WRITING ARM SHELLCODE
Saumil Shah (@therealsaumil)
The ARM Exploit Laboratory, 44CON 2017
Saumil Shah
• CEO, Net-square.
• Hacker, Speaker, Trainer, Author.
• M.S. Computer Science, Purdue University.
• LinkedIn: saumilshah
• Twitter: @therealsaumil
Azeria
• Hacker
• Offensive Security
• Reverse Engineering
• Malware Research
• ARM Tutorials
• Azeria-Labs
• Twitter: @Fox0x01
There is an Intel on every desktop, but an ARM in every pocket.
ARM CPU Features
• RISC CPU.
• Load/Store architecture.
• 32bit ARM mode / 16bit Thumb mode.
• Conditional Execution (ARM mode only).
• Inline Barrel Shifter.
• Fully aligned memory access.
• Bi-Endian (Data).
ARM CPU Registers

Register   Alias   Purpose
R0         -       Accumulator
R1 - R6    -
R7         -       Syscall Number
R8 - R10   -
R11        FP      Frame Pointer (if used)
R12        IP      Intra Procedural Call scratch register
R13        SP      Stack Pointer
R14        LR      Link Register
R15        PC      Program Counter
CPSR       -       Current Program Status Register
CPSR bit layout

Bit(s)   Flag   Meaning
31       N      Negative
30       Z      Zero
29       C      Carry
28       V      oVerflow
27       Q      underflow
24       J      Jazelle
19 - 16  GE     Greater than or Equal for SIMD
9        E      Endianness
8        A      Abort disable
7        I      IRQ disable
6        F      FIQ disable
5        T      Thumb state
4 - 0    M      privilege mode

cpsr = 0x??????30 = user, thumb
cpsr = 0x??????10 = user, arm
Bitwise operations

Instruction         Operation
and r0, r1, r2      Bitwise AND
orr r0, r1, r2      Bitwise OR
eor r0, r1, r2      Bitwise XOR
mvn r0, r1          NOT (Move Negative)
Branches
• Branch with Exchange
  – Can be used to switch to Thumb mode and vice versa.
• Branch with Link
  – Can save the value of PC into LR before branching.
Branches

Instruction   Operation                                    Name
b offset      pc = pc + offset                             Branch
bx Rm         pc = Rm                                      Branch and Exchange
              LSB(pc) = 1: Thumb Mode, LSB(pc) = 0: ARM Mode
bl offset     lr = pc; pc = pc + offset                    Branch and Link
blx Rm        lr = pc; pc = Rm                             Branch, Link and Exchange
              LSB(pc) = 1: Thumb Mode, LSB(pc) = 0: ARM Mode
Load/Store Instructions

Instruction          Operation
ldr r0, [r1]         r0 = [r1]
ldr r0, [r1, #4]     r0 = [r1 + 4]
ldr r0, [r1, r2]     r0 = [r1 + r2]
str r0, [r1]         [r1] = r0
str r0, [r1, #4]     [r1 + 4] = r0
str r0, [r1, r2]     [r1 + r2] = r0
ldrb / strb          Load / Store single byte
ldrh / strh          Load / Store half-word (2 bytes)
Load Immediate - limitations
• ARM instructions are 4 bytes wide.
• This includes OPCODE + OPERANDS, so the operand field of one instruction is narrower than 32 bits.
• How do we load a 32 bit value into a 32 bit register?
  – e.g. r0 = 0x41424344
  – mov r0, 0x41424344 won't work.
PC Relative Addressing
• For Immediate values larger than what can be contained in a single instruction...
• ...the assembler places them in a LITERAL POOL.
• Literal Pool = part of code region set aside for storing literals/constants.
• Literal Pool is accessed using a relative offset from the current program
PC Relative Addressing: current instruction address + 8 = 0x8108

Address   Contents
0x8100    ldr r0, [pc, #12]
0x8104    add r1, pc, #12
0x8108    ...
0x810c    ...
0x8110    ...
0x8114    0x41414141    <- literal pool
0x8118    0x42424242

r0 = [0x8108 + 12] = [0x8114]
PC Relative Addressing - MUSTs
• Literal Pools MUST BE 4 byte aligned.
• PC Relative offsets MUST BE multiples of 4 bytes (even in THUMB mode).
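The literal-pool lookup from the 0x8100 listing, with the two MUSTs enforced, as an added example that is not part of the slides. ARM-mode PC-read semantics (address + 8) are the slide's; the Thumb branch (PC reads as address + 4, base rounded down to 4 bytes) is an added generalisation, and the memory image is constructed to mirror the listing.

```python
# Added example, not from the slides: resolve the address a PC-relative load
# reads and enforce the two MUSTs. ARM mode: PC reads as the instruction's own
# address + 8. Thumb mode (added generalisation): PC reads as address + 4 and
# LDR (literal) rounds that base down to a 4 byte boundary (Align(PC, 4)).

def offset_is_valid(offset: int) -> bool:
    """PC-relative offsets must be multiples of 4 bytes (even in Thumb mode)."""
    return offset % 4 == 0

def pc_value(insn_addr: int, thumb: bool = False) -> int:
    """Value the CPU supplies for PC to the instruction located at insn_addr."""
    return insn_addr + (4 if thumb else 8)

def literal_address(insn_addr: int, offset: int, thumb: bool = False) -> int:
    """Address accessed by `ldr rX, [pc, #offset]` located at insn_addr."""
    if not offset_is_valid(offset):
        raise ValueError(f"offset {offset:#x} is not a multiple of 4")
    base = pc_value(insn_addr, thumb)
    if thumb:
        base &= ~3                      # Thumb LDR (literal) uses Align(PC, 4)
    target = base + offset
    if target % 4 != 0:
        raise ValueError(f"literal pool entry at {target:#x} is not 4 byte aligned")
    return target

# Constructed memory image mirroring the slide listing (ARM mode).
CODE = {
    0x8100: "ldr r0, [pc, #12]",
    0x8104: "add r1, pc, #12",
    0x8108: "...", 0x810c: "...", 0x8110: "...",
    0x8114: 0x41414141,                 # literal pool starts here
    0x8118: 0x42424242,
}

def load_literal(insn_addr: int, offset: int, thumb: bool = False, mem=CODE) -> int:
    """Word that the ldr at insn_addr actually loads from the literal pool."""
    word = mem[literal_address(insn_addr, offset, thumb)]
    if not isinstance(word, int):
        raise ValueError("PC-relative load hit code instead of the literal pool")
    return word

if __name__ == "__main__":
    pc = pc_value(0x8100)
    tgt = literal_address(0x8100, 12)
    print(f"r0 = [{pc:#x} + 12] = [{tgt:#x}] = {load_literal(0x8100, 12):#x}")
    print(f"r1 = {pc_value(0x8104):#x} + 12 = {pc_value(0x8104) + 12:#x}")
```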
• Self contained code.
• No absolute addresses.
• Be independent of the process being executed/attacked.
• Avoid library calls.
• All OS services accessed via syscalls.
• Compact.
• Free of NULL bytes.
Shellcode alignment with sp

[Figure: stack layout. The return address points at a "bx sp" instruction in the binary / library; after the A A A A ... A A A padding, sp points at SHELLCODE, and "bx sp" sets pc to it.]

Better placement for shellcode. Need to locate a proper branch.
Placeholder Shellcode
• Intel x86
  – INT3 instruction – opcode 0xCC.
• ARM
  – BKPT instruction (4 bytes) – opcode 0xe1200070.
  – NULL byte problem.
  – bkpt 0xfff – opcode 0xe120ff7f.
  – bkpt ignores the operand.
• Thumb
  – BKPT instruction (2 bytes)
  – bkpt 0xff – opcode 0xbeff.
ARM or Thumb?
• Thumb instructions are always preferred over ARM instructions.
• Greater probability of finding 2 byte sequences.
• Thumb keeps shellcode compact.
• Also easier to avoid NULL bytes.
Returning to "bx sp"

libc-2.13.so base: 0xb6e9c000
libc-2.13.so + 0x5530 = 0xb6ea1530: bx sp (Thumb)

How does the CPU know which mode to switch into?
Switching between ARM/Thumb
• BX / BLX instructions, depending upon the operand.
  – PC with LSB = 1 forces Thumb mode.
  – PC with LSB = 0 forces ARM mode.
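The CPSR fields from the earlier slide and the BX interworking rule above, as an added example that is not part of the slides, written the way an analyst would decode register state from a debugger or crash dump. The mode encodings beyond user mode and the sample stack pointer value are assumptions added here; the 0xb6ea1531 return address is the slides' own.

```python
# Added example, not from the slides: decode the CPSR fields listed on the CPSR
# slide and apply the BX/BLX rule (target LSB = 1 -> Thumb, LSB = 0 -> ARM).

FLAG_BITS = {31: "N", 30: "Z", 29: "C", 28: "V", 27: "Q", 24: "J",
             9: "E", 8: "A", 7: "I", 6: "F", 5: "T"}
T_BIT = 1 << 5
# M[4:0] encodings (assumed set; a user-space dump normally shows 0x10).
MODES = {0x10: "user", 0x11: "fiq", 0x12: "irq", 0x13: "svc",
         0x17: "abt", 0x1b: "und", 0x1f: "sys"}

def decode_cpsr(cpsr: int) -> dict:
    """Split a 32-bit CPSR into flags, GE, privilege mode and instruction set."""
    flags = {name: bool(cpsr >> bit & 1) for bit, name in FLAG_BITS.items()}
    mode = cpsr & 0x1f
    return {
        "flags": flags,
        "ge": (cpsr >> 16) & 0xf,                 # GE[3:0] for SIMD, bits 19:16
        "mode": MODES.get(mode, f"unknown({mode:#04x})"),
        "isa": "thumb" if flags["T"] else "arm",
    }

def bx(cpsr: int, rm: int) -> tuple[int, int]:
    """Simulate `bx Rm`: return (new pc, new cpsr) per the interworking rule."""
    if rm & 1:                                    # LSB = 1: Thumb, bit 0 consumed
        return rm & ~1, cpsr | T_BIT
    if rm & 2:                                    # ARM targets must be 4 byte aligned
        raise ValueError(f"bx {rm:#x}: not a valid ARM-mode address")
    return rm, cpsr & ~T_BIT

if __name__ == "__main__":
    # The slide's scenario: return into 0xb6ea1531 (libc bx sp, LSB = 1) lands
    # in Thumb; that bx sp then targets a 4 byte aligned sp and is back in ARM.
    cpsr = 0x60000010                             # Z and C set, user, ARM
    pc, cpsr = bx(cpsr, 0xb6ea1531)
    print(f"pc={pc:#x} cpsr={cpsr:#010x} -> {decode_cpsr(cpsr)['isa']}")
    pc, cpsr = bx(cpsr, 0xbefff7c0)               # constructed sp value
    print(f"pc={pc:#x} cpsr={cpsr:#010x} -> {decode_cpsr(cpsr)['isa']}")
```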
Returning to Thumb "bx sp"

libc-2.13.so base: 0xb6e9c000
libc-2.13.so + 0x5530 = 0xb6ea1530: bx sp (Thumb)

Set return address = libc_base + offset + 1 (force Thumb)
Shellcode alignment with sp (libc)

[Figure: the return address b6ea1531 (LSB = 1) points at "bx sp" in libc, so the return switches to Thumb mode; "bx sp" then switches back to ARM mode, since the data is 4 byte aligned and sp will have LSB = 0. After the A A A A ... A A A padding, sp points at SHELLCODE.]

Deliberately forcing a return-to-thumb "bx sp" instruction by setting PC LSB = 1.