Skip to content
/ exploit_me Public
forked from bkerler/exploit_me

Very vulnerable ARM application (CTF style exploitation tutorial)

License

MIT license
1 star 136 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

CunningLogic/exploit_me

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
vagrant
vagrant
 
 
.gdbinit
.gdbinit
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
disableaslr.sh
disableaslr.sh
 
 
exploit
exploit
 
 
exploit.cpp
exploit.cpp
 
 

Repository files navigation

exploit_me

Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms)

Why:

Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/others.

So, for training purposes, I thought: Why not :)

Installation (just recommended setup, not needed for exploitation):

Use either "python" or "pip" for python 2.x or "python3" or "pip3" accordingly for python 3.x (preferred)

Example: sudo pip install capstone for python 2.x or sudo pip3 install capstone for python 3.x

  1. Basic install (tested with Ubuntu/LUbuntu 17.10 64Bit)

     $ sudo apt-get update
 $ sudo apt-get install gdb-multiarch
 $ sudo apt-get install python2.7 python-dev python3 python3-dev python-pip python3-pip git libssl-dev libffi-dev build-essential
 $ pip install --upgrade capstone
 $ sudo apt-get install qemu-system-arm
 $ sudo apt-get install qemu-user-static
 $ sudo apt-get install python-capstone python3-capstone

    If you want to crosscompile:

    $ sudo apt-get install libc6-armel-cross libc6-dev-armel-cross
$ sudo apt-get install binutils-arm-linux-gnueabi
$ sudo apt-get install libncurses5-dev
$ sudo apt-get install gcc-arm-linux-gnueabi
$ sudo apt-get install g++-arm-linux-gnueabi

  2. Install latest ROPgadget:

    $ git clone https://github.com/JonathanSalwan/ROPgadget
$ cd ROPgadget && python setup.py install && cd ..

  3. Install latest pwndbg:

    $ git clone https://github.com/pwndbg/pwndbg
$ cd pwndbg && python setup.py install && cd ..

  4. Install pwntools:

    $ pip install --upgrade pip
$ pip install --upgrade pwntools

Add this to .gdbinit in home directory:

set auto-load safe-path /

My .gdbinit from the repo:

set endian little
set architecture arm
target remote :1234

Usage:

  • For cross-compiling the code for ARM:

     $ arm-linux-gnueabi-g++ -fno-stack-protector exploit.cpp -o exploit

    (Remove -fno-stack-protector for more fun)

  • For trying if it works : "qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit"

  • Example debugging session:

    $ sudo ./disableaslr.sh

    (Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)

    In first terminal:

    $ qemu-arm-static -L /usr/arm-linux-gnueabi/ -g 1234 ./exploit [levelpassword] [options]

    In second terminal (make sure .gdbinit is in the same directory):

    $ gdb-multiarch ./exploit

  • GDB Basics: Use "si" to step into functions or "so" to step over functions, "info functions" to print all functions, "b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, "c" to continue program, "x/[dwords]x" to print offsets, for example "x/4x 0x1234" and "x/[dwords]x $reg" to print register contents, for example "x/4x $sp". Using pwndbg, you can use "rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !

  • After you've exploited correctly, you will see the password for the next level So if level2 password would be "Level2":

    $ qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit Level2

  • For cheaters or people trying to understand with less instruction knowledge : See solution and source code in exploit.cpp

  • There are more solutions possible, even with rop chains, not just mine

  • There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it

Quick-start using Vagrant VM (based on Lubuntu 17.10):

  1. Get and install VirtualBox (https://www.virtualbox.org)

  2. Get and install Vagrant (https://www.vagrantup.com)

  3. In any directory:

    Install virtual machine

    $ vagrant box add bkerler/reversing
$ vagrant init exploitbox

    Start virtual machine (Will take some time to download and init on first start)

    $ vagrant up

    For each session

    $ vagrant ssh
vagrant@vagrant-VirtualBox:~$ su exploit
exploit@vagrant-VirtualBox:~$ cd exploit_me

    Time to do exploit training

    exploit@vagrant-VirtualBox:~/exploit_me$ qemu-arm-static -L /usr/arm-linux-gnueabi/ -g 1234 ./exploit hello &
exploit@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit

    Once you're done :

    exploit@vagrant-VirtualBox:~$ logout

To reset any changes :

    $ vagrant destroy

    or to keep changes :

    $ vagrant halt

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal

ToDo:

  • Will add other vulnerabilities as I see them or have spare time (multi-thread and use-after-free vulnerabilities missing will follow soon)
  • Port to ARM64

License:

MIT License (Share, modify and use as you like, but refer to the original author !)

About

Very vulnerable ARM application (CTF style exploitation tutorial)

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 90.3%
  • Ruby 8.8%
  • Other 0.9%