Very vulnerable ARM application (CTF style exploitation tutorial)
Bjoern Kerler
Latest commit 07eee8f Sep 4, 2018


Very vulnerable ARM/ARM64 application (CTF style exploitation tutorial for ARM/ARM64, but portable to other platforms)

(c) B.Kerler 2018


Some of my friends asked me if I could put together some examples of the exploitable code I've seen in the real world over the past years on ARM/ARM64 and other platforms.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:

Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Basic ROP
Level 13: Use-after-free

Quick-start using Vagrant VM (based on Lubuntu 18.04):

  1. Get and install VirtualBox (

  2. Get and install Vagrant (

  3. In any directory:

    Install virtual machine on host

    $ vagrant init bkerler/reversing

    Start virtual machine (Will take some time to download and init on first start) on host

    $ vagrant up

    For each session on host

    $ vagrant ssh

    Time to do exploit training on Guest (Password for user vagrant is "vagrant")

    *** ARM32

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./
    vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm exploit hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit

    *** ARM64

    vagrant@vagrant-VirtualBox:~$ cd exploit_me
    vagrant@vagrant-VirtualBox:~/exploit_me$ sudo ./
    vagrant@vagrant-VirtualBox:~/exploit_me$ ./arm64 ./exploit64 hello &
    vagrant@vagrant-VirtualBox:~/exploit_me$ gdb-multiarch ./exploit64

    Once you're done on Guest:

    vagrant@vagrant-VirtualBox:~$ logout

    To reset any changes :

    $ vagrant destroy 

    or to keep changes :

    $ vagrant halt

Usage hints:

  • To check whether it works:

    *** 32-Bit:

    $ ./exploit

    *** 64-Bit:

    $ ./exploit64
  • Example debugging session:

    $ sudo ./

    (Disables ASLR; don't run it if you want more fun.) (The path dir1/dir2 is needed in the current exploit directory for the Path Traversal vulnerability.)

    In first terminal:

    *** 32-Bit:

    $ ./arm exploit [levelpassword] [options] &
    $ gdb-multiarch ./exploit

    Make sure to set architecture in .gdbinit to "arm"

    *** 64-Bit:

    $ ./arm64 exploit64 [levelpassword] [options] &
    $ gdb-multiarch ./exploit64

    Make sure to set architecture in .gdbinit to "aarch64"

  • GDB Basics:

    "si" to step into a function,
    "so" to step over a function,
    "info functions" to print all functions,
    "p [function]" to print a function's address and information, if symbols exist,
    "b [function]" to set a breakpoint (for example "b main"; "b *0x1234" sets a breakpoint at address 0x1234),
    "c" to continue the program,
    "x/[dwords]x [addr]" to dump memory at an address, for example "x/4x 0x1234", and
    "x/[dwords]x $reg" to dump memory at the address held in a register, for example "x/4x $sp".
    Using pwndbg, you can use
    "rop" to list ROP gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from the stack into r3.
    See for more details!
  • After you've exploited a level correctly, you will see the password for the next level. So if the level 2 password were "Level2":

    *** 32-Bit:

    $ ./exploit Level2

    *** 64-Bit:

    $ ./exploit64 Level2
  • For cheaters, or for people who want to understand a level without deep instruction-set knowledge:

    See the solution and source code in exploit.cpp
  • More solutions are possible, even with ROP chains, not just the example solutions I give

  • Some hints are printed to the console (an information leak) which you normally wouldn't have, but they make things easier for beginners, which is why I added them

Manual installation (if you don't trust vagrant):

Use either "python" or "pip" for Python 2.x, or "python3" or "pip3" accordingly for Python 3.x (preferred)

Example: sudo pip install capstone for Python 2.x, or sudo pip3 install capstone for Python 3.x

  1. Basic install (tested with Ubuntu/Lubuntu 17.10 64-bit)

    $ sudo apt-get update
    $ sudo apt-get install gdb-multiarch
    $ sudo apt-get install python2.7 python-dev python3 python3-dev python-pip python3-pip git libssl-dev libffi-dev build-essential
    $ pip install --upgrade capstone
    $ sudo apt-get install qemu binfmt-support qemu-user-binfmt
    $ sudo systemctl restart systemd-binfmt
    $ sudo apt-get install python-capstone python3-capstone
    $ sudo apt-get install libncurses5-dev

    If you want to cross-compile:

    *** ARM

    $ sudo apt-get install g++-arm-linux-gnueabi
    $ sudo apt-get install gcc-arm-linux-gnueabi
    $ ./

    *** ARM64

    $ sudo apt-get install gcc-aarch64-linux-gnu
    $ sudo apt-get install g++-aarch64-linux-gnu
    $ ./

    (Remove -fno-stack-protector for more fun.) Add -marm to prevent compiling in Thumb mode.
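Before starting the debugging session described in the usage hints, it helps to verify the three things the session silently depends on: the exploit binary and dir1/dir2 in the working directory, ASLR switched off, and the qemu binfmt handlers from the basic install step registered. The pre-flight check below is an added example, not part of this repository; the paths are parameters so it can be pointed at a test tree instead of the real /proc files.

```shell
#!/bin/sh
# Added pre-flight check for the exploit_me training directory (not part of
# the repository). Arguments:
#   $1  exploit directory (expects ./exploit or ./exploit64 and dir1/dir2)
#   $2  path of kernel.randomize_va_space (default: the real /proc file)
#   $3  binfmt_misc directory (default: the real /proc directory)
# Returns 0 when everything is in place, else prints what is missing and returns 1.
check_training_env() {
    dir=$1
    aslr_file=${2:-/proc/sys/kernel/randomize_va_space}
    binfmt_dir=${3:-/proc/sys/fs/binfmt_misc}
    status=0

    # The levels are started from the exploit directory, and the path
    # traversal level needs dir1/dir2 to exist there.
    if [ ! -x "$dir/exploit" ] && [ ! -x "$dir/exploit64" ]; then
        echo "missing: no executable exploit or exploit64 in $dir"; status=1
    fi
    if [ ! -d "$dir/dir1/dir2" ]; then
        echo "missing: $dir/dir1/dir2 (needed for the path traversal level)"; status=1
    fi

    # The debugging hints assume ASLR is disabled (randomize_va_space == 0) so
    # that addresses seen in gdb stay the same between runs.
    if [ "$(cat "$aslr_file" 2>/dev/null)" != "0" ]; then
        echo "warning: ASLR is enabled ($aslr_file is not 0); addresses will change between runs"; status=1
    fi

    # qemu-user binfmt handlers let the host kernel start the ARM/ARM64 binaries.
    for handler in qemu-arm qemu-aarch64; do
        if [ ! -f "$binfmt_dir/$handler" ]; then
            echo "missing: binfmt handler $handler (install qemu-user-binfmt, then restart systemd-binfmt)"; status=1
        fi
    done
    return $status
}
```

Run it as `check_training_env ~/exploit_me` on the host; every reported line points at the install step that fixes it.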

  2. Install latest ROPgadget:

    $ git clone
    $ cd ROPgadget && python install && cd ..
  3. Install latest pwndbg:

    $ git clone
    $ cd pwndbg && python install && cd ..
  4. Install pwntools (Note: currently the Python 3 version doesn't work! Thanks zachriggle):

    $ pip install --upgrade pip
    $ pip install --upgrade pwntools

Add this to .gdbinit in home directory:

set auto-load safe-path /

My .gdbinit from the repo:

set endian little
set architecture arm << replace "arm" with "aarch64" for arm64 !!
target remote :1234


  • I will add other vulnerabilities as I see them or have spare time (for example a multi-thread vulnerability). But if you want to add some, I'd be happy to include them!

Some references for ARM reversing beginners:

  • Learn some ARM assembly basics and shellcode stuff over here:
  • Get the book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and watch his YouTube tutorial videos
  • Read the blog "ARM exploitation for IoT", Parts 1 - 3
  • Read the book "A Bug Hunter's Diary" by Tobias Klein


MIT License (Share, modify and use as you like, but refer to the original author !)
