The Heap: How to exploit a Heap Overflow - bin 0x15
ฝัง
- เผยแพร่เมื่อ 1 ต.ค. 2024
- We are solving heap1 from exploit-exercises.com by exploiting a heap overflow.
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#BinaryExploitation #HeapOverflow
![[UNCUT] “บอสณวัฒน์” ลากไส้!! ใครหนุนหลัง "แม่ตั๊ก ป๋าเบียร์" I คนดังนั่งเคลียร์ I 30 ก.ย. 67](http://i.ytimg.com/vi/QlD7mU2KKRk/mqdefault.jpg)
![ผัวเถื่อน - ยูริ โตเกียวมิวสิค [ OFFICIAL MUSIC VIDEO ]](http://i.ytimg.com/vi/P08ORRVDGl8/mqdefault.jpg)
These tutorials are by far some of the best material on the entire internet focused on this subject. I love the technical explanations as well as the quality of the video editing. Curious what you are using to do your editing? Keep up the excellent work, I've learned quite a lot from these and look forward to learning that much more. Where do you hang out in IRC? Kudos!
ow, that looks fucked
I love it.
Great vids by the way, keep it up :)
again this is an older video; but this kind of stuff even it is an "easy" challenge still completely blows my mind. this is CRAZY. I totally love this.
don't forget to turn ASLR off!
"oh, that looks fucked" lol
Awesome video series!
-Heap overflow-
-Buffer overflow-
LiveOverflow
@Liveoverflow you should really start the challenges @ root-me system hacking, THAT WOULD BE EPIC AS FUCK!
3:45 I didn't know a Compiler can optimize that since it's a function.
I mean, it's possible but it's a really special purpose optimization.
Compilers are very specialized now, to the point where this code
#include
int bitcount(uint64_t x) {
int v = 0;
while(x != 0) {
x &= x - 1; v++;
} return v;
}
Is optimized to a single instruction
popcntq %rdi, %rax.
Unfortunately if you change the code even a little bit the optimization won't work
Thanks for the video, I was stuck at this level since yesterday! Watched your video exactly until 1:51 and immediately noticed what I was overseeing/missing all the time. Damn. Further exploitation was pretty straightforward :D
awesome! congrats!
thanks! keep up the good work! have been following your channel for a while and i must say that it motivated me to dive deeper into the "art of exploitation" after years of mostly doing other (though RE and lowlevel related) stuff :)
Why eip is overwrote with the source of string copy after you overwrote the destination of string copy can someone explain please
Hi , thank you for your videos, i have a problem , the output of the gdb isnt like you, the part `*__GI_strcpy (dest=0x804a038 "", src=0x0) at strcpy.c:39`
please help me
Thank you for this good series of tutorial :)
I'm a bit confuse on print in GDB. Could you help explain why we have to set $i1 = (struct internet*) 0x08041028 ?
Shouldn't print work with an existing variable in the current context ?
I first tried (gdb) print *i1, print i1, x/x i1 but the address of i1 seems to be totally different from the real one 0x08041028.
Hi LiveOverflow, I have followed through your tutorial, and it is straightforward and super helpful. I thought that I would try it on an Ubuntu 16.04, 32 bit system, and I have run into a problem. At about 3:10 you have a segfault for your strcpy function, and it is clear which string is being copied and the string's target address (0x46464646). But, when I have a segfault, my error message says:
__strcpy_sse2 () at ../sysdeps/i386/i686/multiarch/strcpy-sse2.S:1657
1657 ../sysdeps/i386/i686/multiarch(strcpy-sse2.S: No such file or directory.
When I use backtrace I get he same error. This error is not nearly as clear and helpful as the one that you receive in your tutorial.
I have looked around online to see how to solve the "no such file or directory" problem thinking that this might help. I tried installing libc6-dbg, installing build-essentials and setting gdb's debug-file-directory. This didn't help. Is it because I am using a different version of C? Or, is the error message difference due to a configuration in gdb. Thank you.
Try compiling your c file with the '-g' flag maybe
I get the same error, did you ever find a fix?
How can you use the run echo command with the chars needed if the programme doesn't work arround the argv argument but a gets() function
How do I get my gdb to show the destination address?
learning in 2022 and it seems that these tutorial vidz of yours are some of the best on the whole www
This worked because printf on line 34 was optimized to puts(), if it was printf printing with arguments then it could have gone into endless recursion by calling printf & exploit would have failed. The real question is how to exploit this code if line 34 was printf.?
Hi, I was wondering if there is a way to exploit this on a 64-bit system. The problem is that we have to override 0x00007ffff7ef6070 (address to malloc'd area on heap) to 0x00000000006041d0 (address to puts@got) and strcpy stops copying before a nullbyte.
You're really good but what I don't understand is that if EIP indicates the next step to process how can you manipulate it if it should be changing every microsecond? Like while Im watching your youtube video isn't eip changing to read new data from memory and send it to the audio card? Maybe it is all process encapsulated?
A CPU by nature can actually only run one program at once (i'm simplifying things here). The fact that you can run multiple programs, even though you only have a single CPU is faked by the OS rapidly switching between running different processes (threads to be exact). These days you likely have multiple cores, but that still stands; the OS has to run thousands of threads on the hand-full cores you have. When the OS switches to running another thread, it'll save the current thread's registers along with the rest of the thread state, and restore the registers and state for the thread that's going to run next, so all the registers you see him access are for the current thread only.
Wow thank you! :D Thank you so much, really. I love this channel and ctf community. Everyone is so polite. Thank you for existing and making me feel home
How did it actually change where i2->name was pointing to? Shouldn't it have just changed the value inside? Or does it have to do with overwriting the meta-headers?
why echo is not working insted of /bin/echo ?
I love the videos posted on this channel.The content is very clearly explained in depth.This is the best material I read so far.
Watched*
Excellent !!! Amazing videos !! I am so happy to discover these videos . The best video I ever came across on internet 😎
You're amazing! :)
My gdb is not showing the memory address where segmentation fault occurred. Any idea ?
It says -->> Program received signal SIGSEGV, Segmentation fault.
__strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:298
298 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.
I face the same issue. Do you know how to fix it?
This video was very helpfull but there is something I can't figure out. When you replace the FFFF with the Address of Puts what happens to the code flow.. I mean why the eip is replaced with the firt 4 characters of second argument?? Thanks in advance
You see a strcpy there. So a string copy. And the destination of the string copy is the global offset table. The global offset table contains the addresses of functions such as puts. So if you overwrite the puts function address with another address, next time you call puts, you redirect code to wherever you want it to be. More info in episode "bin 0x12"
Amazing.. Very clear.. I wiil check also that video
And that's why you must use strncpy(copy N chars from src to dest) here, never trust user input :D. Awesome series!
Development rule #1 - never ever trust anything that comes from the other guy.
@@rootabeta9015 Developer rule #2 - never ever trust any code that came from yourself.
Developer rule #3 - never ever trust any code
@10:00 why doesn't the malloc for the name of the i2 ever get assigned? The name of i2 was 0x0 before the strcpy().
I think the breakpoint triggers in between the malloc and the assignment.
Of course you aren't the best security researcher, but you are the one making the best informative videos i know of
and i thank you for that :)
to do what he is try to do by the beginning :
run gdb
break * after the latest strcpy
define hook-stop
info registers
end
run with the payload to detect
When i run my payload and step forward from the break point do the hook will stop again or the hook will be in the break point boundaries
@@robinhood3841 yeah that is what you need ? i not sure forget most of it already
How much it will differ in ×64 system.?
For heap0 challenge, I was able to get the overflow offset but the address from objdump is different from gdb .
When I try it in gdb it crashes and from terminal it never jumps to winner.
does anybody know where I can find the sources for these protostar exercises?
the original website is down, and the bootable image that I downloaded over vulnhub doesn't contain any source code. I have searched the internet, but didn't find anything.
if anybody has the same problem, I found them: github.com/hellosputnik/exploit-exercises
exploit.education This is where it went. Seems to be the original author
@@toxicraptor4196 thanks a lot!
@@w0ttheh3ll No problem, good luck!
great video!
what Linux and gdb are you using
doesnt matter
u r wow!
really, awesome!
Hey can i contact you by email?
of course... @gmail.com
I do not understand
same
what exactly?
at 8:49 it'es bits not bytes right ?
Thanks a lot! Will there be a video on exploiting heap functions such as unlink?
yep. there will be. We are getting there slowly :)
My cookbook video write-up (not very well edited) already contains a more advanced heap exploit if you are interested in that.