Artificial truth

The more you see, the less you believe.

Paper notes: return-to-csu: A New Method to Bypass 64-bit Linux ASLR
Tue 27 March 2018

The paper presents two ROP gadgets found in __libc_csu_init, in the crt0 (called "attached code" in the paper). It's public knowledge (at least in the CTF/wargames world) that there are some gadgets there: they were described in great detail by Reno Robert on v0id s3curity in 2013, presented at AVTokyo, documented by hatena in 2014, documented on x64 by math1as in 2016, and are likely present in your favourite modern wargame.

This construction is irrelevant in the real world: if the binary is non-PIE, you always have better gadgets to use, and if the binary is PIE, you can't use this one anyway.

The variants of the gadgets in the paper are:

pop %rbx
pop %rbp
pop %r12
pop %r13
pop %r14
pop %r15
retq

and

mov %r13, %rdx
mov %r14, %rsi
mov %r15d, %edi
callq *(%r12, %rbx, 8)

There are some proposed solutions to get rid of it, like moving it into libc, or a partial rewriting of the binary.

Apparently, the author patched ropper to make it detect the gadgets, but since there is no code in the paper, and no patch upstream, who knows…
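
An added example (not code from the paper, from ropper, or from this post): a small audit script that reports whether an ELF64 file is non-PIE and contains the byte encodings of the two gadget variants quoted above, the only case in which they sit at fixed addresses. The function names and the synthetic sample image are assumptions made for this example; only the register allocation shown above is matched, and any ET_DYN file is treated as PIE.

```python
import struct

# x86-64 byte encodings of the two gadget variants quoted above.
POP_CHAIN = bytes.fromhex("5b5d415c415d415e415fc3")     # pop rbx; rbp; r12..r15; ret
CALL_SEQ = bytes.fromhex("4c89ea4c89f64489ff41ff14dc")  # mov r13,rdx; mov r14,rsi; mov r15d,edi; call *(r12,rbx,8)

ET_EXEC, ET_DYN = 2, 3  # e_type values: fixed-address executable / PIE or shared object

def find_all(data, needle):
    """Return every file offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def audit_elf(data):
    """Report PIE status and gadget offsets for a little-endian ELF64 image."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    (e_type,) = struct.unpack_from("<H", data, 16)
    pops = find_all(data, POP_CHAIN)
    calls = find_all(data, CALL_SEQ)
    return {
        "pie": e_type == ET_DYN,
        "pop_chain_offsets": pops,
        "call_seq_offsets": calls,
        # Only a non-PIE image keeps these sequences at addresses known in advance.
        "fixed_address_gadgets": e_type == ET_EXEC and bool(pops) and bool(calls),
    }

def make_sample(e_type, with_gadgets):
    """Constructed input: a minimal 64-byte ELF64 header plus padding, not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HH", e_type, 62) + bytes(44)
    body = bytes(16) + CALL_SEQ + bytes(3) + POP_CHAIN if with_gadgets else bytes(32)
    return header + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, audit_elf(fh.read()))
```

Binaries flagged with fixed_address_gadgets are the ones to rebuild as PIE.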

The only ASLR "bypass" present in the paper is a brute force of a forking server, again without code:

./exploit-server_64_PIE.py -s 10.0.2.15 -p 9999
[+] Exploit ASLR 64 bit systems
[+] Trying to find out the canary offset
[+] Offset is 56 bytes
[+] Brute forcing stack canary
[+] SSP value is 0x0e8e6dc24e458900
[+] Brute forcing EBP
[+] EBP value is 0x00007ffd694d4158
[+] Brute forcing Saved EIP
[+] EIP value is 0x0000555cd2686ff4
[+] Text Base at 0x0000555cd2686000
Libc write function is at 0x00007fda3c12a0b0

This seems to be yet another instance of return-to-Blackhat paper.