exploit_me

Very vulnerable ARM/ARM64[AARCH64] application (CTF style exploitation tutorial, portable to other platforms)

Why:

Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Return oriented programming (ROP)
Level 13: Use-after-free
Level 14: Jump oriented programming (JOP)

Install on Debian/Ubuntu System:

Download the repo

git clone https://github.com/bkerler/exploit_me

Install needed tools on host (Ubuntu)

~$ cd exploit_me
~/exploit_me $ ./script/setup.sh

Usage hints:

See hints.txt for a start.
For trying if it works : *** 32-Bit:
```
$ ./bin/exploit
```
*** 64-Bit:
```
$ ./bin/exploit64
```

Example debugging session:

$ sudo ./scripts/disableaslr.sh

(Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)

In first terminal:

*** 32-Bit:

$ ./bin/arm exploit [levelpassword] [options] &
$ gdb-multiarch ./exploit
pwndbg> set architecture arm

instead you can also add architecture in .gdbinit as "set architecture arm"

*** 64-Bit:

$ ./arm64 exploit64 [levelpassword] [options] &
$ gdb-multiarch ./exploit64
pwndbg> set architecture aarch64

instead you can also add architecture in .gdbinit as "set architecture aarch64"

*** Example .gdbinit

set endian little
#set architecture arm
#set architecture aarch64
target remote :1234

GDB Basics:

Use 
"si" to step into functions or 
"so" to step over functions, 
"info functions" to print all functions,
"p [function]" to print function address and information, if symbols exist
"b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, 
"c" to continue program, 
"x/[dwords]x" to print offsets, for example "x/4x 0x1234" and 
"x/[dwords]x $reg" to print register contents, for example "x/4x $sp". 
Using pwndbg, you can use 
"rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. 
See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !

After you've exploited correctly, you will see the password for the next level. So if level2 password would be "Level2": *** 32-Bit:
```
$ ./bin/exploit Level2
```
*** 64-Bit:
```
$ ./bin/exploit64 Level2
```
For cheaters or people trying to understand with less instruction knowledge :
```
See solutions/solutions.txt and source code in src/exploit.cpp
```
There are more solutions possible, even with rop chains, not just my example solutions given
There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it

ToDo:

Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !

Some referrals to ARM reversing beginners :

Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
Read book "A Bug Hunter's Diary" By Tobias Klein
Read ARMv8 (AARCH64) Opcode Manual : https://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdf

License:

MIT License (Share, modify and use as you like, but refer to the original author !)

bkerler/exploit_me

bkerler

Reviews

Repository Details