5: Injecting Shellcode (Shellcraft/MSFVenom) - Buffer Overflows - Intro to Binary Exploitation (Pwn)

  • Published 27 Dec 2024

Comments •

  • @ta-travels-th2lu
    @ta-travels-th2lu 7 months ago +2

    Congratulations for the amazing step-by-step beginner-friendly tutorials!
    I just have a small question that might be silly. At minute 4:15, it seems that we have the buffer at the top of the stack, followed by the saved old_ebp (named local_8 in Ghidra?) and then we have the return address for the receive_feedback function. So, if I get it right, we need to send 68 bytes to overwrite the buffer and then 4 more bytes to overwrite the old_ebp (local_8) value. So we need a total of 68+4=72 bytes. The next 4 bytes will overwrite the return address in the stack. I am a bit confused, since according to your analysis, it looks like we need 76 bytes as padding (and not 72) before we use the next 4 bytes to overwrite the return address. Where do these 4 extra bytes come from? What am I missing?

    • @_CryptoCat
      @_CryptoCat 6 months ago

      Thanks! Good question.. It's been a while since I did any pwn challs but upon review, this doesn't look correct. The buffer is definitely 68 bytes, then we have 4 byte EBP but ghidra is actually showing `local_8` and reserving 8 bytes on the stack. Perhaps this is just for alignment, inserted by the compiler 🤔

  • @solimm4sks510
    @solimm4sks510 1 year ago +3

    Why do you use jmp_esp to jump to the stack? Could we not jump to the stack by simply putting the address in the EIP register (when receive_feedback returns)?

    • @_CryptoCat
      @_CryptoCat 1 year ago +1

      Hey, good question - I think this answer provides a good explanation: security.stackexchange.com/a/181246 🙂

    • @solimm4sks510
      @solimm4sks510 1 year ago +1

      @@_CryptoCat AAAAAHHH I SEEE, cooool, thanks :)

    • @solimm4sks510
      @solimm4sks510 1 year ago +1

      @@_CryptoCat I was trying to do it with the EIP register for hours, and couldn't understand why it wasn't working, when everything seemed fine when I was testing it through gdb(pwndbg). I just found out that gdb disables ASLR by default, so it seems like it is working, while it really isn't.

  • @joshhogan7657
    @joshhogan7657 2 years ago +2

    Loving this awesome series!!
    8:09 One way around the issue you were having about not being able to read the corefile to find the 'padding' number is to make a copy of the binary without the setuid bit set. You can do this as a normal user (non root).
    You can then run this copy of the binary which will crash with a normal corefile and allow you to locate the offset of EIP.
    Once you have that offset you can then run the rest of your exploit on the normal binary which has the setuid bit set and grab that flag.

    • @_CryptoCat
      @_CryptoCat 2 years ago

      thanks mate! good point on the binary copy 🙂

  • @soapdude4890
    @soapdude4890 1 year ago +1

    Hey,
    I'm just having a problem,
    when you run gdb-pwndbg at 4:28
    I'm getting a problem where it says I don't have permission when you type in run after doing gdb-pwndbg server
    error 126 permission denied
    I set the chown and chmod the same as yours
    only runs when I chmod +x it

    • @_CryptoCat
      @_CryptoCat 1 year ago

      Hmmm is the game owned by root maybe? If so, try and change the perms or maybe possible to run gdb as root (although could be some security implications if the binary is not trusted)

  • @ayush_panwar1
    @ayush_panwar1 2 years ago +2

    Nice, waiting for more awesome stuff coming soon.

  • @mehmeteminmese979
    @mehmeteminmese979 1 year ago +1

    This is a very good series, but at 9:44 why do you use 16 NOP instructions after jmp_esp, and why is the number 16? Thanks.

    • @_CryptoCat
      @_CryptoCat 1 year ago

      Thanks! Might not be needed here but sometimes you need some slack space between your shellcode and the ESP, e.g. security.stackexchange.com/a/169622. It also doesn't matter that it's 16 NOPs 🙂

    • @mehmeteminmese979
      @mehmeteminmese979 1 year ago +1

      @@_CryptoCat thanks again, your videos are so educative.

    • @_CryptoCat
      @_CryptoCat 1 year ago

      @@mehmeteminmese979 🙏🥰

  • @franklin7213
    @franklin7213 2 months ago +1

    Why was making the payload manually with python2 -c 'print ..., however, for some reason, the program doesn't execute the commands in the payload. It looks like it does, but it isn't shown in the terminal. How do I solve this problem?

    • @_CryptoCat
      @_CryptoCat 16 days ago

      Not too sure what's missing here, sorry!

  • @xenorev
    @xenorev 2 years ago +2

    Hello, there are a lot of things I've learned from this playlist, but I still can't get my head around registers etc. One thing that confuses me now is why we need jmp esp? Is it because we don't know where in the stack to execute a shellcode? Thank you.

    • @_CryptoCat
      @_CryptoCat 2 years ago +2

      Yep, exactly! If there was another vulnerability, e.g. printf format vuln, we could leak the address of the stack and just provide that but in this case we don't know the address [of the stack] where our shellcode will be at so we just JMP ESP 🙂

  • @davidlightman4929
    @davidlightman4929 2 years ago +1

    Great content, learned a lot from this playlist

    • @_CryptoCat
      @_CryptoCat 2 years ago

      thanks mate 🙏🥰

  • @animzex1257
    @animzex1257 8 months ago +2

    Can't we do this with a python2 -c script?

    • @_CryptoCat
      @_CryptoCat 8 months ago +1

      I would use pwntools with python3 but if you are just doing a payload manually (typing out the hex values) you'd want to use python2

  • @AzoozTheCyborg
    @AzoozTheCyborg 7 months ago +1

    Hey there, thank you for the amazing series!
    I'm trying to ret2shellcode on an x86 binary I have and all security mitigations are off; my problem is that I can't find a JMP ESP or CALL ESP.
    Are there any other ways I can jump to the top of the stack without using these two? And can't I just write the address of the start of the shellcode?
    Thanks again, you always inspire me!

    • @_CryptoCat
      @_CryptoCat 7 months ago

      Hi mate, thank you! I've not touched a pwn chall in so long but IIRC you got a couple of options:
      - you could add a JMP ESP instruction to the C file manually (like I did here: github.com/Crypto-Cat/CTF/blob/main/pwn/binary_exploitation_101/05-injecting_custom_shellcode/server.c)
      - you could look for a different gadget, e.g. can you find a JMP/CALL instruction to another register, then place the address of your shellcode in there
      - finally, as you said - you could just write the start address of the shellcode, the problem is for most binaries you won't be able to find that address easily without a leak or attaching some debugger (unless all protections are off)

  • @KK-yv4ku
    @KK-yv4ku 1 year ago +2

    Dude this is awesome! Just curious, how can I exploit it manually using python2 -c 'print 76 * "A" etc'? (./server < payload)
    I tried hard but I'm stuck right now trying to manually use the msfvenom shellcode. Any help will be awesome. Obviously your scripts worked fine. Love you bro.

    • @KK-yv4ku
      @KK-yv4ku 1 year ago +2

      Changed the "A" x "\x90" and also I had some double \ error on the 16 NOPs. Worked 😅 such lame errors, but anyway thank you so much for your material.

    • @KK-yv4ku
      @KK-yv4ku 1 year ago +2

      Figured out comparing my payload with the one of your msfvenom script 🙏🏼

    • @_CryptoCat
      @_CryptoCat 1 year ago

      Great job! 👏

  • @mythlord565
    @mythlord565 2 years ago +1

    Hey man, thanks for the amazing videos. I'm really confused about something: how do I know when the part before EIP will be executed or not? I think I've seen challenges where they drop shellcode before the EIP, so how does the shellcode get executed then? I don't understand when the processor decides to execute data or just deal with it as only saved on the stack.

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      Thanks mate! If you know the address of the shellcode then you wouldn't need to jump to the EIP, e.g. if there is some way to leak the address of the buffer (where user input goes), you can put your shellcode in the buffer and then instead of using a JMP EIP gadget, you just provide the leaked address to start executing. Hope that makes sense. If not, give me an example of a challenge like that and I'll take a look 😉

  • @longdashes
    @longdashes 2 years ago +1

    Dude you actually 5Head, I love you

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      5Head? How very dare you sir, I have 1 head! 😅 ty bro 💜

  • @TodiDiang
    @TodiDiang 1 year ago +1

    Hi, I'm learning that we can also use NOP to spawn shells, but after I tried it in your C program, why can't it work?

    • @_CryptoCat
      @_CryptoCat 1 year ago

      Hmmmm I don't fully understand the question.. Did you solve it already? Can you elaborate?

  • @ameer2942
    @ameer2942 2 years ago +1

    Great going man. After we are done with user land stuff, bring kernel land content too!

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      Thanks mate 🥰 Working through some heap stuff atm but i'll definitely move onto kernel at some stage!

  • @zeyadabuqasem9676
    @zeyadabuqasem9676 2 years ago +1

    Great content!

    • @_CryptoCat
      @_CryptoCat 2 years ago

      thanks mate 💜

  • @earthlyelder
    @earthlyelder 2 years ago +1

    best vids on the tube

  • @Dennis-bg7zo
    @Dennis-bg7zo 1 year ago +1

    Great series. I love all of your videos, Nice work!!❤ One question though: Normally there is no function like in your example with the instruction "jmp esp". What do I have to do in such a case? How do I get the shellcode to be executed if there is not such a gadget available?

    • @_CryptoCat
      @_CryptoCat 1 year ago +2

      Thank you!! 🙏🥰 You could look for some other gadgets, e.g. maybe you'll find a JMP EBP and can put your shellcode at the bottom of the stack. In many cases though, the right gadgets won't be available (or NX will be enabled) and you'll have to consider using a ROP exploit. This is covered later in the series (ret2libc) and in more detail in my ROPEmporium series (although these are quite old, I wasn't very good at making videos at the time).

  • @ONEGOALONEJOURNEY
    @ONEGOALONEJOURNEY 8 months ago +1

    Hey man, I just wanted to ask you two questions:
    1) how to install shellcraft
    2) how does your reverse_tcp connection turn you into a root user? I mean, when I did it on my PC it said permission not denied and showed my username when I asked whoami

    • @_CryptoCat
      @_CryptoCat 8 months ago

      Hey, I think shellcraft comes with pwntools but in order to use it from the CLI you need pwntools to be in your path. Second question will be due to the permissions of the binary, double check the commands I showed on github.

  • @diogobranco1927
    @diogobranco1927 2 years ago +1

    Great series. I'm trying this in ubuntu with shellcraft and msfvenom payloads. I'm only able to make it "work" with the shell option but I don't get root access so I'm not able to cat the flag.txt, probably the same reason I can't get "read_file" in msfvenom or "asm(shellcraft.cat('flag.txt'))" to work. Any ideas why? thanks, and keep up the good work.

    • @_CryptoCat
      @_CryptoCat 2 years ago

      check the perms @ 1:30 are yours the same?

    • @diogobranco1927
      @diogobranco1927 2 years ago

      @@_CryptoCat hello thanks for the swift reply :) yes I think perms are the same:
      -rw-rw-r-- 1 dbranco dbranco 321 abr 30 01:57 server.c
      -rw------- 1 600 root 30 abr 30 01:58 flag.txt
      -rw-rw-r-- 1 dbranco dbranco 2132 abr 30 02:02 exploit_msfvenom.py
      drwxrwxr-x 13 dbranco dbranco 4096 abr 30 02:08 ..
      -rwSr-xr-x 1 4655 root 15664 abr 30 19:20 server
      -rw-rw-r-- 1 dbranco dbranco 1 abr 30 19:40 peda-session-server.txt
      -rw------- 1 dbranco dbranco 44 abr 30 19:45 .gdb_history
      -rw-rw-r-- 1 dbranco dbranco 5089 abr 30 19:51 solving.html
      -rw-rw-r-- 1 dbranco dbranco 1709 mai 1 00:32 msfvenom_payloads.txt
      drwxrwxr-x 2 dbranco dbranco 4096 mai 1 00:47 .
      -rw-rw-r-- 1 dbranco dbranco 1505 mai 1 01:12 exploit_shellcraft.py
      -rw-rw-r-- 1 dbranco dbranco 166 mai 1 01:34 payload
      -rw-rw-r-- 1 dbranco dbranco 1119 mai 1 01:41 exploit.py
      I'm able to get the shell with shellcraft and msfvenom but I don't get root, and so I'm not able to cat the flag... for the purpose of the exploit I think the end purpose is achieved but it would be nice to do it all :)
      Is it ubuntu that has some safety that doesn't allow root?

  • @jorininabenjamina
    @jorininabenjamina 1 year ago +1

    hey how can i get the ghidra_auto ?

    • @_CryptoCat
      @_CryptoCat 1 year ago

      Here you go 🙂 github.com/Crypto-Cat/CTF/blob/main/auto_ghidra.py

    • @fletcherredhead
      @fletcherredhead 1 year ago

      @@_CryptoCat bro u r so much humble, thanks🗿

  • @trustie_rity
    @trustie_rity 2 years ago +1

    This so good💥

  • @earthlyelder
    @earthlyelder 2 years ago +1

    Bro, if the source code does not have a gadget to jump to ESP, is there no way to go to the stack? There has to be another way to jump to the stack without it.

    • @_CryptoCat
      @_CryptoCat 2 years ago +2

      The reason we look for JMP ESP is because we don't know the stack addresses, if you could find a way to leak addresses, it wouldn't be needed.
      If you can't leak addresses and have no JMP ESP instruction, maybe you can ret2reg: ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg

    • @earthlyelder
      @earthlyelder 2 years ago

      @@_CryptoCat Thanks again bro for your help!

  • @Mishanya00
    @Mishanya00 9 months ago +1

    A really big thanks for this playlist, I was looking for copper and found gold :) On my machine I wrote my own exploit using shellcraft but it does not work as yours does. I created another test.txt file and it could show it to me. I think this is because flag.txt has some kind of use restrictions and even server cannot access it? Nevertheless other stuff like echo "text" I'm able to execute from the stack.
    I'm too new to all this stuff but I'm sure there is a way to bypass this restriction)

    • @_CryptoCat
      @_CryptoCat 9 months ago +1

      Thanks mate! Re: not being able to read the flag, here's the settings I used for the flag/binary: github.com/Crypto-Cat/CTF/tree/main/pwn/binary_exploitation_101#note-for-most-of-these-challenges-you-will-want-to-set-ownerpermissions-of-the-flag--binary-after-compiling - basically I wanted the flag to be only readable by the server binary, so made them both owned by root. It's not important though, as long as you got things working 🙌

    • @Mishanya00
      @Mishanya00 9 months ago +1

      @@_CryptoCat Big thanks for your reply!

  • @cymzfr
    @cymzfr 9 months ago +1

    thank you so much bro

  • @earthlyelder
    @earthlyelder 2 years ago +1

    THANK YOU THANK YOU THANK YOU

  • @gstud210
    @gstud210 2 years ago +1

    Great content! Can you run your exploits using python3? My system doesn't allow me to download python2 since it's deprecated :/ There's a lot of different nuances using python3 since everything has to be changed to utf-8 before being sent. Super weird.

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      thanks mate! you can run the exploits just fine with python3, the only time i use python2 is for printing hex bytes to screen, i.e. for a manual payload

    • @darkerberry8223
      @darkerberry8223 2 years ago +1

      @@_CryptoCat Ow so the script payloads could be python3
      I didn't give that a try xD
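
The python2 vs python3 threads above (@animzex1257's and @gstud210's) both come down to one Python 3 detail, shown here in an added example that is not from the video or from CryptoCat's repo: raw bytes must be handled as `bytes`, because encoding them as UTF-8 turns every byte above 0x7f into two bytes and silently shifts every offset in the payload. The 76-byte padding and the 16 NOPs are the figures discussed in the comments; the gadget address 0x08049000 is a placeholder, not an address from the binary.

```python
import struct
import sys


def as_raw_bytes(value) -> bytes:
    """Return the exact bytes a Python 2 str literal such as "\\x90" produced.
    A Python 3 str is text, so it is mapped byte-for-byte with latin-1
    (never utf-8, which would turn 0x90 into the two bytes 0xC2 0x90)."""
    if isinstance(value, bytes):
        return value
    return value.encode("latin-1")


def p32(addr: int) -> bytes:
    """Little-endian 4-byte packing, the layout a 32-bit return address needs."""
    return struct.pack("<I", addr)


def utf8_inflation(raw: bytes) -> int:
    """Extra bytes the payload would grow by if sent through .encode('utf-8'):
    one extra byte for every byte >= 0x80 (every NOP, most shellcode bytes)."""
    return sum(1 for b in raw if b >= 0x80)


def looks_utf8_mangled(data: bytes) -> bool:
    """Heuristic check on a written payload file: raw bytes that went through a
    text encoder show 0xC2/0xC3 lead bytes followed by a 0x80-0xBF byte."""
    return any(data[i] in (0xC2, 0xC3) and 0x80 <= data[i + 1] <= 0xBF
               for i in range(len(data) - 1))


def write_payload(path: str, raw: bytes) -> int:
    """Write in binary mode ('wb'), never text mode; returns bytes written."""
    with open(path, "wb") as fh:
        return fh.write(raw)


if __name__ == "__main__":
    # Constructed layout using the numbers from the comments: 76 bytes of
    # padding, a 4-byte gadget address (placeholder value), a 16-byte NOP sled.
    payload = b"A" * 76 + p32(0x08049000) + as_raw_bytes("\x90" * 16)
    assert utf8_inflation(payload) == 16      # what utf-8 would have added
    sys.stdout.buffer.write(payload)          # raw bytes to stdout, not text
```

Run it as `python3 build.py > payload` and compare `wc -c payload` with the length you expect; a file that is longer than planned, or that `looks_utf8_mangled` flags, has been through a text encoder.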