Exploiting Return Oriented Programming (ROP) tutorial - Binary Exploitation PWN101
Рет қаралды 16,465
Күн бұрынROP tutorial step by step, explained in detail. We will understand how Return Oriented Programming works and how to use this exploitation technique to abuse (exploit) vulnerable binaries. We will understand the theory behind the technique and later put it into practice by exploiting an actual challenge from ROPEmporium. In order to understand ROP, the most important thing is to understand what the RET instruction does (which are its effects) when it gets executed. Knowing how the ESP/RSP and EIP/RIP registers are affected by it is fundamental. We can achieve the desired behavior by chaining together ROP gadgets (creating a ROP chain), abusing a buffer overflow and hijacking the exaction flow.
Some quick notes after uploading the video:
- I forgot to include a good ROP reference from Exploit DB (Shaif El-Sherei): www.exploit-db.com/docs/engli...
- A ROP gadget is any instruction sequence that ends with an instruction that modifies the RIP register, typically a RET (but it could be any other instruction, like JMP). In the video, in order to keep things simple, I mentioned only the RET case.
- Yes, around 14:45 I mispronounce the word "contriving" :(
References to learn more about ROP:
- ROP Emporium: ropemporium.com/
- FuzzySecurity: www.fuzzysecurity.com/tutoria...
- Code Arcana: codearcana.com/posts/2013/05/...
- CTF101: ctf101.org/binary-exploitatio...
- Rapid7: www.rapid7.com/resources/rop-...
- Wikipedia: en.wikipedia.org/wiki/Return-...
- Information Security Lab: cs6265/2019/tut/tut06-01-rop.html
- Ired.team: www.ired.team/offensive-secur...
Tools to find gadgets within a binary:
- ROPgadget: github.com/JonathanSalwan/ROP...
- Ropper: github.com/JonathanSalwan/ROP...
- Pwntools' ROP: github.com/Gallopsled/pwntool...
- Radare2: radareorg.github.io/blog/post...
00:00 - Intro
00:47 - More references to learn ROP
01:29 - What is ROP?
02:55 - What are ROP gadgets and chains?
04:19 - The RET instruction
06:06 - Drawing the RET instruction (legit epilogue)
07:53 - Drawing the attack
12:43 - Checking binary protections
13:43 - Executing the binary
13:56 - Crashing the binary
14:15 - Reversing the binary
14:50 - Spotting the vulnerability
15:30 - Reversing the binary
16:00 - Spotting a call to system()
16:36 - Starting to write the exploit
17:22 - Reversing the binary
17:37 - Calling convention of x64
18:24 - Checking strings
18:33 - Spotting the command to pass to system()
19:10 - Tools to find ROP gadgets
20:07 - Finding ROP gadgets in the binary
21:20 - Writing the exploit
22:38 - Drawing the exploit
25:00 - Executing the exploit
25:17 - Exploitation successful
26:00 - Outro[*]
Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
@RazviOverflow Жыл бұрын
Some quick notes after uploading the video: - I forgot to include a good ROP reference from Exploit DB (Shaif El-Sherei): www.exploit-db.com/docs/english/28479-return-oriented-programming-(rop-ftw).pdf - A ROP gadget is any instruction sequence that ends with an instruction that modifies the RIP register, typically a RET (but it could be any other instruction, like JMP). In the video, in order to keep things simple, I mentioned only the RET case. - Yes, around 14:45 I mispronounce the word "contriving" :(
@antisec1656 Жыл бұрын
This is by far the clearest explanation of ROP ive ever seen and you are the only channel ive seen to break it down into the very basics, and make it super clear to understand. Glad to be one of your first 500 subs, but you deserve more than the big CTF youtubers out there and I can see your channel blowing up. Thanks a lot!
@RazviOverflow Жыл бұрын
Thank you. I really appreciate your words :)
@MysteryMooCows Жыл бұрын
Wow. I cant wait for your channel to explode! You have a deep understanding of what you're doing and present the material in a clear and approachable way. I really enjoyed this, thank you!
@RazviOverflow Жыл бұрын
Thank you very much! Glad you liked the video. I try to make things as simple as I can.
@atharavhedage3607 9 ай бұрын
Truely said, you deserve subs more than top CTF KZbinrs out there, absolutely clear content, loved it!
@RazviOverflow 8 ай бұрын
Thank you :)
@user-pg9te8ug1j Ай бұрын
Wow - this is by far the best explanation if seen on the topic so far. Thank you very much!
@RazviOverflow Ай бұрын
Glad you liked the video :)
@user-ng9uv3hs3k 5 ай бұрын
This is seriously the best explanation i've found on ROP. The explanation is so clear and detailed. So helpful 😄 Loved it!
@RazviOverflow 5 ай бұрын
I'm happy it helped you :)
@kushagrasingh467 6 ай бұрын
Woah! loved the explanation, you surely deserve more number.
@RazviOverflow 5 ай бұрын
Thank you :)
@migwe1019 Жыл бұрын
Thank you so much, this is by far the clearest rop tutorial ive ever seen. keep up the good work
@RazviOverflow Жыл бұрын
Thank you. Glad it helps!
@petermackinnon6546 Жыл бұрын
wanted to comment this as well. Beautiful side-by-side visual.
@RazviOverflow Жыл бұрын
@@petermackinnon6546 Thank you :) I find it a bit rudimentary and definitely home made (it's plain paint), but pretty effective at the same time
@regas6441 4 ай бұрын
Excellent content, this actually helped me a lot. Please keep posting!
@RazviOverflow 4 ай бұрын
Glad it helped!
@Obeeron Жыл бұрын
Extremely clear explanations thank you for this video
@RazviOverflow Жыл бұрын
You are welcome :)
@danielcmihai Жыл бұрын
Nice one once again. Looking forwards to more content.
@RazviOverflow Жыл бұрын
I appreciate your comments. This week I'm uploading (at last) the ret2libc video :)
@luxdown7965 Жыл бұрын
Excellent, as always :)
@RazviOverflow Жыл бұрын
Thank you! :)
@sarthakjoshi3947 Жыл бұрын
Great, keep up the good work.
@RazviOverflow Жыл бұрын
Thank you! :D
@nopsled9824 Жыл бұрын
very nice. well done!
@RazviOverflow Жыл бұрын
Thank you!
@nathandaugherty8765 6 ай бұрын
Possibly already pointed out - at around 8:30 the picture of the stack being overflowed is backwards. The stack grows from high memory addresses to low. Everything that was drawn into the stack should be flipped upside down. Nonetheless, still a great video and explanation.
@RazviOverflow 6 ай бұрын
Incorrect. As you stated, stack grows from higher (H) addresses toward lower (L) ones. At the right of the drawing there is a huge arrow that goes downwards from H to L to indicate just that. There is no such thing as flipping the stack upside down. It doesn't matter how you draw it as long as you specify where the higher or lower addresses are. If you check the whole series from the beginning or the process I usually follow to draw the stack, you will notice I always do it like so. Thanks for the comment.
@Ouroboros2291 Жыл бұрын
Can somebody advice the debugger for NASM?
@Nunya58294 Жыл бұрын
Check out GDB (GNU Debugger)
@zeshanahmednabin 8 ай бұрын
Can you make a Cutter setup video. My cutter shows addresses relative to stack. Which is pretty confusing... I was wondering why isn't my exploit working... It shows var void *buf @ stack - 0x28 whereas on yours it shows var void *buf @ rbp - 0x20 @14:53
@RazviOverflow 8 ай бұрын
They changed that in recent versions of cutter. I'm not sure if you can change it back to the older form (like in my video). Anyways, you just have to realize that what they call "stack" is the base stack address (right where the saved return address ends), and right above it lies the rbp. So rbp-0x20 and stack-0x28 are equivalent given that rbp is 8 bytes long.
@AdiSings2023 7 ай бұрын
Hello! One of the best videos about ROPs. One thing I would like o mention: After: payload = b"A" * 0x28 I also need an address of just 'ret' got with ROPgadget so: payload += return_address. Moreover I need to push it further to "usefulFunction" address. So: payload += usefullFunction_address So now I can add the other 3 addresses that you have in your video. I don't know why it is not working with what you just present there...
@RazviOverflow 7 ай бұрын
Hello, thank you. I'm not sure if I understand correctly. All I show in the video is tested and working.
@AdiSings2023 7 ай бұрын
@@RazviOverflow I am saying that on my end, it doesn't work just with those 3 added addresses to the payload. I need 2 more (1 of a ret address and the address of the "usefulFunction")
@arielelbaz8218 17 күн бұрын
Can u share your code ? Mine also is not working
@bhagyalakshmi1053 Жыл бұрын
Nice expression
@_vox5189 18 күн бұрын
polino mi manchi
@HoneyBravoLui 20 күн бұрын
Ciao POLIMI
@cgrbro 11 ай бұрын
hello,thanks for all but where is the file i didn't find . Can u share please ?
@RazviOverflow 11 ай бұрын
I think it is pretty easy to find in ROPEmporium page: ropemporium.com/challenge/split.html
@cgrbro 11 ай бұрын
@@RazviOverflow well, thank u. i looked tryhackme for binary
@RazviOverflow 10 ай бұрын
@@cgrbro Around 0:30 I mention we will exploit the split challenge from ROPemporium, which is shown around 0:53
@cgrbro 10 ай бұрын
@@RazviOverflow yes i just realized thank u so much
@RazviOverflow 10 ай бұрын
@@cgrbro You are most welcome, glad to help
@polmarin2911 Жыл бұрын
Hola Razvi! Volverás a meterle caña al otro canal o ya lo has abandonado del todo? Se te echa de menos!
@RazviOverflow Жыл бұрын
Gracias :) Pues la verdad es que no sabría decirte. No descarto volver a hacer vídeos, pero ahora mismo tengo otras prioridades en la vida.
@polmarin2911 Жыл бұрын
Pues mucha suerte en tus nuevos proyectos y si vuelves a colgar algun video, al menos tendrás mi visualización y mi like. Suerte camarada!
@RazviOverflow Жыл бұрын
@@polmarin2911 Muchas gracias. Un abrazo!
@ragnarlothbrok367 Ай бұрын
i dont understand a shit from all of this, i don't know what is the flow or next instruction when you talk about things, i don't see the context
@RazviOverflow Ай бұрын
You are the first one (so far) pointing out the context is missing. Please tell me why and how the video could be improved.
@ragnarlothbrok367 Ай бұрын
@@RazviOverflow Just look at the illustration at 12:30, it may be not even your fault, just assembly is ... insane, everything goes everywhere all the time and i fail to map this in my brain
@RazviOverflow Ай бұрын
@@ragnarlothbrok367 Ok, then the problem is not the video. Have you tried watching easier videos?
RazviOverflow
Рет қаралды 6 М.
4: Ret2Win with Function Parameters (x86/x64) - Buffer Overflow - Intro to Binary Exploitation (Pwn)
CryptoCat
Рет қаралды 16 М.
RazviOverflow
Рет қаралды 4,2 М.
RazviOverflow
Рет қаралды 4,6 М.