In this post we will set up a lab for ARM exploitation using a Raspberry Pi Model 3 B+.
Install Raspbian OS on the Raspberry Pi by following the instructions in the following post. It should take only a few minutes.
It is recommended to use Raspbian GNU/Linux 10 (buster) rather than earlier versions, as the debugger (gdb) has some issues, especially on Raspbian GNU/Linux 9 (stretch).
The details of the device are as follows:
pi@raspberry:~$ hostnamectl
   Static hostname: raspberrypi
         Icon name: computer
        Machine ID: 569839e402644ca38bef0b40a7832c8e
           Boot ID: fd208f512fd7418b9523bfde282383ca
  Operating System: Raspbian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.66-v7+
      Architecture: arm
Disable Security Features
Now, to exploit basic vulnerabilities, we first disable some security features of the kernel and of the compiler.
Disable Kernel Security
Here we disable Address Space Layout Randomization (**ASLR**). ASLR randomizes the base addresses of the stack, the heap, the shared libraries and, for position-independent executables, the program itself on every run, so an address found in the debugger is not valid in the next run. We first discuss the different attacks with ASLR disabled. Later we discuss how to bypass ASLR.
To disable ASLR persistently, we create a configuration file in the /etc/sysctl.d/ directory and set the randomization attribute to 0 (the default is 2, full randomization). The file is applied at boot, so reboot afterwards; sysctl -w would apply the value immediately but would not survive a reboot.
pi@raspberry:~$ cd /etc/sysctl.d/
pi@raspberry:/etc/sysctl.d$ sudo nano 1-aslr.conf
kernel.randomize_va_space = 0
pi@raspberry:/etc/sysctl.d$ sudo reboot
After rebooting, check the value as follows:
pi@raspberry:~$ sysctl kernel.randomize_va_space
kernel.randomize_va_space = 0
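The sysctl value only tells you what the kernel was asked to do. The following C program is an added lab check, not code from the original post: it prints the sysctl together with the base address of the program, libc, a heap pointer and the stack, read from /proc/self/maps, so running it twice shows directly whether anything still moves. The stack line also reports whether the stack mapping is executable, which is the effect of the -z execstack flag used later in this post. The file name aslr_check.c is my choice.

```c
/* aslr_check.c: lab check added here, not part of the original post.
 * Prints the ASLR sysctl and the base address of the program, libc, heap
 * and stack from /proc/self/maps. Run it twice: with
 * kernel.randomize_va_space = 0 every address is identical between runs,
 * with the default value of 2 they move. The stack line also shows whether
 * the stack is executable (rwxp), which is what -z execstack produces. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct region {
    unsigned long start, end;
    char perms[5];    /* e.g. "rw-p" */
    char path[256];   /* file name, "[stack]", "[heap]" or "" when anonymous */
};

/* Parse one line of /proc/<pid>/maps such as
 *   7eff8000-7effa000 rw-p 00000000 00:00 0          [stack]
 * Returns 1 on success, 0 if the line is malformed. The path is optional
 * because anonymous mappings have none. */
int parse_maps_line(const char *line, struct region *r)
{
    r->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s",
                   &r->start, &r->end, r->perms, r->path);
    return n >= 3;
}

/* 1 if the mapping is executable, judged from the third permission char. */
int is_executable(const struct region *r)
{
    return r->perms[2] == 'x';
}

/* Value of kernel.randomize_va_space, or -1 if it cannot be read. */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    int local = 0;                 /* lives on the stack */
    void *heap = malloc(16);       /* forces a [heap] mapping to exist */
    int v = read_randomize_va_space();

    printf("kernel.randomize_va_space = %d (%s)\n", v,
           v == 0 ? "ASLR off" :
           v == 1 ? "stack, mmap and libraries randomized" :
           v == 2 ? "full randomization, heap included" : "unknown");
    printf("stack variable : %p\n", (void *)&local);
    printf("heap pointer   : %p\n", heap);

    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) {
        perror("/proc/self/maps");
        return 1;
    }
    char line[512];
    struct region r;
    int seen_prog = 0, seen_libc = 0;
    while (fgets(line, sizeof line, maps)) {
        if (!parse_maps_line(line, &r))
            continue;
        if (!seen_prog) {          /* the first mapping is the program itself */
            printf("program base   : 0x%08lx %s\n", r.start, r.path);
            seen_prog = 1;
        } else if (!seen_libc && strstr(r.path, "/libc")) {
            printf("libc base      : 0x%08lx %s\n", r.start, r.path);
            seen_libc = 1;
        } else if (strcmp(r.path, "[stack]") == 0) {
            printf("stack mapping  : 0x%08lx perms=%s (%s)\n", r.start, r.perms,
                   is_executable(&r) ? "executable" : "not executable");
        }
    }
    fclose(maps);
    free(heap);
    return 0;
}
```

Build it with gcc aslr_check.c -o aslr_check and run it twice before and after the reboot: with the sysctl at 0 all five addresses repeat exactly. Compile it once more with the flags from the next section and the stack mapping switches to rwxp.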
Disable Compiler Security Features
We also need to disable the stack protector and make the stack executable to perform basic exploitation. -fno-stack-protector leaves out the stack canary that would otherwise detect an overwritten return address, and -z execstack marks the stack executable so shellcode placed there can run (adding -g keeps the symbols gdb uses). So we compile the vulnerable programs as follows:
pi@raspberry:~$ gcc -fno-stack-protector -z execstack overflow.c -o overflow
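The post does not show overflow.c itself, so here is a deliberately vulnerable program to use with that command. It is an added example, not the original author's file: a classic unchecked strcpy into a 64-byte stack buffer, with a small helper that says how far past the buffer a given input reaches. The buffer size and function names are my choice.

```c
/* overflow.c: deliberately vulnerable program, added as an example and not
 * taken from the original post. Compile with
 *   gcc -fno-stack-protector -z execstack overflow.c -o overflow
 * so that neither a canary nor a non-executable stack gets in the way. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Copies attacker-controlled input into a fixed-size stack buffer with no
 * length check. Input longer than BUF_SIZE overwrites whatever the compiler
 * placed above the buffer, including the saved frame pointer and return
 * address. Returns the number of bytes copied, so the caller can see how
 * far the copy went. */
size_t vuln(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                     /* the bug: no bounds check */
    printf("copied %zu bytes into a %d-byte buffer\n", strlen(buf), BUF_SIZE);
    return strlen(buf);
}

/* Number of bytes an input of `len` characters writes beyond the buffer
 * (the terminating NUL counts); 0 when the input fits. */
size_t overflow_bytes(size_t len)
{
    return len + 1 > BUF_SIZE ? len + 1 - BUF_SIZE : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    vuln(argv[1]);
    return 0;
}
```

After compiling, confirm the mitigations are really off: readelf -l overflow | grep -A1 GNU_STACK must show RWE, and nm overflow | grep stack_chk must print nothing (gef's checksec command reports the same). Running ./overflow with an argument longer than 64 bytes crashes when vuln returns, because the saved return address has been overwritten.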
gef Extension for gdb
We will use gdb to debug the vulnerable programs. To make this easier (for example, showing the registers, the stack and the disassembly at every stop), we install the gef extension for gdb with the following command:
pi@raspberry:~$ curl -s -L https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh
Read the script before piping it into sh: it downloads gef.py into your home directory and appends a source line to ~/.gdbinit. gef needs a gdb built with Python support, which the buster package has; once installed, the gdb prompt changes to gef➤.
To generate a shellcode string from a compiled binary, we use the following script, named hexstring.sh. objcopy strips the ELF headers and leaves the raw code bytes, which hexdump then prints as \xNN escapes:
#!/bin/bash
# usage: hexstring.sh <binary>
if [ $# -ne 1 ]
then
    echo "Enter the name of your executable"
    echo "Format: hexstring.sh <binary>"
    exit 1
fi
objcopy -O binary "$1" tmp.bin
hexdump -v -e '"\\""x" 1/1 "%02x" ""' tmp.bin
rm -f tmp.bin
echo ""
We can also use the following Python script, adapted from Azeria Labs. It dumps every byte of the file it is given, so feed it the raw binary produced by objcopy -O binary, not the ELF file, or the ELF header ends up in the "shellcode":
#!/usr/bin/env python3
import sys

with open(sys.argv[1], 'rb') as binary:
    for byte in binary.read():
        sys.stdout.write("\\x%02x" % byte)
print("")
For example, testf is a binary built from a few ARM instructions, and its shellcode string is generated with the script as follows:
pi@raspberrypi:~$ ./hexstring.sh testf
\x0c\xb0\x8d\xe2\x04\x10\x9f\xe5\x01\xf4\x41\xe2