Return Oriented Programming (PicoCTF 2022 #48 'ropfu')

  • Published on 28 Aug 2024

Comments • 61

  • @aminel2a
    @aminel2a 2 years ago +3

    28:25 I'm just like, why not sh()? But I was too hasty. Great work John 💖

  • @FurikuriYugi
    @FurikuriYugi 2 years ago +5

    Awesome as always my friend.

  • @sikkavilla3996
    @sikkavilla3996 2 years ago +4

    Hey John, have you tried using the command cyclic to find the padding size for your buffer? I would recommend that if you need to find the length quicker for easier calculations. Overall a great video, and keep up the good work!

  • @chriskaprys
    @chriskaprys 4 months ago

    12:07 For those starting out in gdb, as I am: I believe what he was looking for there was x/500b (or x/500xb).
    It was already printing in xw (hex, word) mode, so x/500 (i.e. x/500xw) gave the *hex* of the 500 *words* at that address.
    b = byte
    h = half-byte (2 bytes)
    w = word (4 bytes)
    g = giant word (8 bytes)
    👍
    13:18 or, as Scooby would say, the "ROPportunities" 😜

  • @jaroslavhromatka3257
    @jaroslavhromatka3257 2 years ago +27

    Hi, I enjoy your content, but lately you've been having issues with audio. Please, can you normalize the audio before you upload the video? For example, this video's sound levels are so low that in order to listen to it I had to put the volume to 100% and even put +12dB gain on my external mixer... when YouTube played an ad in the middle of the video, it almost made me deaf... :-( Just FYI: for example, I listen to movies on Netflix or videos on other channels at 25-40% volume (usually no more than 50%)...

    • @aminel2a
      @aminel2a 2 years ago

      best comment 👌

    • @davidyoder5890
      @davidyoder5890 2 years ago

      💯

    • @davidbellecy1709
      @davidbellecy1709 2 years ago

      I have to connect my phone to a USB speaker and put both at 100%.

    • @Joel-gf4zl
      @Joel-gf4zl 2 years ago

      I'm on my phone and hear it fine at 45% volume while in the same room as a loud TV. It is a little lower, but not that low. For me anyway.

  • @AlmostEpic89
    @AlmostEpic89 2 years ago +3

    In early today, was awesome seeing you at the Ninja one summit!

  • @moosematrix
    @moosematrix 1 year ago

    Currently on my binary exploitation journey and this was engaging!! Thank you John

  • @KFLawless1412
    @KFLawless1412 1 year ago +1

    Thank you for the awesome and educational video, John. I have a question that you or maybe someone else could answer (and I'll post it elsewhere too).
    Considering the stack was executable, could you not have done the following instead of using ROP?
    1. Load the shellcode for "cat flag.txt" in your initial input instead of the 500 'C' bytes
    2. For your injected return address after the buffer of 'A' bytes, simply put the address (in the stack) of the shellcode you just injected
    Maybe I'm missing something, but assuming that ASLR isn't enabled since you were able to discern the address of the jump instruction, you could know the address in memory of the stack location you pushed your initial input to in the first place.
    Maybe I'm not making any sense, but thank you again.

  • @timothysnyders1426
    @timothysnyders1426 2 years ago

    JOHN!!!!!!
    I don't really understand what you did.. but you talking us through this challenge is inspiring.. This must be what my employers think when I'm explaining things to them haha..
    Love you man!! Keep doing this because I'm going to be here to watch and listen...
    Maybe stay away from binary bruv :)

  • @secinject814
    @secinject814 2 years ago +1

    Hey Hey Mr. Hammond! Excuse any typos as I am barely awake right now. But I just wanted to ask if you knew any good reverse engineering/binary exploitation books/e-books out there. Or the best YouTubers that showcase, explain, and demonstrate how binary exploitation/reverse engineering works. As I have focused far more on web exploits like XSS, SSRF, LFI etc...
    Thanks again as always for all the educational content and hope you continue being an inspiration!! Thanks!!

  • @j3r3miasmg
    @j3r3miasmg 2 years ago +3

    I don't get why the stack canary is not reporting *** stack smashing detected *** when you overflow the buffer, canary and the return address. Did I miss something?

    • @sepp104
      @sepp104 2 years ago +1

      The stack canary is not present in the vuln function; it is only present in some library functions.

    • @j3r3miasmg
      @j3r3miasmg 2 years ago

      @@sepp104 I only know it's not present because his exploit worked (I didn't look into the binary). But if you look at 02:20, it clearly says "Canary found". Something is misleading me.

    • @christiansanchez4883
      @christiansanchez4883 10 months ago

      @@j3r3miasmg Yeah, there are specific things that 'checksec' looks for when it's looking for a canary, and it found a canary "somewhere" in the file, but luckily for us, not in the vuln() function. Or in any function that would naturally be called, for that matter. So there essentially is no canary. Try using Ghidra to disassemble and you'll see what I mean.

    • @j3r3miasmg
      @j3r3miasmg 10 months ago

      @@christiansanchez4883 Thanks for your answer. A little bit misleading if there is no canary in the function, but checksec did its best for us... ^^
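Added example, not from the video or from anyone in this thread, to make the point of the exchange above concrete: a checksec-style "Canary found" only says that a canary check exists somewhere in the binary, so whether the function you are overflowing is protected has to be read from its own disassembly. The script scans a constructed objdump-style listing (not the real ropfu binary; function names, addresses and bytes are made up) and reports which functions actually call __stack_chk_fail:

```python
import re

# Constructed objdump -d (Intel syntax) listing, NOT the real ropfu binary:
# 'helper' loads the canary from gs:0x14 and calls __stack_chk_fail,
# 'vuln' has a plain prologue with no canary at all.
SAMPLE_DISASM = """\
08049200 <vuln>:
 8049200:\t55                   \tpush   ebp
 8049201:\t89 e5                \tmov    ebp,esp
 8049203:\te8 f8 fe ff ff       \tcall   8049100 <gets@plt>
 8049208:\tc3                   \tret

08049300 <helper>:
 8049300:\t55                   \tpush   ebp
 8049301:\t65 a1 14 00 00 00    \tmov    eax,DWORD PTR gs:0x14
 8049307:\t89 45 fc             \tmov    DWORD PTR [ebp-0x4],eax
 804930a:\te8 21 fe ff ff       \tcall   8049130 <__stack_chk_fail@plt>
 804930f:\tc3                   \tret
"""

# objdump function header: "<hex address> <name>:"
FUNC_HEADER = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")


def canary_per_function(disasm: str) -> dict:
    """Map each function in an objdump listing to True if its body calls
    __stack_chk_fail, i.e. the compiler emitted a canary check for it."""
    result, current = {}, None
    for line in disasm.splitlines():
        m = FUNC_HEADER.match(line)
        if m:
            name = m.group(1)
            # PLT stubs are trampolines, not functions with their own frame.
            current = None if name.endswith("@plt") else name
            if current:
                result[current] = False
            continue
        if current and "__stack_chk_fail" in line:
            result[current] = True
    return result


def summarize(disasm: str) -> dict:
    """checksec-style verdict ('is there a canary anywhere?') next to the
    per-function answer, which is the one that matters for an overflow."""
    per_func = canary_per_function(disasm)
    return {
        "binary_has_canary": any(per_func.values()),
        "unprotected": sorted(f for f, has in per_func.items() if not has),
    }
```

On a real binary, feed it the output of `objdump -d -M intel <file>`; a function that reads the canary but never calls __stack_chk_fail is worth a manual look, since this script only keys on the failure call.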

  • @fhajji
    @fhajji 5 months ago

    This was really interesting!

  • @getellied
    @getellied 2 years ago +1

    Okay, this one was really freaking cool

  • @themightiestofbooshes9443
    @themightiestofbooshes9443 2 years ago +2

    There he is!

  • @v01d_r34l1ty
    @v01d_r34l1ty 2 years ago

    NICE!~ANOTHER VIDEO LETS GO JOHN!

  • @hugos6717
    @hugos6717 19 days ago +1

    omg this is fuckin cool, i love it

  • @lethanhat361
    @lethanhat361 2 years ago +3

    What are the 16 bytes of NOP for? At first, I didn't use any NOP instructions before the shellcode and it failed. After that I tried adding 2 bytes of NOP and it worked miraculously. Does it have anything to do with stack alignment?

    • @weirdstuffsforyou
      @weirdstuffsforyou 2 years ago

      That depends. The processor can jump to any point. Just to be on the safer side we can use long NOPs so that our shellcode will not get affected by it.

  • @Dr.DomAPI
    @Dr.DomAPI 2 years ago +5

    Make video on cryptography 😍

  • @SESUAV
    @SESUAV 2 years ago +1

    Pardon my noob question, but I would like to know if this exploit will work if we replace the "A"s with a NOP sled. It would automatically enter the buffer then. Would it not? We wouldn't need the short jump then.

  • @learn-with-noob-007
    @learn-with-noob-007 2 years ago +2

    Sir, I am getting problems in Forensics; the last one left in 300 pts and one 400 pts.

  • @zer001
    @zer001 2 years ago

    Cool, now i know that there is a Bird in my (HayStack). Nice. :)

  • @BryanChance
    @BryanChance 2 years ago

    Hmmmmm.. I have no idea what's going on, but it looks very interesting! And who are you talking to? LOL

  • @ani-zxk
    @ani-zxk 7 months ago

    I don't understand why the most interesting videos you post get the least amount of views!

  • @sireynolds7334
    @sireynolds7334 2 years ago

    Your Rop-Fu is strong.

  • @user-ql6rp7dr9m
    @user-ql6rp7dr9m 1 year ago

    This video is just great! How do you write a Python script to solve this challenge?

  • @Dr.DomAPI
    @Dr.DomAPI 2 years ago +2

    Hi

  • @ani-zxk
    @ani-zxk 6 months ago

    How did you automatically know to jmp 10 bytes forward?

  • @franciscolucarini8761
    @franciscolucarini8761 2 years ago +1

    When the Solfire challenge?

  • @vanievors2476
    @vanievors2476 1 year ago

    How did you overwrite the EIP pointer if the executable is canary-protected??

    • @christiansanchez4883
      @christiansanchez4883 10 months ago +1

      The function we are using, "vuln()", is not canary-protected. A different function in the file is.

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Ret vlu
    Designer explain powerful

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Wos1,2,3?

  • @Johnstuart2023
    @Johnstuart2023 2 years ago

    Hey, can you tell me what the short jump does and why we need it in this case?

    • @weirdstuffsforyou
      @weirdstuffsforyou 2 years ago

      It's used for jumping from new_eip to the NOPs, as the payload will get back to eax from the short jump, so that we can add the return address to the stack for execution.

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    John lon please

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Atti. Time files?

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Binck mins root madal Bank "credit card"filles ?

  • @fjr2go
    @fjr2go 2 years ago

    Interesting!

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Please assembly code file's

  • @guilherme5094
    @guilherme5094 2 years ago

    👍

  • @rsvv6828
    @rsvv6828 2 years ago

    Why did he take \xeb\x08?

    • @weirdstuffsforyou
      @weirdstuffsforyou 2 years ago +1

      It's for a short jump. A short jump can be used like EB 00 to EB 7F. He used EB 08, which jumped to the next address as mentioned, and it is written as \xeb\x08.

    • @rsvv6828
      @rsvv6828 2 years ago +1

      @@weirdstuffsforyou Thanks for your answer
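Added example, not from the video or from anyone in this thread, answering the two questions above about \xeb\x08 and "how did you know to jmp 10 bytes forward": an x86 short jump is opcode EB plus one signed byte, and that byte is counted from the end of the 2-byte instruction, so EB 08 lands 10 bytes after the jump's own first byte. It also handles the backward range (EB 80 to EB FF), beyond the forward EB 00 to EB 7F the reply mentions. The payload layout is constructed (a jump, 8 filler bytes, a few 0x90 NOPs) and contains no real shellcode:

```python
import struct

# x86 short jump: opcode 0xEB followed by ONE signed byte (rel8).
# The displacement is added to EIP *after* the 2-byte instruction, so
#   EB 08          -> skips 8 bytes past the jmp, i.e. lands 10 bytes from its start
#   EB 00 .. EB 7F -> forward  0 .. 127 bytes
#   EB 80 .. EB FF -> backward 128 .. 1 bytes (EB FE jumps to itself)
SHORT_JMP = 0xEB


def decode_short_jmp(code: bytes, offset: int = 0):
    """Return (rel8, target_offset) for the EB xx instruction at `offset`.
    Raises ValueError if the bytes there are not a short jump."""
    if offset + 2 > len(code) or code[offset] != SHORT_JMP:
        raise ValueError("no EB rel8 short jump at offset %d" % offset)
    rel8 = struct.unpack_from("<b", code, offset + 1)[0]  # signed 8-bit
    return rel8, offset + 2 + rel8


def short_jmp_targets(payload: bytes):
    """Scan a captured payload for every EB xx pair and report
    (position, rel8, landing offset), so an analyst can see which
    bytes each jump skips over."""
    return [(i,) + decode_short_jmp(payload, i)
            for i in range(len(payload) - 1) if payload[i] == SHORT_JMP]


def short_jmp_range():
    """Reachable displacements, relative to the next instruction."""
    return -128, 127


# Constructed layout in the style the thread discusses (no real shellcode):
# a short jump, 8 filler bytes it hops over, then a small NOP (0x90) sled.
CONSTRUCTED_PAYLOAD = b"\xeb\x08" + b"A" * 8 + b"\x90" * 4
```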

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Str

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Dword ptr this fu ?

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Emi lon please request 🎄🎁 give me lon please request

  • @SplitUnknown
    @SplitUnknown 2 years ago +1

    Ohh my god, how do you do that @john 🫣
    Too hard for me to understand 😅🤣

  • @vanievors2476
    @vanievors2476 1 year ago

    How did you overwrite the EIP pointer if the executable is canary-protected??

    • @christiansanchez4883
      @christiansanchez4883 10 months ago +1

      If you disassemble the binary in Ghidra, you'll see that there is no canary in the vuln() function.