About that FS register. Segment registers are used to form linear address from a virtual. Virtual address is a full form of addressing, which goes like seg:offset (10:6455, cs:rip). There are six segment registers: cs - code segment, ds - data segment, ss - stack segment, and three additional es, fs, gs. The default data segment is ds, but can be overrided within an opcode prefix to es, fs or gs. Also, the processor fetches the instructions not just from rip, but cs:rip. Same for the stack, it's not rsp, it's ss:rsp. Those segment registers hold the selector in the global or local descriptor table. Among with the other segment attributes (like current ring) they specify a base and a limit of that segment. Which means you can specify ds to start from linear address 0x10000 and have a limit of 0xffff, so you can address with ds:123 to be pointing to a linear memory at 0x10123, and you can access up to ds:ffff. This can allow segmenting a program in a single virtual address space. Modern operating systems don't care about segmentation and use paging for address space separation. So cs, ds, ss describe segments which start at 0 and have a limit of 4 gb - that's full 2^32 of addresses on x86. On x64 segmentation doesn't care about base and limit at all. But! You have a per-thread structure - a stack, in a hardware it is implemented via using rsp register, right? But what if we need another "more constant" structure for a thread? OS's used TLS or TEB as a separate segment - fs. It's base is selected by the kernel when a thread is created. So every thread can execute smth like mov fs:[0] and be sure that it is pointing to it's private data. x64 even reserved fs and gs registers to be theated specially - they have a non-zero base, it's for the OS's could implement their TLS. Why exactly fs? Well, ds is defaulted for data fetches, es is reserved for string ops like 'stosb', which should have the same base as ds to operate as we expect. So the next spare segment register is fs. As simple as that. gs may also be used, in fact it is used for x64 TEB on x64 windows, while fs is used for 32-bit TEB for compatibility reasons.

It took a lot to get my head around assembly, but now I understand it, it's so easy (within reason)!

I'm folowing you since month, and i finally make a comment. This is definitely the BEST stuff I've ever seen. Thank you so much !

Your videos are such high quality. Thank you for taking the time to discuss topics thoroughly. I look forward to understanding binary exploitation, thanks to all you've done!

Damn. A whole video answering my question I've asked a couple of month ago on another your video.

Segmented registers: In the old days, when computers had segmented memory, these registers would point to various memory segments. CS pointed to code segment, DS data segment, SS stack segment. ES, FS, and GS are just extra general purpose registers. Modern computers don't use segmented memory any more, so these registers are now a days used for paging information, threading information, and other information. Modern computers use flat memory instead of segmented memory. We no longer have DS, ES, or SS in x64! CS, FS, and GS are still here! This is because all modern 64-bit computers use flat memory model.

Du bist der einzige Mensch bei dem ich Angst habe, dass er aufhört Videos zu machen, weil man dich nicht ersetzten kann ^^ Es hat schon viel zu lange gedauert dich zu finden.

My professor told me segment registers stores indexes of entry’s in the global descriptor table , and the highest 13 bits are segment selectors and the last 3 bits are CPL

Segmentation registers are used to hold segment selectors wich contain the index that must be used to access the GDT to find the segment information. Three of these registers are special-purpose registers cs, ss and ds (respectively code segment, stack segment and data segment for the current process). The cs register has also the information about the current privilege level. For each of these registers, there is an associated non-programmable register that holds the segment descriptor to avoid the access to the GDT. That offset is summed to the base address of the segment retrieved from the segment descriptor (an entry of the GDT). If I'd made some errors in English I'm sorry.

That intro and outro sound was made by you? If yes then good job! It's really cool and somehow matches the content of the series :P

Recommended reading related to this video: www.elttam.com.au/blog/playing-with-canaries/ It explains thoroughly stack canaries on modern Linux and how it can be played with :) And probably the most comprehensive intro to x86 segmentation: duartes.org/gustavo/blog/post/memory-translation-and-segmentation/

Great video as always! I have so many questions... I might "borrow" your video and talk over it with my questions and where I got confused and see if any charitable soul takes pity on my stupidity and helps my out lol. Of course first I'll have to try it out for my self. Keep these videos coming, you're doing a great job bro 👍

you know a good teacher when he admits that he doesn't fully understand about a subject instead of pretending he knows. Anyways, I still wish I had 10% of your knowledge 😞

how about ROP as bin bin 0x22 ? would be the next step in exploitation methinks great video, really fascinating stuff also I am amazed that were only talking bypassing the stack canary here, bypassing ASLR is a whole new wolrd of suffering

Explained very well, Do you mind telling me what kind of experience you have? Throught out yoyr life possibly? Nothing personal I just want to get an idea, ive been watching more of yoyr videos I find myself spending a lot of time doing so

if it is intially reading the stack cookie from "fs:0x28", why do we have to guess it later? can we not just read it from there again? Or will that create a new, random, stack cookie? I tried checking what it does, but if I try to access fs:0x28 (checked it's the same on my system by disassembling something first), I can't get it to compile, or it segfaults when it gets there :/ (not much experience with assembly language though :p)

2:53 i tried to reorder variable but it does affect the assembler code, and also i noticed that when program ends with exit(0) instead of return 0, then program don't check for stack cookie(if its changed or not) at the end though it declare it on the starting.

Modern problems requires modern solutions

Mate, is it possible to code something like this with a GUI for remote access attacks? Looking to code something to put in my GIT, probably way beyond my skills but we have to aim for something ;)

i don't understand how the integer at ebp -54 is before the buffer at ebp-50 on the stack? In this case isn't it after? The stack grows downward right?

... I search on your channel for protostar videos... 😢 But no found

Yep, it's time to learn assembly.

echt extrem interessanter kanal, viel zu spät entdeckt

wouldn't it make more sense if each buffer had a 'cookie' at the end and if they were all compared

This may be a dumb question, but do you guys think the attack surface for penetration testers is getting smaller as time passes? It seems like there are so many different kinds of protections in place these days that it just keeps getting harder and harder

Nice video! can you do more things like websecurity?

To be clear, you could just debug the application to see what the cookie value is being matched against? That this buffer overflow stuff is just for fun, but far less effective than just debugging.

64-bit is very hard against any issue, so besides the bruteforcing part it might not even be possible.

can the aslr be exploited using the random exploit :)? may be it's a stupid question but that what comes to my mind right now

I watched one of Gynwael vids, and want to ask if Time based bruteforce of cookie byte by byte is possible on x64, or will it be too fast to record, like if u guess first byte, you try to check second byte, which means, that execution of process is longer, which means you probably guessed first byte right ?

Woooop Wooooop nice but would like to see CFG and other windows protection.But enjoyed the video brings back good memories..

An Ode To C / C++ Thread SAFETY Static constants abound in the lexical analyzer and compiler. Dynamic linking libraries deploy a plethora of data structures like trees and maps. The linker if static won't undergo modifications by system calls in the appended files at runtime. The loader generates the machine codecs always dynamic in binaries or hexadecimals. The compile time could be automatic or register prompting change in the volatile memory. That makes for thread safe in mutex or deadlock address locations. Any programming languages that are reporting segmentation fault or overflow and overrun are unsafe and need be pontificated for the perverse logic. It could make the operating system crash and the semaphore would rather be rectified to reinstate the infinite loop.

Curious why you would randomize the cookie, if the cookie is already being randomized. Now you have two changing parts instead of one. Wouldn't you be better off keeping your cookie guess static?

Can you make vid on Page table/ Virtual memory.

you have interesting videos

How do you want to bruteforce the cookie? It changes on every run of the program so it would only be exploitable if the main function forks into a new process. Or am I missing smth?

cool bro

so if you have fs:[0x28] = fs*16 + 0x28

Making mistakes really needs a programmer which ignores this, I'm ignoring such messages,but my code is most of the time only used by me

Can someone tell me what program he is using to graphically display the assembly code ?

Aren't those "cookies" called "cannaries"?

But why 0xffffff in calculator?

bufferoverflow attack out dated ???

Am I the only one who prefers AT&T syntax?

lol , nice

oh .. you hook me up I know it will end up build a rop chain but bypassing the cookie ...

im a nodejs developer i cant find authentication in socket io using mysql as session store it will be vulnerable by someone tries to flood the memory of my server due to lack of authentication pls someone help me

not first