Raspberry Pi & ARM Shellcoding

Lately I have been playing with my Raspberry Pi B running Raspbian GNU/Linux 7, and this is a short walkthrough with a hello world example.

For a more in-depth introduction to ARM shellcoding look here:
http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/

Adapted from that article, here is the example:

.section .text
.global _start

_start:

.code 32                @ the program is entered in ARM state
add r6, pc, #1          @ pc reads as this instruction + 8; the odd address selects Thumb
bx r6                   @ switch to Thumb state at the .code 16 block below

.code 16
@ write(1, "hello world\n", 12)
mov r2, #12             @ length of the string (12 bytes)
mov r1, pc              @ in Thumb, pc reads as this instruction + 4
add r1, #14             @ the string starts 14 bytes after that value
mov r0, #1              @ fd = stdout
mov r7, #4              @ __NR_write
svc 1                   @ on EABI the immediate is ignored (r7 holds the syscall number)

@ exit(0)
sub r4, r4, r4          @ zero r4 without using an immediate
mov r0, r4              @ status = 0
mov r7, #1              @ __NR_exit
svc 1

.ascii "hello world\n"

Building:

$ as -mthumb -o hello.o hello.s
$ ld -o hello hello.o

With the following script it is easy to dump the shellcode bytes from the linked binary:

#!/bin/bash
# dump ARM shellcode from an objdump listing as C string literals
# handles 32-bit ARM words (8 hex digits) and 16-bit Thumb halfwords (4 hex digits);
# a 32-bit Thumb-2 instruction is printed by objdump as two halfwords ("f000 f800")
# and is NOT handled here: only its first halfword would be kept
# call: ./dumpsc.sh binaryfile

set -e
tmp=$(mktemp)
# keep only the encoding column of each instruction line
objdump -d "$1" | cut -s -d ":" -f2 | cut -d " " -f1 | tr -d ' \t\r\f' > "$tmp"

while read -r line
do
  l=${#line}
  # 16-bit Thumb halfword: swap the two bytes (little endian)
  if [ "$l" -eq 4 ]; then
    echo "\"\\x${line:2:2}\\x${line:0:2}\""
  fi
  # 32-bit ARM word (or a .word data item): reverse the four bytes
  if [ "$l" -eq 8 ]; then
    echo "\"\\x${line:6:2}\\x${line:4:2}\\x${line:2:2}\\x${line:0:2}\""
  fi
done < "$tmp"

rm -f "$tmp"
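The same conversion written in Python, as an added example rather than the post's dumpsc.sh: it parses an objdump listing, emits the bytes in memory (little-endian) order, and also handles 32-bit Thumb-2 instructions, which objdump prints as two halfwords and which the bash script would truncate. The listing embedded below is constructed by hand in objdump's format for the hello-world object above (the load address 0x10054 is an assumption; the encodings are the ones the post's C program carries).

```python
"""Turn an `objdump -d` listing of an ARM/Thumb object into little-endian
shellcode bytes and the quoted \\x.. lines used in a C test program."""
import re

# Constructed sample, modelled on `objdump -d hello` for the assembly above.
# Address 0x10054 is an assumption; the encodings match the post's C program.
SAMPLE_LISTING = """\
hello:     file format elf32-littlearm


Disassembly of section .text:

00010054 <_start>:
   10054:\te28f6001 \tadd\tr6, pc, #1
   10058:\te12fff16 \tbx\tr6
   1005c:\t220c      \tmovs\tr2, #12
   1005e:\t4679      \tmov\tr1, pc
   10060:\t310e      \tadds\tr1, #14
   10062:\t2001      \tmovs\tr0, #1
   10064:\t2704      \tmovs\tr7, #4
   10066:\tdf01      \tsvc\t1
   10068:\t1b24      \tsubs\tr4, r4, r4
   1006a:\t1c20      \tadds\tr0, r4, #0
   1006c:\t2701      \tmovs\tr7, #1
   1006e:\tdf01      \tsvc\t1
   10070:\t6c6c6568 \t.word\t0x6c6c6568
   10074:\t6f77206f \t.word\t0x6f77206f
   10078:\t0a646c72 \t.word\t0x0a646c72
"""

# An instruction line: address, colon, then one encoding token, which is an
# 8-digit ARM word (or .word data), a 4-digit Thumb halfword, or two
# halfwords for a 32-bit Thumb-2 instruction ("f000 f800").
_LINE = re.compile(r"^\s*[0-9a-f]+:\s+([0-9a-f]{8}|[0-9a-f]{4}(?: [0-9a-f]{4})?)\s")


def listing_to_bytes(listing: str) -> bytes:
    """Collect the encodings in memory order; each unit is converted to little endian."""
    out = bytearray()
    for line in listing.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # file header, section header, symbol line, blank line
        for unit in m.group(1).split(" "):
            # objdump prints every word/halfword as a value; memory order is
            # little endian, and Thumb-2 halfwords keep their printed order
            out += int(unit, 16).to_bytes(len(unit) // 2, "little")
    return bytes(out)


def to_c_lines(code: bytes, width: int = 4) -> list:
    """Render the bytes as the quoted \\x.. lines used in the C program below."""
    return ['"' + "".join(f"\\x{b:02x}" for b in code[i:i + width]) + '"'
            for i in range(0, len(code), width)]


if __name__ == "__main__":
    sc = listing_to_bytes(SAMPLE_LISTING)
    print(f"{len(sc)} bytes")
    print("\n".join(to_c_lines(sc)))
```

Run it as a script to print the 40 bytes of the hello-world shellcode; to use it on a real build, read `objdump -d hello` from a pipe instead of `SAMPLE_LISTING`.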

And the corresponding C program that runs the bytes:

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* build: gcc -o hello_sc hello_sc.c */

/* the bytes as printed by dumpsc.sh, one instruction (or data word) per line */
unsigned char sc[] =
"\x01\x60\x8f\xe2"  /* add r6, pc, #1      (ARM)   */
"\x16\xff\x2f\xe1"  /* bx r6                       */
"\x0c\x22"          /* mov r2, #12         (Thumb) */
"\x79\x46"          /* mov r1, pc                  */
"\x0e\x31"          /* add r1, #14                 */
"\x01\x20"          /* mov r0, #1                  */
"\x04\x27"          /* mov r7, #4                  */
"\x01\xdf"          /* svc 1                       */
"\x24\x1b"          /* sub r4, r4, r4              */
"\x20\x1c"          /* mov r0, r4                  */
"\x01\x27"          /* mov r7, #1                  */
"\x01\xdf"          /* svc 1                       */
"\x68\x65\x6c\x6c"  /* "hell"                      */
"\x6f\x20\x77\x6f"  /* "o wo"                      */
"\x72\x6c\x64\x0a"; /* "rld\n"                     */

int main(void)
{
  size_t len = sizeof(sc) - 1;  /* drop the NUL the string literal appends */

  /* copy the bytes into a page that is both writable and executable, so the
     test does not depend on the stack or .rodata being executable */
  void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (mem == MAP_FAILED) {
    perror("mmap");
    return 1;
  }
  memcpy(mem, sc, len);

  /* flush the data cache and invalidate the instruction cache for the new code */
  __builtin___clear_cache((char *)mem, (char *)mem + len);

  /* the page address has bit 0 clear, so the call enters in ARM state, which
     is what the .code 32 prologue expects; the shellcode calls exit itself,
     so the return below is never reached */
  ((void (*)(void))mem)();
  return 0;
}

That was it for now; I hope I will have some time to port a bind shellcode to ARM.
