Ret2syscall - ARM64
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Find an introduction to arm64 in:
Introduction to ARM64v8Code
We are going to use the example from the page:
Ret2win - arm64Compile without pie and canary:
Gadgets
In order to prepare the call for the syscall it's needed the following configuration:
x8: 221 Specify sys_execve
x0: ptr to "/bin/sh" specify file to execute
x1: 0 specify no arguments passed
x2: 0 specify no environment variables passed
Using ROPgadget.py I was able to locate the following gadgets in the libc library of the machine:
With the previous gadgets we can control all the needed registers from the stack and use x5 to jump to the second gadget to call the syscall.
Note that knowing this info from the libc library also allows to do a ret2libc attack, but lets use it for this current example.
Exploit
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated