Skip to main content

ARM buffer overflow: chapter 8 ಠ-ಠ (day 83) (from heap to shellcode)

 

Previously in the arm exploitation series, we take a look at how we can perform buffer overflow and format string attack in ARM binary, both of them prove to be powerful enough to take control of program execution if it correctly utilizes, furthermore it can also bypass anti-exploit mechanism.

But both of the attack methods are conducted in stack region of memory and today lets try to explore the other attack mechanism in ARM binary which is heap exploit.

I already introduced how to get a start in the heap exploitation binary, in this post and this post so I will not cover it again. This post is meant to give an idea of how heap exploitation happens in arm binary and how we can leverage this exploit to be able to take control of the program workflow and drop a shell.

For the POC, I will take the source code from protostar heap0 challenge, compiled it in raspberry pi qemu and try to exploit it



source: https://exploit.education/protostar/heap-zero/



just like in the protostar challenge we will try to turn off all the anti-exploit mechanisms. We will try to bypass the anti-exploit mechanism in heap exploit later in the next post, from now on let's try to make it simple so you get the concept first.



from the figure below, let's try to put three breakpoints in the program the first two breakpoints will stop at the call function of malloc() in the program whereas the third one will stop at the strcpy() function in the program.





The first breakpoint will take use to the first malloc which is used to reserved memory in the heap for "data" struct which contains the variable "name" with type string



we can see that the first and only parameter was passed with value 0x40(equivalent to 64 in decimal) that act as a size reservation in heap



Once the heap finish allocating the memory it will store the return value which is the location of the allocated memory in register R0



You can check the result by typing "vmmap" and dump the memory location of the heap. Same as the second breakpoint which is the second malloc for allocating "fp" structure variable, the first parameter used to define how big is the memory allocation in the heap



now on to the third breakpoint, we can see that the strcpy function used to copy the value of our supplied argument and stored it to the heap.



the first param (R0) will be the destination where the first malloc happen and the second param (R1) will be the source which is our input



once it has done try to check the heap memory now, we can see it know contain our input and from we know a strcpy function doesn't have a bound limitation in the input with this we can overflow the heap memory and take control of the execution.

how we can take control of the execution? since there are not instruction pointer in the heap memory

notice that before strcpy function there is:

f->fp = nowinner;

this is used to store the nowinner location to fp struct variable in the heap we can see the program put it at (0x21050) and then the program called it again after the strcpy function

  f->fp();

so it becomes clear all we need to do is to overwrite the location of nowinner() function in the heap memory and replace it with our new location.

I get it!

most of you will probably just gonna overwrite the nowinner function value in the heap memory with the winner() function location. Well i'm not saying is wrong but we are hacker lets try to do more than just changing the direction of the program instruction.

let's try to combine shellcode so by the end of the exploit we got a shell and take control of the program :)

first, let's try to determine how much we need to overwrite the function call in heap.



okay so we need 0x48(72) of bytes to overwrite the address and we are going to redirect the execution to the beginning of our input which is located in 0x2100c and you don't have to worry about with ASLR since it will now affect memory location in heap.

the first few bytes of our input will contain a shellcode and rest will be just padding to overwrite the function address. Now we can create python script to generate our payload like this:



the shellcode I used will be from the previous post that I make couple of weeks ago.



run the exploit as the argument of the program and as you can see we got shell :), cool!

 



the first figure shows you the heap condition after the payload is inserted to the heap memory we can see that at 0x21050 we overwrite it with a new address which is pointing to the beginning of our shellcode and the second figure show the result of the exploit if it runs outside the GDB and apparently it still works

so that's all folks I hope you have a great weekend and see you around at the next post.

Labels:

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct
Post a Comment
Read More »

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi
Post a Comment
Read More »