this is a sick tip thanks buddy

I love you

I wonder why pwntools isn't doing that by default. It makes things a lot easier

exactly ;)

I've struggled to understand why it is that simply because the address is the last thing printed that it means the address is positioned at the top of the stack, and this is the only comment that seems to address this issue. I can see that placing more items on the stack shifts the value that the "%x " will print out down the positions on the stack. Eventually, the value printed will fall within the range of values in the first argument supplied to the program, and the exact number of characters supplied can be manipulated to position the target pointer. But just because the target pointer is the last value printed doesn't mean its anywhere near esp. In fact, when using gdb, esp seems to be at 0xbffff5d0, while the final address that the target pointer is set at is somewhere around 0xbffff7f0.

@@ponysopher First off, the challenge was not to modify ESP. The challenge was to modify the variable called 'target'. Nothing is being 'overflowed'. Instead, memory is being leaked, and allows the %n feature to be exploited to overwrite a variable. That is what the success message came from. Next, the address of target is not at the top of the stack. The address is somewhere above the 'main' stack frame, with argv.

that's just because the leading zeroes are not printed: 0x00004141 -> 4141

@@LiveOverflow lol XD

Also, what's with the last function you were writing at the end?

@@jag831 the function at the end is used to get a string of the same lenth, this is used to keep the stack fixed

kmlh

Please help me. I'm still stuck with echooo :(

@me on discord pulkit.singhania#9456

Cap

Hello, tôi cũng mới tìm ra kênh này :))

@@huyvuquang2041 :v

I showed in the video what the input is. It's "AAAAAAAA %x %x %x %x %x %x..." ... so the 20782541 is the "%x %x" stuff. And there are 8x 41 in there. and 41414100 is actually in memory looking like this: 00 41 41 41, so it just means the string doesnt start aligned, there is a nullbyte at the start of it :)

LiveOverflow Thanks! :) The tutorials are awesome by the way! No other tutorials come even close to yours :)

little endian

@@LiveOverflow xx se need overwrite

I thought about this problem too. and I figured it out, it is just because four A or eight A are not neccessarily placed aligned on the stack for no special reason. XD

how did you solve it?

Same

\x38 at first is for the purpose of little endian (reverse ordering of address)

I think it does not matter if the format string is read from lower address or higher, the important thing is that when it is represented by %x, it will be ordered in little endian. But the order you write the address in print(python) is important, because I assume it writes the address first to lower address then to higher

I think that it is kind of system protection, where it start with variable length of the stack.

You can use the Vm of the book "The art of the explotatio " nostarch.com/hackingCD . Test with it

Did you compile it yourself? are you using the VM? The input is placed on the stack, so if you break at the correct point, you can find your input AAAA on the stack. Maybe you break at the wrong point when you do the x/500x $esp?

Hi, I didn't get the consecutive '41's either, and I was doing this experiment on a VM virtual machine. Is that due to VM?

I don't quite understand what you mean with "clips at 500 chars"? I think what you are referring to was me trying to say, that format strings are sometimes ugly to deal with and keeping a constant size input makes it easier. That's why I make sure my input is always 500 chars. But you can also make it bigger or not clip at all. So you can ignore that too. does that answer the question?

Hello - thanks. I am at the point where I need to decrease slowly the value 400 (in my example shown) however if I run the application multiple times and do not change the value 400 - all of the values on my screen change. Sometimes 0 0 0 0 0 and sometimes 25207825 20782520 78252078 - but not consistent. The system is 64bit and is maybe ASLR stopping me? ./program "`python -c "print 'AAAA'+'\0x00\0x34\0x0b\0x60'+'BBBB'+'%x '*400"`" thanks for these videos - amazing work

Try compiling the source with `--no-pie`. Your toolchain may have been built with PIE set to default.

this didn't help me

I don't know much about video editing, but I guess he just put a picture over the clip and used an effect.

$ ./rabbit

fra per favore come hai risolto, ci sono fermo da 2 giorni su sta stronzata

@@education4454 sinceramente non riprendo in mano sta roba da un botto e non mi ricordo per niente, mi dispiace

@@education4454 hai risolto? lol

@@education4454 quindi?

yep, whenever you do one %x it increments the internal pointer of printf (this is meant to point to the given argument, but if none are supplied it reads from the stack). You could do something like %50$x to increment the pointer by 50 places to read the value of the [ESP+50].

@@cyber1377 wouldnt %50$x mean that it takes the argument at [ESP+200] since printf points at the first four bytes when %x and the second 4 bytes when %2$x

@@uuuuuhhlettuce3909 ye i got it wrong, since each address is 4 bytes it would actually be 50*4

%64d is similiar to 'A'*64

thanks!

Because %n is using to write into a variable address that is placed on top of the stack. Therefore if we place on top of the stack an address (the address of our target value) %n will modify it.

Ok, I take it back, seems like that's not an issue when hacking ^^

@@kim15742 If you mean that is referring to an undeclared variable it is actually declared above the vuln function as a global variable, I didn't see it at first too, if you're meaning that doing if(_int_variable) is undefined behavior it is actually a C legal instruction: 0 is false and non zero is true

If(variable) means if(variable != 0) and the opposite if(!variable) means if(variable == 0). Widely used syntax but a bit misleading if you don't know it.

how to did he just print the variable's memory address and write to it if he just had written it himself

@@yaseen_elolemy What he was searching for was the ability to call: `printf("...some characters... %n", &target)` which is equivalent to `printf("...fewer characters... %x %n", 0, &target)` `printf("...even fewer characters... %x %x %n", 0, 0, &target)` `printf("...a couple of characters... %x %x ... more %x ... % x %n", 0, 0, ..., 0, &target)` Now, the point is that you can get printf to read deeper and deeper (shallower and shallower?) in the stack for more "function arguments" by adding more and more %x, until printf is looking for its next argument at a location in memory that contains the value equal to `&target`. Once you have something that behaves like `printf("...some characters... %n", &target)`, then that printf call -- according to the printf specification for %n -- will basically do this: `*(&target) = strlen("...some characters... ")` This changes the value of target to some non-0 value. (It's probably been set to something closer to 4 + 4 + 5 + 8 * 127, since that's approximately how many characters have been printed out by printf before consuming the %n, but this attack only cares that it's not 0.)

for a different perspective, for those of us just coming to grips with format strings... @@yaseen_elolemy think of how the entire runtime stack looks once we enter printf: Lo-mem Hi-mem [printf stack frame] | vuln-ebp | vuln-eip | string (argv[1]) | [vuln stack frame] | main-ebp | main-eip | argv[1] | ...stuff... | target-address think of consecutive %x specifiers as popping values off the stack to read - note that is not what actually happens, of course, just consider it this way for a minute. with the correct number of %x "pops," we are tricking printf into thinking we pass it an address to write the %n to

@@nez14526 Thanks, ur explaination is pretty clear. Btw what is \x08 at 9:18 for?

I am assuming that you are talking about the objdump command? In that case it is most likely because you are compiling with 64-bit c so your addresses are twice as long. You can compile to 32 bit binary tho just look up how to do it

Plenty of real world software that did that. Just search for CVEs related to format string vulnerabilities

@@LiveOverflow Yeah, "did" is the right word. Because as this vulnerability became known, I don't suppose anyone still does.

lol. If this is how it would work, then there would be no need for security reviews anymore :D of course these issues are still found

@@LiveOverflow Can you provide any recent example instead of loling?

64bit hat eine andere calling convention. Und ich weiß auch nicht was der compiler auf dem neuen ubuntu baut. Du solltest die VM nutzen, sonst wirds am anfang schwer. You should checkout episode "Buffer overflow on a modern system impossible? stack0: part 1 - bin 0x21"

Hallo LoF habe wahrscheinlich rausgefunden wo das eigentliche Problem besteht, ich habe komische Werte auf Windows 10 Running VM workstation 12 , habe das gleiche auf Virtual Box mit windows 7 64 Bit getestet und da funktioniert es einwandfrei.

then you don't know where to write?

This time is "read", for example, the CTF challenge wants us to read variable without giving us source code or binary file, what should we do?

you can use the format strings like %x %x %x etc to leak values from the stack. Maybe the variable is there. Or at least the address of the variable.

I'll try , thank you so much :)

You compile the source?

@@NotStirred9 Or the source. Not everything is open source

@@MauricioMartinez0707 So you want to exploit something, without having it?

@@NotStirred9 Well generally the point of exploitation is to gain access on a machine that is not yours, so yeah. That's the idea

You're an idiot

if you look closely that x08 isn't even in the python -c print (it's not being supply to the program) I think it's just an artifact on the terminal since at the start it came up as \x08, which is ASCII for backspace.