(c) B.Kerler 2018-2020
Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.
So, for training purposes, I thought: Why not :)
Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Return oriented programming (ROP)
Level 13: Use-after-free
Level 14: Jump oriented programming (JOP)
Download the repo
git clone https://github.com/bkerler/exploit_me
Install needed tools on host (Ubuntu)
~$ cd exploit_me
~/exploit_me $ ./script/setup.sh
See hints.txt for a start.
For trying if it works : *** 32-Bit:
$ ./bin/exploit
*** 64-Bit:
$ ./bin/exploit64
Example debugging session:
$ sudo ./scripts/disableaslr.sh
(Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)
*** 32-Bit:
$ ./bin/arm exploit [levelpassword] [options] &
$ gdb-multiarch ./exploit
pwndbg> set architecture arm
instead you can also add architecture in .gdbinit as "set architecture arm"
*** 64-Bit:
$ ./arm64 exploit64 [levelpassword] [options] &
$ gdb-multiarch ./exploit64
pwndbg> set architecture aarch64
instead you can also add architecture in .gdbinit as "set architecture aarch64"
*** Example .gdbinit
set endian little
#set architecture arm
#set architecture aarch64
target remote :1234
GDB Basics:
Use
"si" to step into functions or
"so" to step over functions,
"info functions" to print all functions,
"p [function]" to print function address and information, if symbols exist
"b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234,
"c" to continue program,
"x/[dwords]x" to print offsets, for example "x/4x 0x1234" and
"x/[dwords]x $reg" to print register contents, for example "x/4x $sp".
Using pwndbg, you can use
"rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3.
See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
After you've exploited correctly, you will see the password for the next level. So if level2 password would be "Level2": *** 32-Bit:
$ ./bin/exploit Level2
*** 64-Bit:
$ ./bin/exploit64 Level2
For cheaters or people trying to understand with less instruction knowledge :
See solutions/solutions.txt and source code in src/exploit.cpp
There are more solutions possible, even with rop chains, not just my example solutions given
There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it
MIT License (Share, modify and use as you like, but refer to the original author !)