Format string exploit on an arduino - rhme2 Casino (pwn 150)

Views: 17,976

LiveOverflow

A day ago

Comments: 29
@BillyEllis 7 years ago
Great stuff :D
@sjakievankooten 7 years ago
Nice one again, man. Keep going ;)
@WorldandWarfare 7 years ago
You do great work, mate!
@desheen5056 7 years ago
Mister Overflow, you should make a Patreon page
@aidenrhama9147 7 years ago
Can I make a request? Please make a video on ret2libc in a 64-bit binary that requires more than 1 argument, like an execve function.
@LiveOverflow 7 years ago
I know I have been saying for a while now that more advanced stuff will come soon. And it will come "soon". I first want to finish editing all the rhme2 videos, then I have some other small projects and then I will tackle again binary exploitation. And stuff like that will be covered. But it might still take a while :(
@aidenrhama9147 7 years ago
That's good. Hope you can finish it soon.
@aidenrhama9147 7 years ago
Wow, great. Got some new knowledge from you :D
@troz3799 7 years ago
Do you have a video on how to use python to "talk" to a network? I can kind of copy the code from here, but I'd like to see a more in depth video on it.
@LiveOverflow 7 years ago
Yeah, check out the videos from protostar in the binary exploitation playlist. Or see here: liveoverflow.com/binary_hacking/protostar/net0.html. All the "net" and "final" levels include networking, where I had to write a little bit of networking code. The code in this video is actually not networking, but serial (UART) communication with an arduino board connected via USB.
@troz3799 7 years ago
Thanks
@maplicant232 7 years ago
What does this sort of exploit look like in code? Is it some fault in C's string formatting? If so, why hasn't this been fixed already?
@LiveOverflow 7 years ago
Format string exploits are not really a fault of C (or the libc library). The programmer made a mistake and used, for example, "printf" wrong. The printf function has 1 or more parameters: printf(format, var1, var2, ...). If you want to print the string a user wrote, you would have to write printf("%s", user_input);. But if you make a mistake and write printf(user_input), then the user controls the format specifier and can use "%x %s" and more. Here is an example and a bit more explanation: liveoverflow.com/binary_hacking/protostar/format1.html
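The two printf patterns contrasted in the reply above, as an added C example (not LiveOverflow's code and not from the rhme2 repository). It keeps the correct `printf("%s", user_input)` form, shows the `printf(user_input)` mistake only as a comment because running it with attacker-shaped input is undefined behaviour, and adds a small directive counter (`count_format_directives`, an assumed helper name) that makes the mismatch visible: an input like `"%x %s"` asks for two arguments that a bare `printf(user_input)` never passes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not from the video or the rhme2 repository.
 *
 * The vulnerable pattern described in the reply above, deliberately NOT
 * compiled here:
 *
 *     printf(user_input);          // user controls the format string
 *
 * If user_input is "%x %s", printf consumes two variadic arguments that
 * were never passed and reads whatever happens to sit in their place
 * (undefined behaviour).
 */

/*
 * Count printf conversion directives in s. "%%" is an escaped literal '%'
 * and consumes no argument. Width/precision given as '*' (which consume an
 * extra argument each) are not counted, so this is a lower bound.
 */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints one '%' */
            p++;
            continue;
        }
        n++;                    /* any other '%' starts a directive */
    }
    return n;
}

/* Safe pattern: the format string is a constant, the user text is an argument. */
int safe_echo(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, "%s", user_input);
}

/*
 * Returns 1 when a string about to be used as a format string would request
 * more arguments than the caller supplies (nargs), which is exactly what
 * printf(user_input) does. A defensive check for code review or tests, not a
 * substitute for using "%s".
 */
int format_demands_missing_args(const char *fmt, size_t nargs)
{
    return count_format_directives(fmt) > nargs;
}

int main(void)
{
    const char *user_input = "%x %s";   /* constructed sample input */
    char out[64];

    safe_echo(out, sizeof out, user_input);
    printf("safe_echo printed literally: %s\n", out);
    printf("directives in input: %zu, args a bare printf(user_input) passes: 0\n",
           count_format_directives(user_input));
    printf("would read missing arguments: %s\n",
           format_demands_missing_args(user_input, 0) ? "yes" : "no");
    return 0;
}
```

With the sample input, `safe_echo` writes the five characters `%x %s` verbatim because the format is the constant `"%s"`, while the counter reports two directives against zero supplied arguments, which is the condition the reply warns about.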
@maplicant232 7 years ago
Thanks!
@mynewrandomhandle 7 years ago
The source code of many challenges is in the Rhme2 GitHub repository.
@rambo6glaz438 7 years ago
Will you start making console hacking videos? (like kernel exploit explanations) It would be so cool :)
@iLoveTurtlesHaha 7 years ago
I don't understand what is going on, but it seems so interesting. I'm now learning C# (and coding in general), but still, what he says in this video is going over my head. I'm guessing if I learned Python I wouldn't be so lost. Anyone want to give some advice? Edit: I subbed because I need some of this guy's smarts to rub off on me XD.
@arunmagesh 7 years ago
Why can't we just run strings on those binaries and get the flag?
@LiveOverflow 7 years ago
I don't have access to the binary. The binary is encrypted with an unknown key. You uploaded it to an arduino, which uses a custom bootloader and an unknown embedded key to decrypt the challenge. Now you can interact with the board, but you cannot extract the decrypted binary.
@arunmagesh 7 years ago
LiveOverflow Flash it normally and use avrisp to extract it back. That way you can get the bootloader + flash, which has whatever key.
@arunmagesh 7 years ago
LiveOverflow Anyway, I will try to replicate it and see how I can bypass that tomorrow morning.
@LiveOverflow 7 years ago
+Arun Magesh Nope, that won't work ;) The chip is locked. Otherwise each challenge could have been solved with reverse engineering.
@LiveOverflow 7 years ago
You can't replicate it, because the challenge arduino boards were flashed with the custom bootloader and shipped to us. The challenge binaries available on GitHub are not encrypted and are compatible with the standard arduino bootloader, for anybody to try it.
@marcelbreiti8473 7 years ago
ezpz :D
@0xff733 7 years ago
First boiiii
@redgek 7 years ago
4th?
@benjaminlee3135 7 years ago
Third! :P