
Return Oriented Programming (PicoCTF 2022 #48 'ropfu') 

John Hammond
21K views

Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Published: 16 May 2022

Comments: 59
@FurikuriYugi 2 years ago
Awesome as always my friend.
@aminel2a 2 years ago
28:25 I'm just like, why not sh()? But I was too hasty. Great work John 💖
@sikkavilla3996 2 years ago
Hey John, have you tried using the command cyclic to find the padding size for your buffer? I would recommend that if you need to find the length quicker for easier calculations. Overall a great video, and keep up the good work!
@chriskaprys 2 months ago
12:07 For those starting out in gdb, as I am: I believe what he was looking for there was x/500b (or x/500xb). It was already printing in xw (hex, word) mode, so x/500 (i.e. x/500xw) gave the *hex* of the 500 *words* at that address. b = byte, h = half-byte (2 bytes), w = word (4 bytes), g = giant word (8 bytes) 👍 13:18 or, as Scooby would say, the "ROPportunities" 😜
@getellied 2 years ago
Okay, this one was really freaking cool
@moosematrix 11 months ago
Currently on my binary exploitation journey and this was engaging!! Thank you John
@v01d_r34l1ty 2 years ago
NICE!~ANOTHER VIDEO LETS GO JOHN!
@timothysnyders1426 2 years ago
JOHN!!!!!! I don't really understand what you did.. but you talking us through this challenge is inspiring.. This must be what my employers think when I'm explaining things to them haha.. Love you man!! Keep doing this because I'm going to be here to watch and listen... Maybe stay away from binary bruv :)
@secinject814 2 years ago
Hey Hey Mr. Hammond! Excuse any typos as I am barely awake right now. But I just wanted to ask if you knew any good reverse engineering/binary exploitation books/e-books out there. Or the best YouTubers that showcase, explain, and demonstrate how binary exploit/reverse exploit works. As I have focused far more on web exploit like XSS, SSRF, LFI etc... Thanks again as always for all the educational content and hope you continue being an inspiration!! Thanks!!
@AlmostEpic89 2 years ago
In early today, was awesome seeing you at the Ninja one summit!
@davidyoder5890 2 years ago
Ninja does summits now?!
@fhajji 3 months ago
This was really interesting!
@SESUAV 2 years ago
Pardon my noob question, but I would like to know if this exploit will work if we replace the "A" with a NOP sled. It would automatically enter the buffer then. Would it not? We wouldn't need the short jump then.
@themightiestofbooshes9443 2 years ago
There he is!
@simplifiedknowledgehub 2 years ago
Sir, I am getting problems in Forensics; last one left in 300 pts and one 400 pts.
@KFLawless1412 1 year ago
Thank you for the awesome and educational video, John. I have a question that you or maybe someone else could answer (and I'll post it elsewhere too). Considering the stack was executable, could you not have done the following instead of using ROP?
1. Load the shellcode for "cat flag.txt" in your initial input instead of the 500 'C' bytes.
2. For your injected return address after the buffer of 'A' bytes, simply put the address (in the stack) of the shellcode you just injected.
Maybe I'm missing something, but assuming that ASLR isn't enabled since you were able to discern the address of the jump instruction, you could know the address in memory of the stack location you pushed your initial input to in the first place. Maybe I'm not making any sense, but thank you again.
@user-ql6rp7dr9m 1 year ago
This video is just great! How do you write a Python script to solve this challenge?
@samthelamb0718 4 months ago
How did you automatically know to jmp 10 bytes forward?
@lethanhat361 2 years ago
What is 16 bytes of nop for? At first, I didn't use any nop instructions before the shellcode and it failed. After that I tried adding 2 bytes of nop and it worked miraculously. Does it have anything to do with stack alignment?
@weirdstuffsforyou 2 years ago
That depends. The processor can jump to any point. Just to be on the safer side we can use long NOPs so that our shellcode will not get affected by it.
@zer001 2 years ago
Cool, now I know that there is a Bird in my (HayStack). Nice. :)
@Johnstuart2023 2 years ago
Hey, can you tell me what the short jump does and why we need it in this case?
@weirdstuffsforyou 2 years ago
It's used for jumping from new_eip to the NOPs, as the payload will get back to eax from short_jump, so that we can add the return address to the stack for execution.
@vanievors2476 1 year ago
How did you overwrite the EIP pointer if the executable is Canary-Protected??
@christiansanchez4883 8 months ago
The function we are using "vuln()" is not canary protected. A different function in the file is.
@j3r3miasmg 2 years ago
I don't get why the stack canary is not reporting *** stack smashing detected *** when you overflow the buffer, canary and the return address. Did I miss something?
@sepp104 2 years ago
The stack canary is not present in the vuln function. It is only present in some library functions.
@j3r3miasmg 2 years ago
@@sepp104 I only know it's not present because his exploit worked (I didn't look into the binary). But if you look at 02:20, it clearly says "Canary found". Something is misleading me.
@christiansanchez4883 8 months ago
@@j3r3miasmg Yeah, there are specific things that 'checksec' looks for when it's looking for a canary, and it found a canary "somewhere" in the file, but luckily for us, not in the vuln() function, or in any function that would naturally be called, for that matter. So there essentially is no canary. Try using Ghidra to disassemble and you'll see what I mean.
@j3r3miasmg 8 months ago
@@christiansanchez4883 Thanks for your answer. A little bit misleading if there is no canary in the function, but checksec did its best for us... ^^
@BryanChance 2 years ago
Hmmmmm... I have no idea what's going on but it looks very interesting! And who are you talking to? LOL
@franciscolucarini8761 2 years ago
When the Solfire challenge?
@bhagyalakshmi1053 1 year ago
Wos1,2,3?
@sireynolds7334 2 years ago
Your Rop-Fu is strong.
@bhagyalakshmi1053 1 year ago
Atti. Time files?
@fjr2go 2 years ago
Interesting!
@bhagyalakshmi1053 1 year ago
Binck mins root madal Bank "credit card"filles ?
@jaroslavhromatka3257 2 years ago
Hi, I enjoy your content but lately you've been having issues with audio. Please, can you normalize audio before you upload the video? For example, this video's sound levels are so low that in order to listen to it I had to put volume to 100% and put even +12dB gain on my external mixer... when YouTube played an ad in the middle of the video, it almost made me deaf... :-( Just FYI: for example I listen to movies on Netflix or videos on other RU-vid channels on 25-40% volume (usually no more than 50%)...
@aminel2a 2 years ago
Best comment 👌
@davidyoder5890 2 years ago
💯
@davidbellecy1709 2 years ago
I have to connect my phone to a USB speaker and put both at 100%.
@Joel-gf4zl 1 year ago
I'm on my phone and hear it fine at 45% volume while in the same room as a loud TV. It is a little lower, but not that low. For me anyway.
@samthelamb0718 5 months ago
I don't understand, why do the most interesting videos you post get the least amount of views!
@guilherme5094 2 years ago
👍
@bhagyalakshmi1053 1 year ago
Please assembly code file's
@Dr.DomAPI 2 years ago
Hi
@Dr.DomAPI 2 years ago
Make video on cryptography 😍
@bhagyalakshmi1053 1 year ago
Ret vlu Designer explain powerful
@bhagyalakshmi1053 1 year ago
John lon please
@rsvv6828 2 years ago
Why did he take \xeb\x08?
@weirdstuffsforyou 2 years ago
It's for a short jump. Short jump can be used like EB 0 to EB 7F. He used eb 08 which jumped to the next address as mentioned and written as \xeb\x08.
@rsvv6828 2 years ago
@@weirdstuffsforyou Thanks for your answer
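The short jump discussed in the thread above, worked through as an added example (not code from the video or from any commenter): it decodes and encodes the two-byte x86 `jmp rel8` (opcode EB plus a signed 8-bit displacement), and shows that the displacement counts from the end of the jmp, so EB 08 lands 10 bytes past the jmp's own address. The stack address used is a constructed placeholder, not one taken from the challenge.

```python
# Added example: x86 short jump (EB xx) arithmetic, as discussed in the comments.
import struct

SHORT_JMP_OPCODE = 0xEB


def decode_short_jmp(insn: bytes, insn_addr: int) -> dict:
    """Return the displacement and absolute target of a `jmp rel8` at insn_addr.

    The displacement is relative to the *next* instruction (insn_addr + 2),
    so EB 08 skips 8 bytes of payload but lands 10 bytes past the jmp itself.
    """
    if len(insn) != 2 or insn[0] != SHORT_JMP_OPCODE:
        raise ValueError("not a two-byte short jmp (EB xx)")
    # Signed byte: 00..7F jumps forward, 80..FF jumps backward (EB FE loops forever).
    rel8 = struct.unpack("<b", insn[1:2])[0]
    next_ip = insn_addr + 2
    return {"rel8": rel8, "target": next_ip + rel8, "skipped_from_insn": 2 + rel8}


def encode_short_jmp(insn_addr: int, target: int) -> bytes:
    """Build a `jmp rel8` from insn_addr to target, or raise if rel8 cannot reach it."""
    rel8 = target - (insn_addr + 2)
    if not -128 <= rel8 <= 127:
        raise ValueError(f"displacement {rel8} does not fit in rel8; a near jmp (E9) is needed")
    return bytes([SHORT_JMP_OPCODE]) + struct.pack("<b", rel8)


if __name__ == "__main__":
    # Constructed sample: assume the jmp sits at the hypothetical stack address 0xffffd000.
    base = 0xFFFFD000
    info = decode_short_jmp(b"\xeb\x08", base)
    print(f"EB 08 at {base:#x} -> {info['target']:#x} "
          f"({info['skipped_from_insn']} bytes past the jmp, {info['rel8']} past its end)")
    print(encode_short_jmp(base, base + 10).hex())       # eb08
    print(decode_short_jmp(b"\xeb\xfe", 0x1000))        # jumps to itself
```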
@bhagyalakshmi1053 1 year ago
Str
@bhagyalakshmi1053 11 months ago
Dword ptr this fu ?
@bhagyalakshmi1053 1 year ago
Emi lon please request 🎄🎁 give me lon please request
@SplitUnknown 2 years ago
Ohh my god, how do you do that @john 🫣 Too hard for me to understand 😅🤣
@vanievors2476 1 year ago
How did you overwrite the EIP pointer if the executable is Canary-Protected??
@christiansanchez4883 8 months ago
If you disassemble the source code in ghidra, you'll see that there is no canary in the vuln() function