Very vulnerable ARM/ARM64 application (CTF style exploitation tutorial for ARM/ARM64, but portable to other platforms)
(c) B.Kerler 2018
Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64/others.
So, for training purposes, I thought: Why not :)
Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Basic ROP
Level 13: Use-after-free
-
Get and install VirtualBox (https://www.virtualbox.org)
-
Get and install Vagrant (https://www.vagrantup.com)
-
In any directory:
Install virtual machine on host
$ vagrant init bkerler/reversing
Start virtual machine (Will take some time to download and init on first start) on host
$ vagrant up
For each session on host
$ vagrant ssh
Time to do exploit training on Guest (Password for user vagrant is "vagrant")
*** ARM32
vagrant@vagrant-VirtualBox:~$ cd exploit_me vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm exploit hello & vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit
*** ARM64
vagrant@vagrant-VirtualBox:~$ cd exploit_me vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm64 ./exploit64 hello & vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit64
Once you're done on Guest:
vagrant@vagrant-VirtualBox:~$ logout
To reset any changes :
$ vagrant destroy
or to keep changes :
$ vagrant halt
-
For trying if it works : *** 32-Bit:
$ ./exploit
*** 64-Bit:
$ ./exploit64
-
Example debugging session:
$ sudo ./disableaslr.sh
(Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)
*** 32-Bit:
$ ./arm exploit [levelpassword] [options] & $ gdb-multiarch ./exploit
Make sure to set architecture in .gdbinit to "arm"
*** 64-Bit:
$ ./arm64 exploit64 [levelpassword] [options] & $ gdb-multiarch ./exploit64
Make sure to set architecture in .gdbinit to "aarch64"
-
GDB Basics:
Use "si" to step into functions or "so" to step over functions, "info functions" to print all functions, "p [function]" to print function address and information, if symbols exist "b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, "c" to continue program, "x/[dwords]x" to print offsets, for example "x/4x 0x1234" and "x/[dwords]x $reg" to print register contents, for example "x/4x $sp". Using pwndbg, you can use "rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
-
After you've exploited correctly, you will see the password for the next level. So if level2 password would be "Level2": *** 32-Bit:
$ ./exploit Level2
*** 64-Bit:
$ ./exploit64 Level2
-
For cheaters or people trying to understand with less instruction knowledge :
See solution and source code in exploit.cpp
-
There are more solutions possible, even with rop chains, not just my example solutions given
-
There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it
Use either "python" or "pip" for python 2.x or "python3" or "pip3" accordingly for python 3.x (preferred)
Example:
sudo pip install capstone
for python 2.x
or
sudo pip3 install capstone
for python 3.x
-
Basic install (tested with Ubuntu/LUbuntu 17.10 64Bit)
$ sudo apt-get update $ sudo apt-get install gdb-multiarch $ sudo apt-get install python2.7 python-dev python3 python3-dev python-pip python3-pip git libssl-dev libffi-dev build-essential $ pip install --upgrade capstone $ sudo apt-get install qemu binfmt-support qemu-user-binfmt $ sudo systemctl restart systemd-binfmt $ sudo apt-get install python-capstone python3-capstone $ sudo apt-get install libncurses5-dev
If you want to crosscompile:
*** ARM
$ sudo apt-get install g++-arm-linux-gnueabi $ sudo apt-get install gcc-arm-linux-gnueabi $ ./compile32.sh
*** ARM64
$ sudo apt-get install gcc-aarch64-linux-gnu $ sudo apt-get install g++-aarch64-linux-gnu $ ./compile64.sh
(Remove -fno-stack-protector for more fun) Add -marm to prevent compiling in thumb mode
-
Install latest ROPgadget:
$ git clone https://github.com/JonathanSalwan/ROPgadget $ cd ROPgadget && python setup.py install && cd ..
-
Install latest pwndbg:
$ git clone https://github.com/pwndbg/pwndbg $ cd pwndbg && python setup.py install && cd ..
-
Install pwntools (Note, currently Python3 version doesn't work !, thanks zachriggle):
$ pip install --upgrade pip $ pip install --upgrade pwntools
Add this to .gdbinit in home directory:
set auto-load safe-path /
My .gdbinit from the repo:
set endian little
set architecture arm << replace "arm" with "aarch64" for arm64 !!
target remote :1234
- Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !
- Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
- Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
- Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
- Read book "A Bug Hunter's Diary" By Tobias Klein
MIT License (Share, modify and use as you like, but refer to the original author !)