Proj 17: ARM Stack Overflow Exploit (20 pts)

Purpose

Practice ARM assembly and binary exploitation

What You Need

Background

ARM processors are used in cell phones and most other mobile devices, and they are spreading into laptops and servers because they are more power-efficient than Intel's x86 processors.

In this project, we'll use a two-stage virtual environment from Azeria Labs: an Ubuntu Linux virtual machine that uses the QEMU emulator to run a virtual Raspberry Pi (ARM) inside it.

It emulates a 32-bit ARMv6 processor, as shown below.


17.1: ARM Lab Setup (10 pts)

Download the VM

In a Web browser, go to

http://azeria-labs.com/arm-lab-vm/
Download and unzip the archive, then double-click the Azeria-Lab-v1.vmx file to run the VM in VMware.

You see a desktop, as shown below.

Note: if the machine times out due to inactivity, you'll need to enter the password azerialabs to wake it up.

On the left side, click the "Emulate Raspbian" icon, as shown in the image above.

The Raspberry Pi boots into its "Raspbian" OS, as shown below.

On the bottom right, click the 1/4 box. In the list that pops up, click "Workspace 2", as shown in the image above.

A new workspace appears.

On the left side, click the "SSH into Raspbian" icon, as shown in the image below.

At the "pi@raspberrypi:~ $" prompt, execute these commands:

git clone https://github.com/azeria-labs/ARM-challenges.git
cd ARM-challenges/
chmod +x stack*
ls -l
A list of challenge files appears, as shown below.

Troubleshooting Internet Access

If Raspbian cannot connect to the Internet, at the top left of the Azeria-Lab desktop, click Applications, Terminator, and test the internet with these commands:
ping google.com
ifconfig
If the Azeria-Lab machine is not connected to the Internet, try disconnecting and reconnecting the network adapter from the VMware settings.

Once the Azeria-Lab machine is connected, close and restart the Raspberry Pi emulator. Note that "ping" does not work inside QEMU, whose user-mode networking passes only TCP and UDP, not ICMP.

Screen Blanking

To stop the screen going blank, I recommend this:

Click the icon at the bottom on the left side, that consists of nine dots.

On the right side, click the lower of the two dots to see the second page of icons.

Click the Settings icon.

Click the Power icon.

Set "Blank screen" to Never, as shown below.

Viewing the README

In your emulated Raspberry Pi, at the "pi@raspberrypi:~ $" prompt, execute this command:
cat README.md
A message appears, as shown below.

17.1: Recording Your Success (10 pts.)

Some text is covered by a red rectangle in the image above. Enter that text into the form below to record your score in Canvas.

Name or Email:
Text:

17.2 Reversing stack0 (10 pts.)

Source Code

Here's the source code for stack0, from exploit-exercises.com.

It defines an integer variable named modified and sets it to zero in line 10, as shown below.

It then calls gets() to read user input into a buffer that is 64 bytes long, and checks whether the modified variable has been changed. gets() has no length limit, so any input longer than 64 bytes (plus the terminating null byte that gets() adds) is written past the end of the buffer into whatever is stored above it on the stack.

Running stack0

The "stack0" program demonstrates the simplest sort of buffer overflow, changing the value of an integer variable.

In your emulated Raspberry Pi, at the "pi@raspberrypi:~ $" prompt, execute this command:

./stack0
The program runs, waiting for user input. Type in HELLO and press the Enter key.

A "Try again?" message appears, as shown below.

Run the program again and enter this long string:

AAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLLMMMMM
The program prints "you have changed the 'modified' variable", as shown in the image above.

Loading stack0 in gdb

We'll use gdb with GEF (GDB Enhanced Features), which is already installed in our emulator.

In your emulated Raspberry Pi, at the "pi@raspberrypi:~ $" prompt, execute this command:

gdb -q stack0
The gdb debugger starts, as shown below.

In the debugger, at the gef> prompt, execute these commands to run stack0, breaking at the start of main():

break main
run
When the breakpoint is hit, GEF automatically prints a whole page of context information, as shown below.

The first section shows the registers.

As shown below, the registers play roles similar to those of the x86 registers.

The most important registers for us are $sp (the stack pointer), $r11 (the frame pointer, the counterpart of ebp on x86), $lr (the link register, which holds the return address after a bl call), and $pc (the program counter, the counterpart of eip).

After the registers, gdb shows these sections, as shown below.

Disassembling stack0

In the debugger, at the gef> prompt, execute this command to disassemble main():
disassemble main
Comparing the assembly code to the C source code, the easiest parts to spot are the references to the immediate constant "0", as shown below.

From context, it's apparent that the bl (branch with link) to 0x102e8 calls gets() and the bl to 0x102f4 calls printf().

You can use x/i to see the code at those addresses, but it's not very helpful, as shown below: they are only the short PLT stubs that jump to the real functions in the shared C library.

Continuing the Program in gdb

In gdb, execute this command:
continue
The program waits for input. Enter HELLO and press Enter.

The program says "Try again?", and exits normally, as shown below.

Overflowing the Stack

In gdb, execute these commands:
run
continue
The program waits for input. Enter the line shown below and press Enter.
AAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLLMMMMM
The program prints "you have changed the 'modified' variable", and exits normally, as shown below.

The 65-byte input (plus the null byte gets() appends) overflowed the 64-byte buffer and changed the integer variable stored just above it, but did not reach the saved registers (the frame pointer and the return address) that main() needs in order to return normally.

In gdb, execute these commands:

run
continue
The program waits for input. Enter the line shown below and press Enter.
AAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLLMMMMMAAAAAAAAAAAAAAAA
The program crashes, as shown below.

Notice that $r11 (the frame pointer, the ARM counterpart of ebp) contains 0x41414141, just as ebp does when overflowing the stack on an x86 processor, but $pc contains 0x41414140 rather than 0x41414141, as shown below.

On ARM, the lowest bit of a branch-target address selects the instruction set (0 for ARM, 1 for Thumb), as explained here. When main()'s epilogue pops the overwritten return address 0x41414141 into pc, that bit is consumed as the mode switch and cleared, so execution lands at 0x41414140 in Thumb state. This is one reason it's confusing to exploit buffer overflows in main(), and we generally use code with overflows in other "leaf" functions.
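The following C program is an added example, not code from this page, from exploit-exercises.com or from Azeria Labs. It models what the two inputs typed into stack0 above do to main()'s stack frame, and what the epilogue's pop into pc then does with the overwritten return address. The frame layout (the 64-byte buffer at the bottom, then modified, then the saved r11 and lr) and the two sentinel values standing in for the caller's fp and return address are assumptions chosen to match the gdb observations above; the input strings are the ones used on this page. The model is host-independent: it builds the frame as bytes and decodes words in the little-endian order the emulated Pi uses, so it runs on any machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed model of main()'s stack frame in stack0 on 32-bit ARM, lowest
 * address first.  The offsets are chosen to match what the gdb session
 * shows (65 bytes reach 'modified', 81 bytes reach the saved registers);
 * another compiler or flags could lay the frame out differently, so check
 * "disassemble main" before relying on them.
 */
#define BUF_SIZE       64
#define OFF_MODIFIED   64                      /* int modified, just above buffer  */
#define OFF_SAVED_FP   (OFF_MODIFIED + 4)      /* saved r11, restored into fp      */
#define OFF_SAVED_LR   (OFF_SAVED_FP + 4)      /* saved lr, restored into pc       */
#define FRAME_SIZE     (OFF_SAVED_LR + 4 + 16) /* slack for bytes written past lr  */

/* Hypothetical values standing in for the caller's frame pointer and
 * return address, so we can tell whether the overflow touched them. */
#define SENTINEL_FP    0xBEFFF8C4u
#define SENTINEL_LR    0x00010300u

/* The two inputs typed into stack0 on this page. */
#define STACK0_INPUT_65 "AAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLLMMMMM"
#define STACK0_INPUT_81 STACK0_INPUT_65 "AAAAAAAAAAAAAAAA"

struct stack0_result {
    uint32_t modified;   /* the value main()'s "if (modified != 0)" sees     */
    uint32_t saved_fp;   /* what pop {fp, pc} loads into r11                  */
    uint32_t saved_lr;   /* what pop {fp, pc} loads into pc, before bit 0 goes */
};

/* The emulated Pi is little-endian, so assemble words byte by byte. */
static uint32_t le32_read(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_write(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Simulate gets(buffer): copy the whole line plus its terminating NUL with
 * no bounds check, exactly as gets() does, then read the frame back. */
struct stack0_result simulate_stack0(const char *line) {
    unsigned char frame[FRAME_SIZE];
    struct stack0_result r;
    size_t n = strlen(line) + 1;              /* gets() writes the NUL too  */

    memset(frame, 0, sizeof frame);           /* modified = 0;              */
    le32_write(frame + OFF_SAVED_FP, SENTINEL_FP);
    le32_write(frame + OFF_SAVED_LR, SENTINEL_LR);

    if (n > sizeof frame)                     /* keep the model in bounds   */
        n = sizeof frame;
    memcpy(frame, line, n);                   /* the unbounded write        */

    r.modified = le32_read(frame + OFF_MODIFIED);
    r.saved_fp = le32_read(frame + OFF_SAVED_FP);
    r.saved_lr = le32_read(frame + OFF_SAVED_LR);
    return r;
}

/* What the epilogue does with the saved lr: bit 0 of a branch target
 * selects the instruction set (0 = ARM, 1 = Thumb) and is stripped from
 * pc, so a return address of 0x41414141 leaves pc = 0x41414140 in Thumb
 * state, which is why gef shows that value and a "code:arm:thumb" section. */
uint32_t arm_pc_after_pop(uint32_t saved_lr) {
    return saved_lr & ~1u;
}

int arm_thumb_after_pop(uint32_t saved_lr) {
    return (int)(saved_lr & 1u);
}

int main(void) {
    const char *inputs[] = { "HELLO", STACK0_INPUT_65, STACK0_INPUT_81 };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct stack0_result r = simulate_stack0(inputs[i]);
        printf("%zu-byte line: modified=0x%08x fp=0x%08x lr=0x%08x -> pc=0x%08x (%s)\n",
               strlen(inputs[i]), r.modified, r.saved_fp, r.saved_lr,
               arm_pc_after_pop(r.saved_lr),
               arm_thumb_after_pop(r.saved_lr) ? "Thumb" : "ARM");
        printf("  %s\n", r.modified ? "you have changed the 'modified' variable"
                                    : "Try again?");
    }
    return 0;
}
```

Reading the output against the gdb session: the 65-byte line leaves modified as 0x4D (the last 'M' plus the null byte) and the saved registers untouched, which is the "exits normally" case; the 81-byte line fills modified, fp and lr with 'A's, and the pc value the model derives from lr is the 0x41414140 seen in the crash.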

Viewing the "code:arm:thumb" Section

In the gdb output, find the "code:arm:thumb" section, as shown below.

Find the text that is covered by the blue box in the image below.

Enter that text into the form below.


17.2: Recording Your Success (10 pts.)

Some text is covered by a blue rectangle in the image above. Enter that text into the form below to record your score in Canvas.

Name or Email:
Text:

Sources

https://azeria-labs.com/part-3-stack-overflow-challenges/
MEMORY INSTRUCTIONS: LOAD AND STORE
ARM Assembly: ldr versus mov - Raspberry Pi Forums

Posted 9-3-18