Differences

en:it-security:blog:buffer_overflow_x64-3 [2024/04/14 12:39] psycoreen:it-security:blog:buffer_overflow_x64-3 [2024/09/11 22:33] (current) – Discussion status changed psycore
Line 2: Line 2:
 ====== Buffer overflow in the 64-bit stack - Part 3 ====== ====== Buffer overflow in the 64-bit stack - Part 3 ======
  
-In [[en:it-security:blog:buffer_overflow_x64-2|Part 2]] we used the string ''/bin/zsh'' to the function ''System()'' function to open a root shell. To do this, however, we had to deactivate ASLR - ASLR changes function addresses every time the programme is restarted. Superkojiman describes in detail in his Blog((https://blog.techorganic.com/2016/03/18/64-bit-linux-stack-smashing-tutorial-part-3/)) how to circumvent this protection. But first we have to visualise a few things+In [[en:it-security:blog:buffer_overflow_x64-2|Part 2]] we used the string ''/bin/zsh'' to the function ''System()'' function to open a root shell. To do this, however, we had to deactivate ASLR - ASLR changes function addresses every time the programme is restarted. Superkojiman describes in detail [[https://blog.techorganic.com|in his Blog]] how to circumvent this protection. But first we have to visualise a few things
  
 The third part of the Buffer Overflow series. The third part of the Buffer Overflow series.
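Review bot: The inline link in the new version points at the blog root (https://blog.techorganic.com) rather than the specific Part 3 tutorial post that the old footnote carried, so a reader following it from this paragraph no longer lands on the referenced article; either keep the post URL in the inline link or point the text at the References entry added at the end of the page. Two wording slips survive on both sides of the hunk: "we used the string ''/bin/zsh'' to the function ''System()'' function" repeats "function" (and the libc call is lowercase ''system()''), and the paragraph ends without a period after "a few things".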
Line 8: Line 8:
 \\ \\
 ===== Introduction ===== ===== Introduction =====
 +
 +{{page>en:vorlagen:64_bit_stack_nav}}
  
 ==== Theory ==== ==== Theory ====
Line 19: Line 21:
 PLT (Procedure Linkage Table) and GOT (Global Offset Table) are responsible for the interaction during dynamic linking. The function ''write()'' function does not point to the actual function when called, but to ''write@plt''. The GOT entry for the function is then requested from the PLT. PLT (Procedure Linkage Table) and GOT (Global Offset Table) are responsible for the interaction during dynamic linking. The function ''write()'' function does not point to the actual function when called, but to ''write@plt''. The GOT entry for the function is then requested from the PLT.
  
-The GOT now contains all ''libc'' addresses and PLT redirects the execution to them. If the address does not yet exist, ''ld.so'' searches for it and saves it in the GOT. We can now utilise this principle machen.((https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got))+The GOT now contains all ''libc'' addresses and PLT redirects the execution to them. If the address does not yet exist, ''ld.so'' searches for it and saves it in the GOT. We can now utilise this principle.((https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got))
  
 === Leak and Overwrite === === Leak and Overwrite ===
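Review bot: Dropping the stray German "machen." is correct, but "The GOT now contains all ''libc'' addresses" still overstates lazy binding: as the following sentence itself says, ''ld.so'' only fills in a GOT slot the first time a function is called, so before that the slot points back into the PLT stub. Suggest "The GOT contains the resolved ''libc'' addresses" so the two sentences agree.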
Line 54: Line 56:
 ==== C Programme ==== ==== C Programme ====
  
-The source code and the compiled binary are also available on [[gh>psycore8/nosoc-bof/tree/main/part-3|Github]] available.+The source code and the compiled binary are also available on [[gh>psycore8/nosoc-bof/tree/main/part-3|Github]].
  
 <file c bof-part3.c> <file c bof-part3.c>
Line 92: Line 94:
 ===== Debug ===== ===== Debug =====
  
-{{page>vorlagen:attention}}+{{page>en:vorlagen:attention}}
  
 ==== Start socat Listener ==== ==== Start socat Listener ====
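Review bot: Changing ''vorlagen:attention'' to ''en:vorlagen:attention'' moves the include into the English namespace; confirm the template page exists under ''en:vorlagen'' (the nav include added in the Line 8 hunk relies on the same namespace), otherwise the include renders as a broken page link.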
Line 446: Line 448:
 ^ Size | 9.93 KB | ^ Size | 9.93 KB |
 ^ Prüfsumme (SHA256) | d1212026504c7a90680e3f1e430244734695971c73f1461bed12605644c707d8 | ^ Prüfsumme (SHA256) | d1212026504c7a90680e3f1e430244734695971c73f1461bed12605644c707d8 |
 +
 +===== References =====
 +
 +  * [[https://blog.techorganic.com/2016/03/18/64-bit-linux-stack-smashing-tutorial-part-3/]]
  
 ~~DISCUSSION~~ ~~DISCUSSION~~
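Review bot: Good to record the full tutorial URL in the new References section since the intro link no longer carries it, but a bare URL gives the reader no author or title; suggest "[[https://blog.techorganic.com/2016/03/18/64-bit-linux-stack-smashing-tutorial-part-3/|Superkojiman, 64-bit Linux stack smashing tutorial: Part 3]]". Unrelated to the edit but visible in the context: the table header "Prüfsumme (SHA256)" is still German on this English page and should read "Checksum (SHA256)".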