Skip to content

Very vulnerable ARM application (CTF style exploitation tutorial)

License

Notifications You must be signed in to change notification settings

iWangyongbo/exploit_me

 
 

Repository files navigation

exploit_me

Very vulnerable ARM/ARM64 application (CTF style exploitation tutorial for ARM/ARM64, but portable to other platforms)

(c) B.Kerler 2018

Why:

Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64/others.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Basic ROP
Level 13: Use-after-free

Quick-start using Vagrant VM (based on Lubuntu 18.04):

  1. Get and install VirtualBox (https://www.virtualbox.org)

  2. Get and install Vagrant (https://www.vagrantup.com)

  3. In any directory:

    Install virtual machine on host

    $ vagrant init bkerler/reversing
    

    Start virtual machine (Will take some time to download and init on first start) on host

    $ vagrant up
    

    For each session on host

    $ vagrant ssh
    

    Time to do exploit training on Guest (Password for user vagrant is "vagrant")

    *** ARM32

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh
    vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm exploit hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit
    

    *** ARM64

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh
    vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm64 ./exploit64 hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit64
    

    Once you're done on Guest:

    vagrant@vagrant-VirtualBox:~$ logout
    

    To reset any changes :

    $ vagrant destroy 
    

    or to keep changes :

    $ vagrant halt
    

Usage hints:

  • For trying if it works : *** 32-Bit:

    $ ./exploit
    

    *** 64-Bit:

    $ ./exploit64
    
  • Example debugging session:

    $ sudo ./disableaslr.sh
    

    (Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)

    In first terminal:

    *** 32-Bit:

    $ ./arm exploit [levelpassword] [options] &
    $ gdb-multiarch ./exploit
    

    Make sure to set architecture in .gdbinit to "arm"

    *** 64-Bit:

    $ ./arm64 exploit64 [levelpassword] [options] &
    $ gdb-multiarch ./exploit64
    

    Make sure to set architecture in .gdbinit to "aarch64"

  • GDB Basics:

    Use 
    "si" to step into functions or 
    "so" to step over functions, 
    "info functions" to print all functions,
    "p [function]" to print function address and information, if symbols exist
    "b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, 
    "c" to continue program, 
    "x/[dwords]x" to print offsets, for example "x/4x 0x1234" and 
    "x/[dwords]x $reg" to print register contents, for example "x/4x $sp". 
    
    Using pwndbg, you can use 
    "rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. 
    See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
    
  • After you've exploited correctly, you will see the password for the next level. So if level2 password would be "Level2": *** 32-Bit:

    $ ./exploit Level2
    

    *** 64-Bit:

    $ ./exploit64 Level2
    
  • For cheaters or people trying to understand with less instruction knowledge :

    See solution and source code in exploit.cpp
    
  • There are more solutions possible, even with rop chains, not just my example solutions given

  • There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it

Manual installation (if you don't trust vagrant):

Use either "python" or "pip" for python 2.x or "python3" or "pip3" accordingly for python 3.x (preferred)

Example: sudo pip install capstone for python 2.x or sudo pip3 install capstone for python 3.x

  1. Basic install (tested with Ubuntu/LUbuntu 17.10 64Bit)

    $ sudo apt-get update
    $ sudo apt-get install gdb-multiarch
    $ sudo apt-get install python2.7 python-dev python3 python3-dev python-pip python3-pip git libssl-dev libffi-dev build-essential
    $ pip install --upgrade capstone
    $ sudo apt-get install qemu binfmt-support qemu-user-binfmt
    $ sudo systemctl restart systemd-binfmt
    $ sudo apt-get install python-capstone python3-capstone
    $ sudo apt-get install libncurses5-dev
    

    If you want to crosscompile:

    *** ARM

    $ sudo apt-get install g++-arm-linux-gnueabi
    $ sudo apt-get install gcc-arm-linux-gnueabi
    $ ./compile32.sh
    

    *** ARM64

    $ sudo apt-get install gcc-aarch64-linux-gnu
    $ sudo apt-get install g++-aarch64-linux-gnu
    $ ./compile64.sh
    

(Remove -fno-stack-protector for more fun) Add -marm to prevent compiling in thumb mode

  1. Install latest ROPgadget:

    $ git clone https://github.com/JonathanSalwan/ROPgadget
    $ cd ROPgadget && python setup.py install && cd ..
    
  2. Install latest pwndbg:

    $ git clone https://github.com/pwndbg/pwndbg
    $ cd pwndbg && python setup.py install && cd ..
    
  3. Install pwntools (Note, currently Python3 version doesn't work !, thanks zachriggle):

    $ pip install --upgrade pip
    $ pip install --upgrade pwntools
    

Add this to .gdbinit in home directory:

set auto-load safe-path /

My .gdbinit from the repo:

set endian little
set architecture arm << replace "arm" with "aarch64" for arm64 !!
target remote :1234

ToDo:

  • Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !

Some referrals to ARM reversing beginners :

  • Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
  • Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
  • Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
  • Read book "A Bug Hunter's Diary" By Tobias Klein

License:

MIT License (Share, modify and use as you like, but refer to the original author !)

About

Very vulnerable ARM application (CTF style exploitation tutorial)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 91.1%
  • Ruby 6.7%
  • Shell 1.9%
  • GDB 0.3%