10: Bypassing Stack Canaries (leak + write) - Buffer Overflows - Intro to Binary Exploitation (Pwn)

  • Published on 4 Jul 2024
  • 10th video from the "Practical Buffer Overflow Exploitation" course covering the basics of Binary Exploitation. NX and stack canaries are enabled this time, so we'll use a printf() format string vulnerability to leak the stack canary, allowing us to overwrite it with the expected value. We'll use checksec, ghidra, pwndbg and pwntools! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #BinaryExploitation #BufferOverflow #BinExp #RE #Pwn #PwnTools
    Find the binary files, source code and scripts to go with the series @ github.com/Crypto-Cat/CTF/tre...
    ↢Social Media↣
    Twitter: / _cryptocat
    GitHub: github.com/Crypto-Cat
    HackTheBox: app.hackthebox.eu/profile/11897
    LinkedIn: / cryptocat
    Reddit: / _cryptocat23
    TH-cam: / cryptocat23
    Twitch: / cryptocat23
    ↢Binary Exploitation / Reverse Engineering↣
    Pwn.College: pwn.college
    How2Heap: github.com/shellphish/how2heap
    NightMare: guyinatuxedo.github.io
    Ir0nstone: ir0nstone.gitbook.io/notes/ty...
    PinkDraconian: • Pwn Zero To Hero
    More: github.com/Crypto-Cat/CTF#readme
    ↢Resources↣
    Ghidra: ghidra-sre.org/CheatSheet.html
    PwnTools: github.com/Gallopsled/pwntool...
    CyberChef: gchq.github.io/CyberChef
    HackTricks: book.hacktricks.xyz/exploitin...
    GTFOBins: gtfobins.github.io
    Decompile Code: www.decompiler.com
    Run Code: tio.run
    ↢Chapters↣
    Start: 0:00
    Basic File Checks: 0:25
    Review Source Code: 2:06
    Disassemble with Ghidra: 3:05
    Outline Attack (Canary Leak + Write): 3:56
    Fuzz Printf Format Vuln for Canary: 5:23
    Locating Canaries with GDB-PwnDbg: 6:42
    PwnTools Exploit Script: 10:37
    Additional Pwn/CTF Resources: 12:57
    End: 14:38
  • Science & Technology

Comments • 46

  • @_CryptoCat
    @_CryptoCat  2 years ago +10

    11:42 - I should have been clearer about the stack layout. We have our 64 byte buffer + 4 byte canary, then 12 bytes of padding before we can overwrite the EIP.
    That 12 bytes of padding is overwriting the 4 byte "in_GS_OFFSET" (used by canary) + 4 byte saved EBP + 4 bytes of padding, introduced by the compiler to ensure 16-byte stack alignment.
    An example of stack canary overwrite with ret2libc attack, from a CTF: th-cam.com/video/XaWlKYgmEDs/w-d-xo.html
    An example of stack canary brute force attack, from a CTF: th-cam.com/video/dAsujQ_OPEk/w-d-xo.html

  • @semaja2
    @semaja2 2 years ago +4

    Please keep this series going, these have been some of the best explanations and tutorials so far!

    • @_CryptoCat
      @_CryptoCat  2 years ago +1

      thanks mate! definitely will be extended 😊

  • @SecBug
    @SecBug 2 years ago +2

    i was waiting for this one 🤩

  • @0xbro
    @0xbro 2 years ago +4

    This video series was awesome, I will definitely be re-watching the whole thing when I start digging deeper into binary exploitation! Thanks!

    • @_CryptoCat
      @_CryptoCat  2 years ago +1

      thanks mate 🙏🥰

  • @eduardcorlan99
    @eduardcorlan99 11 months ago +1

    What a journey... Thanks for your amazing series. I hope that you will not stop here. We need more content like this. The way you teach us is amazing. Definitely learned a lot from this! 🤩😋❣

    • @_CryptoCat
      @_CryptoCat  11 months ago

      Thank you mate! 🙏🥰

  • @sockpastarock7082
    @sockpastarock7082 2 years ago +3

    Just want to drop some appreciation for your content. This whole channel is a godsend for anyone getting into infosec! Amazing effort!

    • @_CryptoCat
      @_CryptoCat  2 years ago

      awww thanks mate, greatly appreciated 🙏🥰

  • @krishnannavadia
    @krishnannavadia 1 year ago +1

    Followed this series... I can say one of the best learning series with practical exploitations with all different tools, I mean amazing!!!
    Thank you mate for doing such series. Learned a lot, man, learned a lot!

    • @_CryptoCat
      @_CryptoCat  1 year ago

      Awww thanks mate, really great to hear! 🙏🥰

  • @viincentimes4193
    @viincentimes4193 2 years ago +2

    These videos are awesome ! Thanks !

  • @Kippster
    @Kippster 11 months ago +1

    Great video series. Definitely some of the better content out there

    • @_CryptoCat
      @_CryptoCat  11 months ago

      Thanks mate, appreciated! 💜

  • @_hackwell
    @_hackwell 2 years ago +2

    Awesome series and resources. They will be useful for the upcoming HTB Cyber Apocalypse !

    • @_CryptoCat
      @_CryptoCat  2 years ago

      Thanks mate 🥰 They will be indeed!

  • @inhnguyento8903
    @inhnguyento8903 2 years ago +2

    This series was very educative. I hope you will make some videos about heap exploitation

    • @_CryptoCat
      @_CryptoCat  2 years ago +1

      thanks mate! i will.. eventually 👀😅

  • @anntakamaki1960
    @anntakamaki1960 9 months ago +1

    Thanks for the amazing series sir 🙏
    I definitely need to go back and review the course again though (especially the last 3 videos) since it’s pretty tricky.

    • @_CryptoCat
      @_CryptoCat  9 months ago

      No problem! 🥰

  • @oneloveafrica8860
    @oneloveafrica8860 4 months ago +1

    it was cool thanks for everything ☺☺

  • @malwrecon6702
    @malwrecon6702 2 years ago +2

    Great as always. =) It would be interesting to look at the solution to this challenge not through a canary leak, but through its brute =)

    • @_CryptoCat
      @_CryptoCat  2 years ago

      Thank you 🙏 Not quite the same (custom canary) but there's an example of brute-forcing a 32-bit canary in this challenge: th-cam.com/video/dAsujQ_OPEk/w-d-xo.html

  • @darkerberry8223
    @darkerberry8223 1 year ago +1

    This was a fantastic series, I didn't know how to start binary exploitation but now you've paved the way, Thank you So much
    Once you make more awesome series pls don't forget your student here xD hehe
    Bye for now senior

  • @ameer2942
    @ameer2942 2 years ago +2

  • @ayushsingh-ii5ps
    @ayushsingh-ii5ps 2 years ago +2

    Hi mate, your videos are awesome. Can you make a video on cryptography for CTF?

    • @_CryptoCat
      @_CryptoCat  2 years ago +1

      me hate crypto 😑

  • @luckaffe8332
    @luckaffe8332 2 years ago +2

    OG

  • @markuche1337
    @markuche1337 1 year ago +1

    Thank you very much for your content.
    Btw you got the offset manually so automation won't work?

    • @_CryptoCat
      @_CryptoCat  1 year ago

      Thanks mate! Sure, you could automate it 🙂

  • @Ryclic
    @Ryclic 1 year ago +1

    these are super helpful, do you plan on making any more?

    • @_CryptoCat
      @_CryptoCat  1 year ago

      Thank you 🥰 I did/do plan to make more, it's just hard finding the time!

  • @Ikd19qqw
    @Ikd19qqw 2 months ago +1

    bro i can't get it 8:00 why if the offset starts at zero do we sub 1 ??

    • @_CryptoCat
      @_CryptoCat  2 months ago +1

      Computers normally start counting at zero, humans start at 1, so at 7:55 I counted 24 (1-24) but when I run the script those 24 blocks are labelled (0-23). Either way, it's the 24th element, it's just a different index 🙂

    • @fruitygranulizer540
      @fruitygranulizer540 months ago +1

      how are you doing lowk kinda advanced computer security, but are confused by indexing starting at 0 😅 im somehow impressed

  • @alfonso5177
    @alfonso5177 2 years ago +2

    wawa

  • @goodvlogbadvlog7141
    @goodvlogbadvlog7141 2 years ago +2

    Hi, really good explanation!
    Got one doubt on grep and bash scripting..
    when i give the following command:
    Input:
    "locate directory | grep txt | cat $1"
    Output :
    "
    /usr/share/dirbuster/wordlists/directory-list-1.0.txt
    /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
    /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
    /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
    "
    But what i expect is only the first line to come as output...
    What am i missing?? or what would the correct command be..?

    • @_CryptoCat
      @_CryptoCat  2 years ago +1

      Thanks mate! 🥰 Try this:
      head --lines 1 `find / -name '*directory*.txt' 2>/dev/null`

  • @incursio1122
    @incursio1122 3 months ago +1

    Great explanation as always sir. Can you please make a series on the Pwn101 room of TryHackMe, sir.

    • @_CryptoCat
      @_CryptoCat  3 months ago

      Thank you! I had a quick look at it before but IIRC the exercises were very similar to this series, I don't think it would add that much value. Besides, I'm pretty focused on web these days 😁