Stack Shellcode
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Stack shellcode is a technique used in binary exploitation where an attacker writes shellcode to a vulnerable program's stack and then modifies the Instruction Pointer (IP) or Extended Instruction Pointer (EIP) to point to the location of this shellcode, causing it to execute. This is a classic method used to gain unauthorized access or execute arbitrary commands on a target system. Here's a breakdown of the process, including a simple C example and how you might write a corresponding exploit using Python with pwntools.
Let's start with a simple example of a vulnerable C program:
This program is vulnerable to a buffer overflow due to the use of the gets()
function.
To compile this program while disabling various protections (to simulate a vulnerable environment), you can use the following command:
-fno-stack-protector
: Disables stack protection.
-z execstack
: Makes the stack executable, which is necessary for executing shellcode stored on the stack.
-no-pie
: Disables Position Independent Executable, making it easier to predict the memory address where our shellcode will be located.
-m32
: Compiles the program as a 32-bit executable, often used for simplicity in exploit development.
Here's how you could write an exploit in Python using pwntools to perform a ret2shellcode attack:
This script constructs a payload consisting of a NOP slide, the shellcode, and then overwrites the EIP with the address pointing to the NOP slide, ensuring the shellcode gets executed.
The NOP slide (asm('nop')
) is used to increase the chance that execution will "slide" into our shellcode regardless of the exact address. Adjust the p32()
argument to the starting address of your buffer plus an offset to land in the NOP slide.
ASLR should be disabled for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
Stack Canaries should be also disabled or the compromised EIP return address won't never be followed.
NX stack protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html
64bit, ASLR with stack address leak, write shellcode and jump to it
https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html
32 bit, ASLR with stack leak, write shellcode and jump to it
https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html
32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it
arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)