Skip to content

Very vulnerable ARM application (CTF style exploitation tutorial)

License

Notifications You must be signed in to change notification settings

netscylla/exploit_me

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

exploit_me

Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)

Why:

Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/others.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Basic ROP
Level 13: Use-after-free

Quick-start using Vagrant VM (based on Lubuntu 17.10):

  1. Get and install VirtualBox (https://www.virtualbox.org)

  2. Get and install Vagrant (https://www.vagrantup.com)

  3. In any directory:

    Install virtual machine on host

    $ vagrant init bkerler/reversing
    

    Start virtual machine (Will take some time to download and init on first start) on host

    $ vagrant up
    

    For each session on host

    $ vagrant ssh
    

    Time to do exploit training on Guest (Password for user vagrant is "vagrant")

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh
    vagrant@vagrant-VirtualBox:~/exploit_me$ qemu-arm-static -L /usr/arm-linux-gnueabi/ -g 1234 ./exploit hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit
    

    Once you're done on Guest:

    vagrant@vagrant-VirtualBox:~$ logout
    

    To reset any changes :

    $ vagrant destroy 
    

    or to keep changes :

    $ vagrant halt
    

Usage hints:

  • For trying if it works : "qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit"

  • Example debugging session:

    $ sudo ./disableaslr.sh
    

    (Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)

    In first terminal:

    $ qemu-arm-static -L /usr/arm-linux-gnueabi/ -g 1234 ./exploit [levelpassword] [options]
    

    In second terminal (make sure .gdbinit is in the same directory):

    $ gdb-multiarch ./exploit
    
  • GDB Basics:

    Use 
    "si" to step into functions or 
    "so" to step over functions, 
    "info functions" to print all functions, 
    "b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, 
    "c" to continue program, 
    "x/[dwords]x" to print offsets, for example "x/4x 0x1234" and 
    "x/[dwords]x $reg" to print register contents, for example "x/4x $sp". 
    
    Using pwndbg, you can use 
    "rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. 
    See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
    
  • After you've exploited correctly, you will see the password for the next level. So if level2 password would be "Level2":

    $ qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit Level2
    
  • For cheaters or people trying to understand with less instruction knowledge :

    See solution and source code in exploit.cpp
    
  • There are more solutions possible, even with rop chains, not just my example solutions given

  • There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it

  • For cross-compiling the code for ARM:

     $ arm-linux-gnueabi-g++ -fno-stack-protector exploit.cpp -o exploit
    

    (Remove -fno-stack-protector for more fun)

Manual installation (if you don't trust vagrant):

Use either "python" or "pip" for python 2.x or "python3" or "pip3" accordingly for python 3.x (preferred)

Example: sudo pip install capstone for python 2.x or sudo pip3 install capstone for python 3.x

  1. Basic install (tested with Ubuntu/LUbuntu 17.10 64Bit)

    $ sudo apt-get update
    $ sudo apt-get install gdb-multiarch
    $ sudo apt-get install python2.7 python-dev python3 python3-dev python-pip python3-pip git libssl-dev libffi-dev build-essential
    $ pip install --upgrade capstone
    $ sudo apt-get install qemu-system-arm
    $ sudo apt-get install qemu-user-static
    $ sudo apt-get install python-capstone python3-capstone
    

    If you want to crosscompile:

    $ sudo apt-get install libc6-armel-cross libc6-dev-armel-cross
    $ sudo apt-get install binutils-arm-linux-gnueabi
    $ sudo apt-get install libncurses5-dev
    $ sudo apt-get install gcc-arm-linux-gnueabi
    $ sudo apt-get install g++-arm-linux-gnueabi
    
  2. Install latest ROPgadget:

    $ git clone https://github.com/JonathanSalwan/ROPgadget
    $ cd ROPgadget && python setup.py install && cd ..
    
  3. Install latest pwndbg:

    $ git clone https://github.com/pwndbg/pwndbg
    $ cd pwndbg && python setup.py install && cd ..
    
  4. Install pwntools (Note, currently Python3 version doesn't work !, thanks zachriggle):

    $ pip install --upgrade pip
    $ pip install --upgrade pwntools
    

Add this to .gdbinit in home directory:

set auto-load safe-path /

My .gdbinit from the repo:

set endian little
set architecture arm
target remote :1234

ToDo:

  • Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !
  • Port to ARM64

Some referrals to ARM reversing beginners :

  • Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
  • Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
  • Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
  • Read book "A Bug Hunter's Diary" By Tobias Klein

License:

MIT License (Share, modify and use as you like, but refer to the original author !)

About

Very vulnerable ARM application (CTF style exploitation tutorial)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 92.5%
  • Ruby 6.8%
  • Other 0.7%