Remote format string exploit in syslog() - bin 0x1E

  • Published 1 Oct 2024

Comments • 53

  • @phychowoman6513
    @phychowoman6513 7 years ago +15

    thank you for your vids..
    don't be a script kiddie

  • @stratan9707
    @stratan9707 7 years ago +21

    Something tells me that by the end of 2017 you will be quite close to 100k.

    • @LiveOverflow
      @LiveOverflow 7 years ago +3

      +alcapwn unrealistic, but thank you :)

    • @douwehuysmans5959
      @douwehuysmans5959 7 years ago +5

      alcapwn ehm, I'm afraid not, only a few people come to this level, most go down the Kali path

    • @frontilinebr
      @frontilinebr 6 years ago +2

      Almost right. 101k now!

    • @einsteinx2
      @einsteinx2 6 years ago +1

      Felipe Rocha 110k already now!

    • @heshananupama3409
      @heshananupama3409 5 years ago +1

      @@einsteinx2 223k now :D

  • @llJoDall
    @llJoDall 7 years ago +5

    Thanks for the tutorial :) Will you make tutorials for the "Fusion" exercises too?

  • @gonzajuarez4918
    @gonzajuarez4918 3 years ago +1

    hello, came in here a bit late I guess lol. Thanks for the video. One question: is there a chance for glibc not to support the dollar sign as in "%14$n"? I've read it's actually a POSIX extension to the C standard. Idk, I'm working on the stuff in phoenix (replacement for protostar in exploit education) and the dollar sign hasn't worked in any of those. I had to painfully spam %x to go through the stack in order to get the exploits to work lol

  • @thek4163
    @thek4163 7 years ago +5

    I just want to say thank you for all these great videos which you made.

  • @Benwick921
    @Benwick921 5 years ago +1

    What do I need to get good enough to approach this level of CTF?
    Because watching your videos is not enough, even if you explain clearly and in an easy manner, especially because you explain things that I may have studied in university and I can relate the stuff, but if you put me in front of this level of CTF I don't know where to put my hands.
    Atm I'm practicing easy binary exploitation but it's still not satisfying because they aren't realistic.
    If you have any recommendation about tutorials or courses where I can actually grow (especially the mindset) it would really help me :).

  • @uuuuuhhlettuce3909
    @uuuuuhhlettuce3909 4 years ago +1

    I tried to solve it on my own first. I wanted to overwrite the GOT entry of puts with the address of execve. I would have to place the execve parameters on the stack too, right? Is that even possible?
    Also, why is system not linked to the program dynamically?
    Also also, why is it that when, instead of using telnet, I use
    s.send("id\n")
    s.recv(1024)
    I then get no response?

  • @ernestang5656
    @ernestang5656 2 years ago

    hey liveoverflow! don't know if you are still here but can I ask, if ASLR is enabled, how would you pwn this challenge? Is there any resource you can recommend (or make) to show how to overcome ASLR? thank you so much!

  • @chocolateimage
    @chocolateimage 5 years ago +2

    0:00 [SILENCE]
    0:01 Forma string vor.....

  • @BrainFood155
    @BrainFood155 4 years ago

    I tried to replace the GOT address of `syslog` first, which caused a lot of segfaults (obviously). It made it so I couldn't attach a debugger to the process which made it really difficult for me to troubleshoot memory and do calculations. Even after I got the exploit working with the recommended `strncmp` method, replacing the `strncmp` GOT address with the `syslog` one resulted in segfaults. I suppose that means there are some finicky functions out there :\
    If I replace the `strncmp` with `printf`'s GOT address, /bin/sh will keep trying to run "/bin/sh [final1]".

  • @sandrovolery1168
    @sandrovolery1168 5 years ago +1

    this is pure beauty

  • @albertusfarley3859
    @albertusfarley3859 7 years ago +1

    instead of overwriting GOT with another function (like system or execve), can you overwrite GOT with the address of shellcode (with NOP sled) placed in an environment variable?

    • @LiveOverflow
      @LiveOverflow 7 years ago +7

      +Albertus Farley we do the GOT -> libc thing because the stack is not executable anymore, and the environment variables are on the stack. Also I think it's more elegant than shellcode :)

    • @thecrazzxz3383
      @thecrazzxz3383 3 years ago

      @@LiveOverflow But what if ASLR is enabled and NX is disabled, is there any way to jump to the buffer even if its address is actually randomized?

  • @nikoshalk
    @nikoshalk 4 years ago

    Awesome video! Btw, I instead overwrote the GOT entry for strchr() with the address of system()

  • @MarKac9090
    @MarKac9090 7 years ago

    nice! Would be great if you could share the python script? thx in advance

  • @onurhandev
    @onurhandev 2 years ago

    Amazing..

  • @thezar86
    @thezar86 3 years ago

    Awesome.

  • @kushansingh6244
    @kushansingh6244 4 years ago

    Can anyone help me understand the part of the code where he writes the lower half of the system address and then the upper half?
    username = pad + "BBBB" + STRCMP + "%17$65407x %18$08n " + STRCMP2 + "%17$47157x %24$08n"
    So after writing the lower half, can't we just write STRCMP2 and then %18$30x and then %19$n?
    I don't understand why %17 and %24 for writing the higher part of the address.

    • @evildead7845
      @evildead7845 4 years ago

      How did you find out it's %17 and %24 for the upper address? It didn't work for me though! Can you explain it?

    • @kushansingh6244
      @kushansingh6244 4 years ago

      @@evildead7845 That is what I am asking

  • @evildead7845
    @evildead7845 4 years ago

    can anyone explain how to write the upper address? I know the offset is at 17, so after writing this STRNCMP+'%17$65407x %18$08n' ... I get the right address 0xffb0 which is the lower addr of system.
    Now when I try to write to the upper address using this STRNCMP2+'%18$47x %19$08n' (where I think the upper address is at the 18th offset and I'm writing at the 19th)! But I get a seg fault... Also I tried changing values of the offset for the upper address but still no luck :( Anyone like to correct me?

    • @ashishsahota1122
      @ashishsahota1122 4 years ago

      Hey, I also faced the same problem you mentioned. Then I tried the method he used in the format string exploit video: I first placed the STRNCMP and STRNCMP2 on the stack, then tried to manipulate the address at GOT.
      try using:-
      username = pad+ "BBBB"+ STRNCMP + STRNCMP2 +"%17$65403x %18$08n %18$47158x %19$08n"
      you may have to fiddle around with the address but it works for me

    • @evildead7845
      @evildead7845 4 years ago

      @@ashishsahota1122 STRNCMP and STRNCMP2 on the stack then manipulating the address worked! Thanks

    • @ashishsahota1122
      @ashishsahota1122 4 years ago

      @@evildead7845 I don't know exactly how he did it in the video, but when I tried changing %n to %x in order to view the syslog file and see the stack position of the address, with the placing (STRNCMP + address + STRNCMP2 + address) the addresses of strncmp were not printed (I don't exactly know why), but when I tried (STR... + STR.. + address + address) and then printed the stack, the addresses were placed as expected. I think the padding in %x shifts the address in the stack; he used %24$(padding)n in the vid @13:14.

  • @haNguyen-ir5nk
    @haNguyen-ir5nk 7 years ago

    Guys I am new here, which video should I start with first?

  • @reddinghiphop1
    @reddinghiphop1 5 years ago

    Great video!

  • @Born2KillHF
    @Born2KillHF 7 years ago

    Great video as always..

  • @charlesmullen8024
    @charlesmullen8024 7 years ago

    Great

  • @StormWolf01
    @StormWolf01 7 years ago

    Sick!

  • @NikiforGeorgiev
    @NikiforGeorgiev 4 years ago

    Hey, I really love your videos, they are a ton of help for me!
    I never like to simply carry on with something until I understand it completely.
    So on to the question: you say it's very useful to use the custom function "read_until()" in these kinds of remote service challenges, but you don't really explain why and I can't think of any reasoning at the moment (I might be missing something here...). Why do we not care if the server sends us more than that? (Is it because the prompt would repeat if the line is bigger than 128?)

    • @LiveOverflow
      @LiveOverflow 4 years ago +1

      It's just that we somehow have to detect when the server is done sending. We want to know when we have received what we wanted and when we can respond. So read_until allows us to specify a point up to which we want to keep reading from the server. There is no other good way to detect when the server is done sending stuff, except timeouts, but that is not nice either - timing can always vary.
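The read_until idea from the reply above, as an added example that is not the video's script and not code from the commenters: a small `Remote` wrapper that keeps a receive buffer, reads until a chosen delimiter, and hands any bytes that arrived after the delimiter to the next call instead of dropping them. The service name, banner text and `FakeSocket` (a constructed stand-in that returns data in pre-cut chunks, the way TCP may split a server's output across segments) are assumptions for the demonstration; `connect()` is the only part that touches a real socket.

```python
import socket

# Added example (not the video's or any commenter's code). Everything below is
# a constructed illustration of the read_until pattern discussed in the thread.


class ProtocolError(Exception):
    """Server closed the connection before the delimiter showed up."""


class Remote:
    """Buffered wrapper around a socket-like object with recv()/sendall()."""

    def __init__(self, sock, max_bytes=64 * 1024):
        self.sock = sock
        self.buf = b""              # bytes received but not yet consumed
        self.max_bytes = max_bytes  # cap so a chatty server cannot make us buffer forever

    def read_until(self, delim, chunk=1024):
        """Return everything up to and including `delim`; keep the rest buffered.

        Reading only until a known delimiter (a prompt, a newline) is how we
        learn the server has finished its turn without relying on timeouts.
        """
        if not delim:
            raise ValueError("delimiter must be non-empty")
        while True:
            idx = self.buf.find(delim)
            if idx != -1:
                end = idx + len(delim)
                out, self.buf = self.buf[:end], self.buf[end:]
                return out
            if len(self.buf) >= self.max_bytes:
                raise ValueError(f"no delimiter within {self.max_bytes} bytes")
            data = self.sock.recv(chunk)
            if not data:  # recv() returning b"" means EOF
                raise ProtocolError(
                    f"EOF after {len(self.buf)} bytes, delimiter {delim!r} never seen")
            self.buf += data

    def send_line(self, line):
        self.sock.sendall(line + b"\n")


def connect(host, port, timeout=5.0):
    """Open a real TCP connection (not used by the self-contained demo below)."""
    return Remote(socket.create_connection((host, port), timeout=timeout))


class FakeSocket:
    """Constructed stand-in for a socket: returns data in the chunks given, then EOF."""

    def __init__(self, chunks):
        self._chunks = list(chunks)
        self.sent = b""

    def recv(self, n):
        if not self._chunks:
            return b""  # EOF
        data = self._chunks.pop(0)
        if len(data) > n:  # honour the caller's chunk size like a real socket
            self._chunks.insert(0, data[n:])
            data = data[:n]
        return data

    def sendall(self, data):
        self.sent += data


def demo():
    """Exercise read_until on split segments, then on an EOF and an oversized stream."""
    # Constructed server output: banner and prompt split awkwardly across segments.
    r = Remote(FakeSocket([b"demo", b" service v1\nuser", b"name: "]))
    banner = r.read_until(b"\n")          # "user" stays buffered for the next call
    prompt = r.read_until(b"username: ")
    r.send_line(b"guest")

    try:  # server dies mid-line: we must not hang or return a partial line as complete
        Remote(FakeSocket([b"half a line"])).read_until(b"\n")
        eof_detected = False
    except ProtocolError:
        eof_detected = True

    try:  # server floods us without ever sending the delimiter
        Remote(FakeSocket([b"x" * 5000]), max_bytes=1024).read_until(b"\n")
        capped = False
    except ValueError:
        capped = True

    return {"banner": banner, "prompt": prompt, "sent": r.sock.sent,
            "eof_detected": eof_detected, "capped": capped}


if __name__ == "__main__":
    print(demo())
```

The cap and the EOF check are the two failure modes a timeout-based approach hides: with a fixed `recv(1024)` a response split across segments looks like "no reply", while a server that never sends the prompt would otherwise have us buffering indefinitely.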

  • @fsquad8191
    @fsquad8191 7 years ago

    can you post a link to the exploit? thx

  • @amandamate9117
    @amandamate9117 7 years ago

    speak German sometimes too, dude

    • @Simrasil_
      @Simrasil_ 7 years ago +6

      Learn English, dude o.O
      With English videos he has a bigger audience, and secondly English is the technical language of computer science, so you should learn it anyway if you want to work in the field...

    • @LiveOverflow
      @LiveOverflow 7 years ago +7

      +SonKomischerTyp I have no idea what half of these terms are even called in German :P

    • @LiveOverflow
      @LiveOverflow 7 years ago +4

      +RitaLinx if you write German subtitles I'll gladly add them.