You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I wrote an exploit for an 32-bit ARM Little Endian Linux based system a while back, and came across a bug in the template used to generate binaries for ELF shared object binaries.
If you generate a payload via msfvenom for an ELF Shared Object (SO) like this:
We can note that the entry point is located as 0xF6, and the code at LOAD:000000F6 has failed to disassemble.
If we look at the documentation from ARM here we can note the following:
All A32 instructions are 32 bits long. Instructions are stored word-aligned, so the least significant two bits of instruction addresses are always zero in A32 state.
T32 instructions are either 16 or 32 bits long. Instructions are stored half-word aligned.
Note, on ARM a word here is 32 bits and a half-word is 16 bits (Confusing if you are used to Windows development, i.e. DWORD et. al.).
As the entry point is 0xF6, the least significant bit is not set, so we are not in Thumb mode (T32), however the alignment is wrong for Arm mode (A32), it should be either 0xF4 or 0xF8 (word aligned), but it cannot be 0xF6 (half-word aligned).
During my development, a shared object binary like this would fail to load and execute.
The solution was to honor the expected alignment requirements, by adding two extra null bytes before the _start label.
diff --git a/elf_dll_armle_template.s b/elf_dll_armle_template_fix.s
index d159a69..2c026b8 100644
--- a/elf_dll_armle_template.s+++ b/elf_dll_armle_template_fix.s@@ -88,5 +88,8 @@ strtab:
db 0
db 0
strtabsz equ $ - strtab
++ db 0x00, 0x00 ; add padding to honor T32 alignment+
global _start
_start:
The result of this was the entry point will be 0xF8 and the SO binary loaded as expected in my target system.
This should then work for both A32 and T32 code that gets placed in the SO.
The text was updated successfully, but these errors were encountered:
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
bcoles
added
not-stale
Label to stop an issue from being auto closed
and removed
Stale
Marks an issue as stale, to be closed if no action is taken
labels
Jan 17, 2025
I wrote an exploit for an 32-bit ARM Little Endian Linux based system a while back, and came across a bug in the template used to generate binaries for ELF shared object binaries.
If you generate a payload via
msfvenom
for an ELF Shared Object (SO) like this:$ ruby msfvenom --arch armle --platform linux --payload linux/armle/exec --format elf-so -o ~/hax1.so CMD="something"
A binary is created via a template (here in Ruby we get the template bin file, and here is the actual template source code).
If we load the resulting binary
hax1.so
into IDA, we can see the following:We can note that the entry point is located as
0xF6
, and the code atLOAD:000000F6
has failed to disassemble.If we look at the documentation from ARM here we can note the following:
Note, on ARM a word here is 32 bits and a half-word is 16 bits (Confusing if you are used to Windows development, i.e. DWORD et. al.).
As the entry point is
0xF6
, the least significant bit is not set, so we are not in Thumb mode (T32), however the alignment is wrong for Arm mode (A32), it should be either0xF4
or0xF8
(word aligned), but it cannot be0xF6
(half-word aligned).During my development, a shared object binary like this would fail to load and execute.
The solution was to honor the expected alignment requirements, by adding two extra null bytes before the
_start
label.The result of this was the entry point will be 0xF8 and the SO binary loaded as expected in my target system.
This should then work for both A32 and T32 code that gets placed in the SO.
The text was updated successfully, but these errors were encountered: