6th video from the "Practical Buffer Overflow Exploitation" course covering the basics of Binary Exploitation. NX/DEP is enabled this time, so we can't inject shellcode and expect it to execute. Instead, we'll use ROP to return to Lib-C (ret2libc), specifically calling libc.system('/bin/sh'). We'll use checksec, Ghidra and pwndbg, and create a couple of pwntools scripts (x86/x64). Finally, we'll look at the one_gadget tool, which can be used to gain a shell from libc with a single offset, provided its constraints can be met! Write-ups/tutorials aimed at beginners - hope you enjoy 🙂 #BinaryExploitation #BufferOverflow #BinExp #RE #Pwn #PwnTools
Find the binary files, source code and scripts to go with the series @ github.com/Crypto-Cat/CTF/tre...
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
KZbin: / cryptocat23
Twitch: / cryptocat23
↢Binary Exploitation / Reverse Engineering↣
Pwn.College: pwn.college
How2Heap: github.com/shellphish/how2heap
NightMare: guyinatuxedo.github.io
Ir0nstone: ir0nstone.gitbook.io/notes/ty...
PinkDraconian: • Pwn Zero To Hero
More: github.com/Crypto-Cat/CTF#readme
↢Video-Specific Resources↣
github.com/david942j/one_gadget
libc.blukat.me
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
HackTricks: book.hacktricks.xyz/exploitin...
GTFOBins: gtfobins.github.io
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Basic File Checks: 0:20
Linux Permissions (chown/chmod-RWX): 1:25
Review Source Code: 3:08
Summarise Previous Attacks: 3:43
Outline Ret2LibC attack (ghidra): 4:34
Find EIP Offset with GDB-PwnDbg: 6:12
Disable ASLR: 7:37
Locate Lib-C Offsets: 8:28
PwnTools Script (x86): 10:25
Debug with GDB: 12:05
Repeat for 64-bit: 15:28
Find "POP RDI" with Ropper: 15:56
PwnTools Script (x64): 16:30
Importing Lib-C into PwnTools: 17:41
ROP Automation with PwnTools: 19:31
One Gadget Tool RCE: 20:01
End: 25:01