Buffer Overflows and Exploit Development

So after making my video for my "Can You Hack It" series on the system Smasher from hack the box I realized that there is a lot of room to dig deeper and have more specialized tops related to the challenges from that system. So I decided that I would post that video up (which I have done now, link at the bottom) and afterward I would start planning some videos and blog entries that are focused on some of the finer details of the challenges on that box.

Hopefully as long as I have enough time I will be releasing some more videos on buffer overflows and exploit development in the coming weeks and we will use the challenges on Smasher as the exercise we will be demonstrating on. One of the big things from this challenge that I saw a lot of people asking on the forums for hackthebox was if anyone had managed to get a root shell, which from what I have seen so far no one had (although a comment Ippsec made suggests maybe someone was able to bruteforce an address and get something to work) so I am going to take a few days this week and see if I can't manage to get something to work hoping that if I can I'll get some good content for a video and blog post.

Getting code execution with the buffer overflow in the 'checker' executable presents at least a few challenges that I see. First is that it is using strcpy which will terminate when it sees a null byte, which since this is a 64 bit system any memory addresses will contain 2 null bytes at the top of the address. Second is that there are some register move instructions that dereference some locations in the buffer which are stored in registers, this means overwriting the buffer with "A"s or something like that will result in the registers being dereferenced containing non-canonical addresses which causes an exception. Since it is the input buffer we can get around that by engineering the payload to have something like 0x0000424242424242 in that location but then we have the issue of having null bytes and the strcpy terminates when it see's them. I haven't done the math yet but it's possible we can engineer a valid address and still get an overflow but these are a few of the challenges that came up from a brief look so we'll see what we can do with it.

If you haven't seen the video yet check it out, feel free to use the links in the description to bounce around (it is an insanely long video)

Ben Grewell

Ben Grewell