exploit_me: Very vulnerable ARM application (CTF style exploitation tutorial)
Very vulnerable ARM/ARM64 application (CTF-style exploitation tutorial for ARM/ARM64, but portable to other platforms).
Why:
Some of my friends asked me whether I could put together some examples of exploitable code I have seen in the real world over the past years on ARM and other platforms.
So, for training purposes, I thought: why not 🙂
Current vulnerabilities:
Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Basic ROP
Level 13: Use-after-free
Usage hints:
- To check that it runs: "qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit"
- Example debugging session:
$ sudo ./disableaslr.sh
(Disables ASLR; skip this step if you want more of a challenge. The directory path dir1/dir2 must exist in the current exploit directory for the Path Traversal level.)
In the first terminal:
$ qemu-arm-static -L /usr/arm-linux-gnueabi/ -g 1234 ./exploit [levelpassword] [options]
In the second terminal (make sure .gdbinit is in the same directory):
$ gdb-multiarch ./exploit
GDB Basics:
- After you have exploited a level correctly, you will see the password for the next level. So if the level 2 password were "Level2":
$ qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit Level2
- For cheaters, or for people trying to understand a level with less instruction-set knowledge: see the solutions and source code in exploit.cpp
- More solutions are possible (even with ROP chains); my example solutions are not the only ones.
- Some hints are printed to the console (an information leak you normally would not have). They make things easier for beginners, which is why I added them.
- For cross-compiling the code for ARM:
$ arm-linux-gnueabi-g++ -fno-stack-protector exploit.cpp -o exploit
Copyright (c) 2018 Bjoern Kerler