Exploit Exercises - ARM
Check out this blog post for a Stack0 walkthrough: https://rotlogix.com/2016/05/03/arm-exploit-exercises/
I have taken all of the stack challenges from Protostar (https://exploit-exercises.com/protostar/) and compiled them for the ARM architecture. The QEMU setup I am using locally includes GEF (https://github.com/hugsy/gef), Capstone, ROPGadget, and the radare2 Python bindings.
SSH
# Password is raspberry
ssh pi@127.0.0.1 -p 5022
Socat
nc -vv 127.0.0.1 5023
localhost [127.0.0.1] 5023 (htuilsrv) open
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Total received bytes: 0
Total sent bytes: 155
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ ulimit -c unlimited
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ socat tcp-l:6666,reuseaddr,fork exec:"./stack0"
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ ls
core stack0 stack0.c
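The session above relies on two things that are easy to miss when reproducing it elsewhere: the `ulimit -c unlimited` is set in the shell that starts socat, so every exec'd child inherits it, and the kernel's `core_pattern` on the Pi image is plain `core`, which is why `./core` appears next to `stack0`. The script below is an added example written for this README (it is not part of the exploit-exercises-arm repo) that checks those prerequisites on the machine it runs on; the `/proc/sys/kernel/core_pattern` path and the `resource` module are standard Linux/Python, everything else is my own naming.

```python
"""Check whether a crashing child of socat will leave ./core in the cwd.

Added example for this README, not repo code. Reports the two usual reasons
a core file never shows up: core_pattern piping the dump to a handler
(apport, systemd-coredump) and a zero RLIMIT_CORE in the launching shell.
"""
import os
import resource
from typing import List, Optional

# resource.RLIM_INFINITY is what `ulimit -c unlimited` sets on the soft limit
UNLIMITED = resource.RLIM_INFINITY


def core_pattern_issues(pattern: str) -> List[str]:
    """Return findings for a /proc/sys/kernel/core_pattern value.

    An empty list means the kernel will write a file named `core` into the
    crashing process's current directory, as on the page's Raspberry Pi.
    """
    issues = []
    pattern = pattern.strip()
    if pattern.startswith("|"):
        # Leading '|' hands the dump to a userspace helper instead of a file.
        handler = pattern.split()[0][1:]
        issues.append("core_pattern pipes to a handler: " + handler)
    elif pattern.startswith("/"):
        issues.append("core files go to an absolute path, not cwd: " + pattern)
    if "%" in pattern:
        issues.append("core file name is expanded from %-specifiers, not plain 'core'")
    return issues


def core_limit_issue(soft_limit: int) -> Optional[str]:
    """Describe a problematic RLIMIT_CORE soft limit, or None if dumps are unrestricted.

    The limit is inherited across fork/exec, so it must be raised in the shell
    that launches socat, exactly as the page does before starting the listener.
    """
    if soft_limit == 0:
        return "RLIMIT_CORE is 0: run `ulimit -c unlimited` in the shell that starts socat"
    if soft_limit != UNLIMITED:
        return "RLIMIT_CORE is %d bytes: a larger process image is truncated" % soft_limit
    return None


def check_system() -> List[str]:
    """Collect findings for the current process environment (Linux only)."""
    with open("/proc/sys/kernel/core_pattern") as f:
        pattern = f.read()
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    findings = core_pattern_issues(pattern)
    limit = core_limit_issue(soft)
    if limit:
        findings.append(limit)
    if not os.access(os.getcwd(), os.W_OK):
        findings.append("cwd is not writable: the kernel cannot create ./core here")
    return findings


if __name__ == "__main__":
    for line in check_system() or ["ok: a crash in a socat child should leave ./core"]:
        print(line)
```

Run it from the directory where you will start socat; if it prints a `core_pattern pipes to a handler` finding, the dump is going to that helper's spool directory rather than to `./core`, and `gdb -c core` as shown later will find nothing.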
GEF
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ gdb -c core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
gef loaded, `gef help' to start, `gef config' to configure
30 commands loaded (10 sub-commands), using Python engine 2.7
[New LWP 2672]
Core was generated by `./stack0'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414140 in ?? ()
gef> gef help
====================[ GEF - GDB Enhanced Features ]====================
aslr -- View/modify GDB ASLR behavior.
assemble -- AssembleCommand: using radare2 to assemble code (requires r2 Python bindings)
Architecture can be set in GEF runtime config (default is x86).
Use `list' subcommand to list architectures supported
checksec -- Checksec.sh (http://www.trapkit.de/tools/checksec.html) port.
context -- Display execution context.
cs-dis -- Use capstone disassembly framework to disassemble code.
ctf-exploit-templater -- Generates a ready-to-use exploit template for CTF.
deref -- Dereference recursively an address and display information
dump-memory -- Dump chunks of memory into raw file on the filesystem. Dump file
name template can be defined in GEF runtime config
elf-info -- Display ELF header informations.
entry-break -- Tries to find best entry point and sets a temporary breakpoint on it.
fd -- Enumerate file descriptors opened by process.
fmtstr-helper -- Exploitable format-string helper (experimental)
gef-alias -- GEF defined aliases
heap -- Get some information about the Glibc heap structure.
inspect-stack -- Exploiter-friendly top-down stack inspection command (peda-like)
invoke -- InvokeCommand: invoke an external command and display result.
ksymaddr -- Solve kernel symbols from kallsyms table.
patch -- Patch the instruction pointed by parameters with NOP. If the return option is
specified, it will set the return register to the specific value.
pattern -- Metasploit-like pattern generation/search
ps -- List and filter process.
reg -- Display full details on one, many or all registers value from current architecture.
reset-cache -- Reset cache of all stored data.
ropgadget -- ROPGadget (http://shell-storm.org/project/ROPgadget) plugin
shellcode -- ShellcodeCommand uses @JonathanSalwan simple-yet-awesome shellcode API to
download shellcodes
trace-run -- Create a runtime trace of all instructions executed from $pc to LOCATION specified.
vmmap -- Display virtual memory mapping
xd -- Display arranged hexdump (according to architecture endianness) of memory range.
xfiles -- Shows all libraries (and sections) loaded by binary (Truth is out there).
xinfo -- Get virtual section information for specific address
xor-memory -- XOR a block of memory.
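Two details of the crash above are worth understanding before reaching for GEF's `pattern` command. The input was all `A`s, so the saved return address became 0x41414141, yet gdb reports `0x41414140`: ARM uses bit 0 of an address written to pc (by `pop {pc}` or `bx`) to select Thumb state, so the low bit is consumed and the register shows the even value. With a cyclic pattern instead of `A`s the pc value tells you how far into the input the return address sits, but only if the search accounts for that cleared bit. The following is an added example written for this README, not the repo's or GEF's code: a Metasploit-style pattern generator and offset search that retries with bit 0 set when an even pc value is not found; function names are my own.

```python
"""Metasploit-style cyclic pattern create/offset with the ARM Thumb-bit caveat.

Added example for this README (not GEF's `pattern` implementation). Pattern
chunks are Upper+lower+digit ('Aa0Aa1...'), so any 4-byte window is unique
within the first 20280 bytes and a register value maps back to one offset.
"""
import struct
from string import ascii_lowercase, ascii_uppercase, digits
from typing import Optional, Union

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the sequence repeats


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError("length must be between 1 and %d" % MAX_PATTERN)
    chunks = []
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def _as_bytes(value: Union[int, str, bytes]) -> bytes:
    """Register values are packed little-endian, matching ARM on the Pi."""
    if isinstance(value, int):
        return struct.pack("<I", value & 0xFFFFFFFF)
    if isinstance(value, str):
        return value.encode()
    return bytes(value)


def pattern_offset(pattern: str, value: Union[int, str, bytes],
                   arm_thumb_bit: bool = True) -> Optional[int]:
    """Locate `value` (a pc value or a short string) inside `pattern`.

    When the needle is an even integer and is absent as-is, retry with bit 0
    set: on ARM the kernel/core shows pc with the Thumb selector bit cleared,
    so the bytes that were actually on the stack had bit 0 set. Returns the
    offset into the pattern, or None if neither form is present.
    """
    hay = pattern.encode()
    idx = hay.find(_as_bytes(value))
    if idx == -1 and arm_thumb_bit and isinstance(value, int) and value & 1 == 0:
        idx = hay.find(_as_bytes(value | 1))
    return None if idx == -1 else idx


if __name__ == "__main__":
    pat = pattern_create(200)
    print(pat)
    # The page's crash: all-'A' input, pc shown as 0x41414140, so no cyclic
    # offset is recoverable from it (AAAA never occurs in the pattern).
    print(pattern_offset(pat, 0x41414140))
```

Feed `pattern_create(n)` to the listener in place of the `A`s, load the resulting core as shown above, and pass the reported pc to `pattern_offset`; the hit with bit 0 restored is the one to trust on ARM, which GEF's `pattern search` handles for you, but it is worth knowing why the value in `#0` does not match the bytes you sent.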