64bit Buffer Overflow Address Calculation

G5 Cyber Security

2 weeks ago

TL;DR

This guide explains how to calculate memory addresses for buffer overflow exploits on 64-bit systems, focusing on the stack. We’ll cover finding offsets and understanding address layouts.

Understanding 64-bit Memory Layout

On a 64-bit system, pointers are 8 bytes wide. This affects how we calculate addresses compared to 32-bit systems where pointers were 4 bytes wide. The stack grows downwards in memory.

Step-by-Step Address Calculation

Find the Base Address of the Stack:

Use a debugger (like GDB) to find the current stack pointer (rsp). This is your starting point.
In GDB, use the command info registers rsp. The output will show you the value of the rsp register in hexadecimal. For example:
```
rsp = 0x7ffeefbfd8a0
```

Identify the Target Variable’s Address:

Set a breakpoint just before the vulnerable function is called.
Step through the code until you reach the variable you want to overflow.
In GDB, use print &variable_name (replace ‘variable_name’ with the actual name of your target variable). This will display its address in hexadecimal. For example:
```
&buffer = 0x7ffeefbfd850
```

Calculate the Offset:

Subtract the target variable’s address from the base address of the stack. This gives you the offset in bytes.
```
offset = rsp - &buffer
```
Using the example values above:
```
offset = 0x7ffeefbfd8a0 - 0x7ffeefbfd850 = 0x50 (decimal 80)
```
This means the buffer is located 80 bytes before the current stack pointer.

Account for Return Address:

The return address is typically pushed onto the stack after local variables. You’ll need to add the size of a pointer (8 bytes on 64-bit systems) to your offset to overwrite it.
```
return_address_offset = offset + 8
```
In our example:
```
return_address_offset = 80 + 8 = 88
```
You’ll need to write 88 bytes into the buffer to reach the return address.

Consider Padding:

Compilers may add padding between variables on the stack for alignment purposes. Inspect the stack layout in your debugger to identify any padding.
Use x/20xg &variable_name (replace ‘variable_name’ with a variable near the target) to examine the stack contents around the target variable. This will show you 20 hexadecimal words (8 bytes each). Look for gaps in the expected sequence of values.

Address Calculation during Exploit Development:

When crafting your exploit, remember that the stack address can change with each execution due to ASLR (Address Space Layout Randomization). You’ll often need techniques like leaks to determine the current base address of the stack at runtime.

Example Scenario

Let’s say you have a vulnerable program with a buffer on the stack and want to overwrite the return address.

rsp (stack pointer) = 0x7ffeefbfd8a0
buffer address = 0x7ffeefbfd850
Offset to buffer: 0x7ffeefbfd8a0 – 0x7ffeefbfd850 = 0x50 (80 bytes)
Return address offset: 0x50 + 8 = 0x58 (88 bytes)

To overwrite the return address, you would need to send 88 bytes of data to the program.