»Make ARM Shellcode Great Again«
2018-10-17, 14:15–15:00, Europe

Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogeneous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production-quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.

In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and, last but not least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend against attacks using age-old signature-based techniques. There will be demonstrations of my shellcode on ARM IoT devices featuring different types of ARM architecture.

DETAILED OUTLINE:

PART 1 - A short overview of currently employed ARM shellcoding techniques

  • Common tricks used currently
  • Switching to THUMB mode
  • Avoiding NULL bytes and bad characters
  • Invoking SYSCALLS
  • (Failed) attempts at polymorphic shellcode
  • Variations between different ARM architectures: ARMv5, ARMv6, ARMv7
  • Differences in implementation of SYSCALLs across various Linux kernels
  • Invoking SYSCALLS via OABI vs EABI
  • SVC instruction usage in ARM mode vs Thumb mode
  • A wishlist of features from x86 shellcode: self-modifying shellcode, egghunting
  • Cache (in)coherence and how it affects self-modifying ARM code

PART 2 - Practical considerations in implementing self-modifying code

  • Demo: Trivision NC-218WF IP Camera shellcode (ARMv5TE)
  • Overcoming cache (in)coherence
  • Forcibly flushing the I-Cache the NASA Space Pen way
  • Forcibly flushing the I-Cache the Soviet Pencil way
  • Demo: Netgear Nighthawk R6250 router (ROP chain + shellcode on ARMv7)

PART 3 - Egghunter shellcode in ARM

  • Demo

PART 4 - A new approach to ARM shellcode polymorphism

  • Polyglot shellcode
  • THUMB and ARM instructions: different, but same same
  • A universal shellcode stub, independent of ARM or THUMB mode

CONCLUSION

  • Future directions in ARM shellcoding
  • How to evade detection and signatures (yet again - gosh this is boring)
  • END
