exploit_me

Very vulnerable ARM application (CTF-style exploitation tutorial for ARM, but portable to other platforms)

Why:

Some of my friends asked me if I could put together some examples of exploitable code I've seen in the real world over the past years, for ARM and other platforms.

So, for training purposes, I thought: Why not :)

Installation (recommended setup, not required for exploitation):

The commands below use "python" and "pip" (Python 2.x). For Python 3.x use "python3" and "pip3" instead, e.g. "sudo pip3 install capstone" rather than "sudo pip install capstone".

  1. Basic install (tested with Ubuntu 17.10 64Bit)

     $ sudo apt-get update
     $ sudo apt-get install gdb-multiarch
     $ sudo apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
     $ pip install --upgrade capstone
     $ sudo apt-get install qemu-system-arm
    
  2. Install pwndbg:

    $ git clone https://github.com/pwndbg/pwndbg
    $ cd pwndbg && python setup.py install && cd ..
    
  3. Install ROPgadget:

    $ git clone https://github.com/JonathanSalwan/ROPgadget
    $ cd ROPgadget && python setup.py install && cd ..
    
  4. Install pwntools:

    $ pip install --upgrade pip
    $ pip install --upgrade pwntools
    
  5. Install cross compilers (only needed if you want to add stuff or port to other platforms):

    $ sudo apt-get install libc6-armel-cross libc6-dev-armel-cross
    $ sudo apt-get install binutils-arm-linux-gnueabi
    $ sudo apt-get install libncurses5-dev
    $ sudo apt-get install gcc-arm-linux-gnueabi
    $ sudo apt-get install g++-arm-linux-gnueabi
    
  • For cross-compiling the code for ARM:
     $ arm-linux-gnueabi-g++ -fno-stack-protector exploit.cpp -o exploit
    
    (Remove -fno-stack-protector for more fun)

Usage:

  • To check that it works: "qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit"

  • Example debugging session:

    $ sudo ./disableaslr.sh
    $ mkdir -p dir1/dir2
    

    (Disables ASLR; skip it if you want a harder target. dir1/dir2 must exist in the directory of exploit, it is needed for the Path Traversal level.)

    In first terminal:

    $ qemu-arm-static -L /usr/arm-linux-gnueabi/ -g 1234 ./exploit [levelpassword] [options]
    

    Add this to .gdbinit in your home directory so that gdb auto-loads the project .gdbinit from the exploit directory:

    set auto-load safe-path /
    

    (Note that this lets gdb auto-load a .gdbinit from any directory, including untrusted checkouts. A narrower setting is "add-auto-load-safe-path /path/to/exploit_me", or put the three lines from "My .gdbinit setup" below into ~/.gdbinit directly.)

    In second terminal (run it from the directory that contains the project .gdbinit):

    $ gdb-multiarch ./exploit
    
  • GDB basics: "si" steps into a call (one instruction), "ni" steps over it; with pwndbg, "so" (stepover) does the same. "info functions" lists all functions. "b [function]" sets a breakpoint (for example "b main"), "b *0x1234" sets one at address 0x1234, and "c" continues the program. "x/[count]x [addr]" dumps memory as hex words, for example "x/4x 0x1234"; "x/[count]x $reg" dumps memory at the address held in a register, for example "x/4x $sp" for the top of the stack. With pwndbg you can use "rop" to list ROP gadgets, for example "rop --grep 'pop {r3'" lists gadgets that pop a value from the stack into r3. See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details!

  • After a successful exploit you will see the password for the next level. So if the level 2 password were "Level2":

    $ qemu-arm-static -L /usr/arm-linux-gnueabi/ ./exploit Level2
    
  • For cheaters, or for people who want to understand the levels with less instruction-set knowledge: see the solution and the source code in exploit.cpp

  • More solutions are possible, including ROP chains, not just mine

  • Some hints are printed to the console (an information leak) which you normally wouldn't have; they make things easier for beginners, which is why I added them

My .gdbinit setup:

set endian little
set architecture arm
target remote :1234
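The two-terminal session above (qemu-arm-static with a gdb stub, then gdb-multiarch attaching with the .gdbinit settings) collapsed into one script, as an added example that is not part of exploit_me. It assumes the sysroot at /usr/arm-linux-gnueabi/ (override with SYSROOT), the target ./exploit and stub port 1234; the three .gdbinit settings are passed with -ex, so "set auto-load safe-path /" is not needed.

```bash
#!/bin/sh
# Added example, not part of exploit_me: runs the two-terminal debugging session
# from the Usage section as one script. Assumptions: the ARM sysroot is under
# /usr/arm-linux-gnueabi/ (override with SYSROOT), the target is ./exploit and
# the gdb stub listens on port 1234. The .gdbinit settings are passed with -ex,
# so no "set auto-load safe-path /" is required.
SYSROOT="${SYSROOT:-/usr/arm-linux-gnueabi/}"

# Print the exact commands a session would run (dry run, also used for checking).
show_session() {
    bin="$1"; port="$2"; shift 2
    printf 'qemu-arm-static -L %s -g %s %s' "$SYSROOT" "$port" "$bin"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
    printf 'gdb-multiarch -q -ex "set endian little" -ex "set architecture arm" -ex "target remote :%s" %s\n' "$port" "$bin"
}

# Start qemu in the background (it blocks until gdb attaches), then attach
# gdb-multiarch in the foreground; qemu is killed when gdb exits.
debug_level() {
    bin="$1"; port="$2"; shift 2
    show_session "$bin" "$port" "$@"
    qemu-arm-static -L "$SYSROOT" -g "$port" "$bin" "$@" &
    qemu_pid=$!
    gdb-multiarch -q -ex "set endian little" -ex "set architecture arm" \
        -ex "target remote :$port" "$bin"
    kill "$qemu_pid" 2>/dev/null
}

# Usage: sh debug.sh ./exploit 1234 [levelpassword] [options]
# The session only starts when arguments are given, so the file can also be
# sourced to reuse the functions.
if [ "$#" -ge 2 ]; then
    debug_level "$@"
fi
```

Run it as "sh debug.sh ./exploit 1234 Level2 [options]"; leave the exploit's .gdbinit out of your home directory and the -ex settings do the same job without widening gdb's auto-load policy for every directory you cd into.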

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
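The length-check pattern behind the Level 1 class, as an added example that is not exploit_me's code: plain C that builds with the native compiler or with arm-linux-gnueabi-gcc, showing a wrapping 32-bit bounds check and a wrapping size computation next to their hardened forms. The record layout (a 32-bit offset and length into a RECORD_SIZE buffer) and the count * elem allocation are assumptions made for the illustration.

```c
/* Added example, not code from exploit_me: the integer-overflow length-check
 * pattern that "Level 1: Integer overflow" names, shown generically alongside
 * its hardened form. The record layout (32-bit offset and length into a
 * fixed-size buffer) and RECORD_SIZE are assumptions for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 64u  /* assumed size of the in-memory record */

/* Vulnerable check: off + len is added in 32-bit unsigned arithmetic and wraps,
 * so off = 16, len = 0xFFFFFFF8 gives off + len == 8 and passes. A memcpy
 * guarded by this check then reads or writes far past the buffer. */
bool range_ok_vuln(uint32_t off, uint32_t len, uint32_t size)
{
    return off + len <= size;
}

/* Hardened check: compare each term against the bound without adding them. */
bool range_ok_safe(uint32_t off, uint32_t len, uint32_t size)
{
    return off <= size && len <= size - off;
}

/* The same bug in a size computation: count * elem wraps to a tiny value, so
 * the allocation is far smaller than the data later written into it. */
uint32_t alloc_bytes_vuln(uint32_t count, uint32_t elem)
{
    return count * elem;
}

/* Hardened: use the compiler's checked multiply (gcc/clang builtin). */
bool alloc_bytes_safe(uint32_t count, uint32_t elem, uint32_t *out)
{
    uint32_t r;
    if (__builtin_mul_overflow(count, elem, &r))
        return false;
    *out = r;
    return true;
}

/* Copy a sub-range of a record into dst using the hardened check. Returns the
 * number of bytes copied, or -1 if the range is rejected. */
int read_range(uint8_t *dst, const uint8_t *rec, uint32_t off, uint32_t len)
{
    if (!range_ok_safe(off, len, RECORD_SIZE))
        return -1;
    memcpy(dst, rec + off, len);
    return (int)len;
}

int main(void)
{
    uint32_t off = 16, len = 0xFFFFFFF8u, bytes;
    printf("vuln check (off=%u len=%#x): %s\n", off, len,
           range_ok_vuln(off, len, RECORD_SIZE) ? "accepted" : "rejected");
    printf("safe check (off=%u len=%#x): %s\n", off, len,
           range_ok_safe(off, len, RECORD_SIZE) ? "accepted" : "rejected");
    printf("vuln alloc (0x40000001 * 4) = %u bytes\n",
           alloc_bytes_vuln(0x40000001u, 4));
    printf("safe alloc (0x40000001 * 4): %s\n",
           alloc_bytes_safe(0x40000001u, 4, &bytes) ? "ok" : "rejected");
    return 0;
}
```

On a 32-bit ARM target the wrapped sum is exactly what you look for in the disassembly: an "add" followed by a "cmp" against the limit, with no check on the individual operands. The hardened variants avoid the addition and the multiplication entirely, which is the fix that survives regardless of word size.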

ToDo:

  • Will add other vulnerabilities as I come across them or have spare time (multi-threading and use-after-free vulnerabilities are still missing and will follow soon)
  • Port to ARM64

License:

MIT License (Share, modify and use as you like, but refer to the original author !)
