0: Intro/Basics/Setup - Buffer Overflows - Intro to Binary Exploitation (Pwn)

  • Published 27 Dec 2024

Comments • 93

  • @omfg4956
    @omfg4956 2 years ago +26

    14:28 In case anyone is ever curious, the lowercase 'a' became a bracket in ESP because the stack pointer was pushed onto the stack at the start of the function, and loaded again before returning. It loads from ECX and subtracts 4, and because of the overflow 'aaaa' or 0x61616161 is stored, giving 5d instead of 61 for the first byte.

    • @_CryptoCat
      @_CryptoCat 2 years ago

      Thanks for that! 🙏🥰

    • @_CryptoCat
      @_CryptoCat 1 year ago +1

      @oppenheimer11 Hey, sorry for the delayed response! I got a similar question from someone trying to set up a pwn challenge today so thought I'd provide an update. In terms of explanation, I won't be able to explain it better than others have already: zhu45.org/posts/2017/Jul/30/understanding-how-function-call-works
      As for the code used in the video (and the code of the pwn chall I was asked for help with today): moving the code from the main() function to a new function would get around the issue with the first character changing.
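
The thread above (and the gets() comment further down) is about a fixed-size buffer being filled by an unbounded read, so that the bytes past its end land on saved registers and the return address. The following is an added example, not code from the video or from CryptoCat's challenge source: a bounded replacement for gets() that can never write past the buffer and that reports when a line had to be cut off, plus a small model of the frame layout (a 32-byte buffer followed by a sentinel word standing in for the saved ECX/EBP or return slot) to show the sentinel survives any input length. The 32-byte size, the `frame_model` struct, `read_line`, `demo_read` and the 0xdeadbeef marker are all assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* exposes fmemopen() under strict -std modes */
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read. */
enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/*
 * Read one line from `in` into `dst` (capacity `dstsz` bytes).
 * Unlike gets(), the write can never exceed dstsz - 1 characters plus the
 * terminating NUL. If the line did not fit, the rest of it is drained and
 * READ_TRUNCATED is returned so the caller can reject the input rather than
 * silently using a cut-off value.
 */
enum read_status read_line(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz == 0)
        return READ_EOF;
    if (fgets(dst, (int)dstsz, in) == NULL) {
        dst[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';          /* strip the newline; the whole line fit */
        return READ_OK;
    }
    /* No newline in the buffer: the line filled it exactly, hit EOF, or was overlong. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;               /* exact fit; nothing was lost */
    while (c != '\n' && c != EOF)     /* discard the overlong remainder */
        c = fgetc(in);
    return READ_TRUNCATED;
}

/*
 * Model of the stack layout the thread discusses: a fixed-size buffer with a
 * control value right after it (standing in for the saved ECX/EBP or the
 * return address that gets() would let the overflow reach). The 32-byte size
 * is an assumption; the video's own buffer may differ.
 */
struct frame_model {
    char name[32];
    unsigned int sentinel;
};

#define SENTINEL 0xdeadbeefu          /* constructed marker, not a real address */

/*
 * Run one constructed input through read_line() as if it came from stdin.
 * Afterwards fm->sentinel still equals SENTINEL for any input length, which is
 * the property gets() cannot guarantee. Returns the read status.
 */
enum read_status demo_read(const char *input, struct frame_model *fm)
{
    memset(fm, 0, sizeof *fm);
    fm->sentinel = SENTINEL;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return READ_EOF;
    enum read_status st = read_line(fm->name, sizeof fm->name, in);
    fclose(in);
    return st;
}

int main(void)
{
    struct frame_model fm;
    /* constructed inputs: a normal name, and a 40-character line (more than the buffer holds) */
    const char *inputs[] = { "alice\n",
                             "0123456789012345678901234567890123456789\n" };
    for (size_t i = 0; i < 2; i++) {
        enum read_status st = demo_read(inputs[i], &fm);
        printf("status=%d name=\"%s\" sentinel=0x%08x\n", st, fm.name, fm.sentinel);
    }
    return 0;
}
```

The point of returning READ_TRUNCATED rather than just truncating is that a program which silently keeps the first 31 bytes still accepts attacker-shaped input; the caller should treat truncation as a rejected line. Note also the exact-fit case (a 31-character line followed by a newline), which fgets() leaves without the newline in the buffer and which naive code would misreport as truncated.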

  • @mandin3141
    @mandin3141 16 days ago +1

    best binary exploitation intro available!

    • @_CryptoCat
      @_CryptoCat 15 days ago

      💜💜💜

  • @chronos3716
    @chronos3716 2 years ago +5

    I'll watch it religiously! Thanks for your teaching videos!

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      Awesome! ty mate 💜

  • @Falcon8856
    @Falcon8856 5 months ago +6

    for those that are confused with the gets() function not working, it was deprecated from C++ 14. Instead use std::cout or std::cin to print and retrieve values from the user.

  • @OnlyVoltsRT
    @OnlyVoltsRT 1 year ago +1

    Hands down the best starter pwn course on entire TH-cam

  • @PinkDraconian
    @PinkDraconian 2 years ago +2

    Great video! Thanks for the little shoutout. I love the style you're taking with this series as well! Will definitely watch all of these!

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      TY and NP bro 💜 your series has been great so far, I'll be following along 😊 TBH there'll probably not be much here you haven't come across already doing HTB/CTFs 😅 I just figured I'd put some pwn challs into a series with a bit more structure because a) I'm a bit embarrassed about the audio quality, tiny fonts and lack of editing on some of the older vids 👀 and b) HTB/CTF chall videos don't do great for views in long term, which I understand lol.. people don't really search for specific HTB/CTF Pwn vids when they want to learn, especially if they have to pay for the binaries in order to follow along 😆

    • @PinkDraconian
      @PinkDraconian 2 years ago +1

      @_CryptoCat I totally get that! Let's hope that both of our series blow some new steam into the world of binexp! (is that an idiom or am I just making stuff up here?)

    • @_CryptoCat
      @_CryptoCat 2 years ago

      @PinkDraconian Haha it's definitely a saying 😁 I agree, binexp is a highly technical field and very daunting when starting out, hopefully we are making it a lot more accessible for people just looking to get started 👊

  • @jorgeduran1401
    @jorgeduran1401 2 years ago +2

    Thanks for this series!!! It will be fun 😉 I'm waiting for the next video.

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      Thanks mate 🥰 Next one on Wednesday 😉

  • @DaniSpeh
    @DaniSpeh 2 years ago +2

    Very nice, looking forward to this playlist

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      Thanks mate 🥰 Will be a couple of videos a week for the next month or two 😉

    • @DaniSpeh
      @DaniSpeh 2 years ago +1

      @_CryptoCat In the meantime I'll watch and rewatch your other videos :D Like your style

    • @_CryptoCat
      @_CryptoCat 2 years ago

      @DaniSpeh Haha thanks bro!

  • @antimatter6728
    @antimatter6728 2 years ago +3

    Wow I was watching your retired HTB pwn playlist, then this video uploaded, super nice! Looking forward to learning more from you

    • @_CryptoCat
      @_CryptoCat 2 years ago

      Thanks 🥰 It will be a lot of the same stuff covered in the retired HTB pwn challenges but more structured and a bit better quality since I was just learning pwn when I solved the HTB challenges, and hopefully have got better at making videos as well since then 😁

  • @CHRISTIVN.OFFICIAL
    @CHRISTIVN.OFFICIAL 2 years ago +6

    Thank you so much for this bro! I have been struggling with binary exploitation and reverse engineering for a couple of years now and trying to understand the GOT, ret2win, ret2libc and all that. I'm thankful that you can take time out to create this. Definitely earned a sub!

    • @_CryptoCat
      @_CryptoCat 2 years ago +2

      Thanks mate 🥰 They are difficult topics to grasp! Even with a CompSci degree and some CTF experience I struggled with a lot of these concepts. Hopefully this series can make it easier for people starting out in future 😊

  • @ayush_panwar1
    @ayush_panwar1 2 years ago +2

    This is going to be awesome, looking forward to further videos.

    • @_CryptoCat
      @_CryptoCat 2 years ago

      Thanks mate, more to come!

  • @franciscolucarini8761
    @franciscolucarini8761 2 years ago +5

    it will be a magnificent course

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      Thanks mate 💜 Nearly all stuff I've covered before in one video or another but I'm really happy with the structure of these and I hope they will be helpful for those just getting started 🥰

    • @franciscolucarini8761
      @franciscolucarini8761 2 years ago +1

      Also for experts, because it is possible that they find something beyond their knowledge, or better explained

    • @franciscolucarini8761
      @franciscolucarini8761 2 years ago +1

      Also it would be cool if you do something about deusx64, also first challenges, these would improve an already magnificent course

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      @franciscolucarini8761 I hope so! Maybe some will be able to show me some new things as well, which regularly happens when I upload videos - it's great for my learning process as well, some questions in the comments teach me as much as the person asking the question 😆
      edit: Somebody recommended deusx64 to me a while ago and I completely forgot about it. Going to add it to the GitHub resources now, TY!

  • @ameer2942
    @ameer2942 2 years ago +2

    Keep up the binary exploitation. Great work

    • @_CryptoCat
      @_CryptoCat 2 years ago

      Thanks mate 👊

  • @zak6820
    @zak6820 2 years ago +2

    Finally, thanks bro, keep up the good work 👍

  • @Venom-ne4ox
    @Venom-ne4ox 2 years ago +2

    Great intro, Thank You!

  • @JoPraveen
    @JoPraveen 2 years ago +7

    The series is going to be awesome ✨

  • @_techwaves
    @_techwaves 2 years ago +2

    great one!
    waiting for other videos 🔥

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      cheers mate 🥰 new one 2mz!

  • @earthlyelder
    @earthlyelder 2 years ago +2

    Thank you for this series bro

  • @ValliNayagamChokkalingam
    @ValliNayagamChokkalingam 2 years ago +3

    Thank you so much!

    • @_CryptoCat
      @_CryptoCat 2 years ago

      You're welcome! 💜

  • @rakshitawasthi6647
    @rakshitawasthi6647 2 years ago +2

    Please start a series on Heap Exploitation as well.

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      This has been on my TODO list for a long time but I need to learn proper heap exploitation first 😂 I will definitely make videos for it when I do though.. I don't really feel like I properly understand things until I can explain out loud so making vids helps me 🙂

  • @youcefkel4743
    @youcefkel4743 2 years ago +2

    i love you for that dude

  • @shadowelite-sec
    @shadowelite-sec 2 years ago +2

    Thanks bro ❤️

  • @livinri0926
    @livinri0926 2 years ago +2

    Awesome bro...

  • @ChandrapalSd
    @ChandrapalSd 2 years ago +2

    I have a doubt.
    Why does overflowing the buffer or stack overwrite the values in a register? Registers are on the CPU and the stack is in RAM.
    Please answer

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      hi mate, basically values are moved between registers and the stack (pop/push/mov etc) so although your buffer is in RAM, when some of these instructions execute, the overflowed data will make it into the registers.

  • @darny9479
    @darny9479 2 years ago +2

    cryptocat ftw !!!

  • @suvidsinghal1365
    @suvidsinghal1365 2 years ago +2

    Hey, can you please share your terminal setup? I really like the color scheme and the looks of your Parrot OS :)

    • @_CryptoCat
      @_CryptoCat 2 years ago

      Here's a screenshot of the theme settings, which I adapted from a DefCon theme I saw on reddit: imgur.com/a/gCnvq8A
      Only thing I'd say is when using certain tools, e.g. LinPeas, the colours won't be very helpful (for identifying what is most vulnerable). Best to keep an OG profile that you can quickly swap to when running certain tools 😉

  • @ragnarok8967
    @ragnarok8967 1 year ago +1

    I have a question: when I try to exploit it using a shellcode injection, EIP is not overflowed, and when I check the assembly output I can see that EIP is pointing to ret. When I get rid of "return 0;" in the code, the code becomes vulnerable? Any explanation? I guess because the return address of the callee is already hardcoded and it's equal to 0? Exit code?

    • @_CryptoCat
      @_CryptoCat 1 year ago +1

      Hey, good question! Actually the function returning a value of zero shouldn't prevent it from being vulnerable.. that's the value being returned from the function but the address it's returning from should be the same, i.e. return to the point at which (well, right after) the function was called.
      I'm not too sure why removing the "return 0" makes your shellcode attack work though, it's been a while since I made these videos. If you figure it out, give us an update for any future viewers who have the same question ☺

  • @razzawazza
    @razzawazza 1 year ago +1

    Your checksec output is different to mine. Mine doesn't show the architecture and isn't in a list view. Any idea why?

    • @razzawazza
      @razzawazza 1 year ago +1

      Nvm, I was using the checksec installed using apt instead of pwntools

  • @cctus
    @cctus 2 years ago +2

    I love you so much

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      d'awww thank you 💜

  • @hva8055
    @hva8055 2 years ago +2

    Sir, which kernel has more tools, Kali or Parrot?

    • @_CryptoCat
      @_CryptoCat 2 years ago +2

      Good question 🤔 I'm not sure which has more tools installed by default. Parrot for example has a few different versions, which come with different tools pre-installed. Most of the core Kali/Parrot tools are the same though and any missing ones should be easy enough to install. Both perfectly good operating systems 😊

    • @hva8055
      @hva8055 2 years ago +1

      @_CryptoCat because my Kali is not working properly so

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      @hva8055 That's actually why I made the initial switch to Parrot, my Kali wasn't working properly at the time (python issues, I spent weeks trying to fix) and I figured if I was going to go through the trouble of setting up a fresh VM, I might as well check out a new OS at the same time 😁

    • @hva8055
      @hva8055 2 years ago +1

      @_CryptoCat thanks sir

  • @crusader_
    @crusader_ 9 months ago +1

    How's your manpage colorized?

    • @_CryptoCat
      @_CryptoCat 9 months ago +1

      It's just a customised colour profile for the terminal, you can check it here: imgur.com/a/gCnvq8A - beware that some tools really benefit from a standard colour profile though, e.g. linpeas, so it's good to create a separate profile that you can easily swap between 🙂

  • @oneloveafrica8860
    @oneloveafrica8860 11 months ago +1

    it's so good

    • @_CryptoCat
      @_CryptoCat 11 months ago

      tyty 💜

  • @Wiredguyss
    @Wiredguyss 2 years ago +2

    ❤️❤️❤️

  • @kamranmammadov2272
    @kamranmammadov2272 2 years ago +1

    How do you make it so that you can run gdb-pwndbg from anywhere? I cloned the repo but cannot run it like you did

    • @_CryptoCat
      @_CryptoCat 2 years ago +1

      I used this to setup PwnDbg/Peda/GEF: github.com/apogiatzis/gdb-peda-pwndbg-gef - Just run the ./install.sh script. I only use PwnDbg these days though personally.

  • @stefanreduction3354
    @stefanreduction3354 1 year ago +1

    How to fix the stray 342 error when I run gcc?

    • @_CryptoCat
      @_CryptoCat 1 year ago

      Hmmm sounds like it could be unicode related: askubuntu.com/a/272744 - did you modify the source code?

    • @stefanreduction3354
      @stefanreduction3354 1 year ago +1

      @_CryptoCat sorry, I don't have much idea about this.. what do I have to edit?

    • @_CryptoCat
      @_CryptoCat 1 year ago

      @stefanreduction3354 np, you shouldn't need to edit them.. did you just try to download and run the binary?

    • @stefanreduction3354
      @stefanreduction3354 1 year ago +1

      @_CryptoCat I didn't edit anything.. and the code is fine actually

    • @_CryptoCat
      @_CryptoCat 1 year ago

      @stefanreduction3354 OK, you shouldn't need to run GCC then. Just try and use the compiled binary 🙂

  • @AutisticBarbie
    @AutisticBarbie 10 months ago +1

    Thank you

    • @_CryptoCat
      @_CryptoCat 10 months ago

      Welcome! 💜

  • @Thirumurug0xan
    @Thirumurug0xan 7 months ago +1

    I'm a new subscriber

    • @_CryptoCat
      @_CryptoCat 6 months ago +1

      Awesome! Welcome 💜

  • @SphereofTime
    @SphereofTime 9 months ago +1

    8:41