TL;DR
This guide shows you how to find the address at which your shellcode sits in a vulnerable program's memory, so that you can use that address when you overwrite the saved return address and gain control of execution. We'll use GDB, a debugger, to inspect memory at runtime.
Finding Your Shellcode Address
1. Compile the Vulnerable Program: Make sure your program is compiled with debugging symbols (the -g flag). This gives GDB source-level information such as variable names and line numbers. For example:
   gcc -g vulnerable_program.c -o vulnerable_program
2. Start GDB: Launch the debugger with your executable.
   gdb vulnerable_program
3. Set a Breakpoint: Identify the point in your code where the buffer is copied and set a breakpoint just before that copy. This lets you examine memory *before* the overflow occurs. Breaking at main is a coarse starting point; a breakpoint on the line that performs the copy (break vulnerable_program.c:<line>, with the line number taken from your own source) is more precise.
   break main
4. Run the Program: Start the program within GDB.
   run
5. Inspect Memory: Once the breakpoint is hit, use the x command to examine memory around the buffer. You need to know (or guess) where the buffer is located in memory. A common approach is to look at the local variables first, since -g lets GDB name and locate them:
   info locals
6. Find the Shellcode: Search for your shellcode within the examined memory region. You can read a hexadecimal dump directly or search for specific byte patterns from your shellcode.
   x/20bx $rsp
   (This example dumps 20 bytes in hexadecimal format starting at the stack pointer.)
7. Alternative: Search for Shellcode Pattern: If your shellcode contains a distinctive byte sequence, search for that pattern. GDB does not pipe the output of x to a shell command on its own; use its pipe command (available in GDB 10 and later). Because grep matches text row by row, a pattern that straddles two rows of the dump will be missed; GDB's own find command searches a memory range for a byte sequence and avoids that problem.
   pipe x/100bx $rsp | grep 'your_shellcode_pattern_hex'
8. Confirm the Address: Once you find your shellcode in memory, note its address. This is the value you will write in place of the saved return address during the buffer overflow exploit.
9. Repeat if Necessary: If you are unsure about the exact location of the buffer or shellcode, repeat steps 4-6 with different breakpoints and memory addresses until you locate it reliably.
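The row-oriented grep in step 7 misses a pattern that spans two rows of the dump. The script below is an added example, not part of the original guide: it parses the text that x/Nbx prints, reassembles the contiguous bytes, and reports the absolute address of every match. The dump it contains is constructed rather than captured from a session, and the marker bytes de ad be ef are a placeholder for whatever distinctive sequence your own payload begins with. Inside GDB itself the built-in find command does the same job without leaving the debugger, e.g. find /b $rsp, +100, 0xde, 0xad, 0xbe, 0xef.

```python
"""Locate a byte pattern in a GDB `x/Nbx` memory dump.

Added example: parses the rows GDB prints for `x/Nbx ADDR`, rebuilds the
contiguous byte string they describe, and reports the absolute address of
each occurrence of a pattern, including one that straddles two rows.
"""
import re

# One row of `x/Nbx` output looks like:
#   0x7fffffffe3a0:         0x41    0x41    0x90    0x90 ...
# For addresses inside a known symbol GDB adds "<sym+off>" after the address.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s*(?:<[^>]*>)?:\s*(.*)$")


def parse_x_dump(text):
    """Return (base_address, data) for a contiguous `x/Nbx` dump.

    Raises ValueError on a malformed row or a gap between rows, so output
    pasted together from two unrelated `x` commands is not silently merged.
    """
    base = None
    next_addr = None
    data = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dump row: {line!r}")
        addr = int(m.group(1), 16)
        row = bytes(int(tok, 16) for tok in m.group(2).split())
        if base is None:
            base = addr
        elif addr != next_addr:
            raise ValueError(f"gap in dump before {addr:#x}")
        data += row
        next_addr = addr + len(row)
    if base is None:
        raise ValueError("empty dump")
    return base, bytes(data)


def find_pattern(text, pattern):
    """Absolute addresses (as ints) at which `pattern` begins in the dump."""
    base, data = parse_x_dump(text)
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(pattern, pos + 1)
    return hits


# Constructed sample (not captured from a real session): three rows as
# `x/24bx $rsp` would print them. The marker de ad be ef is split across
# the first two rows, so row-by-row text matching with grep would miss it.
SAMPLE_DUMP = """\
0x7fffffffe3a0:\t0x41\t0x41\t0x41\t0x41\t0x90\t0x90\t0xde\t0xad
0x7fffffffe3a8:\t0xbe\t0xef\t0x41\t0x41\t0x41\t0x41\t0x41\t0x41
0x7fffffffe3b0:\t0x41\t0x41\t0x41\t0x41\t0x41\t0x41\t0x41\t0x41
"""

MARKER = bytes.fromhex("deadbeef")  # constructed placeholder pattern

if __name__ == "__main__":
    for addr in find_pattern(SAMPLE_DUMP, MARKER):
        print(f"pattern found at {addr:#x}")
```

Paste the real x output into SAMPLE_DUMP (or read it from a file) and the reported address is the one you note in step 8. The gap check matters when you combine several x commands: a dump whose rows are not contiguous would otherwise produce offsets that do not correspond to any real address.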
Important Considerations
- Address Space Layout Randomization (ASLR): ASLR randomizes memory addresses each time the program runs. If ASLR is enabled, the shellcode address will change on each execution. You may need to disable ASLR for testing or use techniques to bypass it. Note also that GDB disables address randomization for the program it debugs by default (set disable-randomization on), and that the size of the environment and arguments shifts the stack, so an address observed under GDB can differ from the one the same program gets outside the debugger.
   echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
- Stack Growth: Be aware of the direction in which the stack grows on your architecture (towards higher or lower addresses). This affects where, relative to the stack pointer, you need to search for the shellcode.
- Shellcode Size: Know the exact size of your shellcode. This helps when searching memory and calculating offsets.

