WWW2Exec - atexit()

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

__atexit Structures

Sasa ni ajabu sana kutumia hii!

atexit() ni kazi ambayo kazi nyingine zinapewa kama vigezo. Hizi kazi zita tekelezwa wakati wa kutekeleza exit() au kurudi kwa main. Ikiwa unaweza kubadilisha anwani ya yoyote ya hizi kazi ili kuelekeza kwenye shellcode kwa mfano, utapata udhibiti wa mchakato, lakini hii kwa sasa ni ngumu zaidi. Kwa sasa anwani za kazi zitakazotekelezwa zime fichwa nyuma ya muundo kadhaa na hatimaye anwani ambayo inaelekeza si anwani za kazi, bali zime sifishwa kwa XOR na uhamasishaji na funguo za nasibu. Hivyo kwa sasa hii njia ya shambulio si ya manufaa sana angalau kwenye x86 na x64_86. Kazi ya usimbuaji ni PTR_MANGLE. Mifumo mingine kama m68k, mips32, mips64, aarch64, arm, hppa... hazitekelezi kazi ya usimbuaji kwa sababu inarudisha kile kile ilichopokea kama pembejeo. Hivyo mifumo hii ingekuwa na uwezo wa kushambuliwa kupitia njia hii.

Unaweza kupata maelezo ya kina juu ya jinsi hii inavyofanya kazi katika https://m101.github.io/binholic/2017/05/20/notes-on-abusing-exit-handlers.html

link_map

Kama ilivyoelezwa katika chapisho hili, Ikiwa programu inatoka kwa kutumia return au exit() itatekeleza __run_exit_handlers() ambayo itaita waondoa walioandikishwa.

Ikiwa programu inatoka kupitia _exit() kazi, itaita exit syscall na waondoa wa kutoka hawatafanywa. Hivyo, ili kuthibitisha __run_exit_handlers() inatekelezwa unaweza kuweka breakpoint juu yake.

Kazi muhimu ni (chanzo):

ElfW(Dyn) *fini_array = map->l_info[DT_FINI_ARRAY];
if (fini_array != NULL)
{
ElfW(Addr) *array = (ElfW(Addr) *) (map->l_addr + fini_array->d_un.d_ptr);
size_t sz = (map->l_info[DT_FINI_ARRAYSZ]->d_un.d_val / sizeof (ElfW(Addr)));

while (sz-- > 0)
((fini_t) array[sz]) ();
}
[...]




// This is the d_un structure
ptype l->l_info[DT_FINI_ARRAY]->d_un
type = union {
Elf64_Xword d_val;	// address of function that will be called, we put our onegadget here
Elf64_Addr d_ptr;	// offset from l->l_addr of our structure
}

Note how map -> l_addr + fini_array -> d_un.d_ptr is used to kuhesabu the position of the array ya kazi za kuita.

There are a mchache wa chaguzi:

Overwrite the value of map->l_addr to make it point to a bandia fini_array with instructions to execute arbitrary code
Overwrite l_info[DT_FINI_ARRAY] and l_info[DT_FINI_ARRAYSZ] entries (which are more or less consecutive in memory), to make them point to a forged Elf64_Dyn structure that will make again array point to a memory zone the attacker controlled.
Hii andiko overwrites l_info[DT_FINI_ARRAY] with the address of a controlled memory in .bss containing a fake fini_array. This fake array contains kwanza a one gadget address which will be executed and then the tofauti between in the address of this fake array and the thamani ya map->l_addr so *array will point to the fake array.
According to main post of this technique and hii andiko ld.so leave a pointer on the stack that points to the binary link_map in ld.so. With an arbitrary write it's possible to overwrite it and make it point to a fake fini_array controlled by the attacker with the address to a one gadget for example.

Following the previous code you can find another interesting section with the code:

/* Next try the old-style destructor.  */
ElfW(Dyn) *fini = map->l_info[DT_FINI];
if (fini != NULL)
DL_CALL_DT_FINI (map, ((void *) map->l_addr + fini->d_un.d_ptr));
}

Katika kesi hii, itakuwa inawezekana kubadilisha thamani ya map->l_info[DT_FINI] ikielekeza kwenye muundo wa ElfW(Dyn) uliofanywa. Pata maelezo zaidi hapa.

TLS-Storage dtor_list overwrite katika `__run_exit_handlers`

Kama ilivyoelezwa hapa, ikiwa programu inatoka kupitia return au exit(), itatekeleza __run_exit_handlers() ambayo itaita kazi yoyote ya destructor iliyosajiliwa.

Code kutoka _run_exit_handlers():

/* Call all functions registered with `atexit' and `on_exit',
in the reverse of the order in which they were registered
perform stdio cleanup, and terminate program execution with STATUS.  */
void
attribute_hidden
__run_exit_handlers (int status, struct exit_function_list **listp,
bool run_list_atexit, bool run_dtors)
{
/* First, call the TLS destructors.  */
#ifndef SHARED
if (&__call_tls_dtors != NULL)
#endif
if (run_dtors)
__call_tls_dtors ();

Msimbo kutoka __call_tls_dtors():

typedef void (*dtor_func) (void *);
struct dtor_list //struct added
{
dtor_func func;
void *obj;
struct link_map *map;
struct dtor_list *next;
};

[...]
/* Call the destructors.  This is called either when a thread returns from the
initial function or when the process exits via the exit function.  */
void
__call_tls_dtors (void)
{
while (tls_dtor_list)		// parse the dtor_list chained structures
{
struct dtor_list *cur = tls_dtor_list;		// cur point to tls-storage dtor_list
dtor_func func = cur->func;
PTR_DEMANGLE (func);						// demangle the function ptr

tls_dtor_list = tls_dtor_list->next;		// next dtor_list structure
func (cur->obj);
[...]
}
}

Kwa kila kazi iliyosajiliwa katika tls_dtor_list, itachambua kiashiria kutoka cur->func na kuikalia na hoja cur->obj.

Kwa kutumia kazi ya tls kutoka kwa fork ya GEF, inawezekana kuona kwamba kwa kweli dtor_list iko karibu sana na stack canary na PTR_MANGLE cookie. Hivyo, kwa kujaa kwenye hiyo, itakuwa inawezekana kuandika upya cookie na stack canary. Kwa kuandika upya PTR_MANGLE cookie, itakuwa inawezekana kuzidi kazi ya PTR_DEMANLE kwa kuipatia 0x00, itamaanisha kwamba xor inayotumika kupata anwani halisi ni tu anwani iliyowekwa. Kisha, kwa kuandika kwenye dtor_list inawezekana kuunganisha kazi kadhaa na anwani ya kazi hiyo na hoja yake.

Hatimaye, zingatia kwamba kiashiria kilichohifadhiwa hakitakuwa kiki xored tu na cookie bali pia kitageuzwa 17 bits:

0x00007fc390444dd4 <+36>:	mov    rax,QWORD PTR [rbx]      --> mangled ptr
0x00007fc390444dd7 <+39>:	ror    rax,0x11		        --> rotate of 17 bits
0x00007fc390444ddb <+43>:	xor    rax,QWORD PTR fs:0x30	--> xor with PTR_MANGLE

Hivyo unahitaji kuzingatia hili kabla ya kuongeza anwani mpya.

Pata mfano katika post ya asili.

Pointers nyingine zilizochanganywa katika `__run_exit_handlers`

Tekniki hii imeelezewa hapa na inategemea tena programu kutoka kwa kuita return au exit() hivyo __run_exit_handlers() inaitwa.

Hebu tuangalie zaidi msimbo wa kazi hii:

while (true)
{
struct exit_function_list *cur;

restart:
cur = *listp;

if (cur == NULL)
{
/* Exit processing complete.  We will not allow any more
atexit/on_exit registrations.  */
__exit_funcs_done = true;
break;
}

while (cur->idx > 0)
{
struct exit_function *const f = &cur->fns[--cur->idx];
const uint64_t new_exitfn_called = __new_exitfn_called;

switch (f->flavor)
{
void (*atfct) (void);
void (*onfct) (int status, void *arg);
void (*cxafct) (void *arg, int status);
void *arg;

case ef_free:
case ef_us:
break;
case ef_on:
onfct = f->func.on.fn;
arg = f->func.on.arg;
PTR_DEMANGLE (onfct);

/* Unlock the list while we call a foreign function.  */
__libc_lock_unlock (__exit_funcs_lock);
onfct (status, arg);
__libc_lock_lock (__exit_funcs_lock);
break;
case ef_at:
atfct = f->func.at;
PTR_DEMANGLE (atfct);

/* Unlock the list while we call a foreign function.  */
__libc_lock_unlock (__exit_funcs_lock);
atfct ();
__libc_lock_lock (__exit_funcs_lock);
break;
case ef_cxa:
/* To avoid dlclose/exit race calling cxafct twice (BZ 22180),
we must mark this function as ef_free.  */
f->flavor = ef_free;
cxafct = f->func.cxa.fn;
arg = f->func.cxa.arg;
PTR_DEMANGLE (cxafct);

/* Unlock the list while we call a foreign function.  */
__libc_lock_unlock (__exit_funcs_lock);
cxafct (arg, status);
__libc_lock_lock (__exit_funcs_lock);
break;
}

if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called))
/* The last exit function, or another thread, has registered
more exit functions.  Start the loop over.  */
goto restart;
}

*listp = cur->next;
if (*listp != NULL)
/* Don't free the last element in the chain, this is the statically
allocate element.  */
free (cur);
}

__libc_lock_unlock (__exit_funcs_lock);

The variable f inashikilia muundo wa initial na kulingana na thamani ya f->flavor kazi tofauti zitaanzishwa. Kulingana na thamani, anwani ya kazi ya kuita itakuwa mahali tofauti, lakini itakuwa demangled kila wakati.

Zaidi ya hayo, katika chaguo ef_on na ef_cxa pia inawezekana kudhibiti argument.

Inawezekana kuangalia initial structure katika kikao cha ufuatiliaji na GEF ikikimbia gef> p initial.

Ili kutumia hii unahitaji ama leak au kufuta PTR_MANGLEcookie na kisha kuandika tena kipengee cha cxa katika initial na system('/bin/sh'). Unaweza kupata mfano wa hii katika blogu ya asili kuhusu mbinu.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousWrite What Where 2 Exec NextWWW2Exec - .dtors & .fini_array

Last updated 5 days ago

__atexit Structures

link_map

TLS-Storage dtor_list overwrite katika __run_exit_handlers

Pointers nyingine zilizochanganywa katika __run_exit_handlers

__atexit Structures

link_map

TLS-Storage dtor_list overwrite katika __run_exit_handlers

Pointers nyingine zilizochanganywa katika __run_exit_handlers

TLS-Storage dtor_list overwrite katika `__run_exit_handlers`

Pointers nyingine zilizochanganywa katika `__run_exit_handlers`

TLS-Storage dtor_list overwrite katika `__run_exit_handlers`

Pointers nyingine zilizochanganywa katika `__run_exit_handlers`