- Complete title: return-to-csu: A New Method to Bypass 64-bit Linux ASLR
- PDF: de2792f69f394c398a1aef57e1f3ceb322a901a2_asia-18-Marco-return-to-csu-a-new-method-to-bypass-the-64-bit-Linux-ASLR-wp.pdf
The paper presents two ROP gadgets found in __libc_csu_init, in the crt0 (called "attached code" in the
It's public knowledge (at least in the CTF/wargames world) that there are some gadgets there, and they were even detailed at length by Reno Robert on v0id s3curity in 2013, presented at documented by hatena in 2014, documented on x64 by math1as in 2016, and are likely present in your favourite modern wargame.
This construction is irrelevant in the real world: if the binary is non-PIE, you always have better gadgets to use, and if the binary is PIE, you can't use this one anyway.
The variants of the gadgets used in the paper are:

```asm
pop %rbx
pop %rbp
pop %r12
pop %r13
pop %r14
pop %r15
retq
```

```asm
mov %r13, %rdx
mov %r14, %rsi
mov %r15d, %edi
callq *(%r12, %rbx, 8)
```
There are some proposed solutions to get rid of it, like moving it into libc, or a partial rewrite of the binary.
Apparently, the author patched ropper to make it detect the gadgets, but since there is no code in the paper, and no patch upstream, who knows…
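Since the ropper patch is not available, here is an added example of the detection the paper describes, written by me and not taken from the paper or from ropper: a small scanner that reports whether a 64-bit ELF still carries the two gadget byte sequences listed above, and at which virtual addresses. It assumes the glibc layout shown on this page (newer glibc versions reorder the register moves, so those would need their own patterns) and parses only the ELF64 program headers to map file offsets to virtual addresses. The `build_sample_image` helper constructs a fake, non-runnable ELF image so the scanner can be exercised offline; on a real build you would point `scan_image` at the file contents to check whether a mitigation such as the proposed move into libc actually removed the gadgets.

```python
import struct
import sys

# Byte encodings of the two __libc_csu_init gadgets quoted on this page (x86-64).
# pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
POP6_RET = bytes.fromhex("5b5d415c415d415e415fc3")
# mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12 + rbx*8]
MOV3_CALL = bytes.fromhex("4c89ea4c89f64489ff41ff14dc")

PATTERNS = {"pop6_ret": POP6_RET, "mov3_call": MOV3_CALL}


def find_csu_gadgets(data: bytes) -> dict:
    """Return {pattern name: [file offsets]} for every occurrence of each gadget."""
    hits = {}
    for name, pat in PATTERNS.items():
        offsets, start = [], 0
        while (i := data.find(pat, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[name] = offsets
    return hits


def load_segments(data: bytes) -> list:
    """Parse the PT_LOAD program headers of a little-endian ELF64 image
    into (file offset, virtual address, file size) tuples."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segments = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, base)
        if p_type == 1:  # PT_LOAD
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def offset_to_vaddr(segments: list, offset: int):
    """Map a file offset to the virtual address it is loaded at, or None."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_offset <= offset < p_offset + p_filesz:
            return p_vaddr + (offset - p_offset)
    return None


def scan_image(data: bytes) -> dict:
    """Return {pattern name: [virtual addresses]} of the csu gadgets in an ELF64 image."""
    segments = load_segments(data)
    return {name: [offset_to_vaddr(segments, off) for off in offsets]
            for name, offsets in find_csu_gadgets(data).items()}


def build_sample_image() -> bytes:
    """Constructed, non-executable ELF64 image: header, one PT_LOAD at 0x400000,
    and a few bytes of 'code' containing both gadgets. Demo input only."""
    code = b"\x90" * 16 + POP6_RET + b"\x90" * 5 + MOV3_CALL + b"\xc3"
    code_off = 64 + 56  # ELF header + one program header
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000 + code_off,
                               64, 0, 0, 64, 56, 1, 64, 0, 0)
    total = code_off + len(code)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, total, total, 0x1000)
    return ehdr + phdr + code


if __name__ == "__main__":
    # Usage: python csu_scan.py <elf64 binary>; with no argument, scan the sample image.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for name, addrs in scan_image(image).items():
        print(f"{name}: " + (", ".join(hex(a) for a in addrs) if addrs else "not found"))
```

On the sample image both gadgets are reported at 0x400088 and 0x400098; on a real non-PIE build the addresses are the ones a ROP chain would use, on a PIE build they are offsets from a randomized base, which is exactly the distinction the paragraph above draws.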
The only ASLR "bypass" present in the paper is a bruteforce of a forking server, again without code:

```
./exploit-server_64_PIE.py -s 10.0.2.15 -p 9999
[+] Exploit ASLR 64 bit systems
[+] Trying to find out the canary offset
[+] Offset is 56 bytes
[+] Brute forcing stack canary
[+] SSP value is 0x0e8e6dc24e458900
[+] Brute forcing EBP
[+] EBP value is 0x00007ffd694d4158
[+] Brute forcing Saved EIP
[+] EIP value is 0x0000555cd2686ff4
[+] Text Base at 0x0000555cd2686000
Libc write function is at 0x00007fda3c12a0b0
```
This seems to be yet another instance of return-to-Blackhat paper.