Course: IoT Exploitation


Course Outline

  • General and Special Purpose Registers
  • Common AArch32 instructions
  • Conditional execution of instructions
  • Arm vs Thumb mode
  • PC-Relative Addressing and Literal Pools
  • Load and store addressing modes
  • Function calls and subroutines
  • Understanding stack frames
  • Taking control over the program flow
  • Memory Corruption vulnerabilities
  • Executing shellcode on the stack
  • Tracing and issuing system calls
  • Determining syscall numbers
  • ARM calling convention
  • Translation to assembly
  • Shellcode null-bytes
  • Converting assembly into hex string
  • NX Mitigation internals
  • NX Bypass techniques
  • System vs. Mprotect ROP chains
  • Gadget hunting and pitfalls
  • ROP chain restrictions and tricks
  • Firmware extraction process
  • Firmware emulation process
  • Debugging vulnerable services
  • Bypassing vulnerability restrictions
  • Exploiting vulnerability in D-Link router
  • Exploiting vulnerability in Tenda router
  • ASLR internals and bypass techniques
  • Format string vulnerabilities
  • Information leak exploit primitives
  • Bypassing ASLR
  • Stack Canary internals
  • Bypassing Stack Canaries
  • Glibc Heap internals
  • Heap-based vulnerabilities
  • Heap exploit primitives
  • Use-After-Free (UAF) Exploit
  • Building relative read exploit primitives
  • Building arbitrary read primitives
  • Build heap exploit chain
  • About this course

    This course teaches attendees the techniques hackers use to exploit memory corruption vulnerabilities on IoT devices running on the Arm Cortex-A processor. Based around two real-world routers, this course teaches students the process of analyzing and debugging vulnerabilities, building exploits from scratch, and bypassing common exploit mitigations along the way.

    Who is this course for?

    Security Researchers: Level up your skills and learn how to exploit IoT devices for research.
    Red Teams: Test your products using the techniques hackers use to exploit IoT devices.
    Forensic: Learn the techniques to look for when analyzing a compromised device.
    Developers: Learn what exploit mitigations protect against and harden your device.

    Our course begins with an introduction into the Arm architecture and assembly language, and how to build assembly shellcode. After an introduction to memory corruption vulnerabilites, students will analyze a stack-based buffer overflow and write their first exploit. The day ends with an intruction to the XN exploit mitigation, what it protects against, and the techniques hackers use to bypass it.

    The second day of the course focuses on exploiting two real-world routers, including the process of emulating firmware, debug and trigger vulnerabilities on these target devices. Several practical labs guide students through the process of writing exploits to take over the process using different ROP-chain techniques and run in-memory shellcode directly in the target process.

    The third day of the course provides a deeper study of exploit categories and techniques that make exploits reliable. Students will learn about ASLR and Stack Canary exploit mitigations and practice different bypass techniques in practical labs.

    The final day begins with an introduction to glibc heap, and teaches students how to construct exploit primitives that can be engineered together to build powerful and reliable exploits for heap-based vulnerabilities. The main lab guildes students through the process of writing an exploit against a network service containing a heap linear buffer overflow, how to turn this buffer overflow into a reliable relative-read exploit primitive to bypass exploit mitigations, how to construct arbitrary-read primitives to search target memory for useful binaries, and how to exploit and construct malicious vtables to fully take control of the target device.

    Learn how Hackers exploit vulnerabilities

    From Zero to Shell

    • 01

      Learn Arm Assembly

      Learn the internals of the A32 instruction set.

    • 02

      Analyze Vulnerabilities

      Dissect and exploit memory corruption vulnerabilities.

    • 03

      Write Exploits

      Develop and debug memory corruption exploits.

    • 04

      Bypass Exploit Mitigations

      Learn how to bypass common exploit mitigations.

    • 05

      Compromise the Device

      Write exploits and hack real-world router firmware.

    Workbook Pages


    Solution Slides

    Target Real Devices

    Tired of simple buffer overflow challenges? Waste no time and get your hands on real targets. This course takes attendees from the basics of Arm assembly to debugging vulnerabilities in real router firmware. By the end of this course attendees will have written N-day exploits and bypassed on-device exploit mitigations.


    Visual Learning

    Who wants to stare at boring text slides for days? Nobody. Azeria Labs courses are designed to improve the learning experience by addressing different learning styles. Packed with aesthetically pleasing visual explanations of complex technical concepts, the course material helps ensure attendees understand and retain more knowledge and learn faster.

    Lab Workbooks

    To keep participants engaged and on track, attendees will receive a physical workbook to guide them through each lab. This comprehensive training workbook is designed to take attendees step-by-step through every concept taught in class, reinforcing learning and making sure no step is overlooked.


    Lab Environments

    Lose no time on complicated installations, managing dependencies, or troubleshooting configuration problems on software before class. Attendees get pre-configured and ready-to-use lab environments with all necessary tools, scripts, exploit templates, and emulations, in form of a VM or cloud access.

    Request Details

    For detailed course outlines and price quotes, email contact [at] from your company email account. Please note that our private training sessions are available to corporations and government organizations with minimum class sizes of 10 people.