Recently I have tried for the first time an Arm pwn, a simple program vulnerable to buffer overflow. The only difference between an Arm pwn and a “normal” binary is the assembly code, but look this for see how exploit it. Here you can download the binary and source code.
First check that I have tried is checksec for see which protections this pwn implements:
the result is:
Ok, it is an Arm 32 bit with partial RELRO, stack not executable and without canary and pie. Now let’s see the execution, for run this binary on my machine (an Ubuntu 16.04 64 bit) I have used qemu-arm, for simulate an arm environment, using the libc and other library for arm that are in /usr/arm-linux-gnueabihf:
The result execution is:
Ok, maybe this program take a file root.txt for read it. Let’s see in more detail what it does using radare2.
Now type “vv” in radare for see all binary functions:
Yep, there is “get_password” function, maybe this function is used for open root.txt file. Let’s see this function in detail:
How can see, this three lines are used for open the file “/root/pwn/root.txt”. Try now to create this file in our “/root” directory and run the binary:
Ok, now try with a big input:
Ok, a segmentation fault occur! Let’s see what happened:
Oh yeah, how can see, the program counter point at 0x41414140 that is “AAA@”. Now for exploit it we can use a simple ret2libc. This program we will test it on Raspberry Pi, that has a 32 bit arm processor.
Therefore summarize the important points for use a ret2libc:
- First step: leak an address of libc, because I assume that there is aslr enable. For this purpose I can use puts function of libc for print an arbitrary address of the GOT table.
- Second step: now, using the address leaked, I can determine the libc version, but this step is optional because I already have the libc (I can download it from my Raspberry).
- Third step: can now calculate the base address of libc and then calculate the address of system and “/bin/sh”.
- Fourth step: now I put all these concept on script and exploit it!
But remember that the binary is 32 bit, then we can exploit it using a bruteforce of the libc system and bin sh addresses without leak any address! We can use gdb on Raspberry Pi for examine the addresses:
Cool, now we have the address of system function that is at 0x76eba598, now search where is bin sh:
Ok, bin sh is at 0x76fabed0. Now, next step is use ROP gadget to jump in system function. Normally, in 64 bit binary, the argument must be insert into rdi register, and the “ret” opcode jump in address that is in top of the stack. In an Arm binary the return address must be in “pc” register and the argument in “r0” register. Now we’re looking for a gadget using ROPGadget:
There are many gadgets but the interesting ones are:
Why these three? Because with pop {r3,pc} we put into r3 the address of system, and into pc the next gadget 0x00010788. With the second gadget we put in r7 the address of the bin sh string and in pc the address of the next gadget 0x00010778. Finally we move the address of bin sh in r0 and call the address that there is in r3 using blx r3 (call r3 in normal 64 bit). Whit this sequence we can alter the flow of program and open a shell!
Now, write a script for this purpose:
Note that we have add 0xFFFFFFFF in our payload for dummy data, request by second gadget. Now jump in Raspberry and run it!
Note that we have used while true for bruteforce asrl. Finally, after some iteration, we have spawn a shell!
Pwned it! 😉
Leave A Comment