64-Bit NX Bypass

In this article, we’re going to be looking at a simple way of bypassing NX on a 64-bit Kali Linux system. NX (aka DEP) prevents code from executing from stack or heap memory.

The primary difference between doing this on a 64-bit system, as opposed to a 32-bit one, is that called functions expect their parameters in registers rather than on the stack (under the System V AMD64 calling convention the first integer or pointer argument goes in RDI).

The sample code below will be exploited:

Compile with:

Disable ASLR:

Analysing the Crash

Let’s start by determining which offset overwrites the interesting registers:

We can see the RBP (stack base pointer) register is overwritten after 48 bytes. On 64-bit systems, RIP will only show the overwritten value if that value is a canonical (valid) address; a return to a non-canonical address faults before RIP changes, so our random pattern will not appear in it. However, we know the saved return address sits 8 bytes above the saved RBP, so the correct offset is 56.

Locating Useful Gadgets

We’re going to attempt to execute the system function from libc. Let’s find the address of the “system” function, in addition to a string reference to “/bin/sh”:

Finally, as previously discussed, we need to ensure the argument to the function (in this case the address of “/bin/sh”, which “system” expects in RDI) is loaded into the RDI register before the call. Using the “ropper” application, we can find a suitable gadget in the binary:
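This technique only works as described when the binary has NX enabled (otherwise shellcode on the stack would do) and is not position-independent, so that the gadget ropper finds and the ASLR-disabled libc addresses stay fixed. The following added check, which is not part of the original article, reads the ELF64 headers directly to report the NX and PIE status of a build, following the same convention as checksec (NX counted as enabled only when a PT_GNU_STACK header is present without the execute flag); the sample image it parses is constructed inline and is not a runnable program.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that declares stack permissions
PF_X = 0x1                  # execute flag in p_flags (PF_W = 0x2, PF_R = 0x4)
ET_EXEC, ET_DYN = 2, 3      # e_type: fixed-address executable vs. PIE / shared object


def check_elf64(data: bytes) -> dict:
    """Report NX and PIE status of an ELF64 image from its headers alone."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS == 2 means 64-bit
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # checksec convention: no PT_GNU_STACK at all counts as an executable stack
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # For an executable, ET_DYN means it was linked as a PIE and will be relocated
    return {"nx": nx, "pie": e_type == ET_DYN}


def make_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Construct a minimal ELF64 header plus one PT_GNU_STACK entry (test input only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8     # 64-bit, LE, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0x401000,  # e_type, e_machine (x86-64), e_version, e_entry
        64, 0, 0,                   # e_phoff (right after header), e_shoff, e_flags
        64, 56, 1, 64, 0, 0,        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else make_sample_elf(ET_EXEC, 0x6)
    print(check_elf64(image))
```

Run it against the compiled sample to confirm the build has NX on and PIE off before looking for gadgets; with `gcc -fPIE -pie` the same binary would report `pie: True`.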

The Exploit

With the necessary information collected, we can now write the exploit:

We can now run the payload to achieve command execution:

Using the “cat” command twice is necessary to prevent the application from exiting before user input is accepted: the second “cat” keeps stdin open after the payload has been sent, so the spawned shell can read our commands.