This project is forked from bkerler/exploit_me.

exploit_me

Very vulnerable ARM/ARM64 application (CTF style exploitation tutorial for ARM/ARM64, but portable to other platforms)

(c) B.Kerler 2018

Why:

Some of my friends asked me if I could do some examples of the exploitable stuff I've seen in the real world over the past years for ARM/ARM64/others.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Basic ROP
Level 13: Use-after-free

Quick-start using Vagrant VM (based on Lubuntu 18.04):

  1. Get and install VirtualBox (https://www.virtualbox.org)

  2. Get and install Vagrant (https://www.vagrantup.com)

  3. In any directory:

    Install the virtual machine on the host:

    $ vagrant init bkerler/reversing

    Start the virtual machine on the host (the first start takes some time to download and initialise the box):

    $ vagrant up

    For each session, on the host:

    $ vagrant ssh

    Time to do exploit training on the guest (the password for user vagrant is "vagrant"):

    *** ARM32

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh
    vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm exploit hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit

    *** ARM64

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./disableaslr.sh
    vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm64 ./exploit64 hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit64

    Once you're done on the guest:

    vagrant@vagrant-VirtualBox:~$ logout

    To reset any changes:

    $ vagrant destroy

    or to keep changes:

    $ vagrant halt

Usage hints:

  • To check that it works:

    *** 32-Bit:

    $ ./exploit

    *** 64-Bit:

    $ ./exploit64

  • Example debugging session:

    $ sudo ./disableaslr.sh

    This disables ASLR; skip it if you want more of a challenge. The directory path dir1/dir2 must exist in the current exploit directory for the Path Traversal level.

    In the first terminal:

    *** 32-Bit:

    $ ./arm exploit [levelpassword] [options] &
    $ gdb-multiarch ./exploit

    Make sure the architecture in .gdbinit is set to "arm".

    *** 64-Bit:

    $ ./arm64 exploit64 [levelpassword] [options] &
    $ gdb-multiarch ./exploit64

    Make sure the architecture in .gdbinit is set to "aarch64".

  • GDB basics:

    Use
    "si" to step into functions,
    "so" to step over functions,
    "info functions" to print all functions,
    "p [function]" to print a function's address and information, if symbols exist,
    "b [function]" to set a breakpoint (for example "b main"), or "b *0x1234" to set a breakpoint at address 0x1234,
    "c" to continue the program,
    "x/[dwords]x" to examine memory at an address, for example "x/4x 0x1234", and
    "x/[dwords]x $reg" to examine memory at the address held in a register, for example "x/4x $sp".

    With pwndbg, you can use
    "rop" to list ROP gadgets, for example "rop --grep 'pop {r3'" to list gadgets that pop values from the stack into r3.
    See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details!

  • After you've exploited a level correctly, you will see the password for the next level. So if the level 2 password were "Level2":

    *** 32-Bit:

    $ ./exploit Level2

    *** 64-Bit:

    $ ./exploit64 Level2

  • For cheaters, or for people who want to understand the levels with less instruction-set knowledge:

    See the solutions and source code in exploit.cpp

  • More solutions are possible, even with ROP chains, not just the example solutions I give.

  • Some hints are printed to the console (an information leak) that you normally wouldn't have; they make things easier for beginners, which is why I added them.

Manual installation (if you don't trust Vagrant):

In the commands below, use "python" and "pip" for Python 2.x, or "python3" and "pip3" for Python 3.x (preferred).

Example: sudo pip install capstone for Python 2.x, or sudo pip3 install capstone for Python 3.x

  1. Basic install (tested with Ubuntu/Lubuntu 17.10 64-bit)

    $ sudo apt-get update
    $ sudo apt-get install gdb-multiarch
    $ sudo apt-get install python2.7 python-dev python3 python3-dev python-pip python3-pip git libssl-dev libffi-dev build-essential
    $ pip install --upgrade capstone
    $ sudo apt-get install qemu binfmt-support qemu-user-binfmt
    $ sudo systemctl restart systemd-binfmt
    $ sudo apt-get install python-capstone python3-capstone
    $ sudo apt-get install libncurses5-dev

    If you want to cross-compile:

    *** ARM

    $ sudo apt-get install g++-arm-linux-gnueabi
    $ sudo apt-get install gcc-arm-linux-gnueabi
    $ ./compile32.sh

    *** ARM64

    $ sudo apt-get install gcc-aarch64-linux-gnu
    $ sudo apt-get install g++-aarch64-linux-gnu
    $ ./compile64.sh

    Remove -fno-stack-protector from the compile scripts for more of a challenge. Add -marm to prevent compiling in Thumb mode.

  2. Install the latest ROPgadget:

    $ git clone https://github.com/JonathanSalwan/ROPgadget
    $ cd ROPgadget && python setup.py install && cd ..

  3. Install the latest pwndbg:

    $ git clone https://github.com/pwndbg/pwndbg
    $ cd pwndbg && python setup.py install && cd ..

  4. Install pwntools (note: currently the Python 3 version doesn't work, thanks zachriggle):

    $ pip install --upgrade pip
    $ pip install --upgrade pwntools

Add this to .gdbinit in your home directory:

    set auto-load safe-path /

My .gdbinit from the repo:

    set endian little
    set architecture arm    # replace "arm" with "aarch64" for arm64!
    target remote :1234
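The README asks you to hand-edit the architecture line in .gdbinit whenever you switch between ./exploit and ./exploit64. The script below, an added example that is not part of the exploit_me repo, reads the e_machine field of the target ELF and emits the same three-line .gdbinit with "arm" or "aarch64" filled in; the function names, the optional port argument and the constructed sample header are assumptions of this example.

```shell
#!/bin/sh
# Generate the repo-style .gdbinit for the ELF you are about to debug,
# choosing "arm" or "aarch64" from the ELF header instead of editing by hand.
# Added example, not a script from exploit_me; names and sample data are assumptions.

# Read e_machine: the 16-bit little-endian field at offset 18 of the ELF header.
# Prints the two bytes as four lowercase hex digits, e.g. "2800" for EM_ARM.
elf_machine() {
    od -An -tx1 -j18 -N2 "$1" | tr -d ' \n'
}

# Map e_machine to the value gdb-multiarch expects after "set architecture".
# Returns 1 for anything that is not one of the two targets in this tutorial.
gdb_arch_for() {
    case "$(elf_machine "$1")" in
        2800) echo arm ;;       # EM_ARM (0x28): ./exploit
        b700) echo aarch64 ;;   # EM_AARCH64 (0xB7): ./exploit64
        *)    return 1 ;;
    esac
}

# Print the three lines of the README's .gdbinit with the matching architecture.
# $1 = target ELF, $2 = optional qemu gdb stub port (default 1234 as in the README).
write_gdbinit() {
    arch=$(gdb_arch_for "$1") || { echo "unsupported ELF machine in $1" >&2; return 1; }
    printf 'set endian little\nset architecture %s\ntarget remote :%s\n' "$arch" "${2:-1234}"
}

if [ $# -gt 0 ]; then
    # Real use: sh gen_gdbinit.sh ./exploit64 > .gdbinit
    write_gdbinit "$@"
else
    # Self-demo on a constructed 20-byte ELF header (EM_ARM); no real binary needed.
    demo=$(mktemp)
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\050\000' > "$demo"
    write_gdbinit "$demo"
    rm -f "$demo"
fi
```

Pointing it at a binary that is neither ARM nor AArch64 (for example the host's own /bin/ls) makes it fail with a message instead of silently writing a wrong architecture.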

ToDo:

  • I will add other vulnerabilities as I see them or have spare time (for example a multi-thread vulnerability). But if you want to add some, I'd be happy to provide!

Some references for ARM reversing beginners:

  • Learn some ARM assembly basics and shellcode stuff over here: https://azeria-labs.com/
  • Get the book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and watch his YouTube tutorial videos
  • Read the blog series "ARM exploitation for IoT", parts 1 to 3: https://quequero.org/category/security/
  • Read the book "A Bug Hunter's Diary" by Tobias Klein

License:

MIT License (share, modify and use as you like, but refer to the original author!)
