Practical ARM Exploitation (2-Day Boot Camp)

Senrio/Xipiter | July 22-23 & July 24-25


Section 1: Laying the Ground Work (with an eye to exploitation)

Slide Deck: "Intro"
Instructor Bios, Course Outline/Schedule, Course Goals

Slide Deck: "Introduction to the ARM Architecture"
Architecture Summary/Layout, Instructions/Registers, Instructions Modes, nuances

Lab: "Basics 1":"GDB"
Use GDB to debug/modify a faulty ARM app, rudimentary code injection.

Lab: "Basics 1B": "IDA"
Use IDA Pro to get familiar with ARM-isms: calling convention, IDA's ARM quirks.

Slide Deck: "Tools and the Lab Environment"
Intro to the QEMU ARM setup, intro to the exercises, intro to custom tools to assist with labs.)

Lab: "Basics 3": "IDA and GDB tag-team"
Use IDA and GDB in tandem to comprehend application flow subvert the app.

Lab: "Basics 4"
Trace through ARM app (dealing with ARM-isms: calling conventions, parameters) to reverse engineer and subvert a blackbox password app with embedded crypto.

Slide Deck: Shellcoding, ELFs, Dynamic Linking
Review of dynamic linking in ELFs. Intro to authoring ARM shellcode.

Lab: "Basics 5": "Shellcoding"
Participants will write their own ARM shellcode FROM SCRATCH and observe it exploit a native ARM process.

Slide Deck: "Stack Overflows"
Basics of Stack Overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The rediculousness of NOP sleds...

Lab: "Simple Stack Overflow"
Find and exploit a stack overflow bug in a vulnerable app. Students modify a "test harness" that both triggers the vulnerabilty and injects the payload. Modification of the harness with apppropriate addresses demonstrates comprehension.

Section 2: Basic to Intermediate Techniques

Slide Deck: "Stack Overflows and Ret2Libc"
Introduce Non executable stack (XN)" and how to subvert it with Return-to-Text or commonly inaccurately referred to as (Return-to-LibC" or as we call it: "ROP Lite". Students get stepped through a vulnerability to see how this works step-by-step. (We come back to the nuances of ROP gadget finding later in the course)

Lab: "Simple Stack Overflow: XN Stack"
Using a "test harness" containing gadgets we give to the student (expecting them to just accept them for now until we come back to go into ROP-gadget finding in more detail later) to find and exploit a XN stack app by returning to mprotect()

Slide Deck: "Advanced Stack Overflows"
Introduction to XN, ASLR, and Stack cookies on on ARM. Discuss and see examples of ways to subvert stack cookies. (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites)

Lab: "Advanced Stack XN"
Students exploit network based service that uses XN and Stack Cookies using partial pointer overwrites and ROP-Lite techniques

Slide Deck: "ROP"
Discuss reason for ROP (Code signing, ASLR, cookies). techniques/tools for manually finding gadgets manually on ARM. A walkthrough of useful gadgets found on our target. Structure of Gadgets"Chaining versus non-Chaining gadgets". Some ROP tricks/nuances on ARM.

Lab: "Custom ROP simplified"
Students find and exploit a vulnerable application by building a custom payload by stringing together a bunch of ROP gadgets (found for them by the instructors on the target).

Day 3 & 4: Intermediate to Advanced Techniques

Slide Deck: "Basic Heaps"
Intro to Heap Overflows on ARM: How stuff goes wrong, grooming/feng-shui-ing, etc. examining a toy heap implementation, TCMalloc's thread-cache freelist, and ways we can exploit all of these.

Lab: "Simple Heap Unlink"
Student will exploit a contrived network server, associating "protocol" events with heap events. Students will groom the target and exploit it with provided payload.

Slide Deck: "Application Level Heap Attacks"
Introduce application level exploitation: Techniques for investigating these kinds of vulnerabilities. Exploiting VTable overwrites, partial/full pointer overwrites.

Slide Deck: "Stack Flipping"
Combining concepts introduced earlier (XN, ROP, and heap overflows) students will be introduced and shown how to evade XN by "flipping" the call stack into forged stack frames on the heap. Students will also be introduced to techniques and "gotchas" around finding "pivots" and nuances about ARM that make this more interesting.

Lab: "MultiHeap XN"
Students will use a heapspray or similar technique to overwrite a C++ object to create a fake vtable entry that redirects the stack pointer into the heap...executing their ROP payload to get a shell.

Slide Deck: "Defeating ASLR"
Students will be introduced to ASLR and how it is implemented as well as many of the nuances of how to defeat ASLR (infoleaks, developer debug code, RPC/RMI leaks, predictable ASLR PRNG, uninitialized mem, JIT, etc).

Slide Deck: "Conclusions - Closing"

More detail is available at:

Who Should Take this Course

"Makers," Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.

Student Requirements

Students taking the "Practical ARM Exploitation" course should have a intermediate software exploitation background on another architecture (such as x86). They should have hands-on familiarity with the following concepts:

  • exploitation of stack overflows
  • exploitation of heap overflows
  • basic experience with IDA
  • basic experience with a debugger
  • cursory knowledge of Python or some equivalent high-level scripting language (Java, Ruby, etc)
  • C++ and C coding experience.

What Students Should Bring

  • A laptop (running their favorite OS) capable of connecting to wired and wireless networks.
  • An installed valid VMWare
  • An installed copy of at least IDA Standard.
  • An SSH/Telnet client to access the hosted QEMU images and class hardware devices.

What Students Will Be Provided With

  • 70+ page Coil bound lab manual
  • Access to the embedded systems that comprise the class environment
  • Some students will receive free portable embedded ARM computers to continue their research with.
  • Undoubtedly some Xipiter swag of some kind ;-)


The Senrio Research Team cumulatively has decades of experience in software/hardware reverse engineering and exploitation. The team is responsible for finding and disclosing numerous public and private critical vulnerabilities in software and embedded devices. The Senrio Research Team's device vulnerability disclosures have been found to effect millions of devices worldwide. Along the way the team has written and edited several seminal books and pioneered exploitation techniques . The team largely comes from Xipiter LLC which developed the industry renown courses and which have sold out at every public offering (including Blackhat) for over five years!