HITB LAB: Azeria’s ARM Exploitation Lab (Part 1)

In four action-packed hours we will learn how to read and write Arm assembly language and how to exploit Arm binaries using buffer-overflow exploits. Our lab will involve debugging Arm binaries, executing shellcode from the stack, and finding and using ROP gadgets to allow exploitation even on NX-protected stacks. This lab includes a detailed workbook and a lab VM.

Prerequisites:

• Basic experience with Linux and using the command line

• Basic understanding of how C functions work

What students should bring:

• Laptop with 8GB RAM and around 30GB free disk space

• VMware Player/Workstation/Fusion or VirtualBox installed

Lab outline:

  • ARM 32-bit Architecture
    • Difference between Architecture and Microarchitecture
    • ARM processor types
    • RISC CPU features
    • Memory model, memory types, memory segments
  • ARM Assembly Language
    • Syntax of Assembly programs
    • User mode registers
    • Status registers (CPSR and SPSR)
    • Conditional execution
    • Thumb mode
    • Most common instructions
    • Data processing instructions
    • Load immediate restrictions
    • Literal pool
    • Load and store instructions
    • Load and store addressing modes and offset modes
    • Load and store multiple register processing
    • Function calls and subroutines (function prologue and epilogue); preserving the runtime environment via the stack
  • Writing ARM Shellcode
    • Overview of the shellcode writing process
    • Tracing system calls and determining the syscall number
    • Mapping out function parameters
    • Translation to assembly
    • Checking for null bytes and avoiding them
    • Converting assembly into a hex string
    • LAB: Reverse Shell – Students will translate the following function calls into assembly: socket, connect, execve, dup2. This exercise teaches how system functions are invoked in assembly and how to use the literal pool when referencing strings and values such as IP addresses.

This lab continues after a break with Part 2.

Location: Track 3 / HITB Labs
Date: May 10, 2019
Time: 10:30 am - 12:30 pm
Speaker: Maria Markstedter