Merge pull request #3 from pwncollege/arm-rop-changes

Edits to support arm64
pwncollege · Sep 20, 2024 · 664525a · 664525a
2 parents f044301 + 2fae90a
commit 664525a
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 3 deletions.
diff --git a/pwnshop/challenges/__init__.py b/pwnshop/challenges/__init__.py
@@ -44,6 +44,7 @@ class Challenge:
     COMPILER = "gcc"
     PIE = None
     RELRO = "full"
+    MASM_FLAG = "-masm=intel"
     CANARY = None
     FRAME_POINTER = None
     STATIC = False
@@ -143,7 +144,8 @@ def build_compiler_cmd(self):
         if self.STRIP:
             cmd.append("-s")
 
-        cmd.append("-masm=intel")
+        if self.MASM_FLAG:
+            cmd.append(self.MASM_FLAG)
 
         cmd.append("-w")
 

diff --git a/pwnshop/challenges/base/base.c b/pwnshop/challenges/base/base.c
@@ -80,12 +80,12 @@
             printf("  Your effective user id is not 0!\n");
             printf("  You must directly run the suid binary in order to have the correct permissions!\n");
         }
-        return;
+        exit(-1);
     }
     flag_length = read(flag_fd, flag, sizeof(flag));
     if (flag_length <= 0) {
         printf("\n  ERROR: Failed to read the flag -- %s!\n", strerror(errno));
-        return;
+        exit(-1);
     }
     {% set stdout = "fileno(thread_stdout)" if challenge.threaded_server else "1"%}
     write({{ stdout }}, flag, flag_length);

diff --git a/pwnshop/challenges/disassemble_rop_aarch64.c b/pwnshop/challenges/disassemble_rop_aarch64.c
@@ -0,0 +1,53 @@
+
+#include <errno.h>
+#include <capstone/capstone.h>
+
+#define CAPSTONE_ARCH CS_ARCH_ARM64
+#define CAPSTONE_MODE CS_MODE_ARM
+
+void print_gadget(unsigned long *gadget_addr)
+{
+  csh handle;
+  cs_insn *insn;
+  size_t count;
+  unsigned char vec[64];
+
+  if (cs_open(CAPSTONE_ARCH, CAPSTONE_MODE, &handle) != CS_ERR_OK) {
+    printf("ERROR: disassembler failed to initialize.\n");
+    return;
+  }
+
+  printf("| 0x%016lx: ", (unsigned long)gadget_addr);
+
+  int r = mincore((void *) ((uintptr_t)gadget_addr & ~0xfff), 64, vec);
+  if (r < 0 && errno == ENOMEM) {
+    printf("(UNMAPPED MEMORY)");
+  }
+  else {
+    count = cs_disasm(handle, (void *)gadget_addr, 64, (uint64_t)gadget_addr, 0, &insn);
+    if (count > 0) {
+      for (size_t j = 0; j < count; j++) {
+        printf("%s %s ; ", insn[j].mnemonic, insn[j].op_str);
+        if (strcmp(insn[j].mnemonic, "ret") == 0 || strcmp(insn[j].mnemonic, "blr") == 0) break;
+      }
+
+      cs_free(insn, count);
+    }
+    else {
+      printf("(DISASSEMBLY ERROR) ");
+      for (int k = 0; k < 16; k++) printf("%02hhx ", ((uint8_t*)gadget_addr)[k]);
+    }
+  }
+  printf("\n");
+
+  cs_close(&handle);
+}
+
+void print_chain(unsigned long **chain_addr, int chain_length)
+{
+  printf("\n+--- Printing %ld gadgets of ROP chain at %p.\n", chain_length, chain_addr);
+  for (int i = 0; i < chain_length; i++) {
+    print_gadget(*(chain_addr + i));
+  }
+  printf("\n");
+}
diff --git a/pwnshop/challenges/stack_recon_aarch64.c b/pwnshop/challenges/stack_recon_aarch64.c
@@ -0,0 +1,27 @@
+uint64_t sp_;
+uint64_t bp_;
+uint64_t sz_;
+uint64_t cp_;
+uint64_t cv_;
+uint64_t si_;
+uint64_t rp_;
+
+#define GET_SP(sp) asm volatile ("mov %0, SP" : "=r"(sp) : : );
+#define GET_BP(bp) asm volatile ("mov %0, FP" : "=r"(bp) : : );
+#define GET_FRAME_WORDS(sz_, sp, bp, rp_) GET_SP(sp); GET_BP(bp); sz_ = (bp-sp)/8+2; rp_ = bp+0x8;
+
+void DUMP_STACK(uint64_t sp, uint64_t n)
+{
+  printf("+---------------------------------+-------------------------+--------------------+\n");
+  printf("| %31s | %23s | %18s |\n", "Stack location", "Data (bytes)", "Data (LE int)");
+  printf("+---------------------------------+-------------------------+--------------------+\n");
+  for (si_ = 0; si_ < n; si_++) {
+    printf("| 0x%016lx (rsp+0x%04x) | %02x %02x %02x %02x %02x %02x %02x %02x | 0x%016lx |\n",
+           sp+8*si_, 8*si_,
+           *(uint8_t *)(sp+8*si_+0), *(uint8_t *)(sp+8*si_+1), *(uint8_t *)(sp+8*si_+2), *(uint8_t *)(sp+8*si_+3),
+           *(uint8_t *)(sp+8*si_+4), *(uint8_t *)(sp+8*si_+5), *(uint8_t *)(sp+8*si_+6), *(uint8_t *)(sp+8*si_+7),
+           *(uint64_t *)(sp+8*si_)
+           );
+  }
+  printf("+---------------------------------+-------------------------+--------------------+\n");
+}