Lets transform the hello world code we wrote in the previous blog entry into a shellcode.
To remove all null bytes, we'll switch to THUMB mode. We also must find or apply some known tricks (e.g. init a register with zero).
This is our hello world in thumb without null bytes:
root@azeria-labs-arm:~/arm/hello# cat hello.s
.text
.global _start
_start:
.code 32
add r6, pc, #1
bx r6
.code 16
mov r2, #6 @ strlen
mov r1, pc @ load pc
add r1, #14 @ add str offset from pc
mov r0, #1 @ stdout
mov r7, #4 @ nr_write
svc #1 @ syscall
sub r4, r4, r4 @ r4 = 0
mov r0, r4 @ exit 0
mov r7, #1 @ nr_exit
svc #1
.asciz "hello\n" @ null terminated string
We can assemble it and verify it has no null bytes:
root@azeria-labs-arm:~/arm/hello# as hello.s -o hello.o -mthumb
root@azeria-labs-arm:~/arm/hello# objdump -d hello.o
hello.o: file format elf32-littlearm
Disassembly of section .text:
00000000 <_start>:
0: e28f6001 add r6, pc, #1
4: e12fff16 bx r6
8: 2206 movs r2, #6
a: 4679 mov r1, pc
c: 310e adds r1, #14
e: 2001 movs r0, #1
10: 2704 movs r7, #4
12: df01 svc 1
14: 1b24 subs r4, r4, r4
16: 1c20 adds r0, r4, #0
18: 2701 movs r7, #1
1a: df01 svc 1
1c: 6c6c6568 .word 0x6c6c6568
20: 0a6f .short 0x0a6f
...
Ok let's try it:
root@azeria-labs-arm:~/arm/hello# ld hello.o -o hello
root@azeria-labs-arm:~/arm/hello# ./hello
hello
Good now let's try to execute it from C code. First we retrieve opcodes:
root@azeria-labs-arm:~/arm/hello# objcopy -O binary hello.o hello.bin
root@azeria-labs-arm:~/arm/hello# xxd -i hello.bin
unsigned char hello_bin[] = {
0x01, 0x60, 0x8f, 0xe2, 0x16, 0xff, 0x2f, 0xe1, 0x06, 0x22, 0x79, 0x46,
0x0e, 0x31, 0x01, 0x20, 0x04, 0x27, 0x01, 0xdf, 0x24, 0x1b, 0x20, 0x1c,
0x01, 0x27, 0x01, 0xdf, 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x0a, 0x00, 0x00
};
unsigned int hello_bin_len = 36;
root@azeria-labs-arm:~/arm/hello# hexdump -v -e ' "\\x" 1/1 "%02x"' hello.bin
\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x06\x22\x79\x46\x0e\x31\x01\x20\x04\x27\x01\xdf\x24\x1b\x20\x1c\x01\x27\x01\xdf\x68\x65\x6c\x6c\x6f\x0a\x00\x00
We can directly use that hello.bin in odzhan/shellcode:
root@azeria-labs-arm:~/arm/hello# ~/shellcode/runsc -f ./hello.bin -x
[ run shellcode v0.2
[ reading code from ./hello.bin
[ executing code...hello
We now have a valid shellcode, ready to be used within string manipulation functions such as srtcpy or fgets as we encountered previously in this series.
Top comments (0)