Rechercher dans la communauté

Hello Un peu de lecture si ça intéresse certains, par Yifan Lu : Reversing Gateway Ultra First Stage (Part 1) And now for something completely different As a break from Vita hacking, Ive decided to play around with the Nintendo 3DS exploit released by Gateway yesterday. The 3DS is a much easier console to hack, but unfortunately, the scene is dominated by a piracy company who, ironically, implement various features to protect their intellectual property (one such feature purposely bricks any user of a cloned piracy cartand also legitimate users too). Ethics aside, it would be useful to reverse Gateways exploits and use them for homebrew loading so I took a quick look at it. The first stage of the exploit is an entry-point into the system that allows code to run in the unprivileged user-mode. It is usually used to exploit a kernel vulnerability, which is the second stage. In the unique case of Gateway, the first stage is broken up into two parts (in order for them to obfuscate their payload). I am only going to look at the first part for now. Vulnerability The userland vulnerability is a known use-after-free bug in WebKit found in April last year (and no, the latest Vita firmware is not vulnerable). Depending on the user-agent of the 3DS visiting the exploit page, a different payload for that browser version is sent. A GBATemp user has dumped all the possible payloads, and I used the 4.x one in my analysis (although I believe the only difference in the different payloads are memory offsets). Details This is what the initial first stage payload does: void *_this = 0x08F10000; int *read_len = 0x08F10020; int *buffer = 0x08F01000; int state = 0; int i = 0; FS_MOUNTSDMC("dmc:"); IFile_Open(_this, L"dmc:/Launcher.dat", 0x1); *((int *)_this + 1) = 0x00012000; // fseek according to sm on #3dsdev IFile_Read(_this, read_len, buffer, 0x4000); for (i = 0; i < 0x4000/4; i++){state += 0xD5828281;buffer[i] += state;} The important part here is that the rest of the payload is decrypted from Launcher.dat by creating a stream cipher from a (crappy) PRNG that just increments by 0xD5828281 every iteration. Instead of an xor-pad, it uses an add-pad. Otherwise it is pretty standard obfuscation. A neat trick in this ROP payload is the casting of ARM code as Thumb to get gadgets that were not originally compiled into code (I am unsure if they also tried casting RO data as Thumb code, as that is also a way of getting extra gadgets). Another neat trick is emulating loops by using ARM conditional stores to conditionally set the stack pointer to some value (although I was told they used this trick in the original Gateway payload too). Future The first part was very simple and straightforward and was easy to reverse. I am expecting that the second part would involve a lot more code so I may need to work on a tool to extract the gadgets from code. (By the way, thanks to sbJFn5r on #3dsdev for providing me with the WebKit code to look at and sm for the hint about fseek). It is likely that I wont have the time to continue this though (still working on the Vita) but it seems like many others are farther ahead than me anyways. Payload (For those who care, the raw (annotated) payload for 4.X ) : Reversing Gateway Ultra First Stage (Part 2) When we last left off, we looked at the ROP code that loaded a larger second-part of the payload. Now we will walk through what was loaded and how userland native code execution was achieved. I am still an amateur at 3DS hacking so I am sure to get some things wrong, so please post any corrections you have in the comments and I will update the post as needed. Pseudocode Some of the hard coded addresses are inside the stack payload loaded by the first part from Launcher.dat (at 0x08F01000). Details The first part, Im not too sure about. I think its either some required housekeeping or needless calls to obfuscate the exploit (found later). I couldnt find any documentation on the 0x1F4XXXXX region except that is it in the VRAM. (EDIT: plutoo tells me its the framebuffer. Likely the screen is cleared black for debugging or something.) I am also unsure of the use of setting 0×08000838 to some location in the payload that is filled with 0x002CAFE4″. In the second part, version specific information for each released kernel version is copied to a global space for use by both the first stage and the second stage exploit code. (This includes specific kernel addresses and stuff). The meat of the exploit is an unchecked GPU DMA write that allows the attacker to overwrite read-only executable pages in memory. This is the same exploit used by smealum in his ninjhax and he gives a much better explanation of gspwn in his blog. In short, certain areas of the physical memory are mapped at some virtual address as read-only executable (EDIT: yellows8 tells me specifically, this is in a CRO, which is something like shared libraries for 3DS) but when the physical address of the same location is written to by the GPU, it does not go through the CPUs MMU (since it is a different device) and can write to it. The need for thread sleep (and maybe the weird useless memcpys) is because the CPUs various levels of cache needs some time to see the changes that it did not expect from the GPU. The second stage of the payload is the ARM code copied from Launcher.dat (3.0.0) offset 0x1B90 for a length of 0x21F0 (remember to decrypt it using the add-pad stream cipher described in the first post). Raw ROP Payload Annotated It is a huge mess, but for those who are curious, here it is. The bulk of the code are useless obfuscation (for example, it would pop 9 registers full of junk data and then fill the same 9 registers with more junk data afterwards). However, the obfuscation is easy to get past if you just ignore everything except gadgets that do 1) memory loads, 2) memory stores, 3) set flags, or 4) function call. Every other gadget is useless. They also do this weird thing where they memcpy one part of the stack to another part (which goes past the current SP). However, comparing the two blocks of data (before and after the copy) shows nothing different aside from some garbage values. Reversing Gateway Ultra Stage 2: Owning ARM11 Kernel Its been a couple of days since my initial analysis of Gateway Ultra, released last week to enable piracy on 3DS. I spent most of this time catching up on the internals of the 3DS. I cant thank the maintainers of 3dbrew enough (especially yellows8, the master of 3DS reversing) for the amount of detailed and technical knowledge found on the wiki. The first stage was a warmup and did not require any specific 3DS knowledge to reverse. The problem with the second stage is that while it is easy to see the exploit triggered and code to run, the actual exploit itself was not as clear. I looked at all the function calls made and made a couple of hypothesis of where the vulnerability resided, and reversed each function to the end to test my hypothesis. Although I many dead ends and false leads, the process of reversing all these functions solidified my understanding of the system. Code As always, I like to post the reversed code first so those with more knowledge than me dont have to read my verbose descriptions. I will explain the interesting parts afterwards. I am including the full Gateway reverse of the shellcode including parts that are irrelevant either because it is used as obfuscation, to provide stability, or as setup for later parts. Vulnerability The main vulnerability is actually still gspwn. Whereas in the first stage, it was used to overwrite (usually read-only) code from a CRO dynamic library to get userland code execution, it is now used to overwrite a heap free pointer so when the next memory page is freed, it would overwrite kernel memory. 3DS Memory Layout To understand how the free pointer write corruption works, lets first go over how the 3DS memory is laid out (in simple terms). You can get the full picture here, but I want to go over some key points. First, the main memory (used by applications and services) called the FCRAM is located at physical address 0×20000000 to 0×28000000. It is mapped in virtual memory in many places. First, the main application which is at around FCRAM 0x23xxxxxx (or higher if it is a system process or applet like the web browser) is mapped to 0×00100000 as read-only. Next we have some pages in the FCRAM 0x24xxxxxx region that can be mapped by the application on demand to virtual address 0x18xxxxxx through the syscall ControlMemory. Finally, the entire FCRAM is mapped in kernel 0xF0000000 0xF8000000 (this is for 4.1, different in other versions). Another note about memory is that the ARM11 kernel is not located in the FCRAM, but in something called the AXI WRAM. The name is not important, but what is important is that its physical address 0x1FF80000 is mapped twice in kernel memory space. 0xFFF60000 is marked read-only executable and 0xEFF80000 is marked read-write non-executable. However, writing to 0xEFF80000 will allow you to execute the code at 0xFFF60000, which defeats the whole purpose of marking the pages non-executable. Since these mappings only apply in kernel mode, you would still need to perform a write to that address with kernel permissions. ControlMemory Unchecked Write The usual process for handling user controlled pointers in a syscall is to use the special ARM instructions LDRT and STRT, which performs the pointer dereference with user privileges in kernel mode. However, what if we overwrite a pointer that the developers did not think is user controlled? The goal is achieved by the ControlMemory syscall along with gspwn. The ControlMemory syscall is used to allocate and free pages of memory from the heap region of the FCRAM. When it is called to free, like most heap allocators, certain pointers are stored in the newly freed memory block (to point to the next and previous free blocks). Like most heap allocators, it also performs coalescing, which means two free blocks will be combined to form a larger free block (and the pointers to and from it is updated accordantly). The plan here is to free a block of memory, which places certain pointers in the freed block. This is usually safe since once the user frees the block, it is unmapped from the user virtual memory space and they cannot access the memory any more. However, we can with gspwn, so we overwrite the free pointer with gspwn to overwrite the code in the 0xEFF80000 region. And that is possible because the pointer dereference is done with kernel permissions because the pointers stored here is not normally user accessible. The data stored in the freed region is as follows: struct{int some_count;struct free_data *next_free_block;struct free_data *prev_free_block;int unk_C;int unk_10;} free_data; When the first ControlMemory call happens in the exploit, it frees FCRAM 0×24451000 and writes the free_data structure to it. We then use gspwn to overwrite next_free_block to point to the kernel code we want to overwrite. Next we call ControlMemory to free the page immediately before (FCRAM 0×24450000). This will coalesce the block with ((struct free_data *)0x24450000)->next_free_block = ((struct free_data *)0x24451000)->next_free_block; ((struct free_data *)0x24451000)->next_free_block->prev_free_block = (struct free_data *)0x24450000; As you can see, we control next_free_block of 0×24451000 and therefore control the write. But were not done yet. The above pseudocode was an artist rendition of what happens. Obviously, physical addresses are not used here. The user region virtual address (0x18xxxxxx) is not used either. The pointers here are the kernel virtual address 0xF4450000 and 0xF4451000. Since we can only write the value 0xF4450000 (or on 9.2, it is 0xE4450000), this poses a problem. Ideally, we want to write some ARM instruction that allows us to jump to code we control (BX R0 for example), however, 0xF4450000 assembles to vst4.8{d16-d19}, [r5], r0″ (dont worry, I dont know what that is either) and 0xE4450000 assembles to strb r0, [r5], #-0″. Both of which cant be used (obviously) to control code execution. Now of course, we can try another address and see if we get lucky and the address happens to compile to a branch instruction, but we are not lucky. None of the user mappable/unmappable regions would give us a branch. Unaligned Code Corruption Here is the clever idea. What if we stop thinking of the problem as: how do I write an instruction that gives us execution control? but instead as: how do I corrupt the code to control it? I dont usually like to post assembly listings, but it is impossible to dodge ARM assembly if you made it this far. A note to systems programmers: There is a feature of ARMv6 that the 3DS enabled called unaligned read/write. This means a pointer does NOT have to be word aligned. In other words, you are allowed to write 4 bytes arbitrary to any address including something like 0×1003″. Now if youre not a systems designer and dont know about the problem of unaligned reads/writes (C nicely hides this from you), dont worry, it just means everything works as you expect it to. Lets take a look at an arbitrary syscall, CreateThread. The actual syscall doesnt matter, we only care about the assembly code that it runs: 0: e52de004 push {lr} ; (str lr, [sp, #-4]!) 4: e24dd00c sub sp, sp, #12 8: e58d4004 str r4, [sp, #4] c: e58d0000 str r0, [sp] 10: e28d0008 add r0, sp, #8 14: eb001051 bl 0x4160 18: e59d1008 ldr r1, [sp, #8] 1c: e28dd00c add sp, sp, #12 20: e49df004 pop {pc} ; (ldr pc, [sp], #4) How do we patch this to control code flow? What if we get ride of the add on line 0x1c? Then we have on line 0xc, *SP = R0 and on line 0×20, PC = *SP, and since we trivially control R0 in a syscall, we can pass in a function pointer and run it. Now if we replace the code at 0×18 with either 0xF4450000 or 0xE4450000, another problem arises. Both of those instructions (and there may be others from other firmware versions) try to dereference R5, which we dont control. However, what if we write 0xF4450000/0xE4450000 starting at 0×17? It would now corrupt two instructions instead of just one, but both are safe instructions. ... 14: eb001051 bl 0x4160 18: 009d1008 addseq r1, sp, r8 1c: e2e44500 rsc r4, r4, #0, 10 ... The actual code that is there isnt particularly useful/important, which is exactly what we want. We successfully patched the kernel to jump to our code with a single syscall. Now making SVC 8 with R0 pointing to some function would run it in ARM11 kernel mode.Closing Although some may call this exploit stupid or simple, I thought the way it was exploited was very novel. It involved overwriting pointers that are meant to be inaccessible to users, then a type confusion of pointer to ARM code, and finally abusing unaligned writes to corrupt instructions in a safe way. Next time, I hope to conclude this series by reversing the ARM9 kernel exploit next (for those unfamiliar, the 3DS has two kernels, one for applications and one for security, ARM9 is the interesting one). I want to thank, again, sbJFn5r for providing me with various dumps. http://yifan.lu/2015/01/15/reversing-gateway-ultra-stage-2-owning-arm11-kernel/