An ideal introduction to vulnerability exploitation on the 64-bit ARM Linux platform, spanning from ARM64 assembly all the way to ARM64 Return Oriented Programming (ROP). An ideal step up from the 32-bit ARM Exploit Laboratory.
ABSTRACT
The ARM64 Exploit Laboratory is a brand new class. 64-bit ARM CPUs, having already dominated the world of mobile devices, are starting to take centre stage in desktop and server computing.
This class is ideal for students who want to go from zero to deep in understanding and exploiting real-world vulnerabilities on Linux ARM64. Students will study key differences between ARM32 and ARM64, dive into ARM64 assembly, debug 64-bit processes and practically exploit memory corruption vulnerabilities on ARM64. The class also covers practical Infoleak techniques, bypassing Stack Canaries and applying ARM64 Return Oriented Programming (ROP) techniques for exploiting real-world software. Students will have ample time for hands-on exercises to sharpen their exploitation skills.
INTENDED AUDIENCE
- Past ARM32 Exploit Laboratory students
- Pentesters working on ARM embedded environments (SoCs, IoT, etc.)
- Red Team members who want to pen-test custom binaries and exploit custom built applications
- Bug Hunters who want to write exploits for all the crashes they find
- Members of military or government cyberwarfare units
- Members of reverse engineering research teams
KEY LEARNING OBJECTIVES
- An introduction to ARM64 architecture and assembly
- Working with an emulated ARM64 instance
- Fundamental differences between ARM32 and ARM64 assembly
- The 64-bit process memory layout and addressing
- The ARM64 debugging environment
- Exploring memory corruption bugs on ARM64
- Practical ARM64 shellcode
- Return Oriented Programming techniques on ARM64
- Gadget limitations in ARM64
- Case Study - Exploiting a production web server on ARM64 with an Integer controlled overflow
- Defeating 64-bit ASLR via Infoleaks
- Case Study - Practical Infoleaks: Turning a memory corruption vulnerability into an Infoleak
- Case Study - Bypassing Stack Canaries
- End to end web server exploit with Infoleak, Stack Canary bypass, ARM64 ROP Chaining and Shellcode
- Exercises, exercises and more exercises!
COURSE DETAILS
Part 1 - Foundations
ARM64 Assembly, Debugging, 64-bit Memory Layout
- Introducing ARM64
- Registers and their behaviour on ARM64
- ARM64 vs ARM32 architecture and assembly language
- The 64-bit process memory layout and address space
- Case study: Memory corruption on ARM64
- The ARM64 debugging environment
- Analysing a stack overflow crash dump
- Introducing ARM64 assembly language
- Fundamental differences between ARM32 and ARM64 assembly language
- Practical approaches to exploiting memory corruption on ARM64
ARM64 Shellcode, Simple ROP Chains, End to End Exploit
- Simple ARM64 Shellcode
- ARM64 Bindshell
- Simple exploit, return to shellcode
- Introducing Data Execution Prevention
- Defeating Data Execution Prevention via Return Oriented Programming
- ROP gadgets on ARM64
- Practical Ret2System ROP chain on ARM64
- Understanding restrictions around ARM64 gadgets
- Case study: End to end exploit on ARM64
- Exercises
Part 2 - Real World Case Study - Exploiting a Production Web Server
Practical Infoleaks and bypassing 64-bit ASLR
- Understanding Integer Controlled Overflow vulnerabilities
- Understanding and diverting application flow via arbitrary paths
- Turning a memory corruption bug into an Infoleak
- Leaking stack and libc addresses
- Defeating 64-bit ASLR
Practical ARM64 ROP Chains
- A deeper dive into ARM64 ROP Gadgets
- Understanding Ret2CSU - a very reliable gadget source
- Ret2Mprotect ROP chain on ARM64
- Proof-of-concept Ret2Mprotect exploit without stack canaries
Bypassing Stack Cookies
- Understanding how Stack Smashing Protection (Stack Cookies) is implemented on ARM64
- Leveraging Integer Controlled Overflow to brute force stack cookies
- Final exploit - Stack Canary bypass + Infoleak + ROP Chains
Knowledge Prerequisites
- Familiarity with Assembly Language (ARM32 or x86 or both)
- Basic experience with disassembly and reverse engineering
- Working knowledge of GDB
- Ability to write simple Python scripts
Hardware Requirements
- A working laptop capable of running Docker or a Virtual Machine
- Intel Core i5 or Apple Silicon M1 (equivalent or superior) required
- 8GB RAM required, at a minimum
- Wireless network card
- 40 GB free Hard disk space
Software Requirements
- Linux / macOS desktop operating systems
- Docker installed and working
- Note: Docker works best under Linux!
- Command line git client installed and working
- Administrator / root access MANDATORY
YOUR INSTRUCTOR: Saumil Shah
Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-Box, Deepsec and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".
Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world, and taking pictures.