SROP(SigReturn Oriented Programming)는 ROP, RTL(return-to-libc)과 같은 코드 재사용(code-reuse) 공격기법의 하나이다. 레지스터마다 pop 가젯을 찾아야 하는 일반 ROP와 달리, 시스템 콜을 일으키는 가젯과 eax/rax를 설정할 수 있는 가젯 정도만 있으면 되므로 가젯이 부족한 바이너리에서도 적용할 수 있고 바이너리 버전(가젯 주소)에 덜 의존한다.
보통 ROP(Return Oriented Programming)는 ret로 끝나는 가젯(gadget)을 여러 개 이어 붙여 작성하는데,
SROP는 그 가젯 대부분 대신 sigreturn 시스템 콜을 이용한다. 스택에 위조한 시그널 프레임(struct sigcontext)을 올려 두고 sigreturn을 호출하면 커널이 그 프레임의 값으로 모든 레지스터를 한 번에 채워 주므로, eip/esp/eax 등 원하는 레지스터 상태를 레지스터별 가젯 없이 만들 수 있다.
sigreturn 시스템 콜은 시그널 핸들러 실행이 끝난 뒤, 프로세스를 시그널을 받기 직전의 상태(레지스터 context)로 되돌리기 위해 커널이 제공하는 시스템 콜이다. 핸들러가 return하면 커널이 미리 넣어 둔 트램폴린(trampoline) 코드를 통해 이 시스템 콜이 호출된다.
프로그램 실행 중에 시그널이 전달되면 커널은 현재 CPU 레지스터 상태(context)를 시그널 프레임(struct sigcontext 등) 형태로 해당 프로세스의 유저 스택에 저장하고, 그 위에서 시그널 핸들러를 실행한다.
핸들러가 종료되면 sigreturn 시스템 콜이 호출되고, 커널은 유저 스택에 저장되어 있던 context를 그대로 레지스터에 복원하여
원래 프로그램을 이어서 실행한다. 즉, 복원에 쓰이는 context는 커널 영역이 아니라 공격자가 쓸 수 있는 유저 스택에 놓여 있다.
공격이 가능한 이유는 sigreturn을 처리할 때 커널이 스택 위의 context가 정말로 커널이 시그널 전달 과정에서 만든 프레임인지 검증하지 않고(유저 메모리에 있으므로 검증할 수단도 없다) 그 값을 그대로 레지스터에 복원하기 때문이다.
따라서 스택을 제어할 수 있는 공격자는 직접 만든 가짜 sigcontext를 올려놓고 sigreturn을 호출하는 것만으로 eip, esp, eax, ebx 등 모든 레지스터를 원하는 값으로 설정할 수 있다. 이는 특정 커널 버그가 아니라 시그널 ABI의 설계상 특성이므로, 스택 쓰기(버퍼 오버플로우 등)와 sigreturn을 호출할 가젯(eax를 설정한 뒤 int 0x80/syscall)만 있으면 성립한다.
sigreturn의 시스템 콜 번호. 아래 표는 참고 링크의 arch/sh(SuperH) 32비트 unistd_32.h(v3.3)를 그대로 옮긴 것으로, 시스템 콜 번호는 아키텍처마다 다르다는 점에 주의한다. 이 표에서는 sigreturn=119, rt_sigreturn=173이며 x86 32비트(i386)도 같은 번호를 쓰지만, x86-64에서는 rt_sigreturn이 15번이고 구형 sigreturn은 없다. 실제 익스플로잇을 작성할 때는 대상 아키텍처의 unistd.h에서 번호를 다시 확인해야 한다.
#ifndef __ASM_SH_UNISTD_H
#define __ASM_SH_UNISTD_H

/*
 * SuperH (arch/sh) 32-bit Linux system call numbers, as shipped in
 * arch/sh/include/asm/unistd_32.h of kernel v3.3 (see the reference link
 * below the table).
 *
 * Copyright (C) 1999 Niibe Yutaka
 *
 * NOTE(review): syscall numbers are per-architecture.  This is the SH table,
 * not x86; sigreturn (119) and rt_sigreturn (173) happen to coincide with
 * i386, but an SROP chain must use the numbers from the target machine's
 * own unistd.h.
 */

/* Classic UNIX calls, 0-71 */
#define __NR_restart_syscall          0
#define __NR_exit                     1
#define __NR_fork                     2
#define __NR_read                     3
#define __NR_write                    4
#define __NR_open                     5
#define __NR_close                    6
#define __NR_waitpid                  7
#define __NR_creat                    8
#define __NR_link                     9
#define __NR_unlink                  10
#define __NR_execve                  11
#define __NR_chdir                   12
#define __NR_time                    13
#define __NR_mknod                   14
#define __NR_chmod                   15
#define __NR_lchown                  16
#define __NR_break                   17
#define __NR_oldstat                 18
#define __NR_lseek                   19
#define __NR_getpid                  20
#define __NR_mount                   21
#define __NR_umount                  22
#define __NR_setuid                  23
#define __NR_getuid                  24
#define __NR_stime                   25
#define __NR_ptrace                  26
#define __NR_alarm                   27
#define __NR_oldfstat                28
#define __NR_pause                   29
#define __NR_utime                   30
#define __NR_stty                    31
#define __NR_gtty                    32
#define __NR_access                  33
#define __NR_nice                    34
#define __NR_ftime                   35
#define __NR_sync                    36
#define __NR_kill                    37
#define __NR_rename                  38
#define __NR_mkdir                   39
#define __NR_rmdir                   40
#define __NR_dup                     41
#define __NR_pipe                    42
#define __NR_times                   43
#define __NR_prof                    44
#define __NR_brk                     45
#define __NR_setgid                  46
#define __NR_getgid                  47
#define __NR_signal                  48
#define __NR_geteuid                 49
#define __NR_getegid                 50
#define __NR_acct                    51
#define __NR_umount2                 52
#define __NR_lock                    53
#define __NR_ioctl                   54
#define __NR_fcntl                   55
#define __NR_mpx                     56
#define __NR_setpgid                 57
#define __NR_ulimit                  58
#define __NR_oldolduname             59
#define __NR_umask                   60
#define __NR_chroot                  61
#define __NR_ustat                   62
#define __NR_dup2                    63
#define __NR_getppid                 64
#define __NR_getpgrp                 65
#define __NR_setsid                  66
#define __NR_sigaction               67
#define __NR_sgetmask                68
#define __NR_ssetmask                69
#define __NR_setreuid                70
#define __NR_setregid                71

/* 72-137 */
#define __NR_sigsuspend              72
#define __NR_sigpending              73
#define __NR_sethostname             74
#define __NR_setrlimit               75
#define __NR_getrlimit               76 /* Back compatible 2Gig limited rlimit */
#define __NR_getrusage               77
#define __NR_gettimeofday            78
#define __NR_settimeofday            79
#define __NR_getgroups               80
#define __NR_setgroups               81
#define __NR_select                  82
#define __NR_symlink                 83
#define __NR_oldlstat                84
#define __NR_readlink                85
#define __NR_uselib                  86
#define __NR_swapon                  87
#define __NR_reboot                  88
#define __NR_readdir                 89
#define __NR_mmap                    90
#define __NR_munmap                  91
#define __NR_truncate                92
#define __NR_ftruncate               93
#define __NR_fchmod                  94
#define __NR_fchown                  95
#define __NR_getpriority             96
#define __NR_setpriority             97
#define __NR_profil                  98
#define __NR_statfs                  99
#define __NR_fstatfs                100
#define __NR_ioperm                 101
#define __NR_socketcall             102
#define __NR_syslog                 103
#define __NR_setitimer              104
#define __NR_getitimer              105
#define __NR_stat                   106
#define __NR_lstat                  107
#define __NR_fstat                  108
#define __NR_olduname               109
#define __NR_iopl                   110
#define __NR_vhangup                111
#define __NR_idle                   112
#define __NR_vm86old                113
#define __NR_wait4                  114
#define __NR_swapoff                115
#define __NR_sysinfo                116
#define __NR_ipc                    117
#define __NR_fsync                  118
#define __NR_sigreturn              119 /* legacy (non-rt) sigreturn: the SROP entry point */
#define __NR_clone                  120
#define __NR_setdomainname          121
#define __NR_uname                  122
#define __NR_cacheflush             123
#define __NR_adjtimex               124
#define __NR_mprotect               125
#define __NR_sigprocmask            126
#define __NR_create_module          127
#define __NR_init_module            128
#define __NR_delete_module          129
#define __NR_get_kernel_syms        130
#define __NR_quotactl               131
#define __NR_getpgid                132
#define __NR_fchdir                 133
#define __NR_bdflush                134
#define __NR_sysfs                  135
#define __NR_personality            136
#define __NR_afs_syscall            137 /* Syscall for Andrew File System */

/* 138-197 */
#define __NR_setfsuid               138
#define __NR_setfsgid               139
#define __NR__llseek                140
#define __NR_getdents               141
#define __NR__newselect             142
#define __NR_flock                  143
#define __NR_msync                  144
#define __NR_readv                  145
#define __NR_writev                 146
#define __NR_getsid                 147
#define __NR_fdatasync              148
#define __NR__sysctl                149
#define __NR_mlock                  150
#define __NR_munlock                151
#define __NR_mlockall               152
#define __NR_munlockall             153
#define __NR_sched_setparam         154
#define __NR_sched_getparam         155
#define __NR_sched_setscheduler     156
#define __NR_sched_getscheduler     157
#define __NR_sched_yield            158
#define __NR_sched_get_priority_max 159
#define __NR_sched_get_priority_min 160
#define __NR_sched_rr_get_interval  161
#define __NR_nanosleep              162
#define __NR_mremap                 163
#define __NR_setresuid              164
#define __NR_getresuid              165
#define __NR_vm86                   166
#define __NR_query_module           167
#define __NR_poll                   168
#define __NR_nfsservctl             169
#define __NR_setresgid              170
#define __NR_getresgid              171
#define __NR_prctl                  172
#define __NR_rt_sigreturn           173 /* realtime sigreturn: restores a ucontext-based frame */
#define __NR_rt_sigaction           174
#define __NR_rt_sigprocmask         175
#define __NR_rt_sigpending          176
#define __NR_rt_sigtimedwait        177
#define __NR_rt_sigqueueinfo        178
#define __NR_rt_sigsuspend          179
#define __NR_pread64                180
#define __NR_pwrite64               181
#define __NR_chown                  182
#define __NR_getcwd                 183
#define __NR_capget                 184
#define __NR_capset                 185
#define __NR_sigaltstack            186
#define __NR_sendfile               187
#define __NR_streams1               188 /* some people actually want it */
#define __NR_streams2               189 /* some people actually want it */
#define __NR_vfork                  190
#define __NR_ugetrlimit             191 /* SuS compliant getrlimit */
#define __NR_mmap2                  192
#define __NR_truncate64             193
#define __NR_ftruncate64            194
#define __NR_stat64                 195
#define __NR_lstat64                196
#define __NR_fstat64                197

/* 198-267 */
#define __NR_lchown32               198
#define __NR_getuid32               199
#define __NR_getgid32               200
#define __NR_geteuid32              201
#define __NR_getegid32              202
#define __NR_setreuid32             203
#define __NR_setregid32             204
#define __NR_getgroups32            205
#define __NR_setgroups32            206
#define __NR_fchown32               207
#define __NR_setresuid32            208
#define __NR_getresuid32            209
#define __NR_setresgid32            210
#define __NR_getresgid32            211
#define __NR_chown32                212
#define __NR_setuid32               213
#define __NR_setgid32               214
#define __NR_setfsuid32             215
#define __NR_setfsgid32             216
#define __NR_pivot_root             217
#define __NR_mincore                218
#define __NR_madvise                219
#define __NR_getdents64             220
#define __NR_fcntl64                221
/* 222 and 223 are not assigned */
#define __NR_gettid                 224
#define __NR_readahead              225
#define __NR_setxattr               226
#define __NR_lsetxattr              227
#define __NR_fsetxattr              228
#define __NR_getxattr               229
#define __NR_lgetxattr              230
#define __NR_fgetxattr              231
#define __NR_listxattr              232
#define __NR_llistxattr             233
#define __NR_flistxattr             234
#define __NR_removexattr            235
#define __NR_lremovexattr           236
#define __NR_fremovexattr           237
#define __NR_tkill                  238
#define __NR_sendfile64             239
#define __NR_futex                  240
#define __NR_sched_setaffinity      241
#define __NR_sched_getaffinity      242
#define __NR_set_thread_area        243
#define __NR_get_thread_area        244
#define __NR_io_setup               245
#define __NR_io_destroy             246
#define __NR_io_getevents           247
#define __NR_io_submit              248
#define __NR_io_cancel              249
#define __NR_fadvise64              250
/* 251 is not assigned */
#define __NR_exit_group             252
#define __NR_lookup_dcookie         253
#define __NR_epoll_create           254
#define __NR_epoll_ctl              255
#define __NR_epoll_wait             256
#define __NR_remap_file_pages       257
#define __NR_set_tid_address        258
/*
 * Upstream writes the timer_*/clock_* numbers as __NR_timer_create + 1..8;
 * the resolved values are spelled out here.
 */
#define __NR_timer_create           259
#define __NR_timer_settime          260
#define __NR_timer_gettime          261
#define __NR_timer_getoverrun       262
#define __NR_timer_delete           263
#define __NR_clock_settime          264
#define __NR_clock_gettime          265
#define __NR_clock_getres           266
#define __NR_clock_nanosleep        267

/* 268-317 */
#define __NR_statfs64               268
#define __NR_fstatfs64              269
#define __NR_tgkill                 270
#define __NR_utimes                 271
#define __NR_fadvise64_64           272
#define __NR_vserver                273
#define __NR_mbind                  274
#define __NR_get_mempolicy          275
#define __NR_set_mempolicy          276
/* Upstream writes the mq_* numbers as __NR_mq_open + 1..5; resolved here. */
#define __NR_mq_open                277
#define __NR_mq_unlink              278
#define __NR_mq_timedsend           279
#define __NR_mq_timedreceive        280
#define __NR_mq_notify              281
#define __NR_mq_getsetattr          282
#define __NR_kexec_load             283
#define __NR_waitid                 284
#define __NR_add_key                285
#define __NR_request_key            286
#define __NR_keyctl                 287
#define __NR_ioprio_set             288
#define __NR_ioprio_get             289
#define __NR_inotify_init           290
#define __NR_inotify_add_watch      291
#define __NR_inotify_rm_watch       292
/* 293 is unused */
#define __NR_migrate_pages          294
#define __NR_openat                 295
#define __NR_mkdirat                296
#define __NR_mknodat                297
#define __NR_fchownat               298
#define __NR_futimesat              299
#define __NR_fstatat64              300
#define __NR_unlinkat               301
#define __NR_renameat               302
#define __NR_linkat                 303
#define __NR_symlinkat              304
#define __NR_readlinkat             305
#define __NR_fchmodat               306
#define __NR_faccessat              307
#define __NR_pselect6               308
#define __NR_ppoll                  309
#define __NR_unshare                310
#define __NR_set_robust_list        311
#define __NR_get_robust_list        312
#define __NR_splice                 313
#define __NR_sync_file_range        314
#define __NR_tee                    315
#define __NR_vmsplice               316
#define __NR_move_pages             317

/* 318-339 */
#define __NR_getcpu                 318
#define __NR_epoll_pwait            319
#define __NR_utimensat              320
#define __NR_signalfd               321
#define __NR_timerfd_create         322
#define __NR_eventfd                323
#define __NR_fallocate              324
#define __NR_timerfd_settime        325
#define __NR_timerfd_gettime        326
#define __NR_signalfd4              327
#define __NR_eventfd2               328
#define __NR_epoll_create1          329
#define __NR_dup3                   330
#define __NR_pipe2                  331
#define __NR_inotify_init1          332
#define __NR_preadv                 333
#define __NR_pwritev                334
#define __NR_rt_tgsigqueueinfo      335
#define __NR_perf_event_open        336
#define __NR_fanotify_init          337
#define __NR_fanotify_mark          338
#define __NR_prlimit64              339

/* Non-multiplexed socket family, 340-366 */
#define __NR_socket                 340
#define __NR_bind                   341
#define __NR_connect                342
#define __NR_listen                 343
#define __NR_accept                 344
#define __NR_getsockname            345
#define __NR_getpeername            346
#define __NR_socketpair             347
#define __NR_send                   348
#define __NR_sendto                 349
#define __NR_recv                   350
#define __NR_recvfrom               351
#define __NR_shutdown               352
#define __NR_setsockopt             353
#define __NR_getsockopt             354
#define __NR_sendmsg                355
#define __NR_recvmsg                356
#define __NR_recvmmsg               357
#define __NR_accept4                358
#define __NR_name_to_handle_at      359
#define __NR_open_by_handle_at      360
#define __NR_clock_adjtime          361
#define __NR_syncfs                 362
#define __NR_sendmmsg               363
#define __NR_setns                  364
#define __NR_process_vm_readv       365
#define __NR_process_vm_writev      366

/* One past the highest assigned number: size of the syscall table. */
#define NR_syscalls                 367

#ifdef __KERNEL__

/* Generic-syscall opt-ins this architecture wants from kernel/sys*.c. */
#define __ARCH_WANT_IPC_PARSE_VERSION
#define __ARCH_WANT_OLD_READDIR
#define __ARCH_WANT_OLD_STAT
#define __ARCH_WANT_STAT64
#define __ARCH_WANT_SYS_ALARM
#define __ARCH_WANT_SYS_GETHOSTNAME
#define __ARCH_WANT_SYS_IPC
#define __ARCH_WANT_SYS_PAUSE
#define __ARCH_WANT_SYS_SGETMASK
#define __ARCH_WANT_SYS_SIGNAL
#define __ARCH_WANT_SYS_TIME
#define __ARCH_WANT_SYS_UTIME
#define __ARCH_WANT_SYS_WAITPID
#define __ARCH_WANT_SYS_SOCKETCALL
#define __ARCH_WANT_SYS_FADVISE64
#define __ARCH_WANT_SYS_GETPGRP
#define __ARCH_WANT_SYS_LLSEEK
#define __ARCH_WANT_SYS_NICE
#define __ARCH_WANT_SYS_OLD_GETRLIMIT
#define __ARCH_WANT_SYS_OLD_UNAME
#define __ARCH_WANT_SYS_OLDUMOUNT
#define __ARCH_WANT_SYS_SIGPENDING
#define __ARCH_WANT_SYS_SIGPROCMASK
#define __ARCH_WANT_SYS_RT_SIGACTION
#define __ARCH_WANT_SYS_RT_SIGSUSPEND

/*
 * "Conditional" syscalls
 *
 * What we want is __attribute__((weak,alias("sys_ni_syscall"))),
 * but it doesn't work on all toolchains, so we just do it by hand
 */
#ifndef cond_syscall
#define cond_syscall(x) asm(".weak\t" #x "\n\t.set\t" #x ",sys_ni_syscall")
#endif

#endif /* __KERNEL__ */
#endif /* __ASM_SH_UNISTD_H */
Context의 값이 스택에 어떤 순서로 들어가는지는 대상 아키텍처의 sigcontext.h에 정의된 struct sigcontext를 참조하면 알 수 있다. 아래 구조체는 x86 32비트(i386)용이며, 위의 시스템 콜 표(arch/sh)와는 아키텍처가 다르므로 섞어 쓰지 않도록 주의한다. x86-64는 r8~r15로 시작하는 전혀 다른 레이아웃의 별도 구조체를 쓴다.
sigcontext.h
struct sigcontext {
/*
 * x86 32-bit (i386) signal context: the register image that sigreturn
 * copies back into the CPU.  For SROP the attacker lays a forged copy of
 * this struct out on the stack, so the field ORDER below is the byte
 * order of the fake frame.
 *
 * NOTE(review): the syscall table above is the SuperH (arch/sh) one, not
 * x86 -- verify both the numbers and this layout against the target.
 * NOTE(review): `unsigned long` is 8 bytes on an LP64 host, so this
 * declaration only matches the i386 frame when built 32-bit (e.g. -m32);
 * when generating a frame from a 64-bit script, pack each field as 4 bytes
 * and each `unsigned short` pair as 2+2 bytes.
 */
/* Segment selectors; the __*h halves are the upper 16 bits / padding. */
unsigned short gs, __gsh;
unsigned short fs, __fsh;
unsigned short es, __esh;
unsigned short ds, __dsh;
/* General-purpose registers, restored verbatim by sigreturn. */
unsigned long edi;
unsigned long esi;
unsigned long ebp;
unsigned long esp;          /* stack pointer the process resumes with */
unsigned long ebx;
unsigned long edx;
unsigned long ecx;
unsigned long eax;          /* on i386 also the syscall number if the chain continues with int 0x80 */
unsigned long trapno;
unsigned long err;
unsigned long eip;          /* instruction pointer the process resumes at: the SROP "return address" */
unsigned short cs, __csh;   /* code segment selector; presumably must stay a valid user selector -- confirm */
unsigned long eflags;
unsigned long esp_at_signal;
unsigned short ss, __ssh;   /* stack segment selector */
struct _fpstate *fpstate;   /* pointer to FPU state; NOTE(review): forged frames often use NULL -- confirm the target kernel accepts it */
unsigned long oldmask;
unsigned long cr2;
};
첫 ret(저장된 반환 주소)을 덮기 위해서 20개의 dummy가 필요하다. 이 값은 예제 바이너리의 스택 프레임 크기에 따른 것이므로, 대상 프로그램마다 디버거로 버퍼 시작 지점과 저장된 eip 사이의 거리를 직접 측정해야 한다. 덮어쓴 반환 주소에는 eax를 119(sigreturn)로 만든 뒤 int 0x80을 실행하는 가젯을 넣고, 그 가젯이 실행될 때 esp가 가리키는 위치부터 위 struct sigcontext 순서대로 위조 프레임을 배치한다(i386의 구형 sigreturn은 프레임 앞의 pretcode·sig 필드를 esp 기준으로 계산하므로 sigcontext가 esp에서 바로 시작하는 것으로 알려져 있으나, 커널 버전과 rt_sigreturn 사용 여부에 따라 달라질 수 있으니 해당 커널의 sigframe 정의로 확인한다). 위조 프레임에서 cs/ss/ds/es 같은 세그먼트 셀렉터와 eflags는 정상 실행 중의 값을 그대로 쓰고, eip·esp·eax·ebx·ecx·edx를 원하는 시스템 콜(예: execve)에 맞게 채운다.
참고 :
2. http://lxr.free-electrons.com/source/arch/sh/include/asm/unistd_32.h?v=3.3