Abstract
We describe a methodology to automatically turn arbitrary ARMv8 programs into alphanumeric executable polymorphic shellcodes. Shellcodes generated in this way can evade detection and bypass filters, broadening the attack surface of ARM-powered devices such as smartphones.
Notes
1. See http://upx.sf.net.
2. Each byte is 8 bits long.
3. Which is 01011000001100000011000000110000 in binary (0x58303030). Incidentally, this instruction is alphanumeric and corresponds to the ASCII string 000X. Note the little endianness of the string.
4. We used the options -D --architecture aarch64 --target binary.
5. Alternatively, we could assume we were working on a Linux OS and perform the appropriate syscall, but again this instruction is not alphanumeric.
6. Also known as the ‘effective power’ SMS exploit.
7. Apple iOS enforces write xor exec.
References
ARM Limited: ARM Architecture Reference Manual, ARMv8, for ARMv8-A architecture profile. ARM Limited, Cambridge (2013)
Basu, A., Mathuria, A., Chowdary, N.: Automatic generation of compact alphanumeric shellcodes for x86. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 399–410. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13841-1_22
Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC 2005, pp. 41–41. USENIX Association, Berkeley (2005). http://dl.acm.org/citation.cfm?id=1247360.1247401
Bontchev, V.: Future trends in virus writing. Int. Rev. Law Comput. Technol. 11(1), 129–146 (1997)
Cristofani, D.: A universal Turing machine. http://www.hevanet.com/cristofd/brainfuck/utm.b
Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege escalation attacks on android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011). doi:10.1007/978-3-642-18178-8_30
Eller, R.: Bypassing MSB data filters for buffer overflow exploits on Intel platforms (2000). https://web.archive.org/web/20070221035114/community.core-sdi.com/~juliano/bypass-msb.txt
Faase, F.: BF is Turing-complete. http://www.iwriteiam.nl/Ha_bf_Turing.html
Kernighan, B.W., Ritchie, D.M.: The M4 macro processor. Bell Laboratories (1977)
Mason, J., Small, S., Monrose, F., MacManus, G.: English shellcode. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, pp. 524–533 (2009)
Metasploit Project: The Metasploit Framework. http://www.metasploit.com/
Obscou: Building IA32 Unicode-proof shellcodes. Phrack (61) (2003). http://phrack.org/issues/61/11.html
One, A.: Smashing the stack for fun and profit. Phrack (49) (1996). http://phrack.org/issues/49/14.html
Qualcomm: Dragonboard 410c. https://developer.qualcomm.com/hardware/dragonboard-410c
Raiter, B.: http://www.muppetlabs.com/~breadbox/bf/
RIX: Writing IA32 alphanumeric shellcodes. Phrack (57) (2001). http://phrack.org/issues/57/15.html
Detristan, T., Ulenspiegel, T., Malcom, Y., Von Underduk, M.S.: Polymorphic shellcode engine using spectrum analysis. Phrack (61) (2003). http://phrack.org/issues/61/9.html
Tan, G., Croft, J.: An empirical security study of the native code in the JDK. In: Usenix Security Symposium, pp. 365–378 (2008)
Xing, L., Bai, X., Li, T., Wang, X., Chen, K., Liao, X., Hu, S.M., Han, X.: Unauthorized cross-app. resource access on Mac OS X and iOS. arXiv preprint arXiv:1505.06836 (2015)
Younan, Y., Philippaerts, P.: Alphanumeric RISC ARM shellcode. Phrack (66) (2009). http://phrack.org/issues/66/12.html
Younan, Y., Philippaerts, P., Piessens, F., Joosen, W., Lachmund, S., Walter, T.: Filter-resistant code injection on ARM. J. Comput. Virol. 7(3), 173–188 (2011)
Appendices
A Source Code of Program 1
The following Haskell program generates all the possible combinations of 4 alphanumeric characters, and saves the result in a file.
B Alphanumeric Instructions
This appendix describes \(\mathcal A_1\), the set of all AArch64 opcodes that can give alphanumeric instructions for some operands.
- Data processing instructions:
- Load and store instructions:
- Branch instructions:
- Other (SIMD, floating point, crypto...):
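As an added example (not the paper's Program 1, which is written in Haskell and is not reproduced on this page, nor its Appendix B tables), the following Python script does the two things Appendices A and B describe: it enumerates the alphanumeric 4-byte words, and it classifies each candidate by the top-level A64 encoding group it can belong to. The op0 decode table (bits 28:25) and the group names are taken from the ARM Architecture Reference Manual; the function names, the 0x58303030 sample from footnote 3 and the per-group census are ours.

```python
"""Enumerate and classify alphanumeric AArch64 instruction words.

Added example (not the paper's Program 1 nor its Appendix B listing).
Every 4-byte string over [0-9A-Za-z] is a candidate A64 instruction, and
the ARMv8-A top-level decode, op0 = bits[28:25] of the 32-bit word, tells
which instruction group such a word can fall into. The op0 table follows
the ARM Architecture Reference Manual; function names here are ours.
"""
import itertools
import struct

# Constructed alphabet: '0'-'9', 'A'-'Z', 'a'-'z' (62 byte values).
ALNUM = bytes(range(0x30, 0x3A)) + bytes(range(0x41, 0x5B)) + bytes(range(0x61, 0x7B))


def is_alphanumeric(word):
    """True if all four bytes of the little-endian instruction word are alphanumeric."""
    return all(b in ALNUM for b in struct.pack("<I", word))


def alnum_words():
    """Yield every alphanumeric 4-byte string as an A64 word (62**4 of them).

    Bytes are produced in memory order, so b'000X' becomes 0x58303030.
    """
    for combo in itertools.product(ALNUM, repeat=4):
        yield struct.unpack("<I", bytes(combo))[0]


def top_level_group(word):
    """Top-level A64 encoding class of a word, from op0 = bits[28:25]."""
    op0 = (word >> 25) & 0xF
    if op0 in (0b1000, 0b1001):
        return "data processing (immediate)"
    if op0 in (0b1010, 0b1011):
        return "branch / exception / system"
    if op0 & 0b0101 == 0b0100:       # x1x0
        return "loads and stores"
    if op0 & 0b0111 == 0b0101:       # x101
        return "data processing (register)"
    if op0 & 0b0111 == 0b0111:       # x111
        return "scalar FP / advanced SIMD"
    return "unallocated"             # 0000, 0001, 0010, 0011 on a v8.0 core


def group_counts():
    """Alphanumeric words per top-level group.

    op0 lies entirely inside the most significant byte, so each of the 62
    possible top bytes fixes the group of 62**3 words; the census needs no
    enumeration of the 14.7M candidates.
    """
    counts = {}
    for top in ALNUM:
        group = top_level_group(top << 24)
        counts[group] = counts.get(group, 0) + len(ALNUM) ** 3
    return counts


def describe(word):
    """Hex value, the ASCII string it is in memory, and its top-level group."""
    text = struct.pack("<I", word).decode("ascii")
    return "0x%08x = %r: %s" % (word, text, top_level_group(word))


if __name__ == "__main__":
    print(describe(0x58303030))          # the '000X' word from footnote 3
    for group, n in sorted(group_counts().items(), key=lambda kv: -kv[1]):
        print("%10d  %s" % (n, group))
```

The group of a word is decided by its top byte alone, so 14 of the 62 usable top bytes ('A' to 'G' and 'a' to 'g') land in encodings that are unallocated on a v8.0 core and can be discarded before any finer decoding; the remaining candidates still have to be checked field by field, which is what the paper's Appendix B tables record.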
C Alphanumeric AND
The and operation described in Sect. 4.2 can be automatically generated using the following code. To abstract register numbers and generate repetitive lines, the source code provided is pre-processed by m4 [9]. This allowed us to easily change a register number without changing every occurrence if we found that a specific register could not be used.
D Encoder’s Source Code
We give here the encoder’s full source code. This program is written in PHP.
E Decoder’s Source Code
We give here the decoder’s full source code. This code is pre-processed by m4 [9], which performs macro expansion. The payload program to decode has to be placed at the pool offset.
F Hello World Shellcode
The following program prints “hello, world” when executed. It can be tested with QEMU using the options qemu-system-aarch64 -machine virt -cpu cortex-a57 -nographic -kernel shellcode.bin -m 2048 --append "console=ttyAMA0". It was generated by the program described in Sect. 5. The notation means that X is repeated Y times.
G Polymorphic Engine
The following shows two modifications that make the code partly polymorphic. The first one is a modification of the encoder, that will randomize both the payload and the remaining blank space.
The second one is an example of adding polymorphism for zeroing a register using a Haskell engine.
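As an added example of the second modification (this is not the paper's Haskell engine, and it does not reproduce the paper's alphanumeric zeroing sequences), the Python script below keeps five semantically equivalent A64 encodings of "zero register Xd", picks one at random per emitted instruction, and checks the variants against a small execution model so that a wrong entry in the table is caught. The encodings follow the ARMv8-A ARM (logical and add/sub shifted-register forms with zero shift, and MOVZ); the variant table, the Engine class and the execution model are ours. None of these plain forms passes an alphanumeric filter, which is why the paper has to construct its own sequences.

```python
"""Toy polymorphic engine for 'zero register Xd' on AArch64.

Added example, not the paper's Haskell engine. Encodings follow the
ARMv8-A ARM; the variant table, Engine class and execution model are ours.
"""
import random
import struct

XZR = 31                    # register number 31 reads as zero in these encodings
MASK64 = (1 << 64) - 1


def orr_xzr(rd):            # mov xd, xzr  (alias of orr xd, xzr, xzr)
    return 0xAA000000 | (XZR << 16) | (XZR << 5) | rd

def eor_self(rd):           # eor xd, xd, xd
    return 0xCA000000 | (rd << 16) | (rd << 5) | rd

def sub_self(rd):           # sub xd, xd, xd
    return 0xCB000000 | (rd << 16) | (rd << 5) | rd

def and_xzr(rd):            # and xd, xd, xzr
    return 0x8A000000 | (XZR << 16) | (rd << 5) | rd

def movz_zero(rd):          # movz xd, #0
    return 0xD2800000 | rd

ZERO_VARIANTS = {
    "orr xd, xzr, xzr": orr_xzr,
    "eor xd, xd, xd": eor_self,
    "sub xd, xd, xd": sub_self,
    "and xd, xd, xzr": and_xzr,
    "movz xd, #0": movz_zero,
}

ALNUM = set(range(0x30, 0x3A)) | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))


def is_alphanumeric(word):
    return all(b in ALNUM for b in struct.pack("<I", word))


def zero_variants(rd):
    return [enc(rd) for enc in ZERO_VARIANTS.values()]


def execute(word, regs):
    """Run one supported word on a register model (list of 31 ints, x0..x30).

    Decodes the fixed fields of the five encodings above; anything else
    raises, so a wrong encoding in the table cannot pass unnoticed.
    """
    rd, rn, rm = word & 0x1F, (word >> 5) & 0x1F, (word >> 16) & 0x1F
    r = lambda i: 0 if i == XZR else regs[i]
    top11 = word >> 21                       # sf, opc/op, fixed bits, shift, N
    if top11 in (0x550, 0x650, 0x658, 0x450) and (word >> 10) & 0x3F == 0:
        a, b = r(rn), r(rm)                  # ORR / EOR / SUB / AND, shift #0
        val = {0x550: a | b, 0x650: a ^ b, 0x658: (a - b) & MASK64, 0x450: a & b}[top11]
    elif word >> 23 == 0x1A5:                # MOVZ, 64-bit
        hw, imm16 = (word >> 21) & 3, (word >> 5) & 0xFFFF
        val = imm16 << (16 * hw)
    else:
        raise ValueError("unsupported encoding 0x%08x" % word)
    if rd != XZR:
        regs[rd] = val


def all_variants_zero(rd, start=0x123456789ABCDEF0):
    """True if every variant clears xd from a nonzero starting value (constructed)."""
    for word in zero_variants(rd):
        regs = [start] * 31
        execute(word, regs)
        if regs[rd] != 0:
            return False
    return True


class Engine:
    """Picks a random equivalent encoding for each emitted instruction."""
    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def zero(self, rd):
        if not 0 <= rd <= 30:
            raise ValueError("x0..x30 only")
        name, enc = self.rng.choice(list(ZERO_VARIANTS.items()))
        return name.replace("xd", "x%d" % rd), enc(rd)

    def emit(self, regs):
        """Shellcode bytes zeroing the given registers, as little-endian words."""
        return b"".join(struct.pack("<I", self.zero(r)[1]) for r in regs)


if __name__ == "__main__":
    eng = Engine(seed=2016)
    for rd in (0, 1, 2):
        name, word = eng.zero(rd)
        print("%-20s 0x%08x alphanumeric=%s" % (name, word, is_alphanumeric(word)))
```

Two emissions with different seeds produce different byte strings for the same register list, which is the whole point of the engine; the execution model is only there to prove the variants interchangeable before they are trusted in a payload.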
© 2016 Springer International Publishing AG
Cite this paper
Barral, H., Ferradi, H., Géraud, R., Jaloyan, GA., Naccache, D. (2016). ARMv8 Shellcodes from ‘A’ to ‘Z’. In: Bao, F., Chen, L., Deng, R., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2016. Lecture Notes in Computer Science(), vol 10060. Springer, Cham. https://doi.org/10.1007/978-3-319-49151-6_25
DOI: https://doi.org/10.1007/978-3-319-49151-6_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49150-9
Online ISBN: 978-3-319-49151-6
eBook Packages: Computer Science (R0)