Ret2syscall - ARM64
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Find an introduction to arm64 in:
We are going to use the example from the page:
Compile without pie and canary:
In order to prepare the call for the syscall it's needed the following configuration:
x8: 221 Specify sys_execve
x0: ptr to "/bin/sh" specify file to execute
x1: 0 specify no arguments passed
x2: 0 specify no environment variables passed
Using ROPgadget.py I was able to locate the following gadgets in the libc library of the machine:
With the previous gadgets we can control all the needed registers from the stack and use x5 to jump to the second gadget to call the syscall.
Note that knowing this info from the libc library also allows to do a ret2libc attack, but lets use it for this current example.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)