Very vulnerable ARM/AARCH64 application (CTF style exploitation tutorial with 29 vulnerability techniques)
Last updated Jul 10, 2026
1.1k
Stars
154
Forks
0
Issues
0
Stars/day
Attention Score
94
Language breakdown
No language data available.
โธ Files
click to expand
README
exploit_me
Very vulnerable ARM/ARM64[AARCH64] application (CTF style exploitation tutorial, portable to other platforms)(c) B.Kerler 2018-2026
Why:
Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.
So, for training purposes, I thought: Why not :)
Current vulnerabilities:
Level 1: Integer overflow Level 2: Stack overflow Level 3: Array overflow Level 4: Off by one Level 5: Stack cookie Level 6: Format string Level 7: Heap overflow Level 8: Structure redirection / Type confusion Level 9: Zero pointers Level 10: Command injection Level 11: Path Traversal Level 12: Return oriented programming (ROP) Level 13: Use-after-free Level 14: Jump oriented programming (JOP) Level 15: Stable format-string write Level 16: Double free Level 17: Signedness bug Level 18: Integer multiplication overflow Level 19: Null pointer bug Level 20: Uninitialized memory read Level 21: Out-of-bounds read Level 22: TOCTOU path race Level 23: Insecure temporary file / symlink attack Level 24: Environment variable injection Level 25: Unsafe parser / deserialization Level 26: Filtered command injection / quoting bypass Level 27: Heap metadata corruption Level 28: ROP-style function-pointer control flow Level 29: Dangling stack pointer
Install on Debian/Ubuntu System:
Download the repo
git clone https://github.com/bkerler/exploit_me
Install needed tools on host (Ubuntu)
~$ cd exploit_me ~/exploit_me $ ./script/setup.sh Usage hints: - See hints.txt for a start.
- For trying if it works :
$ ./bin/exploit * 64-Bit: $ ./bin/exploit64 - Example debugging session:
$ sudo ./scripts/disableaslr.sh (Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability) In first terminal: ------------------ * 32-Bit: $ ./bin/arm exploit [levelpassword] [options] & $ gdb-multiarch ./exploit pwndbg> set architecture arm instead you can also add architecture in .gdbinit as "set architecture arm" * 64-Bit: $ ./arm64 exploit64 [levelpassword] [options] & $ gdb-multiarch ./exploit64 pwndbg> set architecture aarch64 instead you can also add architecture in .gdbinit as "set architecture aarch64" * Example .gdbinit set endian little #set architecture arm #set architecture aarch64 target remote :1234
- GDB Basics:
Use
"si" to step into functions or
"so" to step over functions,
"info functions" to print all functions,
"p [function]" to print function address and information, if symbols exist
"b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234,
"c" to continue program,
"x/[dwords]x" to print offsets, for example "x/4x 0x1234" and
"x/[dwords]x $reg" to print register contents, for example "x/4x $sp".
Using pwndbg, you can use
"rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3.
See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
- After you've exploited correctly, you will see the password for the next level.
$ ./bin/exploit Level2
* 64-Bit:
$ ./bin/exploit64 Level2
- For cheaters or people trying to understand with less instruction knowledge :
See solutions/solutions.txt and source code in src/exploit.cpp
- There are more solutions possible, even with rop chains, not just my example solutions given
- There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it
- Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !
- Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
- Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
- Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
- Read book "A Bug Hunter's Diary" By Tobias Klein
- Read ARMv8 (AARCH64) Opcode Manual : https://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdf
MIT License (Share, modify and use as you like, but refer to the original author !)
๐ More in this category