Stack Shellcode - arm64

Find an introduction to arm64 in:

Introduction to ARM64v8

Code

#include <stdio.h>
#include <unistd.h>

void vulnerable_function() {
    char buffer[64];
    // Reads up to 256 bytes into a 64-byte stack buffer: no bounds check
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
    vulnerable_function();
    return 0;
}

Compile without PIE, stack canary and NX:

No ASLR & No canary - Stack Overflow

To stop ASLR execute:

To find the offset of the buffer overflow (the number of bytes needed to reach the saved return address), check this link.

Exploit:

The only "complicated" thing to find here is the stack address to jump to. In my case I generated the exploit with the address found using gdb, but then, when exploiting it, it didn't work (because the stack address had changed a bit).

I opened the generated core file (gdb ./bog ./core) and checked the real address of the start of the shellcode.
