
ARM ROP Know-how for x86 ROP Hackers

As most hackers already know the basics, I want to share some know-how about ROP. If you are a newbie hacker who is already familiar with UAF and ROP on x86 (or x86_64) CPUs, you only need a few pieces of information to do ROP on ARM CPUs.

<A "good tool" has always been life to hackers. Good tools don't make good hackers, but fast ones can. I like people who make good tools, like great blacksmiths, rather than hackers who merely use good tools. I admire true blacksmiths.>

1. Find and use a useful ROP tool to extract enough gadgets. The answer is a tool called "xrop". This tool is enough.

<Methodology for ROP Chains>

2. Use an instruction of the form "ldmXXXX rX, {rY, rY, rY, ..., sp, lr, pc}" on the ARM CPU. If the r6 register points to a UAF-controlled buffer, the "ldmXXXX r6, {rY, rY, rY, ..., sp, lr, pc}" instruction creates and binds the ROP chain. This single instruction can change the stack pointer (SP), the link register (LR) and the program counter (PC, the instruction pointer) at once. Therefore, it is best to place the return address in the lr register, the address to jump to in the pc register, and the address of the UAF-controlled buffer in the sp register. All of this happens at once when this ROP gadget runs.

The internal code of the legitimate function you need to call almost always returns through a "bx lr" instruction. This means you must chain the ROP through the lr register in order to succeed. When you do ROP on an ARM CPU, the "ldmXXXX" and "bx lr" instructions are a pair. Fortunately, that is enough for you to understand. If you have ROP knowledge on x86 (or x86_64) CPUs as a base, it is easy to master enough in a day or so. (Two or three days is enough, even if you only use the left side of your brain to understand it.)

Also, make use of the extra registers when using this gadget. If you call the mmap function using a gadget such as "ldmXXXX rX, {rY, rY, rY, ..., sp, lr, pc}", the registers used are r0 to r4. In the ARM function calling convention, only r0 ~ r4 are used for argument passing. If there are more arguments to pass, they are taken from the stack. Therefore, the last argument of the mmap function can be passed via the stack, because the sp value has already been replaced when the ldmXXXX gadget executes. All of this is solved by one ldmXXXX gadget instruction. I imagine a strong conspiracy theory about the background in which the ARM CPU was born. Perhaps it was intended to help hackers make ROP easier? It's a joke. I will continue the explanation.

Roughly speaking, from r5 to r9, most register values are retained even after the mmap function returns. Therefore, if you need additional values for the next ROP chain, you can set r5 to r9 in the same ldmXXXX gadget instruction. One gadget instruction can do many things at once. You can use the ldmXXXX ROP chain like this, and when you finally jump to shellcode, you can use the stack with a gadget like "pop {rY, rY, ..., pc}". The pop gadget can be used to set the value of a variable or to jump in one direction. The pop gadget instruction is good for simple one-way use. This explanation should be enough.

<Cautions for ARM CPU Features. If you are a computer doctor, your patient is a binary file. To make sure your patient binary does not die during your operation, you need to know about the special behaviour of the CPU when it executes instructions.>

3. Verify whether the ROP gadget on your ARM CPU is 4 bytes or 2 bytes long. If the gadget you need to use is 2 bytes, add "+1" to the offset address you found. Because 2-byte instructions are executed in Thumb mode, they only execute correctly when called with an odd address. Therefore, when you call a function, for example, it will most likely only execute correctly with "offset + 1" added.
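As an added illustration of steps 2 and 3 (example code written for this page, not from the original post or from xrop), the following Python model shows how an ldm gadget with sp, lr and pc in its register list fills registers from a controlled buffer, why the fifth and later arguments of a call come from the new sp, and how the low bit of a loaded pc or lr selects Thumb state. The register list, buffer layout and every value are constructed for illustration.

```python
# Added example (not from the original post): a small model of how an
# "ldmia rX, {..., sp, lr, pc}" gadget consumes a controlled buffer and of
# the Thumb low-bit rule from step 3. Register list, buffer layout and all
# values below are constructed for illustration only.
import struct

ARM_REGS = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]

def reg_index(name):
    """Architectural number of a register (r0..r12, sp=13, lr=14, pc=15)."""
    return ARM_REGS.index(name)

def ldmia(reglist, base, memory):
    """Model LDMIA: each listed register is loaded from the next word at
    `base`, in ascending register number, whatever order the braces use."""
    state = {}
    for i, reg in enumerate(sorted(reglist, key=reg_index)):
        state[reg] = struct.unpack_from("<I", memory, base + 4 * i)[0]
    return state

def branch_target(value):
    """A pc load (or bx lr) with bit 0 set enters Thumb state; the bit is
    not part of the fetched address. Returns (address, is_thumb)."""
    return value & ~1, bool(value & 1)

def stack_args(memory, sp, count):
    """AAPCS passes the first four arguments in r0-r3; the 5th onward are
    read from consecutive words at [sp]."""
    return [struct.unpack_from("<I", memory, sp + 4 * i)[0] for i in range(count)]

def demo():
    """Constructed buffer (offsets are relative to the buffer start): seven
    words consumed by the ldm, then two words the new sp will point at."""
    words = [0x10, 0x11, 0x12, 0x13, 28, 0x10001, 0x20000, 0xAAAA, 0xBBBB]
    buf = struct.pack("<9I", *words)
    # Braces written in reverse order: the CPU still fills r0 first.
    state = ldmia(["pc", "lr", "sp", "r3", "r2", "r1", "r0"], 0, buf)
    extra = stack_args(buf, state["sp"], 2)  # 5th/6th arguments from the stack
    return state, extra

if __name__ == "__main__":
    state, extra = demo()
    print(state, extra, branch_target(state["lr"]))
```

Running it shows that sp lands on the two trailing words (so they are read as the fifth and sixth arguments) and that the odd lr value 0x10001 resolves to address 0x10000 in Thumb state, which is the "+1" rule from step 3.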