6: Return to Lib-C (ret2system/one_gadget) - Buffer Overflows - Intro to Binary Exploitation (Pwn)

Views: 13,067

CryptoCat

A day ago

6th video from the "Practical Buffer Overflow Exploitation" course covering the basics of Binary Exploitation. NX/DEP is enabled this time so we can't inject shellcode and expect it to execute. Instead, we'll use ROP to return to Lib-C, specifically libc.system('/bin/sh'). We'll use checksec, ghidra, pwndbg and create a couple of pwntools scripts (x86/x64). Finally, we'll look at the one_gadget tool, which can be used to gain a shell from libc with a single offset, providing constraints can be met! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #BinaryExploitation #BufferOverflow #BinExp #RE #Pwn #PwnTools
Find the binary files, source code and scripts to go with the series @ github.com/Crypto-Cat/CTF/tre...
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
KZbin: / cryptocat23
Twitch: / cryptocat23
↢Binary Exploitation / Reverse Engineering↣
Pwn.College: pwn.college
How2Heap: github.com/shellphish/how2heap
NightMare: guyinatuxedo.github.io
Ir0nstone: ir0nstone.gitbook.io/notes/ty...
PinkDraconian: • Pwn Zero To Hero
More: github.com/Crypto-Cat/CTF#readme
↢Video-Specific Resources↣
github.com/david942j/one_gadget
libc.blukat.me
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
HackTricks: book.hacktricks.xyz/exploitin...
GTFOBins: gtfobins.github.io
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Basic File Checks: 0:20
Linux Permissions (chown/chmod-RWX): 1:25
Review Source Code: 3:08
Summarise Previous Attacks: 3:43
Outline Ret2LibC attack (ghidra): 4:34
Find EIP Offset with GDB-PwnDbg: 6:12
Disable ASLR: 7:37
Locate Lib-C Offsets: 8:28
PwnTools Script (x86): 10:25
Debug with GDB: 12:05
Repeat for 64-bit: 15:28
Find "POP RDI" with Ropper: 15:56
PwnTools Script (x64): 16:30
Importing Lib-C into PwnTools: 17:41
ROP Automation with PwnTools: 19:31
One Gadget Tool RCE: 20:01
End: 25:01

Comments: 91
@_CryptoCat 2 years ago
Another example of ret2lib-c attack, from a real CTF: kzbin.info/www/bejne/h2a7qWaXgpWWi6c
@meleksalaani4911 2 years ago
you know I'm a crypto guy and pwn stuff was a mystery until I began watching your videos. keep up the good work
@_CryptoCat 2 years ago
awesome! thanks mate 🥰
@xenorev A year ago
glad that i found this channel. thank you for the clear and great explanation.
@_CryptoCat A year ago
thank you 🙏
@user-ci4it4yp9v A year ago
Thank you for such an amazing share. But I'm confused: I modified the libc_base, pop_rdi, and binsh according to my local system, but it didn't work. I ran gdb to debug the program, and can only get a SIGSEGV at this step: movaps xmmword ptr [rsp], xmm1; and the rdi register has the "/bin/sh" string.
@user-ci4it4yp9v A year ago
After searching similar issues with Google, I found that the xmm0 instruction will check if the stack is aligned. I added p64(RET_ADDR) after the padding, and it succeeded. Here is the code:

    payload = flat(
        asm('nop') * padding,  # Padding up to RIP
        p64(ret),              # Extra 'ret' gadget to realign the stack
        pop_rdi,               # Pop the following address into the RDI register
        binsh,                 # Address of /bin/sh in libc
        system,                # Address of system function in libc
    )

I got ret using this command learned from this video: ropper --file secureserver --search "ret"
@_CryptoCat A year ago
Nicely done! Stack alignment issues come up a lot, there's some explanation here: ropemporium.com/guide.html#Common%20pitfalls
@rockedwow7217 11 months ago
@@user-ci4it4yp9v this actually helped me. thanks
@servomekanism8505 9 months ago
Thanks!!
@elevatecyber5031 2 years ago
Awesome video. This is my go-to channel for reverse engineering/binary exploitation walkthroughs!
@_CryptoCat 2 years ago
Great to hear! thanks mate 🥰
@MantisSTS 2 years ago
Hey dude, awesome video. I will have to catch up on the previous videos! Keep up the great work
@_CryptoCat 2 years ago
thanks mate 🥰
@azeemkhan9901 2 years ago
When we use ldd, that gives us the address of the library locally; is there a way to get it remotely? I have seen how you use the readelf -s command on libc to get the offsets and then calculate by subtracting, but for some reason I am not getting a base address ending in 000, which is driving me nuts.
@_CryptoCat 2 years ago
yes! once you get things working locally, you can run your exploit against the remote server and when you leak a lib-c address e.g. puts(), you can use the lib-c DB (blukat) to identify the correct version (and offsets). It's explained in the next episode 😉
@jasonmatthewhillman9973 2 years ago
Question: If we are faced with a challenge where we are provided a copy of the libc library, how can we ensure that when we run the binary it uses the custom libc? I see in the video how you were able to pass libc to pwntools, which is awesome, but I am curious how we might do so at the command line. I have tried using LD_PRELOAD and LD_LIBRARY_PATH, but when I then run ldd to verify the libraries that the binary is using, it throws a couple of errors (i.e. ./libc.so.6: version `GLIBC_2.33' not found (required by /bin/bash)). I figure there must be a semi-standard workflow for this sort of thing, and with the CyberApocalypse 2022 event coming up, I want to be as prepared as possible. Thank you!
@_CryptoCat 2 years ago
hey, i recommend patching with github.com/io12/pwninit - i modified the script a little bit since i don't use the template it produces, but it will patch the binary to use the libc in same directory 🙂 with cyberapocalypse coming up, one thing i'd say is nearly every CTF there's a couple of pwn challs where my ret2libc,shellcode,rop etc scripts only require a few line changes 😉
@jasonmatthewhillman9973 2 years ago
@@_CryptoCat This is excellent! I'll get to patching! This really is an excellent series my friend, and I recognize just how much time has gone into learning what you are presenting here so masterfully. Your efforts are sincerely appreciated, and your desire to share speaks volumes to your character. Very classy and an excellent example for the rest of us who want to learn, grow, and go on to share with others as well. Blessings and good tidings.
@_CryptoCat 2 years ago
@@jasonmatthewhillman9973 awww such kind words, thank you mate 🙏🥰
@r0075h3ll 8 months ago
13:57 Cleared my silly doubt on the difference between offset and memory address.
Offset: A relative location from an address to the function
Memory Address: The exact location/address of the function
0xf7dba000 is the memory address where libc is loaded into main memory. We only have the offset of system() and "/bin/sh", and so we calculate their memory addresses by adding their respective offset to 0xf7dba000.
0xf7dff040 (system's mem addr) - 0x45040 (system's offset) = 0xf7dba000 (libc's mem addr)
@r0075h3ll 8 months ago
Adding to this, the OS doesn't always load all the instructions and globals in an executable at the same memory addresses. PIE, or Position Independent Executable, is an executable in which the functions and variables are referenced using relative addressing (%rip) instead of absolute addresses. To make this happen, the OS doesn't recompile the program every time with different addresses; it simply chooses a different starting point for an instruction, and then the rest of the instructions are loaded relative to that starting point, a.k.a. the base address, and this is where offsets come into play.
@UcheMark-hp1rl A year ago
Great Video As Always Thanks 😃
@_CryptoCat A year ago
🙏🥰
@anntakamaki1960 8 months ago
You overwrite EIP with the address of “system” function. However, later in the payload, you put the address of “/bin/sh”. Would the address of “/bin/sh” be an input to the “system” function?
@_CryptoCat 8 months ago
You got it! 🙂
@AidinNaserifard 2 years ago
Thanks for sharing mate👊
@_CryptoCat 2 years ago
cheers bud 👊
@anntakamaki1960 8 months ago
To clarify: with PIE or ASLR, the base address of libc changes, but the offsets to the different functions don't change, right?
@_CryptoCat 8 months ago
Exactly! 💯
@TalsonHacks 2 years ago
At 11:21, you've put a padding for ret as 0, but doesn't that make the program try to go back to address 0 and continue the execution? Or is that just how it works in 64-bit systems? I know, so many questions, still learning xD. And great video as always!
@_CryptoCat 2 years ago
Oooft good question! This caused me confusion for a while also xD You're right, it would make it return to 0x0; if this were a web server or some service which we didn't want to crash after our shell exits (to avoid detection), we'd want to return to a valid address (e.g. main). 64-bit is essentially the same format except the parameters are taken from registers rather than the stack. If we want the program to continue (x64) we might set up a payload like: [padding, pop_rdi, bin_sh, system, main]. To accomplish the same thing in x86 we'd want: [padding, system, main, bin_sh]. The address we want to return to (return pointer) comes after the system() call in both payloads; the only difference is how the parameters are taken: in x86 they are read from the stack after the return addresses, for x64 they must be popped into registers before the return addresses. Hope this makes sense, here's a couple of resources that helped me get my head around this: ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/calling-conventions and zhu45.org/posts/2017/Jul/30/understanding-how-function-call-works/#calling-a-function
@TalsonHacks 2 years ago
@@_CryptoCat Okayyy, got it now. Thank you so much! 💜
@rockedwow7217 10 months ago
Is RDI similar to RIP? Like, are they the gadget responsible for holding the next instruction?
@_CryptoCat 10 months ago
RDI is similar to RIP in that it's a 64-bit register in the CPU. However, RDI is not used for instructions - it's the first register used to take parameters, e.g. if you call a function that requires a single parameter, you'll want to first make sure you "pop" the parameter off the stack, into the RDI register. If you have multiple parameters, you'll use other registers as well, e.g. RDI, RDX, RCX, R8, R9 😉
@ekadani5335 A year ago
I tried to compile the source code by myself, but I am missing the POP RDI gadget. Why didn't my binary have the POP RDI gadget? I only get the POP RBP gadget after checking with the ropper. This problem occurred not only in this exercise but also in others when I compiled the source code. Because of this issue, I am unable to reproduce the scenario on my own and must rely on the binary provided.
@_CryptoCat A year ago
What OS/architecture is your VM? How about your host machine?
@ekadani5335 A year ago
@@_CryptoCat I use the latest update of Kali Linux (Debian).
@_CryptoCat A year ago
@@ekadani5335 Hmmm a Kali Linux VM inside a Windows host or the host PC is just running Kali? Sometimes for binary exploitation challenges there can be variations due to compiler differences, maybe the GCC version is different. I'm surprised pop RDI is missing though as it's a very common instruction 🤔 It is possible to manually add the instruction to the C code, this is often done in challenges, e.g. ROPEmporium where they create "usefulGadgets" for the player to use when solving.
@ekadani5335 A year ago
@@_CryptoCat I use Kali Linux as my host OS. My GCC version is 12.2.0. Do you know how to manually add the instructions?
@_CryptoCat A year ago
@@ekadani5335 Sure, you can see an example in the 32-bit code where I had to add a JMP ESP instruction: github.com/Crypto-Cat/CTF/blob/main/pwn/binary_exploitation_101/06-return_to_libc/32-bit/secureserver.c I'm a little confused why the 64-bit code isn't compiling with a "pop RDI" gadget still because the puts() and gets() function calls both require an argument be moved to the RDI register, can you see what instruction the compiler is using to accomplish this? If you can find that instruction, you can probably use it in your exploit instead of "pop RDI".
@ValliNayagamChokkalingam A year ago
Awesome as always! I want to learn about pwntools scripts in a bit more detail (your explanation was really good). Could you suggest some good resources?
@_CryptoCat A year ago
Cheers mate! Some good info here: github.com/Gallopsled/pwntools-tutorial#readme and in the PwnTools docs but I do find them lacking a little. I often pick up on new techniques from CTF writeups that weren't clear in official docs.
@ValliNayagamChokkalingam A year ago
@@_CryptoCat Thank you!
@anntakamaki1960 8 months ago
17:07 Hello sir, we have no-operation pointers until the RIP; however, after that we pop_rdi. So I get this is to ensure that "binsh" gets put into the RDI register. However, wouldn't this end up overwriting RIP with pop_rsi? I thought we had to put the address of system into RIP.
@_CryptoCat 8 months ago
Hmmm where's the pop_rsi bit coming from?
@anntakamaki1960 8 months ago
@@_CryptoCat sorry, I meant pop_rdi, it was a typo.
@_CryptoCat 8 months ago
@@anntakamaki1960 Ah gotcha! These instructions execute in sequence, so when we send through that payload it's actually executing 72 no-operation instructions, followed by a pop_rdi instruction. The pop_rdi instruction will take the next value off the stack, put it in RDI, then increment the instruction counter so that the next instruction to be executed will be system(). After that, you might have some other instruction, e.g. to return to main(). Hope that makes sense! ☺
@anntakamaki1960 8 months ago
@@_CryptoCat I just went through my notes for your "ret2win with parameters" video, and it seems that with 64-bit that's just how you have to do it. Just one more question: in your previous reply you said that the 72 no-op bytes are executed. Why is that? Since we are not pointing RIP to the stack, and NX is enabled as well? But I understand how system() gets called with the /bin/sh parameter now.
@_CryptoCat 8 months ago
@@anntakamaki1960 Ooops sorry, good point + well spotted, I didn't review the video, just the payload. You're right, the NOPs are just filler here, padding our way to RIP so the first instruction to be executed will be the POP RDI 🙂
@ekadani5335 A year ago
Sir, I have an issue with 64-bit ret2libc. I have disabled ASLR and set the libc address, system, and binsh. But the exploit didn't work. I got a general protection fault in dmesg. Do you know the problem, sir? The 32-bit ret2libc exploit works well, but not the 64-bit ret2libc.
The solution: Now the 64-bit ret2libc works well after I added a return address after the padding. Thank you for providing the material, Sir. You're great
@_CryptoCat A year ago
Excellent, nice work solving the issues! 🙂
@adrielpupo4116 A year ago
I feel like teaching us how to do it with ASLR enabled would be more helpful; we can't just disable it all the time.
@borovicka_ A year ago
facts for real tho
@_CryptoCat A year ago
I've got loadssss of videos covering more advanced cases, just tried to simplify this as much as possible for newcomers. You can check this one for a full example: kzbin.info/www/bejne/h2a7qWaXgpWWi6c - there are also more advanced examples later in this series, e.g. episode 8 will look at leaking PIE + Lib-C
@KK-yv4ku 10 months ago
Hey Man! I have questions (as usual, sorry😅)
1) I'm not able to get a shell with the payload from the script when used manually (./secureserver < payload). What could it be? (Using the pwntools script works great and gets the shell)
2) If I want to write it manually, how do I add the null return pointer in python2?
3) I'm doing another exploitme, really similar, but it gets the arguments on the command line (./exploitme argument). I know I have to change the io.sendlineafter. Tried io.sendline(b,payload) and io.sendline(payload) but none of them worked... Any idea?
Sorry again for being a pain in the ass, but I'm really hooked on your vids, gotta understand everything. Love u bro.
@_CryptoCat 10 months ago
Hey, thanks mate!
1) Not sure what the issue could be here; assuming you are doing everything as in the video, it should work..
2) Unfortunately you can't! When you add \x00 null bytes and try to print in the terminal they won't show because null is the string terminator, e.g. if you have \x41\x41\x41\x41\x00\x00\x00\x00\x42\x42\x42\x42 then it will only print AAAABBBB.
3) Wow, it's been so long since I did a pwn chall that takes params when executing the binary xD You should just be able to pass the params when you launch the program, check the docs here: docs.pwntools.com/en/stable/tubes/processes.html
@davidlightman4929 2 years ago
Could you talk in a future video about how to build a payload while satisfying the constraints for one_gadget plz? Thanks a lot anyways :)
@earthlyelder A year ago
Another banger
@_CryptoCat A year ago
👊
@akramsalim9706 A year ago
Nice mate
@_CryptoCat A year ago
cheers mate!
@onemoment5850 2 years ago
Thank you.
@_CryptoCat 2 years ago
🥰
@ameer2942 2 years ago
I am not gonna buy you a coffee, imma buy you a whole coffee shop. 👊
@_CryptoCat 2 years ago
awww thanks mate 🥰
@markuche1337 A year ago
Do all x64 binaries have an address for pop rdi? Because I tried performing ret2libc on a binary I am testing and it turns out that it's only pop rdi that is missing. By the way, love your videos 🤟
@_CryptoCat A year ago
Thanks mate! Someone else asked this a couple of weeks ago so I'm assuming a compiler update has changed the default instructions used. If you scroll through the comments of this video you should find it - they also tried to compile this challenge and got no "POP RDI" instruction, IIRC the string was loaded to the RAX register and then MOV'd from there to RDI 🤔 In general, if there's no POP RDI, you'll need to find another solution. However, for challenges like this you can manually add the POP RDI instruction to the code to ensure it shows up 😉
@markuche1337 A year ago
@@_CryptoCat Thanks
@MrGhost-pj8lf 20 days ago
@@_CryptoCat Currently I have one challenge file from a CTF; it also has exactly the same security and functions as the video, but the only thing missing is pop rdi. When I do a ropper search there is no pop rdi
@wwmik 2 years ago
thanks
@_CryptoCat 2 years ago
💜
@darkpaladin5664 2 years ago
nice
@_CryptoCat 2 years ago
ty 💜
@Big_Boy_Biggins A month ago
Your malware has affected my computer
@_CryptoCat A month ago
Please tell me this is a joke? 🙏😂
@Big_Boy_Biggins A month ago
@@_CryptoCat no a former manager was high and did this to me
@_CryptoCat A month ago
@@Big_Boy_Biggins Hmmm OK just so we're clear, none of these exercises contain any malicious code that could be defined as "malware" 😝
@rockedwow7217 11 months ago
My exploit doesn't work... I entered gdb and found this in the RSP: 0x7fffffffddf0 -▸ 0x7ffff7f62031 ◂- 0x68732f6e69622f /* '/bin/sh' */ I modified the binsh location and reused the python script, and noticed that the value in the RSP changed, so I know the problem lies either in the binsh or system (since it follows after binsh). I have modified the location of the binsh and system to what I have on my system and it still doesn't work. I'll keep looking for a solution.
@rockedwow7217 11 months ago
I managed to fix it looking at a solution in the comment section, but why did I find the string of bin/sh in my RSI instead of RDI?
@eduardcorlan99 11 months ago
@@rockedwow7217 I have exactly the same problem. I managed to get the location of system, and I also got this thing for binsh: 0x7fffffffddf0 -▸ 0x7ffff7f62031 ◂- 0x68732f6e69622f /* '/bin/sh' */. How did you manage to do it?
@eduardcorlan99 11 months ago
Nvm, I found your comment above, and got the solution 🤩
@_CryptoCat 11 months ago
Each time Lib-C is updated, the offsets can change! That means that the offset of "/bin/sh" and the offset of "system()" will vary depending on your specific lib-c version. For that reason, when you do pwn challenges, you'll often need to get the exploit working locally first and then try and work out the version of lib-c on the remote server and update all your offsets accordingly. You can use a site like libc.rip to assist with this process. I also cover how to do this in many of the CTF pwn walkthrough videos, e.g. kzbin.info/www/bejne/h2a7qWaXgpWWi6c