Skip to content

Latest commit

 

History

History
executable file
·
143 lines (124 loc) · 4.34 KB

README.md

File metadata and controls

executable file
·
143 lines (124 loc) · 4.34 KB

exploit_me

Very vulnerable ARM/ARM64[AARCH64] application (CTF style exploitation tutorial, portable to other platforms)

(c) B.Kerler 2018-2020

Why:

Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Return oriented programming (ROP)
Level 13: Use-after-free
Level 14: Jump oriented programming (JOP)

Install on Debian/Ubuntu System:

Download the repo

git clone https://github.com/bkerler/exploit_me

Install needed tools on host (Ubuntu)

~$ cd exploit_me
~/exploit_me $ ./script/setup.sh

Usage hints:

  • See hints.txt for a start.

  • For trying if it works : *** 32-Bit:

    $ ./bin/exploit
    

    *** 64-Bit:

    $ ./bin/exploit64
    
  • Example debugging session:

    $ sudo ./scripts/disableaslr.sh
    

    (Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)

    In first terminal:

    *** 32-Bit:

    $ ./bin/arm exploit [levelpassword] [options] &
    $ gdb-multiarch ./exploit
    pwndbg> set architecture arm
    
    instead you can also add architecture in .gdbinit as "set architecture arm"
    

    *** 64-Bit:

    $ ./arm64 exploit64 [levelpassword] [options] &
    $ gdb-multiarch ./exploit64
    pwndbg> set architecture aarch64
    

    instead you can also add architecture in .gdbinit as "set architecture aarch64"

    *** Example .gdbinit

    set endian little
    #set architecture arm
    #set architecture aarch64
    target remote :1234
    
    
  • GDB Basics:

    Use 
    "si" to step into functions or 
    "so" to step over functions, 
    "info functions" to print all functions,
    "p [function]" to print function address and information, if symbols exist
    "b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, 
    "c" to continue program, 
    "x/[dwords]x" to print offsets, for example "x/4x 0x1234" and 
    "x/[dwords]x $reg" to print register contents, for example "x/4x $sp". 
    Using pwndbg, you can use 
    "rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. 
    See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
    
  • After you've exploited correctly, you will see the password for the next level. So if level2 password would be "Level2": *** 32-Bit:

    $ ./bin/exploit Level2
    

    *** 64-Bit:

    $ ./bin/exploit64 Level2
    
  • For cheaters or people trying to understand with less instruction knowledge :

    See solutions/solutions.txt and source code in src/exploit.cpp
    
  • There are more solutions possible, even with rop chains, not just my example solutions given

  • There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it

ToDo:

  • Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !

Some referrals to ARM reversing beginners :

License:

MIT License (Share, modify and use as you like, but refer to the original author !)