Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
en:it-security:blog:buffer_overflow_x64 [2024/03/07 20:03] psycoreen:it-security:blog:buffer_overflow_x64 [2024/08/02 12:31] (current) psycore
Line 3: Line 3:
 ====== Buffer overflow in the 64-bit stack - part 1 ====== ====== Buffer overflow in the 64-bit stack - part 1 ======
  
-{{:it-security:blog:bof-64-1.jpg|}}+In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges.((https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow))
  
-<callout type="danger" icon="glyphicon glyphicon-alert" title="Attention!"> +Technical details on buffer overflows, stack etc. can be found here((https://medium.com/@buff3r/basic-buffer-overflow-on-64-bit-architecture-3fb74bab3558))
-The techniques and methods in this article are for learning purposes only! +
-</callout> +
- +
-In this tutorial, we will create a buffer overflow on the 64-bit stack to gain root privileges. erlangen.((https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow)) +
- +
-Technical details on buffer overflows, stack etc. can be found at hier((https://medium.com/@buff3r/basic-buffer-overflow-on-64-bit-architecture-3fb74bab3558)) +
-\\ +
-\\ +
-<mermaid> +
-classDiagram +
-    note for Buffer "Overwrite Buffer" +
-    note for RBP "Overwrite RBP" +
-    note for RIP "place return address" +
-    Buffer --> RBP +
-    RBP --> RIP +
-    RIP --> 0x00007FFFFFFFC19F +
-    Buffer: AAAAAAAAAAAA +
-    RBP: BBBBBBBBBBBBBB +
-    RIP: 0x00007FFFFFFFFFC19F +
-    class 0x00007FFFFFFFC19F{ +
-      Shellcode() +
-      root shell +
-    } +
-</mermaid>+
 \\ \\
 \\ \\
 ===== Dependencies ===== ===== Dependencies =====
 +
 +{{page>en:vorlagen:64_bit_stack_nav}}
 +
 +{{page>en:vorlagen:attention}}
  
 What is needed? What is needed?
Line 44: Line 24:
 ==== gdb-peda Exploit Tools ==== ==== gdb-peda Exploit Tools ====
  
-gdb-peda extends the debugger GDB with helpful commands to exploit Entwicklung.((https://github.com/longld/peda/blob/master/README))+gdb-peda extends the debugger GDB with helpful commands to exploit.((https://github.com/longld/peda/blob/master/README))
  
 <code bash> <code bash>
Line 62: Line 42:
 \\ \\
 ==== Programme ==== ==== Programme ====
 +
 +{{:it-security:blog:bof-64-1.jpg|}}
  
 <code c> <code c>
Line 94: Line 76:
 \\ \\
 ===== RIP Register ===== ===== RIP Register =====
 +
 +<mermaid>
 +classDiagram
 +    note for Buffer "Overwrite Buffer"
 +    note for RBP "Overwrite RBP"
 +    note for RIP "place return address"
 +    Buffer --> RBP
 +    RBP --> RIP
 +    RIP --> 0x00007FFFFFFFC19F
 +    Buffer: AAAAAAAAAAAA
 +    RBP: BBBBBBBBBBBBBB
 +    RIP: 0x00007FFFFFFFFFC19F
 +    class 0x00007FFFFFFFC19F{
 +      Shellcode()
 +      root shell
 +    }
 +</mermaid>
  
 Of interest to us is the register ''RIP''. This contains a return address that points to another area in the code. We overwrite this return address with the buffer overflow. But first we have to find out how we can do this. Of interest to us is the register ''RIP''. This contains a return address that points to another area in the code. We overwrite this return address with the buffer overflow. But first we have to find out how we can do this.
Line 207: Line 206:
 ==== Attack ==== ==== Attack ====
  
-First we set root rights to the vulnerable file and start diese((https://blog.techorganic.com/2015/04/10/64-bit-linux-stack-smashing-tutorial-part-1/))+First we set root rights to the vulnerable file and start it((https://blog.techorganic.com/2015/04/10/64-bit-linux-stack-smashing-tutorial-part-1/))
  
 <code bash> <code bash>
Line 227: Line 226:
 ^ Size | 5.76 KB | ^ Size | 5.76 KB |
 ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 | ^ Prüfsumme (SHA256) | 191e6f1811018970776e3bf035ff460033a47da62335fe5c9475a460b02a10d3 |
 +
 +~~DISCUSSION~~