Writeup for a simple buffer overflow in a linux 32 bit system

This is a writeup on the simplest exploitable binary (buffer overflow, 32 bit, no ASLR, executable stack) but with (I think) a different approach with respect to the usual writeups.

In particular, how to calculate the address of a buffer knowing the environment variables contents.

The post is here: https://ktln2.org/2018/08/13/pratical-approach-exploitation/

4 Likes

G’evening fellow Italian! I have to say, your article was probably one of the clearest I’ve seen regarding basic buffer overflows, very beginner-friendly. Plus, that environment variable tip was new to me so thank you for sharing that.

I have to ask out of curiosity… are you using a 32 bits architecture because you haven’t written any 64 bits shellcode before or because of simplicity? If it’s because you still haven’t practiced shellcoding in a 64 bits environment I feel like sharing this simple local shellcode I wrote a few days ago as a little reference in case you wish to know more about more modern systems:

xor %rdx, %rdx                    ; RDX = 0
push %rdx                         ; pushes RDX to act as a string terminator
mov $0x68732f2f6e69622f, %rax     ; copies the /bin/sh string into RAX encoded in ASCII
push %rax                         ; pushes the string on the stack
mov %rsp, %rdi                    ; copies the address of the string inside RDI
push %rdx                         ; pushes RDX on the stack, it's the address to the environment string, NULL
push %rdi                         ; pushes the address of the string too
mov %rsp, %rsi                    ; RSI now contains the address of the string, which is also the address of the parameters, terminated by NULL
xor %rax, %rax                    ; RAX = 0
mov $0x3b, %al                    ; loads the ID of execve
syscall                           ; executes the system call

If you’re wondering, “syscall” is just the same as “int 0x80” :slight_smile:

3 Likes

thank you for the feedback

I’m using a 32bit architecture mainly because it’s the simplest to attack and I have in mind to create a series of posts exploring the different “computational models” and the ways of attacking them. I would like to summarize my knowledge with a little bit of pratical and theoretical approach.

P.S: I have already practiced exploiting 64bit architectures but also more “exotic” ones, like ARM and MIPS; also using ROP techniques.

Hi, just wondering this but doesn’t x64 architecture have a protection against shellcode or something like that? Been working on The Art of Exploitation and they’ve mentioned something about a protection in the kernel to prevent abuse or something… don’t quote me on that. lololol.

There are a certain numbers of protections in modern systems, also for 32 bit architectures.

In my post I don’t explain too much since the compilation flags used to generate the binary are such that the simplest memory configuration is created (i.e. executable stack, not randomized address, etc…) and seems unnecessary to me explain unncesserary stuffs.

In the future when I’ll need to explain the different memory models of a modern binary I’ll introduce them with some explanation.

There are hardware protections such as the NX bit but they are supported by x86 architectures as well, they’re not exclusives of x64. If you want to practice buffer overflows on an unprotected system you should try Protostar, but you’ll have to write all your exploits for a x86 system. It’s also possible to disable every protection manually if you want to play with x64 exploitation.

The protections the author mentioned (I have the book too) were non executable stacks (NX) and address randomization (ASLR), Protostar doesn’t have any of the two on purpose.

1 Like

I was speaking of ASLR, but couldn’t recall the exact name… lololol. I will look into Protostar since I have heard much great things about it.

Excellent article - it really helped me understand the fundamentals of buffer overflows. Thanks for sharing.