Blog | G5 Cyber Security

Buffer Overflow: Shellcode Address

TL;DR

This guide shows you how to find the address at which your shellcode sits in a vulnerable program's memory, so that you can overwrite the saved return address with that address and redirect execution into the shellcode. We’ll use GDB, a debugger, to inspect memory at run time.

Finding Your Shellcode Address

  1. Compile the Vulnerable Program: Compile with debugging symbols (-g flag) so GDB can show variable names and source lines. For a classic stack-based shellcode exploit the binary must also be built without the usual mitigations: -fno-stack-protector so the stack canary does not abort the program before the overwritten return address is used, and -z execstack so code placed on the stack is allowed to run. For example:
    gcc -g -fno-stack-protector -z execstack vulnerable_program.c -o vulnerable_program
  2. Start GDB: Launch the debugger with your executable.
    gdb vulnerable_program
  3. Set a Breakpoint: Identify the point in your code where the buffer is copied (the strcpy, gets, read or similar call). Set a breakpoint just before this copy operation, either on the function that contains it (break <function>) or on its source line (break <file.c>:<line>). This lets you examine the buffer's address and layout *before* the overflow occurs; to see your shellcode once it has actually landed in the buffer, add a second breakpoint on the line after the copy. Breaking at main is a reasonable starting point:
    break main
  4. Run the Program: Start the program within GDB.
    run
  5. Inspect Memory: Once the breakpoint is hit, list the local variables to learn the buffer's name and contents, then take its address directly with print and the address-of operator (print &<buffer>) rather than guessing. The address the buffer starts at is what the exploit ultimately needs.
    info locals
  6. Find the Shellcode: After the copy has run, dump the memory around the buffer in hexadecimal and look for the byte sequence of your shellcode (a NOP sled of 0x90 bytes in front of it is easy to spot). The x command takes a count, a format and a unit size:
    x/20bx $rsp

    (This example dumps 20 bytes in hexadecimal format starting at the stack pointer. $rsp is the x86-64 stack pointer; on 32-bit x86 use $esp. The buffer usually sits above the stack pointer, so you may need a larger count, or start the dump at the buffer's own address instead.)

  7. Alternative: Search for a Byte Pattern: GDB's x command cannot be piped into grep, but GDB's find command scans a memory range for a byte sequence and prints every address where it occurs. Search from the stack pointer upwards for the first bytes of your shellcode, or for the start of its NOP sled (four 0x90 bytes in this example; /b means compare byte by byte, +200 is the length of the range in bytes):
    find /b $rsp, +200, 0x90, 0x90, 0x90, 0x90
  8. Confirm the Address: Once you find your shellcode in memory, note its address. This is the value you write over the saved return address in the buffer overflow payload. Keep in mind that GDB disables address space randomization by default and alters the environment (for example the LINES and COLUMNS variables), so stack addresses observed under GDB can differ from those in a normal run; aiming at the middle of a NOP sled rather than at the first shellcode byte gives you a margin for such small shifts.
  9. Repeat if Necessary: If you are unsure about the exact location of the buffer or shellcode, repeat steps 4-6 with different breakpoints and memory addresses until you locate it reliably.
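The procedure above is a manual one, so here is an added example (written for this page, not code from the original post) that does the same two things in C: it scans a memory region for a shellcode byte sequence the way GDB's find command does, and it derives the address to write over the saved return address from the location it found, aiming into the NOP sled. The MARKER bytes are a constructed placeholder standing in for real shellcode, the buffer is a local array rather than a vulnerable program's buffer, and the function names are this example's own.

```c
/* Added example: locate a shellcode marker in a byte region (what GDB's
 * `find /b start, +len, b1, b2, ...` does) and pick the return-address
 * target from it. MARKER is a constructed placeholder, not real shellcode. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90 /* x86 NOP; a run of these is the "sled" in front of shellcode */

/* Constructed placeholder for shellcode: a unique byte sequence, not an exploit. */
static const uint8_t MARKER[] = { 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe };

/* Search [hay, hay + hay_len) for needle; return the byte offset of the first
 * match or -1 if absent. Equivalent to:
 *   (gdb) find /b <hay>, +<hay_len>, 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe */
long find_pattern(const uint8_t *hay, size_t hay_len,
                  const uint8_t *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len)
        return -1;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return (long)i;
    return -1;
}

/* Lay out a payload as [NOP sled][MARKER][NOP padding] in buf.
 * Returns the number of bytes written, or 0 if the sled and marker do not fit. */
size_t build_payload(uint8_t *buf, size_t buf_len, size_t sled_len)
{
    if (sled_len + sizeof MARKER > buf_len)
        return 0;
    memset(buf, NOP, sled_len);
    memcpy(buf + sled_len, MARKER, sizeof MARKER);
    memset(buf + sled_len + sizeof MARKER, NOP, buf_len - sled_len - sizeof MARKER);
    return buf_len;
}

/* Choose the value to write over the saved return address: the middle of the
 * NOP sled that precedes the marker, so that a small error in the observed
 * buffer address still lands on the sled and slides into the code. */
uintptr_t pick_return_target(uintptr_t buf_addr, long marker_off)
{
    return buf_addr + (uintptr_t)(marker_off / 2);
}

int main(void)
{
    uint8_t buf[64];
    if (build_payload(buf, sizeof buf, 32) == 0)
        return 1;
    long off = find_pattern(buf, sizeof buf, MARKER, sizeof MARKER);
    if (off < 0) {
        puts("marker not found");
        return 1;
    }
    uintptr_t target = pick_return_target((uintptr_t)buf, off);
    printf("buffer at %p, marker at %p (offset %ld), aim return address at %p\n",
           (void *)buf, (void *)(buf + off), off, (void *)target);
    return 0;
}
```

Run it twice, once under GDB and once from a plain shell, and compare the printed buffer address: the difference is exactly the environment-induced shift that the NOP sled is meant to absorb.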

Important Considerations
