- 19
- 103 988
RazviOverflow
เข้าร่วมเมื่อ 10 ก.ค. 2018
Exploit code, not people.
Reverse Engineering: Cutter installation, configuration and customization
Using a great reversing platform is key when it comes to making your life easier while trying to understand the intricate inner workings of any program. In this video, we will see how easy it is to install, configure and customize Cutter, a reverse engineering framework based on Rizin. Additionally, we will discuss and (hopefully) understand the changes introduced some versions ago about how variables are referenced. That is, the newer stack vs the older rbp/rsp - offset.
Cutter - cutter.re/
Cutter on GitHub - github.com/rizinorg/cutter
Reverse Engineering question on Stack Exchange - reverseengineering.stackexchange.com/questions/32317/cutter-shows-addresses-relative-to-stack-but-not-rbp-how-to-change-it
Rizin - github.com/rizinorg/rizin
00:00 - Intro
00:28 - Some reversing tools
01:51 - Downloading Cutter
02:24 - "Installing" Cutter
03:44 - Compiling a toy example
04:17 - Launching Cutter for the first time
05:54 - Moving tabs to the top
06:12 - Exploring the disassembly
06:21 - Exploring the graph view
06:21 - Exploring the decompiler
07:01 - Adding graph overview
07:24 - Adding console and comments
07:33 - Adding memory sections
07:50 - Rearranging windows
08:23 - Adding memory segments
08:46 - Changing interface theme
09:38 - Changing color theme
10:22 - Customizing disassembly
11:04 - Adding opcode to disassembly
11:52 - Adding comments to disassembly
12:01 - Adding x-refs (cross references)
12:10 - Modifying graph options
12:23 - Displaying functions horizontally
13:17 - Clarifying variable referencing
14:03 - Addresses relatives to stack not rbp
16:33 - Recap
16:56 - Outro[*]
Exploit code, not people.
GitHub: github.com/RazviOverflow
Twitter: @Razvieu
*Outro track: AM 1984 - T-800
GG
Cutter - cutter.re/
Cutter on GitHub - github.com/rizinorg/cutter
Reverse Engineering question on Stack Exchange - reverseengineering.stackexchange.com/questions/32317/cutter-shows-addresses-relative-to-stack-but-not-rbp-how-to-change-it
Rizin - github.com/rizinorg/rizin
00:00 - Intro
00:28 - Some reversing tools
01:51 - Downloading Cutter
02:24 - "Installing" Cutter
03:44 - Compiling a toy example
04:17 - Launching Cutter for the first time
05:54 - Moving tabs to the top
06:12 - Exploring the disassembly
06:21 - Exploring the graph view
06:21 - Exploring the decompiler
07:01 - Adding graph overview
07:24 - Adding console and comments
07:33 - Adding memory sections
07:50 - Rearranging windows
08:23 - Adding memory segments
08:46 - Changing interface theme
09:38 - Changing color theme
10:22 - Customizing disassembly
11:04 - Adding opcode to disassembly
11:52 - Adding comments to disassembly
12:01 - Adding x-refs (cross references)
12:10 - Modifying graph options
12:23 - Displaying functions horizontally
13:17 - Clarifying variable referencing
14:03 - Addresses relatives to stack not rbp
16:33 - Recap
16:56 - Outro[*]
Exploit code, not people.
GitHub: github.com/RazviOverflow
Twitter: @Razvieu
*Outro track: AM 1984 - T-800
GG
มุมมอง: 1 593
วีดีโอ
Making stack executable with malicious mprotect call - pwn110 - PWN101 | TryHackMe
มุมมอง 2.1Kปีที่แล้ว
Abusing a buffer overflow to craft a malicious call to mprotect(2) and change the stack protections making it executable in order to spawn a shell (shellcode). This will bypass the NX bit, which the binary was compiled with. Step-by-step resolution of the pwn110 challenge of TryHackMe's PWN101 room. We will also understand what an aligned address is by calculating the page boundary of the memor...
How to debug your exploit and payloads - Binary Exploitation PWN101
มุมมอง 1.6Kปีที่แล้ว
In this video we will attach a debugger to our exploit and debug the various payloads and crafted inputs we may need in order to successfully exploit the binary. Debugging the exploit is extremely useful whenever you want to know if your payload is arranged in memory how you expect, or if you are parsing and correctly crafting a given payload. This technique is useful for every debugger, but es...
Exploiting Return to Libc (ret2libc) tutorial - pwn109 - PWN101 | TryHackMe
มุมมอง 7Kปีที่แล้ว
Return to libc (ret2libc) fully explained from scratch. In this video we will see and understand how to perform a ret2libc in a multistaged exploit. First, we will abuse a buffer overflow in order to hijack the execution flow and leak addresses from the global offset table (GOT). We will create a tailored ROP chain to jump to PLT, passing as parameters addresses from the GOT. Once we obtained t...
Exploiting Return Oriented Programming (ROP) tutorial - Binary Exploitation PWN101
มุมมอง 18K2 ปีที่แล้ว
ROP tutorial step by step, explained in detail. We will understand how Return Oriented Programming works and how to use this exploitation technique to abuse (exploit) vulnerable binaries. We will understand the theory behind the technique and later put it into practice by exploiting an actual challenge from ROPEmporium. In order to understand ROP, the most important thing is to understand what ...
GOT overwrite with Format String - pwn108 - PWN101 | TryHackMe
มุมมอง 5K2 ปีที่แล้ว
In this video we will see step by step how to overwrite GOT (Global Offset Table) entries by abusing a Format String vulnerability, hence hijacking the execution flow of the program. We will see in detail how to overwrite memory with the %n format specifier from the printf family of functions, understanding how to write 4 or less bytes with the values we desire at the address we want. Besides, ...
Global Offset Table (GOT) and Procedure Linkage Table (PLT) - Binary Exploitation PWN101
มุมมอง 6K2 ปีที่แล้ว
In this video we will see how the Global Offset Table (GOT) and the Procedure Linkage Table (PLT) work together in order to make the execution of the binary possible. We will dig into the GOT and PLT from a binary exploitation (PWN) perspective, aiming at understanding how attacks like ret2plt or GOT overwrites are carried on. We will also debug the invocation of the Dynamic Linker when it is t...
PIE and Canary bypass with Format String - pwn107 - PWN101 | TryHackMe
มุมมอง 5K2 ปีที่แล้ว
Bypassing stack canaries and PIE/PIC by abusing a Format String vulnerability. In this step-by-step tutorial we will understand what a canary is, what is its main purpose and how can we bypass it in order to hijack the program's execution flow. At the same time, we will dig into Position Independent Executable (PIE) or Position Independent Code (PIC) and learn how to bypass it as well, exploiti...
Exploiting Format String vulnerabilities tutorial - pwn106 - PWN101 | TryHackMe
มุมมอง 4.9K2 ปีที่แล้ว
Understanding the format string vulnerability step by step in this thorough tutorial explaining its very foundations, the underlying concepts. How do format string vulnerabilities happen, why and how can we abuse them. Format String vulnerabilities allow an attacker to both leak memory and corrupt it by writing arbitrary values. In this video we will learn how to leak memory by abusing a Format...
Shellcode Execution (ret2shellcode) - pwn104 - PWN101 | TryHackMe
มุมมอง 4.2K2 ปีที่แล้ว
Hijacking the program's execution flow in order to execute our payload, which conveniently corresponds to assembly instructions/code that spawn a shell (Shellcode), an attack that is commonly referred to as ret2shellcode or simply shellcode execution. This time we are abusing a buffer overflow caused by the misuse of read. The address of the buffer on the stack (where we want to jump to in orde...
Exploiting Integer Overflow (IOF) / Underflow tutorial - pwn105 - PWN101 | TryHackMe
มุมมอง 3.1K2 ปีที่แล้ว
We will see what an Integer Overflow (IOF) is and how to abuse them. Exploiting an integer overflow so as to spawn a shell. In this video we are exploring the binary world and how the CPU treats numbers. We will discuss their representation in memory (both positive and negative numbers) and how basic arithmetic (addition and subtraction) is carried out, which will inevitably lead us to integer ...
Buffer Overflow to Modify Variable Values - pwn102 - PWN101 | TryHackMe
มุมมอง 4.7K2 ปีที่แล้ว
Overflowing a buffer due to the use of scanf function. We are overwriting memory in such a way that we're placing specific values at specific addresses hence spawning a shell. Step-by-step tutorial solving pwn102 from PWN101 binary exploitation room on TryHackMe. Endianness video: th-cam.com/video/T8E_JRqN0fY/w-d-xo.html PWN101 Room: tryhackme.com/room/pwn101 Binary Exploitation PWN101 Playlist...
Intro - Binary Exploitation (PWN101) room on TryHackMe
มุมมอง 3.8K2 ปีที่แล้ว
Welcome to PWN101 video series. We will see how to solve Binary Exploitation (PWN101) room from TryHackMe. Join me in this new stack-based pwn adventure! PWN101 Room: tryhackme.com/room/pwn101 Binary Exploitation PWN101 Playlist: th-cam.com/play/PLchBW5mYosh_F38onTyuhMTt2WGfY-yr7.html Binary Exploitation PWN101 Webpage: razvioverflow.github.io/tryhackme/pwn101 Exploit code, not people. Twitter:...
Exploiting Buffer Overflow (BOF) tutorial - pwn101 - PWN101 | TryHackMe
มุมมอง 11K2 ปีที่แล้ว
In this video we will see what a buffer overflow is, why does it happen and how to exploit it. Abusing a call to a vulnerable function (gets) in order to perform a buffer overflow and overwrite the value of a given variable stored in the stack. Since the value of this variable is later checked in the code, by overwriting it we manage to spawn a shell. Step-by-step walkthrough solving pwn101 fro...
Execution Flow Hijacking (ret2win) - pwn103 - PWN101 | TryHackMe
มุมมอง 4.2K2 ปีที่แล้ว
Hijacking the program's execution flow in order to execute a function of our choice, which is usually called ret2win (because we are returning to win() or any equivalent function) . We are abusing a buffer overflow caused by the use of scanf. A detailed explanation is given about how the stack behaves and what is happening in memory during the execution, so as to understand the underlying conce...
Endianness Explained. Little-Endian and Big-Endian for 32 and 64 bits - Binary Exploitation PWN101
มุมมอง 2.8K2 ปีที่แล้ว
Endianness Explained. Little-Endian and Big-Endian for 32 and 64 bits - Binary Exploitation PWN101
TryHackMe | Dear QA - Binary Exploitation (PWN)
มุมมอง 2K2 ปีที่แล้ว
TryHackMe | Dear QA - Binary Exploitation (PWN)
Compiling Crypto++ in Microsoft Visual Studio 2019/2017 (with Cryptopp-PEM)
มุมมอง 16K2 ปีที่แล้ว
Compiling Crypto in Microsoft Visual Studio 2019/2017 (with Cryptopp-PEM)
Seccomp nanosleep pwn binary exploitation | DekraCTF 2020 WeirdChall
มุมมอง 6473 ปีที่แล้ว
Seccomp nanosleep pwn binary exploitation | DekraCTF 2020 WeirdChall
Hi, the binaries i compiled on my machine, they don't have "pop rdi" gadget even
I'm not sure what binaries are you talking about, but you can place arbitrary instructions with the asm() function.
Very very good explained broo
Thank you :)
i got an error not a valid win32 application ?
Thank you so much! I couldn't find anything else on this. Only crypto bros trying to sell me their coins
You are welcome. Yes, unfortunately cryptobros trying to scam people are flooding the internet nowadays.
Thanks for a great video! I have one question: because we overwrited the RBP with 'B'*0x8, wouldn't the "leave" assembly code set RSP = RBP, sending the stack pointer into an invalid location and failing the code?
Hi there. Yes, that's totally correct. Overwriting old rbp with random padding bytes implies the old stack frame (the one about to be restored with mov rsp, rbp; pop rbp) becoming invalid. Depending on what you are trying to achieve, you may or may not have to care about the state of the stack. In this case, it is irrelevant.
"If there is something you want to say, leave it in a comment" I want to say thank you man for this great series, I have learned a lot from you. your explanations are very clear.
Thank you for your kind words. I'm happy my videos helped you :)
Every single one of your videos has taught me 10 x anything I have ever learned from any other instructor. Your approach with explaining each subject and all of the complex details is just phenomenal. So grateful to have stumbled across you. Working my way through your content and loving every minute.
Thank you for your kind words ❤Glad my videos are useful to you :)
Why did you use ret "0x000000000040101a"? like based on what you chose it? do we use any ret gadget cuz it won't modify the code? just pop the address and go to it? Thank you <3
Any ret instruction would have the same effect.
trying to understand how to make the payload was the roughest part for me tbh. but after a couple of hours, I managed to understand it entirely. alhamdulillah Thanks, brother <3
You're welcome :)
take another heart <3
Glad to receive it (again)
take a heart <3
Glad to receive it :)
exelent 🥸
Thank you :)
At some point you found an address that persist over multiple execution. But i tried and cant find it. What am i missing😢
You should be able to replicate the video, that's weird.
You are the perfect man, my friend. I am very happy to have found someone who explains it as logically and comprehensively as you, because you speak the only language I understand, and that is logic!
Glad to help :) Thank you for your kind words!
Excellent video dude, thanks!
You are welcome :)
The king has returned
Hey i am getting, stopped with exit code -11 (SIGSEGV) error while trying this example. Welcome admin 😄 [*] Got EOF while reading in interactive i am getting this output but not able to use the shell for anything and "payload = b"A"*0x28 + admins_only_address" is my payload anyway thanks for the help, really helpful videos
At 9:25, you mentioned about changing the whole memory page protection (in order to be able to execute the shellcode), but how did you know that the shellcode is within the memory page of __libc_stack_end (and not in some other page of the stack which will make the stack not executable)?
17:55 - Aligning the leaked address Usually the stack isn't that large. However, you can always debug and check it.
@@RazviOverflow Thanks for the tip. I ran the debugger in IDA several times (ASLR enabled) and noticed that you’re right in terms of the standard input and __libc_stack_end are always in the same page. Specifically, the offset between rbp-20h (the beginning of the buffer for standard input) and the virtual address of __libc__stack_end is always 0x148 bytes, which is good enough for a page size of 4096 bytes
Hey Razvi, great video as always. So I got the virtual address of puts() from libc and I subtracted this address by its offset (last 3 hex values) so I should get the base address of libc. However, jumping to the resulting address in IDA does not show the text segment but some random data bytes. I wanna ask you if you think using a (virtual address + offset) is an unreliable way to obtain the base address of a segment, thanks!
If the library is loaded and you got its dynamic base address you should be able to see it.
@@RazviOverflow Thanks for the reply Razvi! The issue with the offset bits in a virtual address is that they are only 12 bits long. But you can have a starting virtual address of 0x7FABCDEF0000A000 in the text segment and a virtual address within the segment at 0x7FABCDEF0000B000. So the real offset here is not “000” but 0x1000, which is more than 12 bits.
@@rgb123-jm5mc I think I'm not fully understanding your problem. In order to get the offset, you shouldn't care about how many bits are used for this specific addressing. If you know the base address and the dynamic address, simply subtract them. Now, where does it say the offset has to be 12 bits? Could you link some docs?
@@RazviOverflow Hey Razvi, I think I might have mistaken the segment offset with page offset (lower 12 bits in virtual address). Since TH-cam filters link, I found it in the first entry from the Google search “Cornell virtual address 12 bit offset”. Even though it uses 32-bit architecture, 12 bit virtual address offset is still used in 64-bit systems
@@RazviOverflow I think YT has deleted my comment for some reason, but I searched up Cornell Linux Virtual Address Offset and clicked on the first entry. Even though the webpage talks about 32-bit architecture, the offset is still 12 bits in 64-bit architecture.
It's hard. But thanx.
I know it is, but it's worth the effort.
thank you so much once again, I've been doing 1-2 of the PWN101 tasks per day. By the way what would you rate the difficulty of pwn108, pwn109, and pwn110?
You are welcome :) Difficulty is something very hard to estimate. It is relative and subject to each one of us. However, I can tell you they're harder than a simple BOF. Specially pwn107, that requires you to know and understand what GOT and PLT are, and how do they work. (I have a video on that topic as well).
your explanations are very very good! Towards the end when you mentioned about padding an extra 'ret' to the stack (by overwriting the stack using buffer overflow vulnerability), I assume this extra return instruction's address is popped so code execution will begin at that address, which is just another return instruction. Once this executes, it will pop the stack again and direct code execution to the admins_only function. Is that right? By the way, it seems like with PIE disabled, ASLR still applies to other non-text segments. Also, is there a way to tell if the stack is 16-byte aligned, or is this 'ret' padding method a technique that may or may not work? Thank you!
Thank you :) The extra ret instruction has no effect from the operational point of view, it just aligns some stuff within the stack frames. It is usually needed in ubuntu 18.04, give to the MOVAPS issue (which I briefly speak about in the ROP video)
Best ROP explanation I found on internet. Seriously most of contents on internet are all about using rop gadget tool. First 2 challenges on ropemporium are great too. I learned a lot from them (and simple login on pwnable kr)
I love your way of explaining things, I've been checking several sources for this stuff and so far this is the best for my way of thinking. GG
Thank you Javier. I'm glad my videos could help you :) Gracias
how do you know this 216f is format specify?
What do you mean?
Thank you so much, was stressing and struggling with this implementation and library inclusion. Success with Visual Studio 2022👍
You are welcome, glad I could help :)
Why do you minus shellcode? why do you not add them all together like in the previous videos?
I'm not doing -shellcode, I'm doing - len(shellcode). That's because I want to pad with A's 0x50 minus the bytes of the shellcode, and I don't want to manually count them. So I use 0x50 - len(shellcode)
@@RazviOverflow Oh ok what is the purpose of subtracting 0x50 from the length of the shellcode ?
ignore me I think I figured it out.
@@davidmohan2698 No worries at all. If you still have any doubt ask me, I'll do my best to clarify it.
Thanks A LOT!!!
You are welcome
Man these are great! Please make more.
Thank you :)
If anyone wonders how to configure Cutter to look like the instance you see in the video, I have prepared a step-by-step configuration video: th-cam.com/video/zrXA3AC_658/w-d-xo.html Hope this helps!
polino mi manchi
You know what u doing hehe
I wish -.-'
Ciao POLIMI
i dont understand a shit from all of this, i don't know what is the flow or next instruction when you talk about things, i don't see the context
You are the first one (so far) pointing out the context is missing. Please tell me why and how the video could be improved.
@@RazviOverflow Just look at the illustration at 12:30, it may be not even your fault, just assembly is ... insane, everything goes everywhere all the time and i fail to map this in my brain
@@ragnarlothbrok367 Ok, then the problem is not the video. Have you tried watching easier videos?
Promo SM 😜
Wow - this is by far the best explanation if seen on the topic so far. Thank you very much!
Glad you liked the video :)
Hello Razvi! Thank you very much for your videos, the explanations are very clear, thanks again 😁
You are more than welcome. I'm happy you like my videos and they help in any way :)
Thanks!
I'm happy you liked the video :) And thank you very much for the super!
Did everything in the video unfortunately it did not work.. I was still getting error about visual studio not being able to find header files the only fix for me was installing it via vcpkg
Bro thank you man
You are welcome
Thank you very much! It works for me in Visual Studio Code 2022.
You are welcome :)
Can you edit the video with visual studio 2022? I get many errors.
I don't think I will... Why don't you try using VS2019?
@@RazviOverflow It's done, thank you. Is it also valid for Cryptlib and not for others, for example, when I look on the internet, they import the Cryptopp library. Can you post videos for others? Again, health to your hands, labor and mouth. You are a life saver <3
@@kinezi7898 I don't think I will record videos on this topic, but I will sure do in the areas of binary exploitation and reverse engineering. Glad my video helped you. Cheers :)
@@RazviOverflow Can I ask two more questions? I've been trying to download OpenSSL lately and I'm getting errors, maybe it's because of what the guy did or maybe it's outdated because I'm typing exactly what he said in the terminal. Can you make a separate openssl installation video? Also, you made the Cryptlib library in this video, can you make others like Cryptopp Cryptest?
The chef is back to cook 🔥, could u start with heap exploitation also your series is the best for pwn in youtube
Hi there! I will consider getting into heap exploitation once I'm done with all the stack stuff I got in mind :) Thank you
legend is back
🫂
Thanks a lot for this, really needed this, was really confused when I was watching your pwn101 series and my disassembly code had variables relative to stack and not rbp, thanks a lot for this video sir.
Glad it helped, that's the main purpose of my videos :)
we need more videos from you.......why did u stop mnaking them??
I did not stop, nor do I plan to stop... only that making videos takes some time. Time that I do not always have. Thank you for your support :)
Wow Razvi. Soo glad you posted this video! Do you have plans to go down the reverse engineering route of videos? Or are you going to continue down the path of more complex exploitation techniques? Either way, I’m all here for it!
Regarding reversing, it's something that has been on my mind for some time now. If so, what would you like to see?
@@RazviOverflow awesome. I’d like to see how you would approach reversing both Linux and PE files and how you would translate the assembly instructions back to C pseudo code to understand overall program logic. Maybe also do some Windows Keygen challenges where you write Key generators for various executables. I’m sure many others like myself would like to improve their overall reversing skills so a clear cut methodology on how to approach different challenges would be really cool to see and learn from. Thanks Razvi.
@@CHRISTIVN.OFFICIAL Thank you for your ideas, I'll definitely give it a thought. Although I cannot promise any specific video (at least in the short team), there is nevertheless a video I'd like to do anytime soon, reversing related.
@@RazviOverflow sure. at the end of the day the video choice is all yours. Make do with it as you please and please take your time. 🙏🏾💯. This is top tier content
@@CHRISTIVN.OFFICIAL Thank you for your support :)
Ooooff new video ❤🔥 Yesterday by the morning I did all the pwn101 series with your videos on the side and I was thinking about you and wondering about your next video, and here it is! Thanks for sharing men!
You are welcome :) I'm happy my videos helped you
Thanks !!!!
You are welcome :)
Each video goes up in quality, thank you so much for sharing!
You are welcome, thank you :)