ARM64 differs from x86_64 in its calling convention, function prologues, and epilogues, and those differences change how ROP works compared to x86_64.

Because these challenges run on an x86-64 host, you may need the aarch64-linux-gnu-* cross tools, such as aarch64-linux-gnu-objdump, to inspect the binaries.

Debugging with gdb is now a two-step process, since the binary runs under qemu's user-mode emulator with a gdb stub:

In one terminal / tmux window:

$ /usr/bin/qemu-aarch64-static -g 1234 /challenge/level-1-0

In another:

$ gdb-multiarch /challenge/level-1-0
(gdb) target remote localhost:1234

The goal of this level is quite simple: redirect control flow to the win function.

Connect with SSH

Link your SSH key, then connect with: ssh hacker@pwn.college

Now let's see about redirecting control flow to multiple functions.

What about passing arguments to multiple functions?

If you did the last one correctly, this should be easy.

Now, let's just pop stuff.

Now that you have the hang of things, how about you pop a statically compiled binary with no inserted gadgets?

Other compilers behave differently; let's now do a few levels compiled by gcc instead of clang to see the difference.

It seems that compilers can do very strange things, including breaking things, yet I have faith in the hackers...
