of the large-packet WAF bypass scenario in "Can your scanner bypass the firewall (3)", which leads naturally to the idea: if the agent skips large files, bypassing the cloud's malware analysis becomes easy.

In addition, if a malicious file is too large, it may make "sample analysis" harder for security researchers: for example, the file cannot be downloaded to a local machine (network speed, possibly insufficient disk space), and static analysis tools such as IDA consume too much memory.

Based on this "offensive and defensive" scenario, and since I have recently been studying some operating-system internals, I looked into "how to make an ELF file bigger".

While making the file bigger, the following conditions should also be met:

  • It must not affect execution of the ELF file
  • From a practical standpoint, an attack team would not generate a large file and then upload it to the target. It is better to upload a small file to the target machine and then enlarge it locally.

Conclusions first. There are the following ways to make the "file size" bigger:

  • Append data to the end of the file
  • Sparse files
  • Modify inode metadata
  • Fill ELF file sections with garbage data

Test environment: the test program is the id command, copied to the /tmp/y directory:

[root@instance-fj5pftdp y]# \cp /usr/bin/id /tmp/y

Append data to the end of the file

  • How is it done?

    This approach is very simple, as follows:

    [root@instance-fj5pftdp y]# echo 1111 >> ./id
    [root@instance-fj5pftdp y]# ./id
    uid=0(root) gid=0(root)  Group =0(root)

    The key point is that the modified file still executes normally.

Sparse files

  • What is a "sparse file"?

    The "file size" of a "sparse file" does not match the disk space actually used, for example:

    [root@instance-fj5pftdp y]# ll -h id
    -rwxr-xr-x 1 root root 10T 9 month    6 20:03 id
    [root@instance-fj5pftdp y]# du -sh id
    40K id

    As the commands above show, the "file size" is 10T, but the actual data occupies only 40K of disk.

    Readers interested in the underlying principle can refer to the article "In-depth analysis of the secrets of Linux cp".

  • How do you turn a file into a "sparse file"?

    You can use the fallocate or truncate command.

    They are easy to use; taking truncate as an example:

    [root@instance-fj5pftdp y]# ls -alh id
    -rwxr-xr-x 1 root root 37K 9 month    5 20:18 id
    [root@instance-fj5pftdp y]# time truncate -s 10T id   //  sparsify the id program to a size of 10T

    real 0m0.007s
    user 0m0.000s
    sys 0m0.007s
    [root@instance-fj5pftdp y]# ls -alh id
    -rwxr-xr-x 1 root root 10T 9 month    5 20:02 id    //  the file size has become 10T
    [root@instance-fj5pftdp y]# ./id
    uid=0(root) gid=0(root)  Group =0(root)

    Modifying a file this way has two characteristics:

    The change is very fast: in the example above, growing the id file to "10T" took less than 1 s.

    The file size can be 10T or more, yet you do not need to actually have 10T of local disk space.

    But when you download or read the file (with cat, for example), there really will be 10T of traffic. At a download speed of "10M/s", 10T takes 291 hours to download.

Modify inode metadata

  • Why does modifying "inode metadata" change the file size information?

    The inode metadata contains the file size, and inode metadata is itself stored in disk sectors, so it should be possible to "forge" the file size by modifying the inode metadata.

    In fact it is not only the size: inode metadata also includes whether the file is deleted, the creation time, modification time, access time and so on, so all of these can be forged.

    The inode metadata can be viewed with the stat command:

    [root@instance-fj5pftdp y]# stat id
      File: "id"
      Size: 37400       Blocks: 80         IO Block: 4096   regular file
    Device: fd01h/64769d Inode: 171252      Links: 1
    Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2021-09-06 20:27:26.224913458 +0800
    Modify: 2021-09-06 20:27:26.218913032 +0800
    Change: 2021-09-06 20:27:26.224913458 +0800
     Birth: -

  • How to modify "inode metadata"?

    Use the debugfs command, as follows:

    [root@instance-fj5pftdp ~]# debugfs -w /dev/vda1
    debugfs:  mi /tmp/y/id
                              Mode    [0100755]
                           User ID    [0]
                          Group ID    [0]
                              Size    [37400] 100000      //  change the file size to 100000 here
                     Creation time    [1630929039]
                 ...
    debugfs:  quit
    [root@instance-fj5pftdp ~]# ll /tmp/y/id
    -rwxr-xr-x 1 root root 37400 9 month    6 19:50 /tmp/y/id
    [root@instance-fj5pftdp ~]# echo 3 > /proc/sys/vm/drop_caches   //  after clearing the inode cache, the modification takes effect
    [root@instance-fj5pftdp ~]# ll /tmp/y/id
    -rwxr-xr-x 1 root root 100000 9 month    6 19:50 /tmp/y/id    //  the file size becomes 100000
    [root@instance-fj5pftdp ~]# /tmp/y/id
    uid=0(root) gid=0(root)  Group =0(root)

    During testing, readers should note:

    Because this writes to disk data, it is best to test on a machine with no data on it

    Remember to clear the inode cache

    When testing with a file as the block device, modifying the file size while the filesystem is mounted does not take effect; the cause is unknown

Add garbage data to ELF file sections

  • What is this?

    An ELF file contains many sections, for example:

    .text stores code

    .data stores initialized global and static variables

    Garbage data can be written into ELF sections (such as .data, .text, .bss) without affecting the normal operation of the program.

    The difference between this method and the other three is that, because useless sections can be removed, an ELF modified by the "other three methods" is easily restored.

    For example, after strip the file size is restored:

    [root@instance-fj5pftdp y]# ll -h id
    -rwxr-xr-x 1 root root 10T 9 month    6 20:03 id
    [root@instance-fj5pftdp y]# strip id
    [root@instance-fj5pftdp y]# ll -h id
    -rwxr-xr-x 1 root root 37K 9 month    6 20:27 id

    PS: For the ELF file format, refer to the description of the ELF file structure in chapter 3 of "Programmer's Self-Cultivation: Linking, Loading and Libraries".

  • How to "add garbage data to ELF file sections"?

    I could not find a command that ships with Linux, but I found the ELF patching tool patchkit[1].

    Reading its documentation is a bit of a hassle, so I did not test it.

Summary

"Appending data to the end of the file" and "filling ELF file sections with garbage data" really modify the file contents, so they are limited by disk space and cannot produce files several T in size.

The "sparse file" method can easily and quickly generate a file several T in size, and makes uploading or downloading the file take a great deal of time, or even impossible.

"Modifying inode metadata" can quickly change the file size to several T, but it does not make uploading or downloading the file take a long time; the amount transferred is still the actual size.

If you encounter an oversized ELF file, first try strip and see whether it gets smaller.
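From the defender's side, the sparse-file, inode and append tricks summarised above share one tell: the size the inode reports no longer matches either the blocks actually allocated (sparse file, forged inode size) or the bytes the ELF structures reference (appended data). The following Python script is an added example and not code from the original post. It builds a constructed minimal ELF64 image (its section layout is an assumption for the demo, not the real id binary), applies the same append and truncate steps the post shows, and reports apparent size, allocated bytes and the ELF's logical end. It reads only the header tables, never st_size bytes, so a 10T sparse file costs a handful of reads. An agent that hashes or uploads only the bytes up to the ELF logical end, rather than st_size, sidesteps the sparse-file traffic problem entirely.

```python
import os
import struct
import tempfile
from typing import Optional

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8                                # .bss-style sections own no file bytes
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")     # ELF64 little-endian file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")             # ELF64 program header (56 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")           # ELF64 section header (64 bytes)


def elf_logical_end(fh) -> Optional[int]:
    """Offset one past the last byte any ELF structure references (headers,
    program segments, non-NOBITS sections); None if not a LE ELF64 file.
    Only the header tables are read, so the apparent size never matters."""
    fh.seek(0)
    hdr = fh.read(EHDR.size)
    if len(hdr) < EHDR.size or hdr[:4] != ELF_MAGIC or hdr[4] != 2 or hdr[5] != 1:
        return None
    (_, _, _, _, _, phoff, shoff, _, ehsize,
     phentsize, phnum, shentsize, shnum, _) = EHDR.unpack(hdr)
    end = max(ehsize, phoff + phnum * phentsize)
    fh.seek(phoff)
    for _ in range(phnum):                    # each segment's file-backed extent
        p = fh.read(phentsize)
        if len(p) < PHDR.size:
            break
        _, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack(p[:PHDR.size])
        end = max(end, p_offset + p_filesz)
    if shoff:                                 # stripped binaries may have no section table
        end = max(end, shoff + shnum * shentsize)
        fh.seek(shoff)
        for _ in range(shnum):
            s = fh.read(shentsize)
            if len(s) < SHDR.size:
                break
            _, sh_type, _, _, sh_offset, sh_size, _, _, _, _ = SHDR.unpack(s[:SHDR.size])
            if sh_type != SHT_NOBITS:
                end = max(end, sh_offset + sh_size)
    return end


def inspect_file(path: str) -> dict:
    """Compare what the inode claims with what is allocated and what the ELF uses."""
    st = os.stat(path)
    apparent = st.st_size
    allocated = st.st_blocks * 512            # st_blocks is always in 512-byte units
    with open(path, "rb") as fh:
        logical_end = elf_logical_end(fh)
    trailing = None if logical_end is None else max(apparent - logical_end, 0)
    return {
        "apparent_size": apparent,
        "allocated_bytes": allocated,
        "size_exceeds_allocation": apparent > allocated,   # sparse file or forged inode size
        "elf_logical_end": logical_end,
        "trailing_bytes": trailing,                        # appended junk after the ELF
    }


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64 image (not a runnable program): one PT_LOAD
    segment and three sections (null, .text, .shstrtab). Layout is assumed."""
    code = b"\x48\x31\xc0\xc3" + b"\x90" * 4  # xor rax,rax; ret; nop padding (8 bytes)
    shstrtab = b"\0.text\0.shstrtab\0"        # 17 bytes; ".text" at 1, ".shstrtab" at 7
    phoff = EHDR.size                         # 64
    code_off = phoff + PHDR.size              # 120
    str_off = code_off + len(code)            # 128
    shoff = (str_off + len(shstrtab) + 7) & ~7  # 152, 8-byte aligned section table
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0x400000 + code_off, phoff, shoff, 0,
                     EHDR.size, PHDR.size, 1, SHDR.size, 3, 2)
    phdr = PHDR.pack(1, 5, 0, 0x400000, 0x400000, str_off, str_off, 0x1000)
    sh_null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh_text = SHDR.pack(1, 1, 6, 0x400000 + code_off, code_off, len(code), 0, 0, 16, 0)
    sh_str = SHDR.pack(7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + phdr + code + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + sh_null + sh_text + sh_str  # 344 bytes in total


def demo() -> dict:
    """Replay the post's append and truncate steps on the constructed sample."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")          # stand-in for /tmp/y/id
        with open(path, "wb") as fh:
            fh.write(build_sample_elf())
        clean = inspect_file(path)
        with open(path, "ab") as fh:          # equivalent of: echo 1111 >> ./id
            fh.write(b"1111\n")
        appended = inspect_file(path)
        os.truncate(path, 64 * 1024 * 1024)   # equivalent of: truncate -s 64M id
        sparse = inspect_file(path)
    return {"clean": clean, "appended": appended, "sparse": sparse}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)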

The techniques in this article have not been used in a real engagement; this is just my own research, and I welcome discussion.

References

[1] patchkit, an ELF patching tool: https://firmianay.gitbook.io/ctf-all-in-one/3_topics/reverse/3.2.1_patch_binary#patchkit


Copyright notice
This article was written by [leveryd]; please include the original link when reposting, thanks
https://cdmana.com/2021/09/20210909124908589M.html
