Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

Arm Linux shellcode contains null bytes #1183

Closed (packmad closed this 6 years ago)

packmad commented 6 years ago

Hi guys,

The Linux ARM shellcode contains null bytes:

    from pwn import *  # provides asm() and shellcraft
    # bytearray() yields ints on both Python 2 and 3; ord(c) only works on a Python 2 str
    "".join(" {:02x}".format(b) for b in bytearray(asm(shellcraft.arm.linux.sh(), arch='arm')))
    ' 68 70 00 e3 41 71 44 e3 04 70 2d e5 2f 7f 02 e3 2f 73 47 e3 04 70 2d e5 2f 72 06 e3 69 7e 46 e3 04 70 2d e5 0d 00 a0 e1 73 78 06 e3 04 70 2d e5 0c c0 2c e0 04 c0 2d e5 04 10 a0 e3 0d 10 81 e0 01 c0 a0 e1 04 c0 2d e5 0d 10 a0 e1 02 20 22 e0 0b 70 a0 e3 00 00 00 ef'

This shellcode worked for me.

zachriggle commented 6 years ago

First, Pwntools' shellcraft arm.linux.sh is a compromise to provide maximum flexibility. The shellcode you linked to does not work against BusyBox, ToyBox, or Android shells. See #626 for more information. You can also see #406 for earlier analysis and the reasons why our ARM shellcode is NOT guaranteed to be NULL-free.

The shellcode you linked to also contains a NULL byte, specifically at 0x8071 / 0x8072 (depending on endianness; see below).

Finally, using svc 1 works on real hardware, but does not work under qemu-user emulation. See #1024 for more information. This is somewhat important for CTFs, but especially important for our shellcode testing purposes (which use e.g. qemu-arm-static). Because of this, we must use svc 0 which will always emit NULL bytes.

Shellcode from @packmad's link

    8054:   e28f3001    add r3, pc, #1  ; 0x1
    8058:   e12fff13    bx  r3
    805c:   4678        mov r0, pc
    805e:   300c        adds    r0, #12
    8060:   46c0        nop         (mov r8, r8)
    8062:   9001        str r0, [sp, #4]
    8064:   1a49        subs    r1, r1, r1
    8066:   1a92        subs    r2, r2, r2
    8068:   270b        movs    r7, #11
    806a:   df01        svc 1 <======= Won't work on QEMU
    806c:   622f        str r7, [r5, #32]
    806e:   6e69        ldr r1, [r5, #100]
    8070:   732f        strb    r7, [r5, #12]
    8072:   0068        lsls    r0, r5, #1 <===== NULL byte
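Worked example, added by the editor and not taken from the issue thread or the pwntools code base: a pure-Python scanner that takes the two shellcode blobs quoted above (the shellcraft byte dump from the first comment, and the linked Thumb shellcode reconstructed from the objdump listing), maps every NULL byte to the instruction or data word that produced it, and encodes `svc #imm` in both ARM and Thumb to show why `svc 0` always carries NULL bytes while only the Thumb `svc 1` encoding is NULL-free. The byte values are copied from the thread; the `svc` encodings follow the ARM (`cond 1111 imm24`, condition AL = 0xE) and Thumb (`11011111 imm8`) instruction formats. Function names and the instruction-width layout are the editor's own; Python 3 is assumed.

```python
# Added example (not from the pwntools issue or code base): locate the NULL
# bytes in the two shellcode blobs quoted in this thread and map each one to
# the instruction or data word that produced it. Pure Python, no pwntools.
import struct

# Byte dump of shellcraft.arm.linux.sh from the first comment (ARM mode,
# 22 little-endian 32-bit words), copied verbatim from the thread.
SHELLCRAFT_HEX = (
    "68 70 00 e3 41 71 44 e3 04 70 2d e5 2f 7f 02 e3 2f 73 47 e3 04 70 2d e5 "
    "2f 72 06 e3 69 7e 46 e3 04 70 2d e5 0d 00 a0 e1 73 78 06 e3 04 70 2d e5 "
    "0c c0 2c e0 04 c0 2d e5 04 10 a0 e3 0d 10 81 e0 01 c0 a0 e1 04 c0 2d e5 "
    "0d 10 a0 e1 02 20 22 e0 0b 70 a0 e3 00 00 00 ef"
)

# The linked shellcode, reconstructed from zachriggle's objdump listing:
# two ARM words (add r3, pc, #1 / bx r3) that switch to Thumb, then twelve
# Thumb halfwords, the last four of which are the data "/bin/sh\0".
LINKED_ARM_WORDS = [0xe28f3001, 0xe12fff13]
LINKED_THUMB_HALFWORDS = [0x4678, 0x300c, 0x46c0, 0x9001, 0x1a49, 0x1a92,
                          0x270b, 0xdf01, 0x622f, 0x6e69, 0x732f, 0x0068]


def hexdump_to_bytes(dump):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def assemble_words(arm_words, thumb_halfwords):
    """Lay out ARM words then Thumb halfwords little-endian, as they sit in memory.

    Returns (blob, widths); widths lists each instruction's size in order so the
    NULL scan can attribute every byte to an instruction.
    """
    blob = b"".join(struct.pack("<I", w) for w in arm_words)
    blob += b"".join(struct.pack("<H", h) for h in thumb_halfwords)
    widths = [4] * len(arm_words) + [2] * len(thumb_halfwords)
    return blob, widths


def find_nulls(blob, widths):
    """Map every 0x00 byte to the instruction containing it.

    widths gives the size of each instruction in order (4 = ARM, 2 = Thumb).
    Returns a list of (byte_offset, instruction_index, instruction_value).
    """
    if sum(widths) != len(blob):
        raise ValueError("instruction layout does not cover the blob")
    found = []
    pos = 0
    for index, width in enumerate(widths):
        chunk = blob[pos:pos + width]
        value = int.from_bytes(chunk, "little")
        for i, byte in enumerate(chunk):
            if byte == 0:
                found.append((pos + i, index, value))
        pos += width
    return found


def svc_encoding(imm, thumb):
    """Encode `svc #imm`: ARM (cond=AL) is 0xEF000000 | imm24, Thumb is 0xDF00 | imm8."""
    if thumb:
        return struct.pack("<H", 0xDF00 | (imm & 0xFF))
    return struct.pack("<I", 0xEF000000 | (imm & 0xFFFFFF))


def is_null_free(code):
    return b"\x00" not in code


def report(name, blob, widths):
    print("%s: %d bytes" % (name, len(blob)))
    for offset, index, value in find_nulls(blob, widths):
        fmt = "%08x" if widths[index] == 4 else "%04x"
        print("  NULL at offset %2d, instruction %2d (%s)" % (offset, index, fmt % value))


if __name__ == "__main__":
    shellcraft = hexdump_to_bytes(SHELLCRAFT_HEX)
    report("shellcraft.arm.linux.sh (ARM)", shellcraft, [4] * (len(shellcraft) // 4))

    linked, widths = assemble_words(LINKED_ARM_WORDS, LINKED_THUMB_HALFWORDS)
    report("linked Thumb shellcode", linked, widths)

    # Why "svc 0" forces a NULL: only the Thumb svc #1 encoding is NULL-free.
    for imm, thumb in [(0, False), (1, False), (0, True), (1, True)]:
        enc = svc_encoding(imm, thumb)
        print("  svc %d (%s): %s NULL-free=%s" % (imm, "Thumb" if thumb else "ARM",
                                                  enc.hex(), is_null_free(enc)))
```

Running it shows the shellcraft blob's five NULLs sit in three ARM words: the `movw r7, #0x68` at the start, the `mov r0, sp`, and the final `svc 0` (three of the five), which is the word zachriggle explains cannot be avoided while keeping qemu-user compatibility. The linked shellcode's only NULL is the terminator byte of its inline "/bin/sh" string, not an instruction, and the encoding table at the end makes the trade-off concrete: ARM-mode `svc` always contains NULLs whatever the immediate, and in Thumb only a non-zero immediate such as `svc 1` avoids one.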