search

Buffer Overflows

hashtag
Finding the Offset

Let's casually find the offset by printing "A" in python and passing it to the binary until Segmentation fault.

python -c 'print("A" * 100)'|./leak

hashtag
Check the Security Properties of Binary

apt-get -y install checksec
checksec ./leak

hashtag
Ghidra Code Browser

fgets() is vulnerable to buffer overflow.

In GDB-PEDA, the command x/wx $rsp is used to examine the memory content at the address pointed to by the stack pointer ($rsp). Let's break down the command:

  • x: This is the "examine" command in GDB, used to inspect memory content.

  • /wx: These are the modifiers for the examine command. The /w specifies that we want to display the memory as a 32-bit word (4 bytes), and the /x specifies that we want to display the memory content in hexadecimal format.

  • $rsp: This is a GDB register variable representing the stack pointer. The stack pointer holds the memory address of the top of the stack.

Putting it all together, x/wx $rsp will show you the 32-bit word at the memory location pointed to by the stack pointer in hexadecimal format.

hashtag
Open Port using Socat on Target

hashtag
Create BOF exploit using PwnTools Library

hashtag
Execute Exploit and Gain shell

PreviousCrackingNextCloud Security

Last updated