ELF x64 — Stack buffer overflow — basic Rootme ( App-System)
This is a basic Buffer overflow challenge with x64 Machine. There is very little change in how x86 and x64 work. Let’s get into the challenge.
The Source code is given on the website.
This is similar to the x86 challenge. Let us try analyzing the code. The variable size is 256 bytes (buffer[256]) . Scanf is used here to get the input from the user for the variable “Buffer”. But there is no restriction to the number of bytes the user can input. So this is our place of attack.
We need to see how the stack is formed by using gdb.
Before scanf(), there is some allocation of memory for storing variable “buffer” . which is at “RBP-0x110” and for the variable “len”, it is at “RBP-0x4”. So now we shall see how this stack would look like.
Sorry for that bad drawing :) But this will be the stack structure for this challenge. I hope you understood this part.
And yes don’t worry about how those bytes appeared from nowhere. It’s just a basic calculation. You have 256 bytes for the buffer. But here 268 bytes are created ( RBP-0x110). For now, let us not worry about why these extra spaces which are created, That’s for another blog. And next for “len”, you can get the bytes the same way.
To change the “RIP” or “Return address” we need to overwrite “len” and “RBP”.
But how do we get the address of the callMeMaybe() function?
So the starting address is “0x00000000004005e7” which has to be converted to little-endian format ( Do see my write up on X86, I have explained everything in detail). So now we are ready to write our exploits.
Printing 268 + 4 + 8 = 280 bytes of any random character and then the address of callMeMaybe() function .
And we get our flag!
It is an easy challenge but requires some knowledge of how the stack works. Would highly recommend newbies like me to draw the entire stack structure to understand.
Do give some claps if you reached here :). And do feel free to ask your doubts in the comment section. It would help others too!
Goodbye :)