The ARM Exploit Laboratory


Saumil Shah

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Black Hat, RSA, CanSecWest, PacSec, EUSecWest, Hack In The Box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book". Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Training Dates

24 - 27 March 2019


"There's an Intel on every desktop, but an ARM in every pocket."

The Internet of Things (IoT) universe consists largely of ARM-based systems. The ARM IoT Exploit Laboratory for 2019 is an intense 4-day course with a practical, hands-on approach to exploit development on ARM-based systems. The class is suited to students who are keen to dive into modern ARM exploit development.

This intermediate-level class begins with an introduction to the ARM architecture and ARM assembly language, then moves quickly on to debugging techniques for ARM systems, exploiting buffer overflows on ARM devices running Linux, writing ARM shellcode from the ground up, and bypassing exploit mitigations with ARM Return Oriented Programming (ROP). The lab environment features both IoT hardware and virtual machine targets.

The class concludes with an end-to-end "Firmware-To-Shell" hack, testing ARM exploitation skills against commercial ARM-based SoHo routers and IP cameras. Students extract the manufacturer's firmware, learn how to analyse and debug it in a virtual environment, build exploits involving tight ROP chaining and ASLR bypass, and finally get shells on the actual hardware.

As with the popular Exploit Laboratory, all topics are delivered in a down-to-earth, learn-by-example style. The same trainers who have brought you The Exploit Laboratory for over 13 years have put together an all-new class based on past feedback.

Learning Objectives

  • Introduction to the ARM CPU architecture
  • Exploring ARM assembly language
  • Understanding how functions work in ARM
  • Debugging on ARM systems
  • Exploiting Stack Overflows on ARM
  • Writing ARM Shellcode from the ground up
  • Introduction to Return Oriented Programming
  • Bypassing exploit mitigation using ROP
  • Practical ARM ROP
  • An Introduction to extracting firmware from devices
  • Emulating and debugging a SoHo router's firmware in a virtual environment
  • "Firmware-To-Shell" - exploiting an actual SoHo router
  • The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

Target Audience

  • Past Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform.
  • Pentesters working on ARM embedded environments (SoCs, IoT devices, etc.)
  • Red Team members, who want to pen-test custom binaries and exploit custom built applications.
  • Bug Hunters, who want to write exploits for all the crashes they find.
  • Members of military or government cyberwarfare units.
  • Members of reverse engineering research teams.
  • People frustrated at software to the point they want to break it!


Day 1 - Introduction to ARM and Smashing the ARM Stack

  • Introduction to the ARM CPU architecture
  • Exploring ARM assembly language
  • EXERCISE - Examples in ARM Assembly Language
  • Debugging on ARM systems
  • Understanding how functions work in ARM
  • Exploiting Stack Overflows on ARM
  • Writing ARM Shellcode
  • EXERCISE - ARM Stack Overflows

Day 2 - ARM Shellcode and ARM ROP

  • EXERCISE - ARM Reverse Shell from the ground up
  • EXERCISE - Embedded Web Server exploit
  • Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
  • Ret2System on ARM
  • ARM Return Oriented Programming techniques
  • Practical ROP Chains on ARM
  • EXERCISE - Implementing an mprotect ROP Chain

Day 3 - ARM IoT Firmware Extraction and Emulation

  • An Introduction to firmware extraction
  • Discovering an IoT device's serial pins
  • Extracting the device's running firmware and NVRAM via the serial console
  • Emulating and debugging a SoHo router's firmware in a virtual environment
  • EXERCISE - Attacking a D-Link DIR-880L ARM router - from firmware to shell
  • Bypassing ASLR

Day 4 - Hands-on Exploit Exercises on the actual hardware

  • Overcoming constraints in the real world part 1 - bad characters
  • EXERCISE - Attacking a Trivision ARM IP Camera - from firmware to shell
  • Emulating NVRAM in QEMU via interception of library calls
  • Overcoming constraints in the real world part 2 - flushing the I-cache
  • EXERCISE - Attacking a Netgear Nighthawk ARM Router - from firmware to shell
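The Day 3 and Day 4 items on emulating a router's NVRAM by intercepting library calls refer to a standard trick: the firmware's daemons (httpd, rc and friends) read their configuration through a small libnvram API, so under qemu-user you LD_PRELOAD a replacement library that answers those calls from a table instead of from the flash partition. The shim below is an added example written for this page; it is not course material and not any vendor's code. It assumes the Broadcom-style libnvram symbol names and signatures (nvram_get, nvram_safe_get, nvram_set, nvram_match, nvram_unset, nvram_commit); the default key/value pairs are constructed placeholders, not values dumped from any device, and the build and run paths in the comments are assumptions.

```c
/*
 * Added example (not from the course or any vendor SDK): a minimal libnvram
 * replacement to LD_PRELOAD under qemu-user so a router's userland can start
 * without the real NVRAM partition. Symbol names and signatures follow the
 * Broadcom-style libnvram API; the defaults below are constructed placeholders.
 *
 * Build (cross):  arm-linux-gnueabi-gcc -shared -fPIC -o libnvram.so nvram_shim.c
 * Run (paths assumed; extracted root filesystem in ./squashfs-root):
 *   cp libnvram.so squashfs-root/
 *   qemu-arm -L ./squashfs-root -E LD_PRELOAD=/libnvram.so ./squashfs-root/usr/sbin/httpd
 */
#include <stdio.h>
#include <string.h>

#define NVRAM_MAX_ENTRIES 256
#define NVRAM_KEY_LEN     64
#define NVRAM_VAL_LEN     256

struct nvram_entry { char key[NVRAM_KEY_LEN]; char val[NVRAM_VAL_LEN]; };
static struct nvram_entry nvram_table[NVRAM_MAX_ENTRIES];  /* key[0] == 0 means free */
static int nvram_ready = 0;

int   nvram_set(const char *key, const char *val);
char *nvram_get(const char *key);

/* Constructed defaults: the kind of keys a SoHo router's web server asks for
   before it will bind. Replace them with values dumped over the serial console. */
static const char *nvram_defaults[][2] = {
    { "lan_ipaddr",  "192.168.0.1" },
    { "lan_netmask", "255.255.255.0" },
    { "http_passwd", "admin" },
    { "wan_proto",   "dhcp" },
    { "boardnum",    "01" },
};

static struct nvram_entry *nvram_find(const char *key) {
    for (int i = 0; i < NVRAM_MAX_ENTRIES; i++)
        if (nvram_table[i].key[0] && strcmp(nvram_table[i].key, key) == 0)
            return &nvram_table[i];
    return NULL;
}

static struct nvram_entry *nvram_free_slot(void) {
    for (int i = 0; i < NVRAM_MAX_ENTRIES; i++)
        if (!nvram_table[i].key[0]) return &nvram_table[i];
    return NULL;
}

/* Lazy init: there is no main() in a preloaded library, so the first call
   from the firmware binary populates the table. */
static void nvram_init(void) {
    if (nvram_ready) return;
    nvram_ready = 1;  /* set first: nvram_set() below re-enters nvram_init() */
    for (size_t i = 0; i < sizeof nvram_defaults / sizeof nvram_defaults[0]; i++)
        nvram_set(nvram_defaults[i][0], nvram_defaults[i][1]);
}

/* Exported symbols: with LD_PRELOAD these resolve ahead of the firmware's libnvram.so */
int nvram_set(const char *key, const char *val) {
    nvram_init();
    if (!key || !val || !key[0]) return -1;
    struct nvram_entry *e = nvram_find(key);
    if (!e) {
        e = nvram_free_slot();
        if (!e) return -1;                       /* table full */
        snprintf(e->key, sizeof e->key, "%s", key);
    }
    snprintf(e->val, sizeof e->val, "%s", val);  /* truncates like a fixed NVRAM would */
    return 0;
}

char *nvram_get(const char *key) {
    nvram_init();
    struct nvram_entry *e = key ? nvram_find(key) : NULL;
    if (!e) {
        /* Unknown keys are the usual reason an emulated daemon exits early:
           log each one so the defaults table can be completed from a real dump. */
        fprintf(stderr, "[nvram] get(\"%s\") -> (unset)\n", key ? key : "(null)");
        return NULL;
    }
    return e->val;  /* caller treats this as a borrowed pointer, as with the real API */
}

char *nvram_safe_get(const char *key) {
    char *v = nvram_get(key);
    return v ? v : (char *)"";
}

int nvram_match(const char *key, const char *match) {
    char *v = nvram_get(key);
    return v && match && strcmp(v, match) == 0;
}

int nvram_unset(const char *key) {
    nvram_init();
    struct nvram_entry *e = key ? nvram_find(key) : NULL;
    if (e) e->key[0] = '\0';  /* free the slot in place so other pointers stay valid */
    return 0;
}

int nvram_commit(void) { return 0; }  /* nothing to write back to flash in emulation */
```

The stderr log line is the useful part in practice: run the daemon once, collect every "(unset)" key it asks for, fill those in from the NVRAM dump taken over the serial console on Day 3, and repeat until the service stays up long enough to attach gdbserver.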

Course Requirements

Student Requirements

  • A conceptual understanding of how functions work in C programming
  • Knowledge of how a stack works, basic stack operations
  • Familiarity with debuggers (gdb, WinDbg)
  • Not be allergic to command line tools.
  • Have a working knowledge of shell scripts, cmd scripts or Perl.
  • If none of the above apply, then enough patience to go through the pre-class tutorials.

Pre-Class Tutorials

The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.


Software Requirements

  • Linux / Windows / Mac OS X desktop operating systems
  • VMware Player / VMware Workstation / VMware Fusion (MANDATORY)
  • Administrator / root access MANDATORY

Hardware Requirements

  • A working laptop (no Netbooks, no Tablets, no iPads)
  • Intel Core i3 (equivalent or superior) required
  • 8GB RAM required, at a minimum
  • Wireless network card
  • 40 GB free Hard disk space
  • If you're using a new MacBook or MacBook Pro, please bring your dongle kit (especially for reading USB-A pen drives)


OUR TWITTER STREAM: @therealsaumil


Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a "Live Notes" system that provides a running transcript of the instructor's system to all the students. Our lab environment, plus about 700MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.