I just got SROP working on ARM and I've uploaded a PoC to a temporary bitbucket repository. I mentioned in my earlier blog posts how I've been running into problems with loading r0 when running the exploit. I've been running my tests on a Raspberry Pi.
Solving the issue required fixing two things:
1. The check on the cpsr register at http://lxr.free-electrons.com/source/arch/arm/include/asm/ptrace.h#L50
2. The check on the VFP context here. The kernel validates the VFP struct size (0x120) and the magic value (0x56465001).
The exploit in the bitbucket repository follows roughly the same control flow as the examples in the srop directory:
1. Overflow the buffer and overwrite the return address with the address of a sigreturn gadget.
2. Once the sigreturn system call is made, the forged frame populates the registers with the values needed for an mprotect call that makes the stack executable.
3. Jump into the shellcode on the (now executable) stack to get a shell.