ARM Shellcode

ARM machine이 많은데도 불구하고, x86나 mips 아키텍쳐에 비해서 ARM 쉘코드는 온라인에서 찾기 어렵습니다..

하쥐만 상길이형님께서 간지나게 ARM PoC shellcode를 뽑아내셨습니다 ㅋㅋ
(qemu-arm 에서 돌아가는것 확인!)


It is hard to find a very simple ARM shellcode. So I decided to make my own ARM shellcode.

is becoming more and more popular architecture as the number of smart
phones and ‘net books’ are expanding. Don’t forget! iPhone and Nokia
tablets are also running on ARM. :D

So what is the most important thing to consider to generate ARM shellcode?

the linux system call in ARM is little bit different from the x86
system call. Namely, the system call number is stored in r7 register
instead of r0 register. (eax register can be considered as r0 in ARM).
Thus, the arguments are stored in r0, r1, … in turn.

we need some trick to load 32bit immediate value into a memory address
in ARM. Here, I am using four sequential arm instructions to push 32bit
immediate into stack. Note that the exclamation mark in ARM assembly
code means that the index operation is performed before applying the
real instruction. For example, str r2, [r3, #-4]!  means: store r2
value to the ptr {r3-4} and r3 = r3 -4.

With the above facts in mind, I will present my own ARM shellcode here !!
This is just a simple example, and it contains null characters. So not applicable in most of the real cases. :)

You may also like...

2 Responses

  1. beist says:

    Hmm, I tested a shellcode that i got from metasploit years ago, and it worked very well on my iPod touch. By the way, nice work. :) (but maybe it’s needed to be non-null shellcode. cheers.)

    • Cai says:

      Hey beist, thanks for the comment :)
      As it says above, it was only for the test (PoC), so we didn’t really care about the null-characters.

      But it’s of course possible to remove those by having encoder/decoder :p

Leave a Reply

Your email address will not be published. Required fields are marked *