Merge pull request #1333 from HackTricks-wiki/research_update_src_binary-exploitation_stack-overflow_ret2win_ret2win-arm64_20250825_082821

Research Update Enhanced src/binary-exploitation/stack-overf...

Author: carlospolop

src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md

@@ -33,9 +33,21 @@ int main() {
 Compile without pie and canary:
 
 ```bash
-clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
+clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie -mbranch-protection=none
 ```
 
+- The extra flag `-mbranch-protection=none` disables AArch64 Branch Protection (PAC/BTI). If your toolchain defaults to enabling PAC or BTI, this keeps the lab reproducible. To check whether a compiled binary uses PAC/BTI you can:
+  - Look for AArch64 GNU properties:
+    - `readelf --notes -W ret2win | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'`
+  - Inspect prologues/epilogues for `paciasp`/`autiasp` (PAC) or for `bti c` landing pads (BTI):
+    - `objdump -d ret2win | head -n 40`
+
+### AArch64 calling convention quick facts
+
+- The link register is `x30` (a.k.a. `lr`), and functions typically save `x29`/`x30` with `stp x29, x30, [sp, #-16]!` and restore them with `ldp x29, x30, [sp], #16; ret`.
+- This means the saved return address lives at `sp+8` relative to the frame base. With a `char buffer[64]` placed below, the usual overwrite distance to the saved `x30` is 64 (buffer) + 8 (saved x29) = 72 bytes — exactly what we’ll find below.
+- The stack pointer must remain 16‑byte aligned at function boundaries. If you build ROP chains later for more complex scenarios, keep the SP alignment or you may crash on function epilogues.
+
 ## Finding the offset
 
 ### Pattern option
@@ -112,6 +124,8 @@ from pwn import *
 # Configuration
 binary_name = './ret2win'
 p = process(binary_name)
+# Optional but nice for AArch64
+context.arch = 'aarch64'
 
 # Prepare the payload
 offset = 72
@@ -187,6 +201,47 @@ print(p.recvline())
 p.close()
 ```
 
-{{#include ../../../banners/hacktricks-training.md}}
+### Notes on modern AArch64 hardening (PAC/BTI) and ret2win
+
+- If the binary is compiled with AArch64 Branch Protection, you may see `paciasp`/`autiasp` or `bti c` emitted in function prologues/epilogues. In that case:
+  - Returning to an address that is not a valid BTI landing pad may raise a `SIGILL`. Prefer targeting the exact function entry that contains `bti c`.
+  - If PAC is enabled for returns, naive return‑address overwrites may fail because the epilogue authenticates `x30`. For learning scenarios, rebuild with `-mbranch-protection=none` (shown above). When attacking real targets, prefer non‑return hijacks (e.g., function pointer overwrites) or build ROP that never executes an `autiasp`/`ret` pair that authenticates your forged LR.
+- To check features quickly:
+  - `readelf --notes -W ./ret2win` and look for `AARCH64_FEATURE_1_BTI` / `AARCH64_FEATURE_1_PAC` notes.
+  - `objdump -d ./ret2win | head -n 40` and look for `bti c`, `paciasp`, `autiasp`.
+
+### Running on non‑ARM64 hosts (qemu‑user quick tip)
 
+If you are on x86_64 but want to practice AArch64:
+
+```bash
+# Install qemu-user and AArch64 libs (Debian/Ubuntu)
+sudo apt-get install qemu-user qemu-user-static libc6-arm64-cross
+
+# Run the binary with the AArch64 loader environment
+qemu-aarch64 -L /usr/aarch64-linux-gnu ./ret2win
+
+# Debug with GDB (qemu-user gdbstub)
+qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./ret2win &
+# In another terminal
+gdb-multiarch ./ret2win -ex 'target remote :1234'
+```
 
+### Related HackTricks pages
+
+-
+{{#ref}}
+../../rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
+{{#endref}}
+-
+{{#ref}}
+../../rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md
+{{#endref}}
+
+
+
+## References
+
+- Enabling PAC and BTI on AArch64 for Linux (Arm Community, Nov 2024). https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/enabling-pac-and-bti-on-aarch64-for-linux
+- Procedure Call Standard for the Arm 64-bit Architecture (AAPCS64). https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
+{{#include ../../../banners/hacktricks-training.md}}