zardus / preeny

Some helpful preload libraries for pwning stuff.
BSD 2-Clause "Simplified" License

Adding support for arm in setcanary #58

Closed sudhackar closed 5 years ago

sudhackar commented 5 years ago

As discussed in #54 I have added support for arm in setcanary. I have tested it on a raspberry pi.

pi@exos-pi:~ $ head -n 40 z.c
#include <stdio.h>
#include <stdint.h>

#ifdef __x86_64__
#define canary_t     uint64_t
#define INSN_READ    "movq %%fs:0x28, %0;"   /* guard sits in the TCB at %fs:0x28 */
#define FMT          "Found canary: %#lx\n"

#elif __i386__
#define canary_t     uint32_t
#define INSN_READ    "movl %%gs:0x14, %0;"   /* 32-bit TCB keeps it at %gs:0x14 */
#define FMT          "Found canary: %#x\n"

#elif __arm__
#define canary_t     uint32_t
/* On ARM glibc the guard is the global __stack_chk_guard: load its address from
 * the literal pool into the output operand, then dereference it in place, so no
 * scratch register (and therefore no clobber list) is needed. */
#define INSN_READ    "ldr %0, =__stack_chk_guard; ldr %0, [%0];"
#define FMT          "Found canary: %#x\n"
#else
#error "unsupported architecture"
#endif

canary_t read_canary(void)
{
    canary_t val = 0;

    __asm__ volatile(INSN_READ
        : "=r"(val)
        :
        :);

    return val;
}

int main(int argc, char **argv)
{
    printf(FMT, read_canary());
    return 0;
}

pi@exos-pi:~ $ gcc -no-pie -fno-pic z.c -o z
pi@exos-pi:~ $ PREENY_DEBUG=1 PREENY_INFO=1 PREENY_ERROR=1 CANARY=1094795585 LD_PRELOAD=~/preeny/build/lib/libsetcanary.so:~/preeny/build/lib/libgetcanary.so ./z
--- Found canary: 0xe14d2500
+++ Overwriting canary with 0x41414141...
Found canary: 0x41414141

As for arm64, it still needs some testing. I'll do it in some time.
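The test program above reads the guard through inline assembly on every target. The following is an added example, not code from this PR or from preeny, showing the same read with a plain C fallback for the targets whose guard is an ordinary global (ARM, AArch64 and macOS export `__stack_chk_guard` from libc; this is the example's assumption), plus the two sanity checks worth running when porting: repeated reads agree and the value is nonzero. The check for a cleared low byte is reported only, since the loader behaviour behind it (glibc clearing the lowest byte, visible as the `00` in `0xe14d2500` above) is not universal.

```c
#include <stdint.h>
#include <stdio.h>

/* Where the stack protector keeps its reference value depends on the target:
 * Linux x86 keeps it in thread-local storage (inline assembly, as in z.c),
 * while ARM, AArch64 and macOS keep it in the global __stack_chk_guard,
 * which plain C can read without any assembly or clobber list. */
#if defined(__linux__) && defined(__x86_64__)
typedef uint64_t canary_t;
static canary_t read_canary(void)
{
    canary_t val;
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(val));
    return val;
}
#elif defined(__linux__) && defined(__i386__)
typedef uint32_t canary_t;
static canary_t read_canary(void)
{
    canary_t val;
    __asm__ volatile("movl %%gs:0x14, %0" : "=r"(val));
    return val;
}
#else
typedef uintptr_t canary_t;
/* Assumption: the C library exports the guard as a data symbol (glibc on
 * arm/aarch64, musl, and libSystem on macOS all do). */
extern canary_t __stack_chk_guard;
static canary_t read_canary(void)
{
    return __stack_chk_guard;
}
#endif

/* Two reads must agree and the value must be nonzero; an unstable or zero
 * reading means the wrong location is being read. Returns 1 when sane, else 0. */
int canary_looks_sane(void)
{
    canary_t a = read_canary();
    canary_t b = read_canary();
    return (a == b) && (a != 0);
}

/* glibc clears the lowest byte of the guard so that string functions cannot
 * copy or overwrite it whole. Not every libc does this, so this is reported,
 * not required. Returns 1 when the low byte is zero. */
int canary_low_byte_is_zero(void)
{
    return (read_canary() & 0xff) == 0;
}

int main(void)
{
    printf("Found canary: %#llx\n", (unsigned long long)read_canary());
    printf("stable and nonzero: %s\n", canary_looks_sane() ? "yes" : "no");
    printf("low byte cleared:   %s\n", canary_low_byte_is_zero() ? "yes" : "no");
    return canary_looks_sane() ? 0 : 1;
}
```

The example only reads the guard. A preload library that replaces it, as setcanary does, has to do so before `main` runs: every frame that is already live has copied the old value into its own slot, so changing the reference afterwards would make those frames' epilogue checks fail.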

zardus commented 5 years ago

Thanks!