Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bkerler/exploit_me
Very vulnerable ARM/AARCH64 application (CTF style exploitation tutorial with 14 vulnerability techniques)
https://github.com/bkerler/exploit_me
arm ctf exploitation rop tutorial
Last synced: 9 days ago
JSON representation
Very vulnerable ARM/AARCH64 application (CTF style exploitation tutorial with 14 vulnerability techniques)
- Host: GitHub
- URL: https://github.com/bkerler/exploit_me
- Owner: bkerler
- License: mit
- Created: 2018-01-02T17:36:42.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2022-03-14T14:46:37.000Z (over 2 years ago)
- Last Synced: 2024-08-01T09:26:20.199Z (3 months ago)
- Topics: arm, ctf, exploitation, rop, tutorial
- Language: C++
- Homepage:
- Size: 1.34 MB
- Stars: 878
- Watchers: 49
- Forks: 136
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-arm-exploitation - Exploit Me
README
# exploit_me
Very vulnerable ARM/ARM64[AARCH64] application (CTF style exploitation tutorial, portable to other platforms)
---------------------------------------------------------------------
(c) B.Kerler 2018-2020Why:
----
Some of my friends asked me if I could do some examples
of exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.So, for training purposes, I thought: Why not :)
Current vulnerabilities:
------------------------
```
Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Return oriented programming (ROP)
Level 13: Use-after-free
Level 14: Jump oriented programming (JOP)
```Install on Debian/Ubuntu System:
------------------------------------------------------
Download the repo
```
git clone https://github.com/bkerler/exploit_me
```Install needed tools on host (Ubuntu)
```
~$ cd exploit_me
~/exploit_me $ ./script/setup.sh
```
Usage hints:
------------
- See hints.txt for a start.- For trying if it works :
*** 32-Bit:
```
$ ./bin/exploit
```
*** 64-Bit:
```
$ ./bin/exploit64
```
- Example debugging session:
```
$ sudo ./scripts/disableaslr.sh
```
(Disable aslr, don't run if you want more fun)
(Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)
In first terminal:
------------------
*** 32-Bit:
```
$ ./bin/arm exploit [levelpassword] [options] &
$ gdb-multiarch ./exploit
pwndbg> set architecture arm
```
instead you can also add architecture in .gdbinit as "set architecture arm"
*** 64-Bit:
```
$ ./arm64 exploit64 [levelpassword] [options] &
$ gdb-multiarch ./exploit64
pwndbg> set architecture aarch64
```
instead you can also add architecture in .gdbinit as "set architecture aarch64"
*** Example .gdbinit
```
set endian little
#set architecture arm
#set architecture aarch64
target remote :1234```
- GDB Basics:
```
Use
"si" to step into functions or
"so" to step over functions,
"info functions" to print all functions,
"p [function]" to print function address and information, if symbols exist
"b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234,
"c" to continue program,
"x/[dwords]x" to print offsets, for example "x/4x 0x1234" and
"x/[dwords]x $reg" to print register contents, for example "x/4x $sp".
Using pwndbg, you can use
"rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3.
See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
```- After you've exploited correctly, you will see the password for the next level.
So if level2 password would be "Level2":
*** 32-Bit:
```
$ ./bin/exploit Level2
```
*** 64-Bit:
```
$ ./bin/exploit64 Level2
```
- For cheaters or people trying to understand with less instruction knowledge :
```
See solutions/solutions.txt and source code in src/exploit.cpp
```- There are more solutions possible, even with rop chains, not just my example solutions given
- There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it
ToDo:
-----
- Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !Some referrals to ARM reversing beginners :
-------------------------------------------
- Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
- Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
- Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
- Read book "A Bug Hunter's Diary" By Tobias Klein
- Read ARMv8 (AARCH64) Opcode Manual : https://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdfLicense:
--------
MIT License
(Share, modify and use as you like, but refer to the original author !)