The only thing that is NOT CLEAR from this video is how you guessed the return address? How did you know exactly which address should be replaced by B ascii values?
You can find it out by checking push/pop instructions, which push items onto the stack frame or pop from it , in the disassembled function. The return pointer of a function is pushed on the stack when it's called,.
Love this gdb stuff very little missing I assume after access granted on a real system the operating system or private code would still run or would you have to point to it
first you do break main, then when you run and it hits the first break point at main you can do info frame and it will give you the rbp/ebp (depending on whether you run on 64 or 32 bit architecture). It will also give you the eip/rip this is the location of the return pointer
Thank youuuuu I have a little problem, saying that I can write into the buffer through an argv[1] once I figure how much character I need and I figute what the return pointer address is, if I execute ./program my payload + p32(address I need in hex) when I check gdb the return address changed but not to the address I need it to be, as if it read the "\" and the "x" of the little endian p32 as a value on their own, how can I change that?
because the value we are storing at a particular memory address must be stored in hex. Little endian specifies that it is already in hex otherwise we would not be able to differentiate between python string or python reference to hex value
This does not work! maybe it did on what ever system you used ? But it doesn't work on unbuntu 20.04, cannot over write return of gets, no matter what I try!
first you do break main, then when you run and it hits the first break point at main you can do info frame and it will give you the rbp/ebp (depending on whether you run on 64 or 32 bit architecture). It will also give you the eip/rip this is the location of the return pointer.
Seems you’ve stopped posting vids...but this is by far the best intro to BO and gdp our there. I salute you good sir, and please come back!
True
I agree. This was so much fun watching a BO practical example. I quite enjoyed it. 🤟✌️👏👏👏
This guy is freaking awesome. He explains it so much better than my professor :D.
This is literally some of the best and practical explaination conveyed so nicely, a low level stuff (pun intended :D), great respect
Best video explanation of this seemingly complicated topic, thank you!
The only thing that is NOT CLEAR from this video is how you guessed the return address? How did you know exactly which address should be replaced by B ascii values?
“x/1x $sp” should work
How did you find the return pointer just by looking at the stack?
experience i think
Trail and error , you gotta enter dump values like A until you hit a segmentation fault
Seems like finally some1 explained properly without much hassle. :))
Hi James, very nice video. I am interested in system programming, and it is so difficult to find a tutorial video like this. Please don't stop.
8:50 I'm really confused on how he can tell it's the return pointer
Exactly my point. how do u determine the return pointer
@@tlehloba Usually, trial and error
You can find it out by checking push/pop instructions, which push items onto the stack frame or pop from it , in the disassembled function. The return pointer of a function is pushed on the stack when it's called,.
@@kraken_norse thank you mann you saved the day
sooo helpful - would have been up all night doing my pset if it weren't for this video
Extremely well explained! 😊
I am delighted, acquire so much understandable infromations , TY man!
how do i ignore the gcc errors because of the implicit declarations of the "gets" function
This video was so helpful, I watched it twice :)
I understood properly, thank you sir for the video
Could you explain how do we identify the return address?
anoop john by radarex
Thanks for this wonderful analysis video....
Love this gdb stuff very little missing I assume after access granted on a real system the operating system or private code would still run or would you have to point to it
This video is really high quality content!
beautiful!!! just what I was after!
thank you so much for clear explanation. Please where can I find a full course of your courses ?
Amazing explanation. Thanks a lot
Why does the stack store new data towards the return pointer? Wouldn't going the opposite way ensure rp is never touched?
I do the same exact step but i only have seg fault. Can It be because the Memory region of my eip( return pointer) Is only readable?
James- great video
Thank you for your awesome how-to!
How to identify the return pointer?
first you do break main, then when you run and it hits the first break point at main you can do info frame and it will give you the rbp/ebp (depending on whether you run on 64 or 32 bit architecture). It will also give you the eip/rip this is the location of the return pointer
Thank youuuuu I have a little problem, saying that I can write into the buffer through an argv[1] once I figure how much character I need and I figute what the return pointer address is, if I execute ./program my payload + p32(address I need in hex) when I check gdb the return address changed but not to the address I need it to be, as if it read the "\" and the "x" of the little endian p32 as a value on their own, how can I change that?
When you print the stack with x/##x $esp, the first address that you call the offset, is that just the first address of the following 4 * 4 bytes?
More videos plzz ..
Is it possible to exploit packet buffer overflow due to slow data rate
Well explained. I got the flag I was looking for.
Another good one keep up you have good representation way
what if we do not have an $esp register after the gets function? instead I have $rax register
its 64-bit application,you will find $rsp instead of $esp
Great video sir!
Your legends sir your best ... You rock ..
awesome video explained so much
such a nice video
I'm finally getting it!!! 🎉
Which software is this?
Why does the address of the granted function needs to be written down in little endian?
because the value we are storing at a particular memory address must be stored in hex. Little endian specifies that it is already in hex otherwise we would not be able to differentiate between python string or python reference to hex value
Anybody else getting a cannot access memory address error after setting breakpoints?
much appreciation mate
You do know u used the same superman lone in both buffer videos right? Haha just teasing thank you for answering questions that nobody else could
Everything was great, but I just couldn't get access granted
This does not work! maybe it did on what ever system you used ? But it doesn't work on unbuntu 20.04, cannot over write return of gets, no matter what I try!
Superb
Кто сделал лабу? В лс скиньте плез)
V well explained
The code is not compiling
Thank you sooo much
This is awesome
good stuff
awesome
teach me more about hacking an android device
Instead of 0x41414141 I get 0x565561f5 which is my ret address.
I got the address working when I used the example code from kuafu1994.github.io/HackWithGDB/ASM.html
Че там 8 лабка ма? ахахахахха
Какая ? )
В будущем это уже 7я лаба)😂
ne och
+Abay Zhunus главное дедлайн продлили)
ai dento
>>Thank U so much
❤
Тем временем до дедлайна 47 минут
nbbbbbnbnbnkjbjkbjkbjkbjkbjkbjkbjkbjkbkjbjkb
you don't use nano? I can't watch this.
Has anyone really been far even as decided to use even go want to do look more like?
Oatify Er... take a deep breath and then try again...
can I have your linkedin account i've a challnge for u
How to identify the return pointer?
first you do break main, then when you run and it hits the first break point at main you can do info frame and it will give you the rbp/ebp (depending on whether you run on 64 or 32 bit architecture). It will also give you the eip/rip this is the location of the return pointer.
@@breakingcode92 How do you determine eip/rip?