Bypassing stack canaries and PIE/PIC by abusing a Format String vulnerability. In this step-by-step tutorial we will understand what a canary is, what is its main purpose and how can we bypass it in order to hijack the program's execution flow. At the same time, we will dig into Position Independent Executable (PIE) or Position Independent Code (PIC) and learn how to bypass it as well, exploiting the same Format String vulnerability. Leaking addresses from the binary will allow us to get the dynamic binary's base address (its base address during execution) to finally perform a ret2win attack. Step-by-step tutorial solving pwn107 from PWN101 binary exploitation room on TryHackMe.
Format String explained in depth: • Exploiting Format Stri...
Endianness explained: • Endianness Explained. ...
PWN101 Room: tryhackme.com/room/pwn101
Binary Exploitation PWN101 Playlist: • Binary Exploitation PW...
Binary Exploitation PWN101 Webpage: razvioverflow.github.io/tryha...
00:00 - Intro
01:40 - Checking binary protections
02:13 - Executing the binary
03:18 - Spotting the vulnerabilities
03:47 - Disassembling the binary
04:45 - Analyzing the vulns
05:53 - Canary checks
06:46 - Explaining what a canary is
08:10 - Logic behind canaries
10:26 - Idea to bypass canaries
10:56 - Recap
11:35 - Win function (ret2win)
11:54 - PIE
12:15 - Base address and offsets
13:58 - Disassembling and debugging the binary
15:15 - Debugging the stack
18:15 - Finding the value to leak
19:35 - Finding Positions for the format string
20:58 - Finding the position of our input
23:48 - Format String positions
24:04 - Format String payload
24:44 - Testing the payload
25:52 - Alternative method
26:56 - Writing the exploit
28:31 - Dynamic Base Address of the binary
30:28 - Hijacking the execution flow
32:45 - Exploiting locally
32:55 - Exploiting remotely
33:13 - Debugging the exploit
36:00 - Exploiting remotely (again)
36:18 - Reading the flag
36:26 - Outro[*]
Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG