Identifying another exploit mitigation and find bypass. stack0: part 2 - bin 0x22
- Published on 13 Jul 2017
- In part 2 we have a closer look at stack0 on a modern system. We are trying to plan an exploit that works in case we can guess the stack cookie. We have to be a bit creative here.
stack0: liveoverflow.com/binary_hacki...
#BinaryExploitation #BufferOverflow
Ah some serious topics now I see, it does inspire some sense of dread because it seems you would need to dedicate quite a lot of time and be serious about security to get any further than toy examples and games, and even then it seems like just a slow start.
Great episode, thanks. :)
I love this! The bug is as simple as can be and yet the system really resists exploitation. There is no guarantee that it is even possible, which makes it feel much more real. I can't wait to see what hurdles await in the heap and format string challenges.
Hi, at 03:11 you mention that this is probably a mitigation technique.
I found an answer on stackexchange which says that this isn't a mitigation attempt but rather just a normal epilogue/prologue: reverseengineering.stackexchange.com/questions/13811/what-is-this-protection-that-seems-to-prevent-rop-when-aslr-in-on/13815 .
I mean in the end it makes exploitation harder whether it was intended to be a mitigation or not :) . It was just driving me crazy, trying to find the name of this mitigation technique for over an hour until I found out that it actually has no name.
Just thought you or anyone else might appreciate this :) .
Can't wait for the next episode :)
Dude, you're awesome, I like your content so so so so so much
4:55 "We have to get creative" But green is not a creative color
Go and get some leaves and sticks, and arrange them into your favorite color.
great video, really appreciate your work!
I have a question:
if we replace the "RRRR" in our script with b32(0x80484cf) and we accidentally get esp to point to this address, will it work as well?
Hi LiveOverflow,
I have changed the eip to the correct address of the shellcode (7:12 in your video) but the shellcode does not execute
Does the volatile keyword change the order of the variables on the stack? Is that why the simple overflow won't work?
Loving your videos, learning a ton. Thanks!
+Mark Pentler nope. Has no effect
Would be interesting if you could re-attempt this on even more modern systems. It seems that in the past two and a half years there have been more protection mechanisms added to compilers, so this exploit doesn't really work anymore. Nevertheless still an excellent video! If it makes my brain move I likez
After a bit of testing.. I figured out that to make the exploit work exactly how it is in this video (only with different address needed for printing success message), we need to add -fno-pie and -no-pie flags as well. So the whole command for compilation would be:
gcc -fno-pie -no-pie -m32 stack0.c -o stack0_32_vuln
Both flags are responsible for disabling position independent executables. One is for the linker (-no-pie) and the other is for the code generation (-fno-pie).
@NikiforGeorgiev yo man thank you, I was trying for 5 days to figure out why it doesn't work, I used -no-pie but not -fno-pie, that was the problem all the time
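The -fno-pie/-no-pie thread above is really about which mitigations the compiled binary ends up carrying. As an added example (not code from the video or from the commenters), here is a small Python checker that reads the ELF header directly: e_type ET_EXEC is the fixed-address executable that -no-pie produces, ET_DYN is a PIE, and the presence of the __stack_chk_fail symbol name is used as a heuristic for the stack cookie. The make_elf_header helper and the bytes it produces are constructed for offline testing only.

```python
"""Classify an ELF binary's PIE status and stack-protector use.

Added example, not from the video or the comments.  It parses only the
header bytes it needs, so it has no dependency on readelf or pyelftools.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification


def describe_elf(data: bytes) -> dict:
    """Return the mitigation-relevant facts about an ELF image in memory."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]           # 1 = 32-bit, 2 = 64-bit
    ei_data = data[5]            # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)   # e_type follows e_ident
    return {
        "bits": 32 if ei_class == 1 else 64,
        "pie": e_type == ET_DYN,             # ET_DYN executable = PIE (or a shared lib)
        "fixed_address": e_type == ET_EXEC,  # what -no-pie gives you
        # Heuristic: the canary check calls __stack_chk_fail, so its name lands
        # in the string table; absence means no function was protected.
        "stack_protector": b"__stack_chk_fail" in data,
    }


def describe_file(path: str) -> dict:
    with open(path, "rb") as f:
        return describe_elf(f.read())


def make_elf_header(ei_class: int, e_type: int, extra: bytes = b"") -> bytes:
    """Build a minimal, constructed little-endian ELF header for offline testing."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\0" * 8   # 16-byte e_ident
    hdr = ident + struct.pack("<HH", e_type, 3)                   # e_type, e_machine=3 (x86)
    return hdr.ljust(52 if ei_class == 1 else 64, b"\0") + extra


if __name__ == "__main__":
    for path in sys.argv[1:] or ["/bin/sh"]:
        info = describe_file(path)
        print(path, f"{info['bits']}-bit",
              "PIE" if info["pie"] else "no PIE (fixed address)",
              "canary" if info["stack_protector"] else "no canary")
```

Run it against the stack0 binary from the command in the thread and against one built without the two flags to see the e_type flip from EXEC to DYN.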
how da heck did changing esp to R's ensure that esp might land on the stack
I think the R’s are just 4 padding bytes to reach the esp value to be popped from the stack, and the null byte at the end of the string is actually changing the esp - the 0 - 4 = 0xfc byte (little endian esp so the low order byte is overwritten). I think there’s a gap between the cookie and esp?
The cookie is saved at [ebp-0xc] (check 2:53, at instruction 080484aa) and the stack pointer is retrieved from [ebp - 0x4] (check 2:36), so there are 4 bytes between the cookie and the stack pointer hence why he used R's to fill that space, not sure what's saved in there though
Which value is overwritten by The RRRR part? Is it ebp ? I don't really understand the activation record layout
Is there something special about stack cookies because brute forcing it requires a separate episode? A while loop that keeps generating 4 random bytes must be too straightforward. Awesome series by the way!
yeah sure ;) but that could be slow and there is another caveat when it comes to output buffering.
In some situations you can brute-force it in a smarter way, for example in case of a server that forks to treat an incoming request, the stack cookie will be the same between the parent process and the child process so you can bruteforce it byte by byte.
Damn that's a clever observation.
5:26 Maybe you could just always overwrite the last cookie byte with 0 and leave ESP untouched? (eventually after enough tries it will be 0)
+Agnus Xendis but in order to reach the stored return pointer I will have to overwrite stored esp.
Ah, I see now. Thanks!
At 6:59 you said that ESP doesn't point to our buffer. Why does this happen? We didn't overwrite it or something like that.
Do you think it is completely impossible to perform a buffer overflow exploit on a 64 bit system with a stack cookie?
Not if you can leak the cookie, or if you have a fork server. There are ways. Just this particular challenge stack0 seems impossible to me on 64bit. Would loooove to be proven wrong.
If the stack cookie's position is consistent, why not use bitwise operators?
I don't understand anything where should I start, other than your first few videos? (I've already watched them numerous times and still understand null)
I don't know :(
we're in the same situation :(
Step 1: Learn C/C++ and Python/Ruby
Step 2: Pick up Hacking: The Art of Exploitation by Jon Erickson. It's a pretty thorough introduction and by the end of it you'll know where to go next
Step 3: Start messing around with CTFs (such as Pwnable.kr, PicoCTF, and Over The Wire)
Step 4: Buy more books
Step 5: Watch more Defcon/Blackhat/LiveOverflow
Step 6: Read through the more well-informed communities (/r/netsec, /r/reverseengineering, news.ycombinator.com, literally anything Tavis does, and anything mentioned in the previous 4 places.)
Step 7: Go to step 3 and repeat until the end of time.
At 6:28 why is your stack not smashing? You didn't set any breakpoint, and also didn't manipulate eip. Is ASLR off?
The stack pointer (esp) points to some random place in memory but that's fine as long as you don't try to dereference it, however if he executes the next instruction (ret) then the program will segfault because he tries to pop a value from the top of the stack, and to do that you need to dereference esp
What about PIE?
websecurity please!
Love exploit development, must have written over 30 exploits in my days.. But now it's having the time to put into coding again and reading which I don't have at the moment... It's a shame there aren't many jobs out there for pentesting unless you have loads of qualifications.. I know people with bachelor's degrees and such in computer tech and still have no idea what a buffer overflow is or any other vulnerabilities.. Why all the down thumbs ??.. Oh and if you are going to do exploit development and find a decent vulnerability don't forget to notify the developers or you could be looking at some time in jail, or even a court case against you for loss of revenue.. And one more thing that p!sses me off is the arrogance of some of the developers of applications.. Make sure you follow responsible exploit disclosure guidelines..
Damn!! ... I wanna learn!! this!! shit!! ... but you're too damn!! fast!! mahn!! ... you're assuming a lot of knowledge from me! ... lol ... but anyways ... this is not a "beginner" tutorial or something so ... there's that