DEV Community

hextrace
hextrace

Posted on • Edited on

ARM shellcode

Lets transform the hello world code we wrote in the previous blog entry into a shellcode.

To remove all null bytes, we'll switch to THUMB mode. We also must find or apply some known tricks (e.g. init a register with zero).

This is our hello world in thumb without null bytes:

root@azeria-labs-arm:~/arm/hello# cat hello.s
.text
.global _start

_start:
    .code 32
    add r6, pc, #1
    bx r6

    .code 16
    mov r2, #6      @ strlen
    mov r1, pc      @ load pc
    add r1, #14     @ add str offset from pc
    mov r0, #1      @ stdout
    mov r7, #4      @ nr_write
    svc #1          @ syscall

    sub r4, r4, r4  @ r4 = 0
    mov r0, r4      @ exit 0
    mov r7, #1      @ nr_exit
    svc #1

.asciz "hello\n"    @ null terminated string
Enter fullscreen mode Exit fullscreen mode

We can assemble it and verify it has no null bytes:

root@azeria-labs-arm:~/arm/hello# as hello.s -o hello.o -mthumb
root@azeria-labs-arm:~/arm/hello# objdump -d hello.o

hello.o:     file format elf32-littlearm


Disassembly of section .text:

00000000 <_start>:
   0:   e28f6001    add r6, pc, #1
   4:   e12fff16    bx  r6
   8:   2206        movs    r2, #6
   a:   4679        mov r1, pc
   c:   310e        adds    r1, #14
   e:   2001        movs    r0, #1
  10:   2704        movs    r7, #4
  12:   df01        svc 1
  14:   1b24        subs    r4, r4, r4
  16:   1c20        adds    r0, r4, #0
  18:   2701        movs    r7, #1
  1a:   df01        svc 1
  1c:   6c6c6568    .word   0x6c6c6568
  20:   0a6f        .short  0x0a6f
    ...
Enter fullscreen mode Exit fullscreen mode

Ok let's try it:

root@azeria-labs-arm:~/arm/hello# ld hello.o -o hello
root@azeria-labs-arm:~/arm/hello# ./hello
hello
Enter fullscreen mode Exit fullscreen mode

Good now let's try to execute it from C code. First we retrieve opcodes:

root@azeria-labs-arm:~/arm/hello# objcopy -O binary hello.o hello.bin
root@azeria-labs-arm:~/arm/hello# xxd -i hello.bin
unsigned char hello_bin[] = {
  0x01, 0x60, 0x8f, 0xe2, 0x16, 0xff, 0x2f, 0xe1, 0x06, 0x22, 0x79, 0x46,
  0x0e, 0x31, 0x01, 0x20, 0x04, 0x27, 0x01, 0xdf, 0x24, 0x1b, 0x20, 0x1c,
  0x01, 0x27, 0x01, 0xdf, 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x0a, 0x00, 0x00
};
unsigned int hello_bin_len = 36;
root@azeria-labs-arm:~/arm/hello# hexdump -v -e ' "\\x" 1/1 "%02x"' hello.bin 
\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x06\x22\x79\x46\x0e\x31\x01\x20\x04\x27\x01\xdf\x24\x1b\x20\x1c\x01\x27\x01\xdf\x68\x65\x6c\x6c\x6f\x0a\x00\x00
Enter fullscreen mode Exit fullscreen mode

We can directly use that hello.bin in odzhan/shellcode:

root@azeria-labs-arm:~/arm/hello# ~/shellcode/runsc -f ./hello.bin -x

[ run shellcode v0.2
[ reading code from ./hello.bin
[ executing code...hello
Enter fullscreen mode Exit fullscreen mode

We now have a valid shellcode, ready to be used within string manipulation functions such as srtcpy or fgets as we encountered previously in this series.

Top comments (0)