ARM Exploitation with Raspberry Pi: Lab Setup


In this post we will set up a lab for ARM exploitation using a Raspberry Pi Model 3 B+.

First, install Raspbian OS on the Raspberry Pi by following the instructions in the post below. It should take only a few minutes.

Install Raspbian Os Raspberry Pi Without Monitor and Keyboard

Device Information

It is recommended to use Raspbian GNU/Linux 10 (buster) rather than earlier versions, as the debugger (gdb) has some issues, especially in Raspbian GNU/Linux 9 (stretch). The details of the device are as follows:

pi@raspberry:~$ hostnamectl 
   Static hostname: raspberrypi
         Icon name: computer
        Machine ID: 569839e402644ca38bef0b40a7832c8e
           Boot ID: fd208f512fd7418b9523bfde282383ca
  Operating System: Raspbian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.66-v7+
      Architecture: arm

Disable Security Features

Now, to exploit basic vulnerabilities, first we will disable some security features of the kernel and the compiler.

Disable Kernel Security

Here we disable Address Space Layout Randomization (ASLR), which randomizes the base address of an executable. We will first discuss different attacks with ASLR disabled. Later we will discuss how to bypass ASLR.

To disable ASLR, we create a configuration file in the /etc/sysctl.d/ directory that sets kernel.randomize_va_space to 0.

pi@raspberry:~$ cd /etc/sysctl.d/
pi@raspberry:/etc/sysctl.d$ sudo nano 1-aslr.conf
    kernel.randomize_va_space = 0
pi@raspberry:/etc/sysctl.d$ sudo reboot

After rebooting, check the value as follows:

pi@raspberry:~$ sysctl kernel.randomize_va_space
    kernel.randomize_va_space = 0

Disable Compiler Security Features

To perform basic exploitation, we need to disable stack protection (-fno-stack-protector) and allow execution on the stack (-z execstack), so we compile the vulnerable programs as follows:

pi@raspberry:~$ gcc -fno-stack-protector -z execstack overflow.c -o overflow
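
To confirm that both settings above took effect, the following added example (not code from the original post) reads the ASLR sysctl and parses a binary's ELF program headers for PT_GNU_STACK, with a heuristic search for __stack_chk_fail to detect stack canaries. The function names and the constructed sample_elf32 input are assumptions for illustration; the parser also accepts 64-bit ELF files, which goes beyond the 32-bit binaries used in this lab.

```python
#!/usr/bin/env python3
# Added example: report ASLR state and a binary's stack hardening.
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags


def aslr_mode(path="/proc/sys/kernel/randomize_va_space"):
    """0 = off, 1 = partial, 2 = full; None if the value cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def stack_report(elf):
    """Return (exec_stack, canary); exec_stack is None without PT_GNU_STACK."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = elf[4] == 2
    # e_phoff and e_phentsize/e_phnum sit at class-dependent header offsets.
    phoff = struct.unpack_from("<Q" if is64 else "<I", elf, 0x20 if is64 else 0x1C)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36 if is64 else 0x2A)
    exec_stack = None
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from("<I", elf, base)[0] == PT_GNU_STACK:
            # p_flags is at offset 4 in Elf64_Phdr and 24 in Elf32_Phdr.
            flags = struct.unpack_from("<I", elf, base + (4 if is64 else 24))[0]
            exec_stack = bool(flags & PF_X)
    # Heuristic: canary-protected code references __stack_chk_fail.
    return exec_stack, b"__stack_chk_fail" in elf


def sample_elf32(flags, tail=b""):
    """Constructed input: bare ELF32 header plus one PT_GNU_STACK entry."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16) + tail


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf32(7)
    print("ASLR mode:", aslr_mode())
    print("(exec_stack, canary):", stack_report(data))
```

Pass the path of a compiled binary as the first argument to check it instead of the constructed sample.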

Install gef extension for gdb

We will use gdb for debugging the vulnerable programs. The gef extension adds features that make this easier (e.g., checking values in registers). Install gef using the following command:

pi@raspberry:~$ curl -s -L https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh

Shellcode Generator

To generate shellcode from binary files, we use the following script named hexstring.sh.

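#!/bin/bash
# Print the contents of a binary as a \xNN-escaped string.
if [ $# -ne 1 ]
  then
    echo "Enter Name of your executable"
    echo "Format: hexstring.sh <binary>"
    exit 1
fi
# Copy the raw section contents (no ELF headers) into a temporary file.
objcopy -O binary "$1" tmp.bin
# Emit each byte as \xNN; -v stops hexdump from collapsing repeated bytes.
hexdump -v -e '"\\""x" 1/1 "%02x" ""' tmp.bin
rm -f tmp.bin
echo ""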

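We can also use the following Python script from Azeria-labs.

#!/usr/bin/env python
import sys

# Print every byte of the given file as a \xNN escape.
# bytearray() yields integers under both Python 2 and Python 3.
with open(sys.argv[1], 'rb') as binary:
    for byte in bytearray(binary.read()):
        sys.stdout.write("\\x%02x" % byte)
print("")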

For example, testf is a binary file and the shellcode can be generated using the script as follows:

pi@raspberrypi:~$ ./hexstring.sh testf
\x0c\xb0\x8d\xe2\x04\x10\x9f\xe5\x01\xf4\x41\xe2

Resources

  1. Azeria-labs ARM32 Exploitation Series
  2. introduction-to-exploit-development
