3: Return to Win (Ret2Win) - Buffer Overflows - Intro to Binary Exploitation (Pwn)
ฝัง
- เผยแพร่เมื่อ 7 ก.ค. 2024
- 3rd video from the "Practical Buffer Overflow Exploitation" course covering the basics of Binary Exploitation. In this video we'll exploit a buffer overflow vulnerability and redirect the flow of execution to a function of our choice (return to win). We'll use checksec, ghidra, pwndbg and create a couple of pwntools scripts, automating finding the EIP/RIP offset and making use of ROP objects! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #BinaryExploitation #BufferOverflow #BinExp #RE #Pwn #PwnTools
Find the binary files, source code and scripts to go with the series @ github.com/Crypto-Cat/CTF/tre...
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
TH-cam: / cryptocat23
Twitch: / cryptocat23
↢Binary Exploitation / Reverse Engineering↣
Pwn.College: pwn.college
How2Heap: github.com/shellphish/how2heap
NightMare: guyinatuxedo.github.io
Ir0nstone: ir0nstone.gitbook.io/notes/ty...
PinkDraconian: • Pwn Zero To Hero
More: github.com/Crypto-Cat/CTF#readme
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
HackTricks: book.hacktricks.xyz/exploitin...
GTFOBins: gtfobins.github.io
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Basic File Checks: 0:41
Overflow the Buffer: 1:22
Review Source Code: 1:47
Demonstrate PIE with Radare: 3:28
ObjDump: 5:03
Disassemble with Ghidra: 5:32
Find EIP Offset with PwnDbg: 6:42
Dummy Payload to Visualise Attack: 8:02
Manually Exploit BOF to overwrite EIP: 9:31
Debug Exploit with GDB: 10:54
Custom PwnTools Template Explanation: 12:35
PwnTools Exploit Script: 15:01
Find EIP and use ROP Objects in PwnTools: 17:15
End: 19:24 - วิทยาศาสตร์และเทคโนโลยี
![[TH] VCT Pacific Stage 2 - Week 4 Day 3 // GEN vs TS | PRX vs ZETA](http://i.ytimg.com/vi/nspkjQuZve0/mqdefault.jpg)
I really like how you break down everything and teach it to beginners! Thanks!
tyty 🥰
I'm so grateful for your tutorials. This really helped and extended my knowledge. In uni they 've taught another way to perform this exploit but yours seems ..idk, just better :D
thank youuu 🙏🥰
This is an awesome video. So difficult to find content as straightforward, clear, and helpful as this video.
the best thing to hear! thanks mate 🥰
@@_CryptoCat I haven't watched through the entire series yet since I'm still working on some of this beginner stuff, is there any point where you cover how to do ret2win when PIE is enabled and you can't access the win function's address ahead of time?
@@gitpullday2472 yes mate! episode 8 we will have both PIE and ASLR enabled so we'll need to leak an address to find the base of the binary AND then leak an address to find the base of the lib-c library 😉
@@_CryptoCat Awesome, thanks!
Top content one more time, thanks for this!
Cheers bro!
Thnks alot this rlly helped 🤗
thank you brother
🥰
top tier tutorials
💜
i love it
banger
thksss broo go go
🙏
good one
and pls do a video about format string and how to overwrite the return address using it on x64 ❤
Thanks mate! Got a couple of format string videos coming up soon 😉
Awesome video brother. Learnt so much. Any tips or links on where we can download the ghidra_auto script to automate the whole ghidra process. Ghidra's a good tool but its such a pain having to wait for ghidra to load all the time. Thanks once again!
TY 🥰 Ghidra auto script available here: gist.github.com/liba2k/d522b4f20632c4581af728b286028f8f - I changed the auto-analysis time in mine to 1 second for an extra speed boost!
It's worth noting that we shou use python2 to print payload instead of python3. This is because python2 treat string as bytes while python3 treat string as a sequence of char. If we use python3 we won't get the result we want.
Exactly! You can do it with python3 but python2 is easier.
When using pwntools, you should use python 3 though 😊
@CryptoCat Hi, is it a problem with my system that I am not able to create corefiles. I'm quite confused because I am able to get corefiles when running some of my pwntools programs but for any that use cyclic it doesn't create a corefile for the cyclic process.
Good question mate! It's probably the permissions of the binary. I remember having these problems and I had to change it so the binary wasn't owned by root. I guess running the pwntools script as root would probably also work. Let me know if that helps!
Enjoyed your video but I have a doubt the buffer is only 16 bytes even ebp(4bytes) + return pointer(4bytes) is only 24 bytes but how could it be 28 bytes, is it was an eax's value that is pushed onto the stack before the function call and when I use normal pattern create script in gdb peda it only shows me 27 bytes how could it happen?
Thanks and good questions! If you around check 5:55 in the decompiler/disassembler, the buffer was assigned 20 bytes by the compiler, even though we specified 16 bytes in the C code. I'm not too sure why this happens in some cases but not others but if we add on the EBP + return pointer that should make the offset 28 bytes. I double-checked PEDA, which I haven't used in a long time (but I do really like their pattern_search functionality). For me it does show the correct offset to EIP is 28 bytes: imgur.com/a/BduYINn
@@_CryptoCat Thanks for your clarification brother 🤝
hey at 14:08 we can see the gdbscript variable.... we can put any payload their to run it on the remote server apps ? if yes we can change the ret address easily right ?
the gdbscript you can put in GDB commands, then when you run the script like "python exploit.py GDB" it will open GDB and run those commands e.g. breakpoints
Are RIP always points to the return address ? If it's not then what is the location RIP points to on the stack?
It points to the next instruction to be executed. At the end of the function, the "ret" intruction will pop the return address off the stack, into the RIP register.
As always a pleasure to watch 👌 One question: I do not know but some of my gdb settings are broken I think. When I set a breakpoint and hit it, it just stops the program and gdb says it has hit a breakpoint but does not show the stack. How can I enable it?
Thanks mate 🙂 You need to use a plugin like pwndbg, gef or peda. I have all three installed so i can easily switch between them: github.com/apogiatzis/gdb-peda-pwndbg-gef, but tbh I only use pwndbg these days: github.com/pwndbg/pwndbg#pwndbg
@@_CryptoCat Ahhh, so obvious but I forgot to install the plugin. Do you know why the normal dbg does not have implemented such a vital functionality? I mean thats what a debugger is all about haha
@@Dennis-bg7zo Very good question lol
wow
🤩
nice explanation i got some confused on 8:29 why the payload its A*32 + B*2 and so on that based on what , and how to know if i should make it like that
It's not really required, I just do that to visualise the payload on the stack and make sure we've worked out the offsets correctly. So in this case, we've identified that we need to write 32 bytes before we can overflow the instruction pointer - we send 32 * "A" + 4 * "B" just to make sure the B's end up in the EIP register (confirming that we're structuring our payload correctly) 😉
@@_CryptoCat and on 5:08 also same A*28 + '\x82.....\ + "AAAA" + "BBBB" + "CCCC" still confused with this i got the point yea i know its 28 from the offset but why you add "AAAA" + "BBBB" + "CCCC"
@@user-ej5dp4zt4j The A's visualise the bytes leading up to the EIP, the B's visualise the EIP that you'll control and then the C's might represent some shellcode that you'll jump to (through control of EIP). You'll see a clearer example of this later in the series 🙂
if i know the program has a buffer overflow vulnerability in a CTF challenge I a follow all the steps and can never get the program to give me the info so I can find the offset. I do cyclic 33 cause buffer is size 32. the issue is the program runs and you give input and it exits. so I never see the window in gdb-pwngdb showing the EIP to see the offset to run cyclic -l . do you have any suggestions? the best I can do is crash the program with a seg fault I then can see the EIP but it has malloc+419 in it which is useless. any advice would help thanks.
Hmmm weird 🤔 GDB is definitively using the PwnDbg plugin right? What if you use a longer input, e.g. 100 bytes when the buffer is 32?
@@_CryptoCatthe goal is to exploit a vulnerability. The buffer is 32 and I need to use the last byte as the exploit pointing to the address of the bin/sh so I can car /flag. I can’t figure out how to increment cause over a certain amount it crashes eh fault and just below it doesn’t seg fault but I’m still not triggering the address to get bin/sh.
@@_CryptoCatand yes using gdb-pwngdb just like video.
@@LandRoverLR3 Did you setup the gdb-pwndbg using the git repo at the start of the series? Does everything look the same as in the video? You can't find offset even on the challenges provided with this series?
@@_CryptoCat my issue is I need to figure out the offset. Would be so nice if I could to cyclic 100 then cyclic -l bbb
Hi there is option to download binary file from your github page, so I copy the code and save it in my linux but then all the proctections are alredy disable. Is there any way I get the binary file from your github page with all the protections enabled so that I can experiment with those protections by enabling and disabling them
Sure! Here's the binary: github.com/Crypto-Cat/CTF/blob/main/pwn/binary_exploitation_101/03-return_to_win/ret2win
Alternatively, you can compile the binary without protections, e.g. instead of this:
gcc vuln.c -o vuln -fno-stack-protector -z execstack -no-pie -m32
Do this:
gcc vuln.c -o vuln -m32
@@_CryptoCat Thanks mate, can you please also share the script how you setup the ghidra auto command
@@vaibhavsuri2389 Yes mate! liba2k gave me the script but I made a couple of small changes (e.g. shorten delay) - github.com/Crypto-Cat/CTF/blob/main/auto_ghidra.py
@@_CryptoCat Thanks really appriciate it
Is there a version of tutorial like that but for windows executables? is it even possible to "hack" windows apps like this?
Absolutely! If you do OSCP cert there is often a windows buffer overflow (it used to be mandatory). Check this out: tryhackme.com/room/bufferoverflowprep
@@_CryptoCat and also I want to say that your tutorials are great
Awesome video 💥💥💥. So can you show how to install gdb-pwndbg? Because I have only pwndbg not gdb-pwndbg and
It will be useful for a lot of viewers 😄
TY and yes bro! Touched on it in the intro/setup video: th-cam.com/video/wa3sMSdLyHw/w-d-xo.html but basically just follow the GitHub/blog post: github.com/apogiatzis/gdb-peda-pwndbg-gef - run the install.sh script and you're ready to go. TBH I never use PEDA/GEF these days, so as long as you have PwnDbg installed, it's all good 😉