Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
en:it-security:blog:buffer_overflow_x64 [2024/02/23 13:03] – psycore | en:it-security:blog:buffer_overflow_x64 [2024/08/02 12:31] (current) – psycore | ||
---|---|---|---|
Line 1: | Line 1: | ||
{{tag> | {{tag> | ||
- | ====== Buffer overflow in the 64-bit stack ====== | + | ====== Buffer overflow in the 64-bit stack - part 1 ====== |
- | <callout type=" | + | In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges.((https:// |
- | === Attention! === | + | |
- | The techniques and methods in this article are for learning purposes only! | + | Technical details on buffer overflows, stack etc. can be found here((https:// |
- | </ | + | |
- | + | ||
- | ^ Project files | {{ it-security: | + | |
- | ^ Size | 5.76 KB | | + | |
- | ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 | | + | |
- | + | ||
- | In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges. erlangen.((https:// | + | |
- | + | ||
- | Technical details on buffer overflows, stack etc. can be found at hier((https:// | + | |
- | \\ | + | |
- | \\ | + | |
- | < | + | |
- | classDiagram | + | |
- | note for Buffer " | + | |
- | note for RBP " | + | |
- | note for RIP "place return address" | + | |
- | Buffer --> RBP | + | |
- | RBP --> RIP | + | |
- | RIP --> 0x00007FFFFFFFC19F | + | |
- | Buffer: AAAAAAAAAAAA | + | |
- | RBP: BBBBBBBBBBBBBB | + | |
- | RIP: 0x00007FFFFFFFFFC19F | + | |
- | class 0x00007FFFFFFFC19F{ | + | |
- | Shellcode() | + | |
- | root shell | + | |
- | } | + | |
- | </ | + | |
\\ | \\ | ||
\\ | \\ | ||
===== Dependencies ===== | ===== Dependencies ===== | ||
+ | |||
+ | {{page> | ||
+ | |||
+ | {{page> | ||
What is needed? | What is needed? | ||
Line 48: | Line 24: | ||
==== gdb-peda Exploit Tools ==== | ==== gdb-peda Exploit Tools ==== | ||
- | gdb-peda extends the debugger GDB with helpful commands to exploit | + | gdb-peda extends the debugger GDB with helpful commands to exploit.((https:// |
<code bash> | <code bash> | ||
- | wget http://ropshell.com/peda/peda.tar.gz | + | git clone https://github.com/longld/peda.git ~/peda |
- | tar zxvf peda.tar.gz | + | |
echo " | echo " | ||
</ | </ | ||
Line 67: | Line 42: | ||
\\ | \\ | ||
==== Programme ==== | ==== Programme ==== | ||
+ | |||
+ | {{: | ||
<code c> | <code c> | ||
Line 99: | Line 76: | ||
\\ | \\ | ||
===== RIP Register ===== | ===== RIP Register ===== | ||
+ | |||
+ | < | ||
+ | classDiagram | ||
+ | note for Buffer " | ||
+ | note for RBP " | ||
+ | note for RIP "place return address" | ||
+ | Buffer --> RBP | ||
+ | RBP --> RIP | ||
+ | RIP --> 0x00007FFFFFFFC19F | ||
+ | Buffer: AAAAAAAAAAAA | ||
+ | RBP: BBBBBBBBBBBBBB | ||
+ | RIP: 0x00007FFFFFFFFFC19F | ||
+ | class 0x00007FFFFFFFC19F{ | ||
+ | Shellcode() | ||
+ | root shell | ||
+ | } | ||
+ | </ | ||
Of interest to us is the register '' | Of interest to us is the register '' | ||
Line 212: | Line 206: | ||
==== Attack ==== | ==== Attack ==== | ||
- | First we set root rights to the vulnerable file and start diese((https:// | + | First we set root rights to the vulnerable file and start it((https:// |
<code bash> | <code bash> | ||
Line 229: | Line 223: | ||
\\ | \\ | ||
\\ | \\ | ||
+ | ^ Project files | {{ it-security: | ||
+ | ^ Size | 5.76 KB | | ||
+ | ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 | | ||
+ | |||
+ | ~~DISCUSSION~~ |