Ret2vDSO
Basic Information
There might be gadgets in the vDSO region, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
Following the example from https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/ it's possible to see how it was possible to dump the vdso section and move it to the host with:
ROP gadgets found:
Note therefore how it might be possible to bypass ASLR abusing the vdso if the kernel is compiled with CONFIG_COMPAT_VDSO as the vdso address won't be randomized: https://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-VDSO-11639
ARM64
After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) except a way to call a SROP. Check more info int eh example from the page:
SROP - ARM64Last updated