The ARM64 Exploit Laboratory 2023 (Brand New)
Saumil Shah

Introduction

The ARM64 Exploit Laboratory is a brand new class. 64-bit ARM CPUs, having already dominated the world of mobile devices, are starting to take centre stage in desktop and server computing.

This class is ideal for students who want to go from zero to deep in understanding and exploiting real world vulnerabilities on Linux ARM64. Students shall study key differences between ARM32 and ARM64, dive into ARM64 assembly, debugging 64-bit processes and practically exploiting memory corruption vulnerabilities on ARM64. The class also covers practical Infoleak techniques, bypassing Stack Canaries and applying ARM64 Return Oriented Programming (ROP) techniques for exploiting real world software. Students shall have ample time for hands on exercises to sharpen their exploitation skills.

• Key Learning Objectives

• An introduction to ARM64 architecture and assembly
• Working with an emulated ARM64 instance
• Fundamental differences between ARM32 and ARM64 assembly
• The 64-bit process memory layout and addressing
• The ARM64 debugging environment
• Exploring memory corruption bugs on ARM64
• Practical ARM64 shellcode
• Return Oriented Programming techniques on ARM64
• Gadget limitations in ARM64
• Case Study - Exploiting a production web server on ARM64 with an Integer controlled overflow
• Defeating 64-bit ASLR via Infoleaks
• Case Study - Practical Infoleaks: Turning a memory corruption vulnerability into an Infoleak
• Case Study - Bypassing Stack Canaries
• End to end web server exploit with Infoleak, Stack Canary bypass, ARM64 ROP Chaining and shellcode
• Exercises, exercises and more exercises!

• Who Should Attend

• Past ARM32 Exploit Laboratory students
• Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
• Red Team members, who want to pen-test custom binaries and exploit custom built applications
• Bug Hunters, who want to write exploits for all the crashes they find
• Members of military or government cyberwarfare units
• Members of reverse engineering research teams

Part 1 - Foundations

• ARM64 Assembly, Debugging, 64-bit memory layout

• ARM32 architecture and assembly language refresher
• Introducing ARM64
• Registers and their behaviour on ARM64
• The 64-bit process memory layout and address space
• Case study: Memory corruption on ARM64
• The ARM64 debugging environment
• Analysing a stack overflow crash dump
• Introducing ARM64 assembly language
• Fundamental differences between ARM32 and ARM64 assembly language
• Practical approaches to exploiting memory corruption on ARM64

• ARM64 Shellcode, Simple ROP chains, End to end exploit

• Simple ARM64 Shellcode
• ARM64 Bindshell
• Simple exploit, return to shellcode
• Introducing Data Execution Prevention
• Defeating Data Execution Prevention via Return Oriented Programming
• ROP gadgets on ARM64
• Practical Ret2System ROP chain on ARM64
• Understanding restrictions around ARM64 gadgets
• Case study: End to end exploit on ARM64
• Exercises

Part 2 - Real World Case Study - Exploiting a production web server

• Practical Infoleaks and bypassing 64-bit ASLR

• Understanding Integer Controlled Overflow vulnerabilities
• Understanding and diverting application flow via arbitrary paths
• Turning a memory corruption bug into an Infoleak
• Leaking stack and libc addresses
• Defeating 64-bit ASLR

• Practical ARM64 ROP Chains

• A deeper dive into ARM64 ROP Gadgets
• Understanding Ret2CSU - a very reliable gadget source
• Ret2Mprotect ROP chain on ARM64
• Proof-of-concept Ret2Mprotect exploit without stack canaries

• Bypassing Stack Cookies

• Understanding how Stack Smashing Protection (Stack Cookies) are implemented in ARM64
• Leveraging Integer Controlled Overflow to brute force stack cookies
• Final exploit - Stack Canary bypass + Infoleak + ROP Chains

Bio