{"id":2242,"date":"2022-10-18T11:08:23","date_gmt":"2022-10-18T02:08:23","guid":{"rendered":"https:\/\/derrylab.com\/?p=2242"},"modified":"2022-10-18T11:16:03","modified_gmt":"2022-10-18T02:16:03","slug":"how-to-do-buffer-overflow-attack-on-64bit-machine","status":"publish","type":"post","link":"https:\/\/blog.derrylab.com\/index.php\/2022\/10\/18\/how-to-do-buffer-overflow-attack-on-64bit-machine\/","title":{"rendered":"How to Do Buffer Overflow Attack on 64bit Machine"},"content":{"rendered":"\n

Professor’s course material was out of date. He made an example of a buffer overflow attack several years ago. Then here I am, asked to fix the code to work on a modern machine, 64bit Kali Linux.<\/p>\n\n\n\n

There should be no difference with other Linux; you can practice this on any 64bit Linux machine.<\/p>\n\n\n\n

Prerequisite<\/h2>\n\n\n\n

First, you need GCC and GDB; on Kali, GCC is already installed, so you just need to install the GDB.<\/p>\n\n\n\n

sudo apt install gdb<\/code><\/pre>\n\n\n\n
Then we go to write the vulnerable code. Let’s create a file called demo.c.<\/p>\n\n\n\n
$ vi demo.c<\/code><\/pre>\n\n\n\n
\/\/demo.c\u200b\n#include<stdio.h> \u200b\n\nvoid getinput()\u200b\n{ \u200b\n       char buffer[8];\u200b\n       gets(buffer);\u200b\n       puts(buffer);\u200b\n}\u200b\n\nint main()\u200b\n{\u200b\n       getinput();\u200b\n       return 0;\u200b\n}\u200b<\/code><\/pre>\n\n\n\n
This program waits for a string input of 8 characters from the user and then writes it back. However, it has no check for boundaries. So when the user inputs a string with more than 8 characters, something unpredictable will happens.<\/p>\n\n\n\n
Now let’s install GDB and compile our demo.c<\/code> without a stack protector. Why? Because by default, GCC already protects the program from stack smashing caused by a non-educated developer who doesn’t care about the input boundary.<\/p>\n\n\n\n
$ sudo apt install gdb\u200b\n$ gcc -ggdb -fno-stack-protector -o demo demo.c\u200b<\/code><\/pre>\n\n\n\n
Run the program and input more than 8 characters; try 16 characters and hit Enter.<\/p>\n\n\n\n
$ .\/demo\u200b<\/code><\/pre>\n\n\n\n
That should cause the program to be terminated by a segmentation fault.<\/p>\n\n\n\n
What happens?<\/h2>\n\n\n\n
Look at the stack layout below. The buffer starts from the lowest memory, it will be filled from low to high memory. What will happen when the user fills the buffer with more than 8 bytes? The Base Pointer (RBP) and return address (RET) are in danger, and they will be smashed by the user input.<\/p>\n\n\n\n
\"\"
Stack layout<\/figcaption><\/figure>\n\n\n\n
Closer Look<\/h2>\n\n\n\n
Let’s take a closer look by using GDB.<\/p>\n\n\n\n
$ gdb demo<\/code><\/pre>\n\n\n\n
Create a breakpoint at getinput()<\/code> function, and run the program.<\/p>\n\n\n\n
(gdb) b getinput\n(gdb) run<\/code><\/pre>\n\n\n\n
The program will run and stop at the prologue of getinput() function. Here we can check the return address in current condition.<\/p>\n\n\n\n
(gdb) x\/8xg $rsp<\/code><\/pre>\n\n\n\n
\"\"
Where is 0x5555555517f ?<\/figcaption><\/figure>\n\n\n\n
That address should be pointing to the line after the getinput()<\/code> function is called. Let’s confirm it by using disassembly<\/code>. Note that this return address on different machines may be different.<\/p>\n\n\n\n
(gdb) disas 0x55555555517f<\/code><\/pre>\n\n\n\n
\"\"
0x55555555517f is the line after getinput()<\/code> function is called<\/figcaption><\/figure>\n\n\n\n
As expected, the return address points to the line right after the getinput()<\/code> function is called.<\/p>\n\n\n\n
Buffer Overflow!<\/h2>\n\n\n\n
Use n<\/code> to go to the next instruction, the program will wait for input. Let’s input more than 8 characters to trigger a buffer overflow and hit Enter.<\/p>\n\n\n\n
(gdb) n\n1234567890abcdefghijklmn<\/code><\/pre>\n\n\n\n
At this time, we already overflow the buffer, lets check the stack values.<\/p>\n\n\n\n
(gdb) x\/8xg $rsp<\/code><\/pre>\n\n\n\n
\"\"
The return address is smashed by overflowing user input<\/figcaption><\/figure>\n\n\n\n
The figure above shows that the first 8 bytes of our input are put in the buffer space, but the other 16 smashes through the RBP and return the address. This means we can modify our last 8-byte input to a value that points to another address which concludes that we can jump to any address we want after getinput()<\/code> function is called.<\/p>\n\n\n\n
\"\"
Smashed stack layout and current values<\/figcaption><\/figure>\n\n\n\n
If you continue the program, it will be terminated by segmentation fault because the address 0x6e6d6c6b6a696867<\/code> is invalid and does not exist in our program.<\/p>\n\n\n\n
We are Free to Travel Anywhere<\/h2>\n\n\n\n
The return address can be replaced by any values we want. Let’s use it to jump to a hidden function that can never be called. Create a new demo called demo2.c<\/code><\/p>\n\n\n\n
\/\/demo2.c\u200b\n\u200b\n#include<stdio.h> \u200b\nvoid canneverexecute()\u200b\n{  \n   printf(\u201dI can never be executed in normal case!\\n\u201d);\u200b\n}\u200b\n\nvoid getinput()\u200b\n{ \u200b\n   char buffer[8];\u200b\n   gets(buffer);\u200b\n   puts(buffer);\u200b\n}\u200b\n\nint main()\u200b\n{ \u200b\n   printf(\u201cSecret function at %p\\n\u201d, (void *) canneverexecute);\u200b\n   getinput();\u200b\n   return 0;\u200b\n}\u200b<\/code><\/pre>\n\n\n\n
Compile just like before without a stack protector and run.<\/p>\n\n\n\n
\u200b$\u00a0gcc\u00a0-ggdb\u00a0-fno-stack-protector -o demo2 demo2.c\n$ .\/demo2<\/code><\/pre>\n\n\n\n
Each time you run the program, the address keeps changing, so we\u00a0will disable the user address randomization to make it easier\u200b.<\/p>\n\n\n\n
$ sudo bash -c 'echo 0 > \/proc\/sys\/kernel\/randomize_va_space\u2019\u200b<\/code><\/pre>\n\n\n\n
Run the program again, and it will show that the address of the hidden function does not change anymore. We will use this address as input to replace the return address in the stack so that after the getinput()<\/code> function is called, the hidden function will run.<\/p>\n\n\n\n
\"\"
Jumping to another function that is never called<\/figcaption><\/figure>\n\n\n\n
Congratulations! Now you understand how the buffer overflow works. Even if this technique is classic, there are still many legacy machines out there living with this vulnerability. Even the newest machine can still suffer from this vulnerability. See it in CVE<\/a>.<\/p>\n\n\n\n
\"\"
Even the newest machine still suffers from this classic vulnerability<\/figcaption><\/figure>\n\n\n\n
I hope this post can help you understand the classic vulnerability. See you in another post, and have a nice day! \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Professor’s course material was out of date. He made an example of a buffer overflow attack several years ago. Then here I am, asked to fix the code to work on a modern machine, 64bit Kali Linux. There should be no difference with other Linux; you can practice this on any 64bit Linux machine. Prerequisite […]<\/p>\n","protected":false},"author":1,"featured_media":2294,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5,149],"tags":[190,183,182,186,185,187,189,36,188,191,64,184],"class_list":["post-2242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-programming","category-security","tag-64bit","tag-buffer-overflow-attack","tag-buffer-overlflow","tag-cve","tag-exploit","tag-hacking","tag-kali-linux","tag-linux","tag-reverse-engineer","tag-stack-smashing","tag-tutorial","tag-vulnerability"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2022\/10\/pexels-photo-9156792.jpeg?fit=1880%2C1154&ssl=1","jetpack-related-posts":[{"id":2538,"url":"https:\/\/blog.derrylab.com\/index.php\/2023\/01\/31\/how-to-install-alfa-awus036nh-driver-for-kali-linux\/","url_meta":{"origin":2242,"position":0},"title":"How to Install Alfa AWUS036NH Driver for Kali Linux","author":"derry","date":"January 31, 2023","format":false,"excerpt":"This wifi adapter is an important weapon for penetration testers due to its feature that supports monitor and packet injection mode on a 2.4Ghz network. However, even if Alfa said it is already supported out of the box in Kali Linux, I found it unstable out of the box. Sometimes\u2026","rel":"","context":"In "Hardware"","block_context":{"text":"Hardware","link":"https:\/\/blog.derrylab.com\/index.php\/category\/hardware\/"},"img":{"alt_text":"Computer desktop","src":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/czNmcy1wcml2YXRlL3Jhd3BpeGVsX2ltYWdlcy93ZWJzaXRlX2NvbnRlbnQvbHIvZnJ3bGFuX3dpZmlfbmV0d29ya19tb2RlbS1pbWFnZS1reWJjZThvZC5qcGc.jpg?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/czNmcy1wcml2YXRlL3Jhd3BpeGVsX2ltYWdlcy93ZWJzaXRlX2NvbnRlbnQvbHIvZnJ3bGFuX3dpZmlfbmV0d29ya19tb2RlbS1pbWFnZS1reWJjZThvZC5qcGc.jpg?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/czNmcy1wcml2YXRlL3Jhd3BpeGVsX2ltYWdlcy93ZWJzaXRlX2NvbnRlbnQvbHIvZnJ3bGFuX3dpZmlfbmV0d29ya19tb2RlbS1pbWFnZS1reWJjZThvZC5qcGc.jpg?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/czNmcy1wcml2YXRlL3Jhd3BpeGVsX2ltYWdlcy93ZWJzaXRlX2NvbnRlbnQvbHIvZnJ3bGFuX3dpZmlfbmV0d29ya19tb2RlbS1pbWFnZS1reWJjZThvZC5qcGc.jpg?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/czNmcy1wcml2YXRlL3Jhd3BpeGVsX2ltYWdlcy93ZWJzaXRlX2NvbnRlbnQvbHIvZnJ3bGFuX3dpZmlfbmV0d29ya19tb2RlbS1pbWFnZS1reWJjZThvZC5qcGc.jpg?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":2555,"url":"https:\/\/blog.derrylab.com\/index.php\/2023\/01\/31\/how-to-find-and-connect-to-hidden-wifi-network\/","url_meta":{"origin":2242,"position":1},"title":"How to Find and Connect to Hidden Wifi Network","author":"derry","date":"January 31, 2023","format":false,"excerpt":"Suppose you have a device that communicates using wifi, and you already know the password, but you can't find the SSID name on your phone or computer. How can you connect? In this post, I will show you how to find and connect to the hidden network using Kali Linux.\u2026","rel":"","context":"In "Hardware"","block_context":{"text":"Hardware","link":"https:\/\/blog.derrylab.com\/index.php\/category\/hardware\/"},"img":{"alt_text":"photo of a wi fi tower under a blue sky","src":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/pexels-photo-7862565.jpeg?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/pexels-photo-7862565.jpeg?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/pexels-photo-7862565.jpeg?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/pexels-photo-7862565.jpeg?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/01\/pexels-photo-7862565.jpeg?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":39,"url":"https:\/\/blog.derrylab.com\/index.php\/2020\/03\/30\/install-hangeul-korean-font-support-on-raspberry-pi-4\/","url_meta":{"origin":2242,"position":2},"title":"Install Hangeul\/Korean Font Support on Raspberry Pi 4","author":"derry","date":"March 30, 2020","format":false,"excerpt":"No need to talk, just type: $ sudo apt install ibus ibus-hangul fonts-unfonts-core That's it, now reboot, $ sudo reboot and go to naver.com to check. :)","rel":"","context":"In "linux"","block_context":{"text":"linux","link":"https:\/\/blog.derrylab.com\/index.php\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2789,"url":"https:\/\/blog.derrylab.com\/index.php\/2023\/04\/25\/how-to-ssh-with-proxyjump-in-linux\/","url_meta":{"origin":2242,"position":3},"title":"How to SSH with ProxyJump in Linux","author":"derry","date":"April 25, 2023","format":false,"excerpt":"Secure Shell (SSH) is a widely used protocol for remotely connecting to a computer system, typically over a network. It provides encrypted communication and authentication to ensure secure access to a remote machine. In this article, we will discuss how to SSH with ProxyJump in Linux. ProxyJump is a feature\u2026","rel":"","context":"In "linux"","block_context":{"text":"linux","link":"https:\/\/blog.derrylab.com\/index.php\/category\/linux\/"},"img":{"alt_text":"photo of jumping man","src":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/04\/pexels-photo-2736809.jpeg?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/04\/pexels-photo-2736809.jpeg?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/04\/pexels-photo-2736809.jpeg?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/04\/pexels-photo-2736809.jpeg?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2023\/04\/pexels-photo-2736809.jpeg?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":552,"url":"https:\/\/blog.derrylab.com\/index.php\/2022\/03\/15\/how-to-run-linux-on-riscv-in-arty-a7-100t-fpga\/","url_meta":{"origin":2242,"position":4},"title":"How to Run Linux on RISCV in Arty A7-100T FPGA","author":"derry","date":"March 15, 2022","format":false,"excerpt":"It's been tempting for me to try running open-source software on top of open-source hardware. SiFive provides a bitstream for Arty A7 called Freedom, but it seems that the repository is dead now. The other interesting alternative to try is VexRiscv, and everyone keeps posting about Arty A7 35T while\u2026","rel":"","context":"In "linux"","block_context":{"text":"linux","link":"https:\/\/blog.derrylab.com\/index.php\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2022\/03\/pexels-rone-ferreira-3690005-1-scaled.jpg?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2022\/03\/pexels-rone-ferreira-3690005-1-scaled.jpg?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2022\/03\/pexels-rone-ferreira-3690005-1-scaled.jpg?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2022\/03\/pexels-rone-ferreira-3690005-1-scaled.jpg?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/blog.derrylab.com\/wp-content\/uploads\/2022\/03\/pexels-rone-ferreira-3690005-1-scaled.jpg?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":120,"url":"https:\/\/blog.derrylab.com\/index.php\/2020\/11\/04\/install-xilinx-in-batch-mode\/","url_meta":{"origin":2242,"position":5},"title":"How to Install Xilinx using Command Line in Four Steps","author":"derry","date":"November 4, 2020","format":false,"excerpt":"I just got some problem with Xilinx 2020.1 installation on my Pop OS. The installer was stuck and gives me an error message: ibndias@shaheen:~\/Downloads$ .\/Xilinx_Unified_2020.1_0602_1208_Lin64.bin Verifying archive integrity... All good. Uncompressing Xilinx Installer............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... Exception in thread \"SPLASH_LOAD_MESSAGE\" java.lang.IllegalStateException: no splash screen available at java.desktop\/java.awt.SplashScreen.checkVisible(Unknown Source) at java.desktop\/java.awt.SplashScreen.getBounds(Unknown Source) at java.desktop\/java.awt.SplashScreen.getSize(Unknown\u2026","rel":"","context":"In "linux"","block_context":{"text":"linux","link":"https:\/\/blog.derrylab.com\/index.php\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/posts\/2242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/comments?post=2242"}],"version-history":[{"count":5,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/posts\/2242\/revisions"}],"predecessor-version":[{"id":2295,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/posts\/2242\/revisions\/2295"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/media\/2294"}],"wp:attachment":[{"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/media?parent=2242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/categories?post=2242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.derrylab.com\/index.php\/wp-json\/wp\/v2\/tags?post=2242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}