32-bit x86 LINUX BUFFER OVERFLOW (PicoCTF 2022 #31 'buffer-overflow1')

48,579 views

John Hammond


2 years ago

Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Comments: 81
@Desker_ 2 years ago
Literally the first content I've seen about buffer overflow that was so incredibly well explained that made me get really interested in learning more about it. This video doesn't even feel like it's 44 minutes long, I could watch way more of you teaching this super interesting stuff
@elijah2863 2 years ago
There are videos that discuss stack overflow / buffer overflow and more variables. Just gotta know what to look for, this information has been out for many many years! Has a lot to do with network administration and active directories. Heck I'm surprised there hasn't been any CTF for buffer underrun. I reported the security threat the second I figured I could gain full privilege to a server and reroute traffic. Sad part is I had no idea about bug bounty programs and since big shot did or else I'd be rich lol
@Joel-gf4zl 1 year ago
@@elijah2863 are you a poorly written bot?
@teodorzhelev7181 2 years ago
My first time ever I understood the whole logic of buffer overflow
@LowPolySkull8303 2 years ago
Thanks John for uploading this writeup. I'm embarrassed to say that I spent 5 days trying to solve this one and looking that the "print" command was to blame, made my jaw drop. Love your content and I have to admit that you've been my inspiration to pursue a career in cybersecurity
@Noflexing100 1 year ago
A unique analogy I like to think of it as is say someone’s normal appetite. They’re normally able to comfortably eat 3 slices of pizza. You feed them 4, they may be able to handle it, feed them 5 they’ll start to feel sick, you feed them 6 and they’ll barf. Meaning you only saw them eat pizza but now thanks to throwing up overflowing, you could see say spaghetti, corn.
@KCM25NJL 8 months ago
The return value has been compromised :)
@joeyshi2114 2 years ago
Fascinating stuff! Really shows how all these different Linux programs can be used to solve and debug a larger problem
@m4rt_ 2 years ago
Thanks for explaining everything in a noob friendly way. I will be forever grateful
@lfcbpro 1 year ago
THIS is what I wanted to learn, great content and explanations, finally understood some of the concepts. Enjoyed the programming walk thru too.
@flying_r1chman577 2 months ago
for the first time I understand what a buffer overflow really is, thank you!
@jorjo1061 1 year ago
Incredible stuff and fantastic explanation, you're a great teacher john
@charliebeaufils9281 2 months ago
You explain it very well! I speak french, and your explanations are clearer than the ones on my main language
@williamperry2074 2 years ago
Great video John, learned a lot and had fun watching. You make it all seem so easy!
@mrhappytroll 2 years ago
This was a good one, learned a lot, been watching all of these in order lol
@shivasijwali6779 2 years ago
This is my first time seeing a buffer overflow and you explained it very well, sir, and I totally get it. Your explanation is always great ❤️😇
@Marc-yy9mo 2 years ago
Fantastic Unreal content John. Could've been 3 hours and still entertaining and informative.
@SnedgeJohn 2 years ago
Great as always! Enjoyed it a lot!
@CesSanchez 2 years ago
Best RET2WIN Beginner Masterclass I've ever seen in KZbin. A massive Thank you for that!
@HAGSLAB 2 years ago
Pretty detailed this one John, should be very good for the beginners. You go through a lot of the standard pitfalls here which is great.
@KarolinaRiddle111 1 year ago
Your knowledge is astonishing!
@GreatLich 2 years ago
This is a good video, I learned how buffer overflows are actually made and what the \x byte characters actually are, thank you.
@sha16 9 months ago
Great video, thank you so much!
@yajusgakhar6969 2 years ago
I usually don't say stuff like this, but I'm a fan of your videos.
@tonyitalia7798 2 years ago
Congratulations. A thousand congratulations. I'm looking forward to Buffer Overflow 3. I've tried everything, but it won't.
@ozorg 2 years ago
great info! thx 4 uploading.
@rsinistic 2 years ago
Excellent video and explanation. Thanks
@georgehammond867 2 years ago
argparse is so hard > you make it look easy, great work from John.
@chadgomez8508 2 years ago
Your vids are awesome !!!
@drewzilla1263 1 year ago
Excellent content! learned a lot on this one. Based on seeing the previous buffer overflow CTF, I tried passing various lengths of strings to the program and did manage to get it to crash, but I didn't know anything about how to get the address to the win function and pass that in. Thanks!
@popooj 1 year ago
Your python scripting skills are always so incredible!!
@petehinch3871 2 years ago
Well explained John
@LoayMatar 2 years ago
Excellent explanation!
@mahkhi7154 2 years ago
The Computer has a Limited Number of PROCESSOR Registers (or Variables) e.g. EAX, EBX. When you Jump to Run another Function, those Registers (Variables) need to be saved on the Stack. The next function can then use EAX, EBX registers or Variables. When the Function finishes and Returns to the previous Function, Variables from the STACK are copied to EBX, EAX and Instruction Pointer, so the previous function can run.
@kobaltauge 2 years ago
This was a very good video. A little bit chunky in the explanation about the stack, but the rest was perfect. One comment. You defined the variable "offset" but forgot to use it. =) Thank you very much for your effort. BTW I didn't solve this challenge during the event.
@shadman1911 2 years ago
Great stuff! This makes me feel extra noob
@abitterberry2149 2 years ago
That was a fun challenge!
@ShootingUtah 2 years ago
I sort of prefer to think of everything in terms of activation records and dynamic links to other activation records. For some reason it's easier to wrap my mind around everything.
@bladesvlogs4965 1 year ago
Melted my brain 😂😂
@DaniSpeh 2 years ago
Exceptional !!!
@AmanPatel-rv2it 2 years ago
At 31 will watch it all !!
@rasraster 1 year ago
Awesome video, loved what you showed. Interesting how big a leap in required knowledge and skill this entailed. Are you sure there wasn't a simpler solution?
@KCM25NJL 8 months ago
A slightly more efficient method of finding the offset is to generate a fairly large string of characters that never repeat the same 2 bytes, pass it into the app that you started with a debugger, then check the EIP register and read out the little endian format of the string. Search for that as a substring of the original string you generated, et voila.... count the bytes prior and you have your offset without trial and error.
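The offset-finding method described in the comment above, as an added example in Python (this is not the video's script and not the commenter's code): build a pattern in which no 4-byte window repeats (the same upper/lower/digit three-character scheme Metasploit's pattern_create uses), then take the value a debugger showed in EIP after the crash, pack it back into little-endian byte order, and find where those four bytes sit in the pattern. The crash value 0x35624134 and the 100-byte pattern length are constructed for the example; 0x080491f6 is the win() address used in the video.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280 bytes: beyond this the 3-char groups repeat


def pattern_create(length):
    """Return `length` bytes in which every 4-byte window is unique.

    Groups of Upper+lower+digit ("Aa0Aa1Aa2...") are emitted in order; because the
    character classes differ at each of the three alignments, no 4-byte window
    occurs twice within MAX_PATTERN bytes.
    """
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} bytes would repeat")
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def little_endian(value):
    """Encode a 32-bit value the way x86 stores it: least significant byte first."""
    return struct.pack("<I", value)


def pattern_offset(pattern, crashed_eip):
    """Offset of the bytes that were loaded into EIP, or None if EIP holds no pattern bytes.

    The register shows the 4 bytes read from the overwritten return-address slot,
    assembled little-endian, so packing the value back with '<I' recovers them in
    memory order; the position of that substring is the distance from the start of
    the input to the saved return address.
    """
    idx = pattern.find(little_endian(crashed_eip))
    return None if idx < 0 else idx


if __name__ == "__main__":
    pattern = pattern_create(100)       # constructed: a little longer than the buffer
    crashed_eip = 0x35624134            # constructed: as read from the debugger after the crash
    print("pattern:", pattern)
    print("offset :", pattern_offset(pattern, crashed_eip))                      # 44
    print("win() address as little-endian bytes:", little_endian(0x080491F6))   # b'\xf6\x91\x04\x08'
```

The same packing step is what CyberChef's endian swap or the "\xf6\x91\x04\x08" string in the video does by hand: the value you read out of the register is already the bytes in memory interpreted little-endian, so reversing it once gives you the memory order back.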
@user-hd3pz2ow1b 2 months ago
thanks
@jacoumata 7 months ago
Great video, thanks John
@abdirahmann 2 years ago
stand up for once so that i can scan that QR code!!, you are killing me! 😮‍💨💀
@mahkhi7154 2 years ago
Buffer overflows exist for speed performance reasons. e.g. What is your favourite number? You could simply check in code that the user only types two characters, to stop the buffer overflow attack. However, you can't do something like that for reading a large XML or HTML file. It will slow things down.
@animzex1257 1 month ago
that python programming was hectic
@earthlyelder 1 year ago
great
@ShootingUtah 2 years ago
Little endian means least significant byte gets stored in the lowest memory address. Big endian means the least significant byte gets stored in the highest address needed for all the bytes or in other words the most significant byte gets put in the smallest address. Just remember little endian is least significant byte goes to lowest address and big endian is reverse of that.
@charlesnathansmith 10 months ago
It just tells you if the "little end" or "big end" comes first. For anyone wondering why on earth little-endian became a thing, it's because it simplifies mathematical operations for the processor. You always start with the least significant byte then carry to the more significant ones, so starting with the LSB in memory avoids having to count over from the beginning of its storage to find the LSB, esp for inc or dec or other small operations that only occasionally will carry
@m4rt_ 2 years ago
So this is where "Stack Overflow" comes from
@liudvikasstankus 2 years ago
can you please do more malware analysis videos
@ThatOldGuyYouKnow 1 year ago
Cyberchef also does endian swapping, so you can just dump in the address (shown as big endian), then it will give you the little endian rep
@smokingone 1 year ago
what were the error codes it gave when it segfaulted? i'm curious as to what exactly happened. the first one gave error 14 in _vuln_ second one was error 6 in _vuln_ and the third was error 14 in _libc-2.33_ , was it a coincidence they had the same number or was it the same error on different programs? is there a way to get more details about an error code when working with something like this?
@AreeshaAftab-kk3nv 6 months ago
I have a question, can this python script be used for other CTFs with of course some modifications
@FunkadelicFeed 1 year ago
38:51 what's “I believe button" ?
@user-uh7lv1ge1i 1 year ago
I have a little bit of confusion on the little endian part. If the stack grows from high addr to low addr, memory address increases towards the high addr, and the return addr is just somewhere above the buf variable, then, when passing AAA....\xf6\x91\x04\x08 to the program, shouldn't it read and store the inputs from the \x08 to the \x41? Like:
low addr                                          high addr
| local var | return address of the function |
\x08 \x04 \x91 \xf6 \x41 ......... \x41 \x00
Then, when the return address is overwritten, it should be the \x00 \x41 being written to the return addr first, rather than the \xf6?
@user-uh7lv1ge1i 1 year ago
And also, why is the address of win() in local the same as the one on the server? shouldnt the win() has a different address to be called in the server?
@charlesnathansmith 10 months ago
Say your function gets called, so the return address gets pushed to the stack and execution transfers to the beginning of your function. ESP is say 0x2000 now, which points to the first byte of the return address in memory. It's a completely bare-bones function that doesn't save the frame pointer or set up any other variables; all it does is subtract 0x100 from ESP, to create a 100-byte local buffer starting at address 0x1900. If you start copying a string to your buffer, the first byte gets copied to 0x1900, the 2nd byte to 0x1901, etc. If you don't do any bounds checking, the 101st through 104th bytes you copy in will go in 0x2000 through 0x2003 and you've overwritten your return address. Discrete numbers the processor saves are stored in little-endian on Intel systems. Buffers are generally copied in byte by byte in an incrementing loop
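The frame layout this reply describes, as an added model in Python (not code from the video and not the commenter's): a local buffer followed immediately by the saved return address, filled byte by byte from the lowest address upward. It shows why the first byte after the buffer, \xf6, lands in the lowest byte of the return-address slot, which in little-endian is exactly the least significant byte of the address, so the decoded return address becomes 0x080491f6; it also shows what a length-checked copy (fgets-style) does with the same input. The buffer size (64), its address (0x1F00) and the original return address 0x08049200 are constructed for the model; \xf6\x91\x04\x08 is the win() address from the video.

```python
import struct

BUF_SIZE = 64                    # constructed: size of the local buffer in this model
BUF_ADDR = 0x1F00                # constructed: address of buf[0]
RET_ADDR = BUF_ADDR + BUF_SIZE   # the saved return address sits right above the buffer


class StackFrame:
    """Model of one 32-bit frame: BUF_SIZE bytes of buffer, then the 4-byte saved return address."""

    def __init__(self, saved_return):
        # Memory order: buffer first (low addresses), then the return address stored little-endian.
        self.mem = bytearray(BUF_SIZE) + bytearray(struct.pack("<I", saved_return))

    def copy_unbounded(self, data):
        """Byte-by-byte copy with no length check, the way gets()/strcpy fill a buffer.

        (gets() would also append a NUL after the input; the model leaves that out.)
        """
        for i, b in enumerate(data):
            if i >= len(self.mem):
                # In a real process these bytes would keep going into the caller's frame.
                raise IndexError("write beyond the modelled frame")
            self.mem[i] = b

    def copy_bounded(self, data):
        """Length-checked copy (fgets(buf, sizeof buf, stdin) style): never writes past the buffer."""
        n = min(len(data), BUF_SIZE - 1)
        self.mem[:n] = data[:n]
        self.mem[n] = 0          # keep a terminating NUL inside the buffer

    def saved_return(self):
        """Decode the return-address slot the way the CPU will on `ret`."""
        return struct.unpack("<I", self.mem[BUF_SIZE:BUF_SIZE + 4])[0]

    def byte_at(self, addr):
        return self.mem[addr - BUF_ADDR]


def overwrite_demo(payload, original_return=0x08049200):
    """Saved return address after an unchecked copy of `payload` into the buffer."""
    frame = StackFrame(original_return)
    frame.copy_unbounded(payload)
    return frame.saved_return()


def bounded_demo(payload, original_return=0x08049200):
    """Saved return address after a length-checked copy of the same payload."""
    frame = StackFrame(original_return)
    frame.copy_bounded(payload)
    return frame.saved_return()


def return_slot_bytes(payload, original_return=0x08049200):
    """The four bytes at RET_ADDR..RET_ADDR+3, lowest address first, after an unchecked copy."""
    frame = StackFrame(original_return)
    frame.copy_unbounded(payload)
    return [frame.byte_at(RET_ADDR + i) for i in range(4)]


if __name__ == "__main__":
    payload = b"A" * BUF_SIZE + b"\xf6\x91\x04\x08"   # filler, then win() in memory order
    print("bytes at return slot:", [hex(b) for b in return_slot_bytes(payload)])  # f6 91 04 08
    print("unchecked copy  ->", hex(overwrite_demo(payload)))                      # 0x80491f6
    print("bounded copy    ->", hex(bounded_demo(payload)))                        # 0x8049200
    print("one byte too many ->", hex(overwrite_demo(b"A" * (BUF_SIZE + 1))))      # 0x8049241
```

The one-byte-too-many case is the partial overwrite the video's crashes illustrate: a single 0x41 lands in the low byte of the slot and the function returns somewhere near the original address rather than to 0x41414141.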
@charlesnathansmith 10 months ago
They gave out a pre-compiled executable with the challenge to ensure it was configured to be based at the same virtual address to make the challenge easier. Since it actually tells you the original return address during operation, you could actually still calculate the right address on the server if it were based differently but not changing from run to run.
@muhammadosama3358 1 year ago
what if the binary was stripped? how will we find the address of the function then?
@fusillator 2 years ago
I don't get why the win function address is the same on both hosts, your local machine and the remote server, couldn't the win function be allocated in different addresses on memory of different hosts (also disabling aslr)?
@fusillator 2 years ago
I think I'm stupid. It will be the same because it's the virtual memory address, and it will be mapped on the appropriate physical memory by the OS.
@HAGSLAB 2 years ago
Well, you're not stupid, because you answered your own question correctly ;)
@fooyager 1 year ago
Because there are protections called PIE/ASLR, which randomize the address, but in this binary the protections are disabled so the address will be the same
@CanadianMason85 5 months ago
Lol I literally just held the "K" button to test if I could overflow it at random and it spit the flag out.
@m4rt_ 2 years ago
40:00 You forgot to use the offset variable.
@GreatLich 2 years ago
Loooooo forgotten but remembered in our hearts.
@DingDong-rc1ox 1 year ago
Someone HELP ME PLEASE........ I type "./ vuln" and then after that it shows this: "-bash: ./: Is a directory". At minute 2:15 in this video...... what must I do?
@animzex1257 1 month ago
Don't give a space after ./ vuln, rather write it ./vuln
@mback3713 1 year ago
Use awk
@PeetHobby 2 years ago
Is this not too easy with the source code?
@muhammadosama3358 1 year ago
The only thing that the source code helped with was the use of gets/buffer size
@fooyager 1 year ago
You can still view the source code by decompiling the binary, but it's not 100% similar to the original source code
@afb9999 2 years ago
Who uses 32-bit x86 in '22
@MsDuketown 2 years ago
It's GNU/Linux. And it's a framebuffer, not a linux buffer. And industry names 32-bit x86 simply Aarch64, so terminology related to hardware and software are less confused with platform and system concepts. So maybe a better name is a Unix buffer. Simple user mistakes by displaced devs but keep up the good work! Just work on your terminology conventions because using it like you do really sucks and kills people. (btw, your graphic terminology sucks even harder but that's not just a typical problem in the USA; it's global.)
@easternplatypus 2 years ago
holy shit, you need to go outside dude, touch some grass fr.
@HAGSLAB 2 years ago
I'm pretty sure mixing up some terminology doesn't kill people 🤣