PWN Overflow | CSAW CTF "BigBoy"

47,536 views

John Hammond

5 years ago

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: paypal.me/johnhammond010
GitHub: github.com/JohnHammond
Site: www.johnhammond.org
Twitter: / _johnhammond

Comments: 28
@stevet7522 4 years ago
How did I not find this guy's channel sooner? This stuff is amazing.
@_JohnHammond 4 years ago
Thanks for the kind words, and thanks for watching!
@MrEdwardSP 4 years ago
State of the art explanation... Amazing video~
@_JohnHammond 4 years ago
Thanks for all the kind words! And thanks for watching!
@alecsymmonds959 2 years ago
You're a beast! Motivating.
@niteshsurana 4 years ago
Commenting for the LLS CTF Flag! And hey, I subscribed to you months ago :p
@timothyhill4486 4 years ago
Love the video
@gyul2311 5 years ago
John, can I ask you what program you are using when you record your screen?
@_JohnHammond 4 years ago
Holy crap, I don't know how I missed this a YEAR ago -- but I use OBS Studio nowadays. I used to use SimpleScreenRecorder or Kazam.
@mushtakhussain9017 4 years ago
Damn, that's a work of art.. hope I can learn a lot from you.. play more CTF, John.. I'm getting inspired ❤
@timothyhill4486 4 years ago
Commenting for the LLS CTF Flag!
@ApploFag 4 years ago
John, please explain: we pass the buffer 'aaaa'+magic_hex and then the bash shell will be executed. After that, all input after our string will be passed to the bash command shell via the cat command and we will get output too, am I right?
@lsd3284 3 years ago
I have a doubt: when esp sets a buffer frame of 0x18 and is waiting for our input, you tried to brute over garbage input to fill those in the buffer and hit eax. I don't understand what you mean by hitting eax, or how the input is reacting to the stack and eax?
@tobiasmayer4492 5 years ago
Containing the year in the title would be awesome.
@sontapaa11jokulainen94 4 years ago
Yeah. I wonder how many people "missed the like button" because of that.
@shogunisheremistaa3432 4 years ago
You can find the binary in this repo: github.com/osirislab/CSAW-CTF-2018-Quals/tree/master/pwn
@mamtachahal1277 4 years ago
If someone can explain why he did that to make the bash stay. He put the entire python command in brackets and used cat, but why does that make the bash stay?
@robinhood3841 4 years ago
Hey John, I really love and enjoy how you are working in exploitation. Can you please give me good resources or books to start from?
@kushansingh6244 4 years ago
Hi John, I don't understand why you would use 'A'*$i to find if it overflows the buffer. I am new to reverse engineering. Can you please help me understand that python script? I would appreciate it.
@_JohnHammond 4 years ago
I can't tell what you are asking? The "A"*$i is Bash syntax; that $i is the variable that will be replaced with the current count in the for loop. I use that technique to sort of spray the binary with different length inputs and see which ones it acts differently for (as 20 was where we were correctly overwriting EIP and getting a shell). Does that help at all..?
@kushansingh6244 4 years ago
@_JohnHammond Hi John, yes I get it now, so it's a trick used to spray the heap and find out the memory location where it's overflowing. Is it more trial and error, or is there a way to guess the numbers, as in this case you used 20 to 28?
@_JohnHammond 4 years ago
@kushansingh6244 This isn't spraying the heap -- just looping through numbers to determine which "offset" of garbage input will get the right overflow position to force a new EIP. I estimated 20 to 28 because we could see the buffer size was 0x10 (16 in decimal) -- so I added four to that number, because EBP will be in the way, and did a small range of 4's to see if there was anything else that could be in the way. The amount of data that is being read in, or the buffer size, are good indicators as to where you should base your search.
@kushansingh6244 4 years ago
@_JohnHammond Got it, thanks. Appreciate it!
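To make the "16 + 4 = 20" reasoning in the reply above concrete (and to answer the later question of why the value has to go at 20 rather than 24), here is an added Python model of the 32-bit stack frame the video describes: a 0x10-byte buffer, then the saved EBP, then the saved return address. This is an illustration written for this page, not code from the video or the challenge; the exact frame layout is an assumption taken from the comment, and no binary is touched.

```python
# Constructed model of the frame discussed in the thread (assumed layout):
#   [ buffer: 0x10 bytes ][ saved EBP: 4 ][ return address: 4 ][ caller ... ]
# Input written into the buffer grows toward higher addresses, so byte
# offset N of the input lands N bytes past the start of the buffer.

BUF_SIZE = 0x10   # 16-byte buffer, as read off the disassembly in the video
WORD = 4          # saved EBP and the return address are one 32-bit word each


def slot_for_offset(offset, buf_size=BUF_SIZE):
    """Name the frame slot that input byte `offset` overwrites."""
    if offset < buf_size:
        return "buffer"
    if offset < buf_size + WORD:
        return "saved_ebp"
    if offset < buf_size + 2 * WORD:
        return "return_address"
    return "beyond_frame"


def padding_to_return(buf_size=BUF_SIZE):
    """Filler bytes needed before an appended word lands on the return address.

    This is the '16 + 4 = 20' from the reply: the saved EBP is in the way.
    """
    return buf_size + WORD


def where_value_lands(padding, buf_size=BUF_SIZE):
    """For an input shaped 'A' * padding + <4-byte value>, report which slot(s)
    the 4-byte value covers. A misaligned padding straddles two slots."""
    return sorted({slot_for_offset(padding + i, buf_size) for i in range(WORD)})


def scan(lengths, buf_size=BUF_SIZE):
    """Mirror the video's loop over candidate paddings (20, 24, 28): map each
    candidate to the slot(s) the appended value would overwrite."""
    return {n: where_value_lands(n, buf_size) for n in lengths}


if __name__ == "__main__":
    print("padding needed to reach the return address:", padding_to_return())
    for n, slots in scan(range(20, 29, 4)).items():
        print(f"padding {n:2d}: appended value lands in {slots}")
```

Only padding 20 places the whole appended word on the return address; 24 already overshoots into the caller's frame, which is why the control transfer stops working past the first candidate in the loop.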
@rakeshlal6882 5 years ago
Hey John, will you play blazeCTF 2019?
@sontapaa11jokulainen94 4 years ago
Why doesn't the overflow start after 24 characters? Why does it already start at 20 characters? Edit: Never mind. Had to just use my brain a bit.
@mazharhussain. 4 years ago
Hey Sir, can you please attach the files of the CTFs with the videos? We need them for practice :P Thank you
@videospromoter5884 4 years ago
give me the flag