bkerler
exploit_me
C++

Very vulnerable ARM/AARCH64 application (CTF style exploitation tutorial with 29 vulnerability techniques)

Last updated Jul 10, 2026
1.1k
Stars
154
Forks
0
Issues
0
Stars/day
Attention Score
94
Language breakdown
No language data available.
โ–ธ Files click to expand
README

exploit_me

Very vulnerable ARM/ARM64[AARCH64] application (CTF style exploitation tutorial, portable to other platforms)
(c) B.Kerler 2018-2026

Why:


Some of my friends asked me if I could do some examples of exploitable stuff I've seen in real-world the past years for ARM/ARM64[AARCH64]/others.

So, for training purposes, I thought: Why not :)

Current vulnerabilities:


Level 1: Integer overflow Level 2: Stack overflow Level 3: Array overflow Level 4: Off by one Level 5: Stack cookie Level 6: Format string Level 7: Heap overflow Level 8: Structure redirection / Type confusion Level 9: Zero pointers Level 10: Command injection Level 11: Path Traversal Level 12: Return oriented programming (ROP) Level 13: Use-after-free Level 14: Jump oriented programming (JOP) Level 15: Stable format-string write Level 16: Double free Level 17: Signedness bug Level 18: Integer multiplication overflow Level 19: Null pointer bug Level 20: Uninitialized memory read Level 21: Out-of-bounds read Level 22: TOCTOU path race Level 23: Insecure temporary file / symlink attack Level 24: Environment variable injection Level 25: Unsafe parser / deserialization Level 26: Filtered command injection / quoting bypass Level 27: Heap metadata corruption Level 28: ROP-style function-pointer control flow Level 29: Dangling stack pointer

Install on Debian/Ubuntu System:


Download the repo
git clone https://github.com/bkerler/exploit_me

Install needed tools on host (Ubuntu)

~$ cd exploit_me    ~/exploit_me $ ./script/setup.sh
Usage hints:
  • See hints.txt for a start.
  • For trying if it works :
* 32-Bit:
$ ./bin/exploit
* 64-Bit:
$ ./bin/exploit64
  • Example debugging session:
$ sudo ./scripts/disableaslr.sh
(Disable aslr, don't run if you want more fun) (Path dir1/dir2 needed in current exploit directory for Path Traversal vulnerability) In first terminal: ------------------ * 32-Bit:
$ ./bin/arm exploit [levelpassword] [options] &     $ gdb-multiarch ./exploit     pwndbg> set architecture arm
instead you can also add architecture in .gdbinit as "set architecture arm" * 64-Bit:
$ ./arm64 exploit64 [levelpassword] [options] &     $ gdb-multiarch ./exploit64     pwndbg> set architecture aarch64
instead you can also add architecture in .gdbinit as "set architecture aarch64" * Example .gdbinit
set endian little     #set architecture arm     #set architecture aarch64     target remote :1234

  • GDB Basics:
Use 
  "si" to step into functions or 
  "so" to step over functions, 
  "info functions" to print all functions,
  "p [function]" to print function address and information, if symbols exist
  "b [function]" (Example: "b main" to set a breakpoint and "b *0x1234" to set a breakpoint at addr 0x1234, 
  "c" to continue program, 
  "x/[dwords]x" to print offsets, for example "x/4x 0x1234" and 
  "x/[dwords]x $reg" to print register contents, for example "x/4x $sp". 
  Using pwndbg, you can use 
  "rop" to list rop gadgets, for example "rop --grep 'pop {r3'" to list gadgets which pop values from stack to r3. 
  See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details !
  • After you've exploited correctly, you will see the password for the next level.
So if level2 password would be "Level2": * 32-Bit:
$ ./bin/exploit Level2
* 64-Bit:
$ ./bin/exploit64 Level2
  • For cheaters or people trying to understand with less instruction knowledge :
See solutions/solutions.txt and source code in src/exploit.cpp
  • There are more solutions possible, even with rop chains, not just my example solutions given
  • There are some hints printed to console (information leak), which you normally wouldn't have, but these make things easier for beginners, that's why I added it
ToDo:
  • Will add other vulnerabilities as I see them or have spare time (like multi-thread vulnerability). But if you want to add some, I'd be happy to provide !
Some referrals to ARM reversing beginners :
  • Learn some ARM Assembly Basics and Shellcode stuff over here : https://azeria-labs.com/
  • Get Book "Beginner's Guide to Exploitation on ARM" by Billy Ellis and his YouTube tutorial videos
  • Read blog "ARM exploitation for IoT" Part 1 - 3 https://quequero.org/category/security/
  • Read book "A Bug Hunter's Diary" By Tobias Klein
  • Read ARMv8 (AARCH64) Opcode Manual : https://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdf
License:
MIT License (Share, modify and use as you like, but refer to the original author !)
๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท bkerler/exploit_me ยท Updated daily from GitHub