Making stack executable with malicious mprotect call - pwn110 - PWN101 | TryHackMe

  • Published on 13 Sep 2024

18 comments

  • @knok16
    @knok16 1 year ago +4

    Nice, thanks for explanation of your solution.
    I solved it that way:
    1. I found a "system" function call in the compiled binary, and that is actually it; you just need to supply "/bin/bash" to it.
    2. Also you need to find a way to pass this string. Instead of trying to pass it through the stack, I found some unused space in the memory layout (I used 0x00000000004C0170 - I don't remember why this address in particular - maybe it is already a string constant? - so I used it so as not to disrupt the running binary).
    3. And the exploit is actually a. gets(0x00000000004C0170) b. system(0x00000000004C0170, 0, 0)

    • @RazviOverflow
      @RazviOverflow 1 year ago

      Interesting solution. Maybe the address you specify is in the .bss section since you need an address not altered by ASLR and with at least rw- permissions. Nice to know :)

  • 1 year ago

    Hey, I love your contents, your series. Please keep it up. People need it. Thank you.

  • @LifeEldawody
    @LifeEldawody months ago

    "If there is something you want to say, leave it in a comment"
    I want to say thank you, man, for this great series. I have learned a lot from you; your explanations are very clear.

    • @RazviOverflow
      @RazviOverflow months ago

      Thank you for your kind words. I'm happy my videos helped you :)

  • @luxdown7965
    @luxdown7965 1 year ago +2

    Hey, I know it's a bit specific, but I really would love to see some kernel exploitation. Awesome video btw.

  • @rgb123-jm5mc
    @rgb123-jm5mc 2 months ago

    At 9:25, you mentioned changing the whole memory page's protection (in order to be able to execute the shellcode), but how did you know that the shellcode is within the memory page of __libc_stack_end (and not in some other page of the stack, which would leave the stack non-executable)?

    • @RazviOverflow
      @RazviOverflow 2 months ago +2

      17:55 - Aligning the leaked address
      Usually the stack isn't that large. However, you can always debug and check it.

    • @rgb123-jm5mc
      @rgb123-jm5mc 2 months ago

      @@RazviOverflow Thanks for the tip. I ran the debugger in IDA several times (ASLR enabled) and noticed that you're right: the standard input buffer and __libc_stack_end are always in the same page.
      Specifically, the offset between rbp-20h (the beginning of the buffer for standard input) and the virtual address of __libc_stack_end is always 0x148 bytes, which is good enough for a page size of 4096 bytes.
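The "same page?" question in the exchange above comes down to integer arithmetic on the low 12 bits of an address. The following is an added example, not code from the video or from any commenter: it rounds addresses down to their page, checks whether two addresses share a page, and, for the edge case the fixed 0x148 offset raises, counts how many 16-byte-aligned positions inside a page would put the pair across a page boundary. It assumes a 4 KiB page and a 16-byte stack alignment; the sample addresses are constructed.

```python
PAGE_SIZE = 4096  # assumption: 4 KiB pages, as on the commenter's x86-64 target


def page_base(addr: int, page_size: int = PAGE_SIZE) -> int:
    """Round an address down to the start of its page (clear the low bits)."""
    return addr & ~(page_size - 1)


def same_page(a: int, b: int, page_size: int = PAGE_SIZE) -> bool:
    """True when both addresses fall inside one page."""
    return page_base(a, page_size) == page_base(b, page_size)


def page_span(a: int, b: int, page_size: int = PAGE_SIZE) -> tuple[int, int]:
    """Smallest page-aligned (base, length) range that contains both addresses.

    Useful when checking in a debugger which pages a region actually occupies.
    """
    lo, hi = min(a, b), max(a, b)
    base = page_base(lo, page_size)
    end = page_base(hi, page_size) + page_size
    return base, end - base


def straddle_fraction(offset: int, page_size: int = PAGE_SIZE, align: int = 16) -> float:
    """Fraction of aligned in-page positions where addr and addr+offset cross a page edge.

    A fixed offset smaller than a page does not guarantee a shared page: if the
    lower address sits within `offset` bytes of the page end, the higher one
    lands in the next page. Enumerating every aligned start position makes the
    edge case explicit instead of assuming "small offset, so same page".
    """
    positions = range(0, page_size, align)
    crossing = sum(1 for pos in positions if pos + offset >= page_size)
    return crossing / len(positions)


if __name__ == "__main__":
    # Constructed sample addresses (not leaked from any real process).
    buf = 0x7FFD12345678
    print(hex(page_base(buf)))                 # 0x7ffd12345000
    print(same_page(buf, buf + 0x148))         # True
    print(same_page(0x7FFD12345EC0, 0x7FFD12345EC0 + 0x148))  # False
    print(page_span(0x7FFD12345EC0, 0x7FFD12346008))          # (0x7ffd12345000, 0x2000)
    print(straddle_fraction(0x148))            # 0.078125
```

Run in a debugger session, `page_span` tells you how many pages a buffer-to-`__libc_stack_end` region spans; `straddle_fraction` shows that a 0x148-byte offset shares a page in most, but not all, stack placements.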

  • @user-ul3kv6nv8t
    @user-ul3kv6nv8t 9 months ago

    Finished, flowers scattered (完结散花)

  • @lenaedvard
    @lenaedvard 1 year ago

    Could you please create a video for this vulnerable executable with PIE enabled additionally?
    I have no idea how I can bypass this when both DEP and PIE are enabled for a statically linked executable.

  • @user-ul3kv6nv8t
    @user-ul3kv6nv8t 9 months ago

    After completing the pwn101 series, I want to continue to improve. What suggestions do you have?

    • @RazviOverflow
      @RazviOverflow 9 months ago +1

      There are many reversing- and pwn-related sites. Take a look at razvioverflow.github.io/starthacking, but I recommend either pwn.college or the nightmare course by guyinatuxedo. Also how2heap.