My first Arm pwn14 min read

Recently I have tried for the first time an Arm pwn, a simple program vulnerable to buffer overflow. The only difference between an Arm pwn and a “normal” binary is the assembly code, but look this for see how exploit it. Here you can download the binary and source code.

First check that I have tried is checksec for see which protections this pwn implements:

Copy to Clipboard

the result is:

Copy to Clipboard

Ok, it is an Arm 32 bit with partial RELRO, stack not executable and without canary and pie. Now let’s see the execution, for run this binary on my machine (an Ubuntu 16.04 64 bit) I have used qemu-arm, for simulate an arm environment, using the libc and other library for arm that are in /usr/arm-linux-gnueabihf:

Copy to Clipboard

The result execution is:

Copy to Clipboard

Ok, maybe this program take a file root.txt for read it. Let’s see in more detail what it does using radare2.

Copy to Clipboard

Now type “vv” in radare for see all binary functions:

Copy to Clipboard

Yep, there is “get_password” function, maybe this function is used for open root.txt file. Let’s see this function in detail:

Copy to Clipboard

How can see, this three lines are used for open the file “/root/pwn/root.txt”. Try now to create this file in our “/root” directory and run the binary:

Copy to Clipboard

Ok, now try with a big input:

Copy to Clipboard

Ok, a segmentation fault occur! Let’s see what happened:

Copy to Clipboard

Oh yeah, how can see, the program counter point at 0x41414140 that is “AAA@”. Now for exploit it we can use a simple ret2libc. This program we will test it on Raspberry Pi, that has a 32 bit arm processor.

Therefore summarize the important points for use a ret2libc:

  • First step: leak an address of libc, because I assume that there is aslr enable. For this purpose I can use puts function of libc for print an arbitrary address of the GOT table.
  • Second step: now, using the address leaked, I can determine the libc version, but this step is optional because I already have the libc (I can download it from my Raspberry).
  • Third step: can now calculate the base address of libc and then calculate the address of system and “/bin/sh”.
  • Fourth step: now I put all these concept on script and exploit it!

But remember that the binary is 32 bit, then we can exploit it using a bruteforce of the libc system and bin sh addresses without leak any address! We can use gdb on Raspberry Pi for examine the addresses:

Copy to Clipboard

Cool, now we have the address of system function that is at 0x76eba598, now search where is bin sh:

Copy to Clipboard

Ok, bin sh is at 0x76fabed0. Now, next step is use ROP gadget to jump in system function. Normally, in 64 bit binary, the argument must be insert into rdi register, and the “ret” opcode jump in address that is in top of the stack. In an Arm binary the return address must be in “pc” register and the argument in “r0” register. Now we’re looking for a gadget using ROPGadget:

Copy to Clipboard

There are many gadgets but the interesting ones are:

Copy to Clipboard

Why these three? Because with pop {r3,pc} we put into r3 the address of system, and into pc the next gadget 0x00010788. With the second gadget we put in r7 the address of the bin sh string and in pc the address of the next gadget 0x00010778. Finally we move the address of bin sh in r0 and call the address that there is in r3 using blx r3 (call r3 in normal 64 bit). Whit this sequence we can alter the flow of program and open a shell!

Now, write a script for this purpose:

Copy to Clipboard

Note that we have add 0xFFFFFFFF in our payload for dummy data, request by second gadget. Now jump in Raspberry and run it!

Copy to Clipboard

Note that we have used while true for bruteforce asrl. Finally, after some iteration, we have spawn a shell!

Copy to Clipboard

Pwned it! 😉

Recent Tweets

For privacy reasons Twitter needs your permission to be loaded.
I Accept
2018-08-17T21:48:52+00:00

About the Author:

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.