{"id":13540224,"url":"https://github.com/bkerler/exploit_me","last_synced_at":"2025-04-30T17:50:08.659Z","repository":{"id":62316805,"uuid":"116040782","full_name":"bkerler/exploit_me","owner":"bkerler","description":"Very vulnerable ARM/AARCH64 application (CTF style exploitation tutorial with 14 vulnerability techniques)","archived":false,"fork":false,"pushed_at":"2022-03-14T14:46:37.000Z","size":1409,"stargazers_count":918,"open_issues_count":0,"forks_count":139,"subscribers_count":48,"default_branch":"master","last_synced_at":"2025-04-02T07:35:18.176Z","etag":null,"topics":["arm","ctf","exploitation","rop","tutorial"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bkerler.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"custom":["https://paypal.me/viperbjk"]}},"created_at":"2018-01-02T17:36:42.000Z","updated_at":"2025-03-31T17:27:57.000Z","dependencies_parsed_at":"2022-10-30T16:45:21.920Z","dependency_job_id":null,"html_url":"https://github.com/bkerler/exploit_me","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkerler%2Fexploit_me","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkerler%2Fexploit_me/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkerler%2Fexploit_me/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bkerler%2Fexploit_me/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bkerler","download_url":"https://codeload.github.com/bkerler/exploit_me/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251756226,"owners_count":21638853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm","ctf","exploitation","rop","tutorial"],"created_at":"2024-08-01T09:01:43.089Z","updated_at":"2025-04-30T17:50:08.635Z","avatar_url":"https://github.com/bkerler.png","language":"C++","readme":"# exploit_me\nVery vulnerable ARM/ARM64[AARCH64] application (CTF style exploitation tutorial, portable to other platforms)\n---------------------------------------------------------------------\n(c) B.Kerler 2018-2020\n\nWhy:\n----\nSome of my friends asked me if I could do some examples\nof exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.\n\nSo, for training purposes, I thought: Why not :)\n\nCurrent vulnerabilities:\n------------------------\n```\nLevel 1: Integer overflow\nLevel 2: Stack overflow\nLevel 3: Array overflow\nLevel 4: Off by one\nLevel 5: Stack cookie\nLevel 6: Format string\nLevel 7: Heap overflow\nLevel 8: Structure redirection / Type confusion\nLevel 9: Zero pointers\nLevel 10: Command injection\nLevel 11: Path Traversal\nLevel 12: Return oriented programming (ROP)\nLevel 13: Use-after-free\nLevel 14: Jump oriented programming (JOP)\n```\n\nInstall on Debian/Ubuntu System:\n------------------------------------------------------\n   Download the repo\n   ```\n   git clone https://github.com/bkerler/exploit_me\n   ```\n\n   Install needed tools on host (Ubuntu)\n   ```\n   ~$ cd exploit_me\n   ~/exploit_me $ ./script/setup.sh\n   ```\n   \nUsage hints:\n------------\n- See hints.txt for a start.\n\n- For trying if it works :\n  *** 32-Bit:\n    ```\n    $ ./bin/exploit\n    ```\n  *** 64-Bit:\n    ```\n    $ ./bin/exploit64\n    ```\n- Example debugging session:\n  ```\n  $ sudo ./scripts/disableaslr.sh\n  ```\n  (Disable aslr, don't run if you want more fun)\n  (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability)\n  \n  In first terminal:\n  ------------------\n  *** 32-Bit:\n    ```\n    $ ./bin/arm exploit [levelpassword] [options] \u0026\n    $ gdb-multiarch ./exploit\n    pwndbg\u003e set architecture arm\n    ```\n\t  instead you can also add architecture in .gdbinit as \"set architecture arm\"\n\t\n  *** 64-Bit:\n    ```\n    $ ./arm64 exploit64 [levelpassword] [options] \u0026\n    $ gdb-multiarch ./exploit64\n    pwndbg\u003e set architecture aarch64\n    ```\n    instead you can also add architecture in .gdbinit as \"set architecture aarch64\"\n\t\n  *** Example .gdbinit\n    ```\n    set endian little\n    #set architecture arm\n    #set architecture aarch64\n    target remote :1234\n\n    ```\n\n- GDB Basics: \n  ``` \n  Use \n  \"si\" to step into functions or \n  \"so\" to step over functions, \n  \"info functions\" to print all functions,\n  \"p [function]\" to print function address and information, if symbols exist\n  \"b [function]\" (Example: \"b main\" to set a breakpoint and \"b *0x1234\" to set a breakpoint at addr 0x1234, \n  \"c\" to continue program, \n  \"x/[dwords]x\" to print offsets, for example \"x/4x 0x1234\" and \n  \"x/[dwords]x $reg\" to print register contents, for example \"x/4x $sp\". \n  Using pwndbg, you can use \n  \"rop\" to list rop gadgets, for example \"rop --grep 'pop {r3'\" to list gadgets which pop values from stack to r3. \n  See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !\n  ```\n\n- After you've exploited correctly, you will see the password for the next level.\n  So if level2 password would be \"Level2\":\n  *** 32-Bit:\n    ```\n    $ ./bin/exploit Level2\n    ```\n  *** 64-Bit:\n    ```\n    $ ./bin/exploit64 Level2\n    ```\n    \n- For cheaters or people trying to understand with less instruction knowledge :\n  ```\n  See solutions/solutions.txt and source code in src/exploit.cpp\n  ```\n\n- There are more solutions possible, even with rop chains, not just my example solutions given\n\n- There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it\n\nToDo:\n-----\n- Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !\n\nSome referrals to ARM reversing beginners :\n-------------------------------------------\n- Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/\n- Get Book \"Beginner's Guide to Exploitation on ARM\" by Billy Ellis and his YouTube tutorial videos\n- Read blog \"ARM exploitation for IoT\" Part 1 - 3 https://quequero.org/category/security/\n- Read book \"A Bug Hunter's Diary\" By Tobias Klein\n- Read ARMv8 (AARCH64) Opcode Manual : https://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdf\n\nLicense:\n--------\nMIT License\n(Share, modify and use as you like, but refer to the original author !)\n","funding_links":["https://paypal.me/viperbjk"],"categories":["C++","\u003ca id=\"761a373e2ec1c58c9cd205cd7a03e8a8\"\u003e\u003c/a\u003e靶机\u0026\u0026漏洞环境\u0026\u0026漏洞App","CTF / Training Binaries"],"sub_categories":["\u003ca id=\"3e751670de79d2649ba62b177bd3e4ef\"\u003e\u003c/a\u003e未分类-VulnerableMachine"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbkerler%2Fexploit_me","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbkerler%2Fexploit_me","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbkerler%2Fexploit_me/lists"}