Differences

This shows you the differences between two versions of the page.

--- en:it-security:blog:buffer_overflow_x64-3 [2024/04/08 21:06] – created psycore
+++ en:it-security:blog:buffer_overflow_x64-3 [2024/09/11 22:33] (current) – Discussion status changed psycore
@@ Line 2: / Line 2: @@
 ====== Buffer overflow in the 64-bit stack - Part 3 ======
-{{it-security:blog:bof-part3-header.jpg?800|}}
+In [[en:it-security:blog:buffer_overflow_x64-2|Part 2]] we used the string ''/bin/zsh'' to the function ''System()'' function to open a root shell. To do this, however, we had to deactivate ASLR - ASLR changes function addresses every time the programme is restarted. Superkojiman describes in detail [[https://blog.techorganic.com|in his Blog]] how to circumvent this protection. But first we have to visualise a few things
 The third part of the Buffer Overflow series.
@@ Line 8: / Line 8: @@
 \\
 ===== Introduction =====
+{{page>en:vorlagen:64_bit_stack_nav}}
 ==== Theory ====
-In [[en:it-security:blog:buffer_overflow_x64-2|Part 2]] we used the string ''/bin/zsh'' to the function ''System()'' function to open a root shell. To do this, however, we had to deactivate ASLR - ASLR changes function addresses every time the programme is restarted. Superkojiman describes in detail in his Blog((https://blog.techorganic.com/2016/03/18/64-bit-linux-stack-smashing-tutorial-part-3/)) how to circumvent this protection. But first we have to visualise a few things
+{{it-security:blog:bof-part3-header.jpg?500 |}}
 In Linux systems, dynamic programme libraries are usually used. This has the advantage that we do not have to rewrite every function in every programme, but can simply access the function of the system, which, for example, is stored in ''libc'' for example. If ASLR is now activated, the addresses are changed each time the programme is started.
@@ Line 19: / Line 21: @@
 PLT (Procedure Linkage Table) and GOT (Global Offset Table) are responsible for the interaction during dynamic linking. The function ''write()'' function does not point to the actual function when called, but to ''write@plt''. The GOT entry for the function is then requested from the PLT.
-The GOT now contains all ''libc'' addresses and PLT redirects the execution to them. If the address does not yet exist, ''ld.so'' searches for it and saves it in the GOT. We can now utilise this principle machen.((https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got))
+The GOT now contains all ''libc'' addresses and PLT redirects the execution to them. If the address does not yet exist, ''ld.so'' searches for it and saves it in the GOT. We can now utilise this principle.((https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got))
 === Leak and Overwrite ===
@@ Line 54: / Line 56: @@
 ==== C Programme ====
-The source code and the compiled binary are also available on [[gh>psycore8/nosoc-bof/tree/main/part-3|Github]] available.
+The source code and the compiled binary are also available on [[gh>psycore8/nosoc-bof/tree/main/part-3|Github]].
 <file c bof-part3.c>
@@ Line 92: / Line 94: @@
 ===== Debug =====
-{{page>vorlagen:attention}}
+{{page>en:vorlagen:attention}}
 ==== Start socat Listener ====
@@ Line 447: / Line 449: @@
 ^ Prüfsumme (SHA256) | d1212026504c7a90680e3f1e430244734695971c73f1461bed12605644c707d8 |
+===== References =====
+  * [[https://blog.techorganic.com/2016/03/18/64-bit-linux-stack-smashing-tutorial-part-3/]]
+~~DISCUSSION~~