Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
en:it-security:blog:buffer_overflow_x64 [2024/03/05 16:08] – psycore | en:it-security:blog:buffer_overflow_x64 [2024/08/02 12:31] (current) – psycore | ||
---|---|---|---|
Line 1: | Line 1: | ||
{{tag> | {{tag> | ||
- | ====== Buffer overflow in the 64-bit stack ====== | + | ====== Buffer overflow in the 64-bit stack - part 1 ====== |
- | <callout type=" | + | In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges.((https: |
- | The techniques and methods in this article are for learning purposes only! | + | |
- | </callout> | + | |
- | In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges. erlangen.((https:// | + | Technical details on buffer overflows, stack etc. can be found here((https:// |
- | + | ||
- | Technical details on buffer overflows, stack etc. can be found at hier((https:// | + | |
- | \\ | + | |
- | \\ | + | |
- | < | + | |
- | classDiagram | + | |
- | note for Buffer " | + | |
- | note for RBP " | + | |
- | note for RIP "place return address" | + | |
- | Buffer --> RBP | + | |
- | RBP --> RIP | + | |
- | RIP --> 0x00007FFFFFFFC19F | + | |
- | Buffer: AAAAAAAAAAAA | + | |
- | RBP: BBBBBBBBBBBBBB | + | |
- | RIP: 0x00007FFFFFFFFFC19F | + | |
- | class 0x00007FFFFFFFC19F{ | + | |
- | Shellcode() | + | |
- | root shell | + | |
- | } | + | |
- | </ | + | |
\\ | \\ | ||
\\ | \\ | ||
===== Dependencies ===== | ===== Dependencies ===== | ||
+ | |||
+ | {{page> | ||
+ | |||
+ | {{page> | ||
What is needed? | What is needed? | ||
Line 42: | Line 24: | ||
==== gdb-peda Exploit Tools ==== | ==== gdb-peda Exploit Tools ==== | ||
- | gdb-peda extends the debugger GDB with helpful commands to exploit | + | gdb-peda extends the debugger GDB with helpful commands to exploit.((https:// |
<code bash> | <code bash> | ||
Line 60: | Line 42: | ||
\\ | \\ | ||
==== Programme ==== | ==== Programme ==== | ||
+ | |||
+ | {{: | ||
<code c> | <code c> | ||
Line 92: | Line 76: | ||
\\ | \\ | ||
===== RIP Register ===== | ===== RIP Register ===== | ||
+ | |||
+ | < | ||
+ | classDiagram | ||
+ | note for Buffer " | ||
+ | note for RBP " | ||
+ | note for RIP "place return address" | ||
+ | Buffer --> RBP | ||
+ | RBP --> RIP | ||
+ | RIP --> 0x00007FFFFFFFC19F | ||
+ | Buffer: AAAAAAAAAAAA | ||
+ | RBP: BBBBBBBBBBBBBB | ||
+ | RIP: 0x00007FFFFFFFFFC19F | ||
+ | class 0x00007FFFFFFFC19F{ | ||
+ | Shellcode() | ||
+ | root shell | ||
+ | } | ||
+ | </ | ||
Of interest to us is the register '' | Of interest to us is the register '' | ||
Line 205: | Line 206: | ||
==== Attack ==== | ==== Attack ==== | ||
- | First we set root rights to the vulnerable file and start diese((https:// | + | First we set root rights to the vulnerable file and start it((https:// |
<code bash> | <code bash> | ||
Line 225: | Line 226: | ||
^ Size | 5.76 KB | | ^ Size | 5.76 KB | | ||
^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 | | ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 | | ||
+ | |||
+ | ~~DISCUSSION~~ |