
Pwntools ROP Binary Exploitation - DownUnderCTF 


To help support me, check out Kite! Kite is a coding assistant that helps you faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/? (disclaimer, affiliate link) courses.zero2auto.com/?coupon=JOHNHAMMOND to get 15% off 0verfl0w's course! Apply it as a GET parameter, ?coupon=JOHNHAMMOND!
Hang with our community on Discord! johnhammond.org/discord
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: paypal.me/johnhammond010
GitHub: github.com/JohnHammond
Site: www.johnhammond.org
Twitter: _johnhammond

Published: 22 Sep 2020

Comments: 108
@stefanodevenuto1867 3 years ago
I really love when you share with us your learning process, that phase of the video where you learn with us. Extraordinary video man!
@p0fs 3 years ago
It is alignment issue because system() uses xmm registers to move data around, and they require 16 bytes alignment. Could be just one ret instruction to offset the stack.
@tg7943 3 years ago
Nice to see how the number of your subscribers rises further and further. You've earned this. Keep up the good work!
@jayeshzala2339 3 years ago
John, you really taught me ROP, before watching your video I was very confused with it. Thanks man keep it up👍🏻
@0x2a1A4 2 years ago
@ John Hammond your content is golden ! keep up the good work. love that you also keep in the struggles (the learning process) that we all have from time to time with syntax.! keep up with your awesome content.!
@sumeetchanikar6297 2 years ago
I really liked the way you explained ROP. This is super amazing!
@EternalListener 3 years ago
No, John, this ROPGadget explanation was immensely useful to I bet most of us!
@ThisCanNotBTheFuture 3 years ago
I know it's asking a lot, but a future series on Binary Exploits from scratch would be sweet
@mamtachahal1277 3 years ago
You are absolutely amazing, I am loving these contents
@jandrodali4901 3 years ago
yeah it's for stack alignment, try to add p64(pop rdi +1) which is ret instead of puts and it will work fine
@4lpina 3 years ago
Awesome video, thank you so much for sharing your knowledge
@spear7916 3 years ago
great video sir. Learned a new thing thank u so much
@markgentry8675 3 years ago
great vid mate. one of my favorites yet. binary exploitation outside of ya average buffer overflow is something I need explained just like this. nice one bruva
@XxStormProductionsxX 3 years ago
Thank you for your explanation. Great video!
@djmikeholmes6214 3 years ago
Hey John, another great video although well above my knowledge base!!! So cool how you always get your end results. I'll keep watching and learning thx.
@sinwolf5539 3 years ago
*Goes to checkout pwnscripts* great job John!
@TheAyushbest1 3 years ago
John amazing video as always tho after watching the throwback one this seemed a little short 😂 also I think calling puts again overwrites to the registers and empties out space for system to load
@bhagyalakshmi1053 1 year ago
Thank you for the explaining is a more thanks thanks thanks thanks
@Nunya58294 3 years ago
These videos are just absolutely brilliant! It's inspired me to keep going with my pen testing abilities on my own personal system(s). I'm not as advanced as others so these videos really help to understand the basics good sir
@charlesnathansmith 11 months ago
These videos are great. Even when you cover a topic I already know fairly well, you introduce new tools or work processes to make it simpler. Showing all the mistakes or oversights or having to look up more about something is refreshing too, because it's always a messy process. There's no circumstance where anyone goes in and knows exactly how to deal with every single thing they'll run into. That's half the job, and hopefully it's encouraging to everyone exploring new things. It is to me.
@aaravsinha6610 3 years ago
@John Hammond hey John can you please explain what is the difference between the addresses returned by rop.call("puts", [elf.got["puts"]]), rop.call("puts") and elf.symbols["puts"]? Thank you in advance
@CurseTheVulgar 9 months ago
Anyone know if the Beginner Malware Analysis course can be found somewhere today (2023) since it's no longer being sold?
@d4rk-c1ph3r 2 years ago
Learned some ROP and pwned a live challenge in HTB Santa CTF
@sumedhvangara7368 3 years ago
Hey john can you please make a vid on a ctf question using xss?
@ThomasGabrielsen 3 years ago
I've watched a lot of your videos lately, and I learn a lot from them in so many topics. I like "cut to the chase"-videos on YouTube, and your videos are great in that regard. You are exceptionally good at explaining complex challenges including many topics. Just a thought: Have you considered recording while you're solving some of the CTF challenges the first time? I mean the more or less raw footage. Including all your debugging, head scratching, etc. Don't be afraid to show that you're struggling because you are a very skilled man, and I'm sure your knowledge is far above the average viewer's anyway. Just a thought. You obviously know what you're doing, and I'm very sure that your channel will grow very fast. :-)
@_JohnHammond 3 years ago
Hey there Thomas, thanks so much for all the kind words! Appreciate it. I do actually screen-record when I am working through CTF challenges for the first time, if just to get the footage and potentially repurpose it for later content. I could potentially share that as video, but it might be barebones (no audio) -- unless I were to go back and try and do commentary over it (which would mean, like, two times the work ahaha). I can try it sometime and see how it goes!
@ThomasGabrielsen 3 years ago
​@@_JohnHammond Thanks for your reply! I totally understand that there will be too much work to do commentary afterwards. I would very much like to watch the unedited video without audio. I'll get your excellent commentary in your "walkthrough" videos anyway so there's no need to do it twice. :-)
@aaravsinha6610 3 years ago
@@_JohnHammond hey John can you please explain what is the difference between the addresses returned by rop.call("puts", [elf.got["puts"]]), rop.call("puts") and elf.symbols["puts"]? Thank you in advance
@olavoborges57 2 years ago
awesome content
@orgozlan323 3 years ago
thank you
@johnathondupuis1301 1 year ago
Hi there - I was wondering if I could ask a question concerning rop. Hi Peter - I hope this email finds you well. I've been unable to figure out how stack alignment works for a return with an offset not divisible by 4. Ret 0x0016 for example. No matter what I try the stack is always misaligned. If you have any pointers, I'd really appreciate it! Thanks!
@ronakjoshi5093 3 years ago
hey john how you doing today?
@JuanMartinez-dh3tf 3 years ago
What an excellent video, if you could make a video about Canary, I would really appreciate it. Greetings from Mexico :)
@azeemkhan9901 2 years ago
How can we get the libc address remotely in the cleanest possible way?
@karmanyaahm 3 years ago
Your binary exploitation tutorials are pretty nice
@willemvdk4886 3 years ago
John, please help me. I've watched the entire thing and it's been extremely interesting. But, I seem to be missing an important, but seemingly basic, point. What is the relationship between the netcat connection (which is a remote server listening to a certain port, correct?) and the executable that you're inspecting? Somehow that executable, that seems to be running on your local computer, is opening up a TCP connection via netcat and then through the buffer overflow exploit you get a shell? I'm probably missing the point, here, but I don't get it. Please explain.
@hegzploit 3 years ago
at first, he was testing with the local executable and once he got it working he just switched his "p = process()" with "p = remote()" since pwntools is pretty flexible when switching from local to remote it's as easy as changing one line.
@jnevercast 2 years ago
That executable is the program running on the server and listening for input. It's common during these CTF to be given a copy of the server program so that you can pull it apart and find your exploit. Once you find your exploit (like with ELF), you create your payload and send that to the server to get the flag :)
@hackersmania9275 3 years ago
Hey John! Great video. Just wanted to tell you that the peculiar issue you faced (not getting shell when running only system then getting shell when first calling puts and then system) is due to the 16-byte alignment requirement of modern architecture. They require the stack pointer to be 16-byte aligned whenever an SSE2 instruction (especially) is called. In system function there is an SSE2 instruction movaps XMMWORD PTR [rsp+0x40],xmm0. Hence you didn't get the shell in the first attempt. More info: stackoverflow.com/questions/54393105/libcs-system-when-the-stack-pointer-is-not-16-padded-causes-segmentation-faul Have a good day 👋
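The alignment arithmetic described in the comment above, as an added example that is not part of the original comments or the video: a small model of how rsp advances while a chain of 8-byte stack words is consumed, reporting rsp % 16 at each function entry. The slot address and the three chain layouts are constructed assumptions, and the model assumes the overwritten function's caller followed the x86-64 System V ABI.

```python
# Added illustration (not from the video): model how rsp advances as a chain
# of 8-byte stack words is consumed, and what rsp % 16 is at function entry.
WORD = 8  # one chain entry = one 8-byte stack slot on x86-64

# Constructed address of the overwritten saved-return-address slot. The caller
# executed `call` with rsp % 16 == 0, so the pushed slot sits at addr % 16 == 8.
SAVED_RET = 0x7FFC00001008

def entry_alignment(chain, saved_ret=SAVED_RET):
    """Return [(function, rsp % 16 at its first instruction), ...].

    chain is a list of (label, kind) from the saved return address upward;
    kind is "gadget", "data" or "func". Every entry occupies one slot.
    """
    out = []
    for index, (label, kind) in enumerate(chain):
        if kind == "func":
            # The `ret` that jumps here has already popped this slot.
            rsp = saved_ret + WORD * (index + 1)
            out.append((label, rsp % 16))
    return out

def is_call_compatible(rsp_mod_16):
    # `call` pushes 8 bytes onto a 16-byte-aligned stack, so ABI-compliant
    # code (including movaps stores relative to rsp) assumes 8 on entry.
    return rsp_mod_16 == 8

# Constructed chain layouts matching the three cases discussed in the comments.
DIRECT = [("pop rdi; ret", "gadget"), ("&'/bin/sh'", "data"), ("system", "func")]
WITH_RET = [("ret", "gadget")] + DIRECT      # one bare `ret` as padding
WITH_PUTS = [("puts", "func")] + DIRECT      # extra puts call, as in the comments

if __name__ == "__main__":
    for name, chain in [("direct", DIRECT), ("ret", WITH_RET), ("puts", WITH_PUTS)]:
        for func, mod in entry_alignment(chain):
            state = "aligned" if is_call_compatible(mod) else "MISALIGNED"
            print(f"{name:7} {func:7} rsp%16={mod:2} {state}")
```

In the third layout puts is itself entered with rsp % 16 == 0; the model only reports alignment, and whether a given function faults depends on whether it executes an aligned SSE store relative to rsp.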
@danielgee5916 3 years ago
If anybody knows, Do you know what type of bash profile John uses? He usually said that he uses that to format output inside terminal but could not find it?
@donfoumare 3 years ago
He uses this cat clone as a colorizing pager for man as described in the readme: github.com/sharkdp/bat
@ARZ10198 3 years ago
Darn , I missed the premiere
@i_sometimes_leave_comments 3 years ago
Can you give us a link to that "batman shell extension" you're using? I can't seem to find it...
@donfoumare 3 years ago
Here it is: github.com/sharkdp/bat
@netanelberman6291 3 years ago
@@donfoumare Thank you so much!!!
@juandeag7722 3 years ago
How do you get colored manpages again ? I heard some version of bad-man or something
@MrJohnyBGood101 3 years ago
bat - cat with wings on github
@juandeag7722 3 years ago
@@MrJohnyBGood101 thank you!
@higswat 3 years ago
hahaha nice video....classic when code dont work we dont know why.....and when i does work still dont know why :D
@iansugg3496 2 years ago
I stg I come to this video every time I have to do a ret2libc attack
@indiaaranv 3 years ago
I believe the additional puts call allows for the stack to be 16-bit aligned cause they’re running on Ubuntu 18.04
@R4ngeR4pidz 3 years ago
Does puts not return though? when you make a call its return address gets pushed to the stack, so its offset in that function you're calling, but when you return from that function that return address gets popped from the stack and it makes 0 difference beyond that maybe ROP does some extra stuff that provides the offset though
@indiaaranv 3 years ago
Thijs Bruineman Well, it does return. However, the system ABI for the x86_64 architecture guarantees a 16-byte aligned stack before a call. When the ROP instructions are loaded onto the stack, and system() is called, it makes use of this fact. So, by your stack has to be aligned to the 16-byte(sorry I said 16-bit in the initial comment) boundary. Regarding your concern about the function returning and thus not having an effect, what the ret instruction call actually does is it first pops the stack pointer, which in turn means it increments the stack pointer. This has the effect of adding the extra 8 bytes that might be needed to align the stack. Usually, what one would do is to simply use a ROP gadget that just has one ret call. However, in John’s case he made a call to puts, which if it has an odd number of instructions(I’m assuming) it will have the same effect.
@indiaaranv 3 years ago
Please do correct me if I’m misguided thanks!
@dack42 3 years ago
I believe you can just pass align=8 to the ROP() constructor, and it will automatically align things for you. The default is align=4 (for 32 bit).
@zedeleyici.1337 3 years ago
nice video
@n1ghtmar3_orin 3 years ago
Anyone have the challenge file? It will really help to practice
@cassandradawn780 3 years ago
nice vid
@HalValla01 3 years ago
3:30 that flicker tho
@MatteoGariglio 2 years ago
Hey John, have you figured it out why do we need to call("puts") again in our second payload? 46:54 This video is insane, thanks! Cheers
@abdullahozbay2086 2 years ago
In below, Alex Skalozub explains that "It is alignment issue because system() uses xmm registers to move data around, and they require 16 bytes alignment. Could be just one ret instruction to offset the stack."
@jameselliot9114 3 years ago
damn I wanna buy that course
@SWUnreal 3 years ago
I learned most of my re hacking games its more fun than analyzing malware samples imo
@shishirsubedi5412 3 years ago
This prevents going back and forth for running the script. It listens for event and runs every time after the file is saved. while true; do inotifywait -q -e modify ; clear; python3 ; done And Great video. Thanks
@abdarafi 3 years ago
Great tips man ;)
@salikaa86 3 years ago
Your CPU cores are overheating and throttling back, look at your video at 22:32. It wont go above approx 96 deg C due to its aggressive protective measures, but you lose computing power and it might needs your attention to address it :) Nice vid anyway, thank you!
@bhagyalakshmi1053 1 year ago
What is assembly code
@spacefishaviation276 3 years ago
I love the video but DAMN the price of that course IS HIGH!
@gstud210 2 years ago
Need more buffer overflow videos
@alexpearce3083 3 years ago
the best
@ch33zer 3 years ago
One of the most fascinating parts about ROP is that you don't even need full instruction sequences, before the RET: you can execute suffixes of an initial instruction that then means you're likely executing fragments of subsequent instructions all the way up to the ret. The initial paper focused EXCLUSIVELY on these types of gadgets. I don't know if ROPgadget is doing this though.
@GunniBusch1 3 years ago
I think you need more subscribers! You make awesome videos! And everybody who says something different! Hack them!
@bluesquare23 3 years ago
You ever imploit a binary instead?
@bhagyalakshmi1053 1 year ago
Xmma?
@goodboy8833 3 years ago
Waiting
@KushChoudhary 3 years ago
🙌🏻
@luigi0069 3 years ago
Too
@cerealtech4138 3 years ago
Hit my like Burton if you noticed the dade Murphy easter egg
@bhagyalakshmi1053 1 year ago
Files rdx, dangerous files
@emfeditz. 3 years ago
Bro I am from India so brother plz I request u please Hindi captions on plz sir plz
@anonymusblak3757 3 years ago
.
@JustSomeAussie1 3 years ago
Longest ad i've ever seen
@citizendot1800 3 years ago
Video starts at 2:25
@JNET_Reloaded 3 years ago
and for love of god put env line inside python3 file then you won't have to call a script with python3 you waste a lot of time!
@oofme6749 3 years ago
uh no, you don't, typing speed is what defines that. Takes literally a second to type python.
@JNET_Reloaded 3 years ago
@@oofme6749 what a noob would say!
@bruh_5555 3 years ago
More favourable and aesthetic for the audience to type Python and run it instead of env
@JNET_Reloaded 3 years ago
@@bruh_5555 the 1st line of py script has env blababla for a reason so that you can just type ./scriptname.py and there you go simple!
@oofme6749 3 years ago
​@@JNET_Reloaded I personally enjoy typing out python because I don't find it needed to pass #!/usr/bin/env python3 at the beginning of the file. Also, "noob" I'm sure knowing more than 7 languages, known for teaching others the art, also known to help small businesses patch vulnerabilities, a reverse engineering professional, been doing it since 11 years old, doesn't count one as a noob. It's rather noobish that you made a comment about somebody not putting env in the program rather than realizing that it works and runs the same way. Its really funny. Grow up.
@JNET_Reloaded 3 years ago
ur picture frames are not inline redo it lol
@JNET_Reloaded 3 years ago
you dont need quotes around a wget command either!
@highvisibilityraincoat 3 years ago
he said before it’s just habit. chill.
@franckchiron9848 3 years ago
What do you mean ? Like for the URL part ? It is not necessary until it is, try to get that one : www.google.com/?smartass=JNET&PS1=maybe_not_so_smart
@JNET_Reloaded 3 years ago
you need to stop with the blank lines and = things its suppose to be bla=foo not someshit = here < thats poor! plus soon as you know its vuln to a buffer overflow all u gotta do is put loads of chars in the nc connection thats it!
@SiliconSentry 3 years ago
For what he's doing white space is ignored and it makes it easier to read so why does it matter? Also, he's said before that he likes to automate his attacks once he figures it out because it's good practice. Sure he could have pushed a bunch of crap into the netcat but he doesn't have to. If you don't like it make a video doing it your way for people to watch.
@WhiteHatHacking 3 years ago
Making it more readable is not only valid but also recommended and should be standard practice. The only situations where you wouldn't do that is if you're in a competition or time is the primary concern.
@JNET_Reloaded 3 years ago
@@WhiteHatHacking no its annoying empty lines and shit its gta stop. Basic auto takes out them spaces weve moved in from .bas files.
@kaushiksivashankar9621 3 years ago
@@JNET_Reloaded lmao someone's never heard of PEP8 sit down dude.
@JNET_Reloaded 3 years ago
@@kaushiksivashankar9621 its in the eye of the beholder tho i prefere not having lines just for 1 char thats messy to me!