First Exploit! Buffer Overflow with Shellcode – bin 0x0E




We write our first real exploit to get root access. Solving stack5 from exploit-exercises.com with a simple Buffer Overflow and shellcode.

Run into some problems (illegal instruction):
Stack Level 5:

-=[ 📄 P.S. ]=-

All links with “*” are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.

#BufferOverflow #BinaryExploitation #Shellcode

Source: https://khudothidongvan.com/

See more articles: https://khudothidongvan.com/cong-nghe/

40 COMMENTS

  1. Hey can you help me? When I try to put an address into the instruction pointer, the addresses change all the time. In your video, the addresses remain the same. What am I doing wrong?

  2. For those getting SEGMENTATION FAULT when trying to execute the shellcode (INT3 interrupt), here's the solution:
    recompile your code with this option "-z execstack" to make the stack memory executable.

  3. Hi,
    After successfully executing shellcode
    I just wanted to know why my shellcode process always exits after a single command like "ls"…

  4. Anyone tried this on their base machine? Not while on SSH to protostar? Because it doesn't work on the Linux 5.5.0-1parrot1-amd64 kernel! Or is it not related to the kernel and I am doing something wrong??

  5. To generate the alphabet one can use this one-liner: "".join([4*chr(a) for a in range(97, 120)]). Also, the Metasploit framework has a utility for index finding.
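The one-liner above gives each letter four slots, so an overwritten EIP such as 0x67676767 ("gggg") tells you the letter but not the exact byte. As an added example (not the commenter's code, and not the Metasploit utility it mentions), the script below generalizes the idea to the cyclic "Aa0Aa1..." scheme those Metasploit tools use, where every 4-byte window is unique: `pattern_create` builds the input and `pattern_offset` maps the little-endian register value shown by gdb back to the byte offset. The crash value 0x37654136 in the demo is constructed.

```python
import string
from typing import Optional

# Added example: cyclic pattern generator and offset finder for locating the
# point at which an overflow reaches the saved return address. Not code from
# the video or the comment; the sample crash value below is constructed.


def pattern_create(length: int) -> bytes:
    """Build a pattern (Aa0Aa1Aa2...) in which every 4-byte window is unique,
    up to 26*26*10*3 = 20280 bytes before it would repeat."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(crash_value: int, length: int, word_size: int = 4) -> Optional[int]:
    """Map the register value at the crash (e.g. EIP from gdb) back to the byte
    offset in the pattern that landed there. x86 loads the saved return address
    little-endian, so the search key is the value's little-endian encoding."""
    needle = crash_value.to_bytes(word_size, "little")
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    # Constructed demo: assume the program crashed with EIP = 0x37654136 after
    # reading a 200-byte pattern; the bytes at offset 140 are "6Ae7".
    print(pattern_create(200).decode())
    print("offset:", pattern_offset(0x37654136, 200))
```

Feed `pattern_create(n)` to the program in place of the "AAAA..." input, read the faulting EIP from gdb, and pass it to `pattern_offset`; a result of `None` means the register was not filled straight from your input (the offset guess, or the assumption that it is the return address being overwritten, is wrong).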

  6. This was a great intro to buffer overflows. It was a little challenging to get working on a modern 64-bit Linux system, but I finally figured it out. It would be really cool to see an updated video on this. Keep up the good work man!

  7. 9:07 another good tool, especially if you're using Linux, is MSFVenom… Sure you've heard of it, a lot of different exploits to choose from, can generate shellcode without certain chars, of a certain size etc.

  8. I'm running this on Ubuntu 16.04 on a VM, and I can't run the shell as root even though I set setuid, setgid, and set ownership of the program to root. Why is it not working?

  9. If you're running this on your own, also make sure you compile with the "-fno-stack-protector" flag and "-z execstack" flags
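Comments 2 and 9 both rely on `-z execstack`, which records an executable stack in the binary's PT_GNU_STACK program header (the same information `readelf -lW` prints under GNU_STACK). As an added example, not from the video or the commenters, this script parses that header so you can check which way a binary was built before spending time on a segfault; it also constructs a minimal, non-runnable ELF32 image so the check can be exercised offline.

```python
import struct
import sys
from typing import Optional

# Added example: read the PT_GNU_STACK flags from an ELF file to tell whether
# it was linked with "-z execstack". Not code from the video or the comments.

PT_GNU_STACK = 0x6474E551          # program header carrying stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment flag bits


def gnu_stack_flags(elf: bytes) -> Optional[int]:
    """Return the p_flags of PT_GNU_STACK, or None if the header is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    if is64:
        hdr = struct.unpack(endian + "16sHHIQQQIHHHHHH", elf[:64])
    else:
        hdr = struct.unpack(endian + "16sHHIIIIIHHHHHH", elf[:52])
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        ph = elf[off:off + e_phentsize]
        if is64:                           # ELF64: p_type, p_flags come first
            p_type, p_flags = struct.unpack(endian + "II", ph[:8])
        else:                              # ELF32: p_flags sits at offset 24
            p_type = struct.unpack(endian + "I", ph[:4])[0]
            p_flags = struct.unpack(endian + "I", ph[24:28])[0]
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(elf: bytes) -> Optional[bool]:
    """True if the loader will map the stack executable (what -z execstack asks
    for), False if not, None if no PT_GNU_STACK header exists and the kernel's
    architecture default applies (executable for 32-bit x86, not for x86-64 on
    recent kernels)."""
    flags = gnu_stack_flags(elf)
    return None if flags is None else bool(flags & PF_X)


def make_sample_elf32(stack_flags: int) -> bytes:
    """Constructed test data: a minimal ELF32 image (not loadable) whose only
    program header is PT_GNU_STACK with the given flags."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # 32-bit, LE, v1, SysV
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident,
                       2, 3, 1, 0,     # ET_EXEC, EM_386, EV_CURRENT, e_entry
                       52, 0, 0,       # e_phoff (right after header), e_shoff, e_flags
                       52, 32, 1,      # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)        # no section headers
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = make_sample_elf32(PF_R | PF_W | PF_X)   # what -z execstack produces
    print("GNU_STACK flags:", gnu_stack_flags(image))
    print("executable stack:", stack_is_executable(image))
```

Run it with the path to your compiled binary; a result of `False` means the stack is mapped non-executable and shellcode placed there will fault exactly as comment 2 describes, regardless of whether the overflow itself works.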

  10. After much searching I finally get the basic idea. So how would this work on "real" programs with the modern protections? I find the more I look into it the more complex it gets :D

  11. When I do this, the memory mapped address of the stack is very different between inside GDB and out, and I'm at a bit of a loss as to how to reconcile this.

    Inside GDB: 0xfffdd000-0xffffe000
    Outside GDB: 0xffc67000-0xffc88000

    I'm struggling on how to find some absolute jump address to overwrite the pointer on the stack that will reference the executable code I've placed onto the stack. Anyone have some idea?

  12. 04:48 What if the code is in read-only memory? The debugger cannot just swap instructions with `int3` then, right? :q So how can it still debug such read-only code?

  13. 03:10 Unless the stack is non-executable :q
    So maybe a jump into some library code? I think we could modify the stack so that it contained a series of return addresses and then just allow the CPU to return through all of them to execute some code.

  14. Implemented the exploit on the buffer and got stuck for longer than I'd like to admit. One thing I learned the hard way: make sure that your exploit instructions don't start overwriting themselves through stack "push" instructions... Shortening the noop-slide and adding more padding after the exploit instructions fixed things.
    I now understand why @LiveOverflow chose to traverse the stack in the "opposite" direction. That made things considerably easier. Long noop-slide, no worries about shell-code-self-destruction and generally less space-restriction for the exploit.

    Absolutely great content!

  15. omg now I understand why I do not understand it. He said to put on wizard's hats and he repeated it and I did not put it on and I'm sure it is the reason =D Thanks for the tutorial. Thanks again =)

  16. yo guys I'm really stuck here and I don't know why. I calculated the offset, found 140. I created a payload containing a 115-byte NOP sled + 25 bytes of shellcode + an address in the middle of the NOP sled, but I keep getting a segmentation fault although I checked the offset again and it's 100% 140 bytes. And when I change the return address, each time adding 8 bytes, I arrive at a certain point where PuTTY crashes as if I touched its configuration (wtf?). Guys pleaaase heelp..

  17. I hope someone can help me here. When executing the exploit in gdb everything works fine, but if I try to execute it outside of gdb I get a Segmentation fault error?

  18. Just an update, I was flying through these challenges and was perplexed about something. I never had to nop anything and my shellcode was executed no problem, never got an illegal instruction upon piping, the only time I got an "illegal instruction" was piping my script without the appended shellcode!

  19. Has anyone tried to do this on an x64 machine instead of the protostar VM. I keep getting seg fault when trying to execute the 0xCC instruction.
