Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
en:it-security:blog:buffer_overflow_x64 [2024/03/05 16:08] psycoreen:it-security:blog:buffer_overflow_x64 [2024/08/02 12:31] (current) psycore
Line 1: Line 1:
 {{tag>english linux kali it-security pentest blog}} {{tag>english linux kali it-security pentest blog}}
  
-====== Buffer overflow in the 64-bit stack ======+====== Buffer overflow in the 64-bit stack - part 1 ======
  
-<callout type="danger" icon="glyphicon glyphicon-alert" title="Attention!"> +In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges.((https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow))
-The techniques and methods in this article are for learning purposes only! +
-</callout>+
  
-In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges. erlangen.((https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow)) +Technical details on buffer overflows, stack etc. can be found here((https://medium.com/@buff3r/basic-buffer-overflow-on-64-bit-architecture-3fb74bab3558))
- +
-Technical details on buffer overflows, stack etc. can be found at hier((https://medium.com/@buff3r/basic-buffer-overflow-on-64-bit-architecture-3fb74bab3558)) +
-\\ +
-\\ +
-<mermaid> +
-classDiagram +
-    note for Buffer "Overwrite Buffer" +
-    note for RBP "Overwrite RBP" +
-    note for RIP "place return address" +
-    Buffer --> RBP +
-    RBP --> RIP +
-    RIP --> 0x00007FFFFFFFC19F +
-    Buffer: AAAAAAAAAAAA +
-    RBP: BBBBBBBBBBBBBB +
-    RIP: 0x00007FFFFFFFFFC19F +
-    class 0x00007FFFFFFFC19F{ +
-      Shellcode() +
-      root shell +
-    } +
-</mermaid>+
 \\ \\
 \\ \\
 ===== Dependencies ===== ===== Dependencies =====
 +
 +{{page>en:vorlagen:64_bit_stack_nav}}
 +
 +{{page>en:vorlagen:attention}}
  
 What is needed? What is needed?
Line 42: Line 24:
 ==== gdb-peda Exploit Tools ==== ==== gdb-peda Exploit Tools ====
  
-gdb-peda extends the debugger GDB with helpful commands to exploit Entwicklung.((https://github.com/longld/peda/blob/master/README))+gdb-peda extends the debugger GDB with helpful commands to exploit.((https://github.com/longld/peda/blob/master/README))
  
 <code bash> <code bash>
Line 60: Line 42:
 \\ \\
 ==== Programme ==== ==== Programme ====
 +
 +{{:it-security:blog:bof-64-1.jpg|}}
  
 <code c> <code c>
Line 92: Line 76:
 \\ \\
 ===== RIP Register ===== ===== RIP Register =====
 +
 +<mermaid>
 +classDiagram
 +    note for Buffer "Overwrite Buffer"
 +    note for RBP "Overwrite RBP"
 +    note for RIP "place return address"
 +    Buffer --> RBP
 +    RBP --> RIP
 +    RIP --> 0x00007FFFFFFFC19F
 +    Buffer: AAAAAAAAAAAA
 +    RBP: BBBBBBBBBBBBBB
 +    RIP: 0x00007FFFFFFFFFC19F
 +    class 0x00007FFFFFFFC19F{
 +      Shellcode()
 +      root shell
 +    }
 +</mermaid>
  
 Of interest to us is the register ''RIP''. This contains a return address that points to another area in the code. We overwrite this return address with the buffer overflow. But first we have to find out how we can do this. Of interest to us is the register ''RIP''. This contains a return address that points to another area in the code. We overwrite this return address with the buffer overflow. But first we have to find out how we can do this.
Line 205: Line 206:
 ==== Attack ==== ==== Attack ====
  
-First we set root rights to the vulnerable file and start diese((https://blog.techorganic.com/2015/04/10/64-bit-linux-stack-smashing-tutorial-part-1/))+First we set root rights to the vulnerable file and start it((https://blog.techorganic.com/2015/04/10/64-bit-linux-stack-smashing-tutorial-part-1/))
  
 <code bash> <code bash>
Line 225: Line 226:
 ^ Size | 5.76 KB | ^ Size | 5.76 KB |
 ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 | ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 |
 +
 +~~DISCUSSION~~