Execution Flow Hijacking (ret2win) - pwn103 - PWN101 | TryHackMe

3,805 views

RazviOverflow

1 day ago

Hijacking the program's execution flow in order to execute a function of our choice, a technique usually called ret2win (because we return to win() or an equivalent function). We abuse a buffer overflow caused by the use of scanf. A detailed explanation is given of how the stack behaves and what is happening in memory during execution, so as to understand the underlying concepts and why this attack is possible, including a thorough walkthrough of how the RSP and RBP registers are modified by the instructions, either directly or as a side effect. Step-by-step tutorial solving pwn103 from the PWN101 binary exploitation room on TryHackMe.
More on ret2win:
- ir0nstone.gitbook.io/notes/ty...
Function Prologue and Epilogue: en.wikipedia.org/wiki/Functio...
More on ENTER and LEAVE high-level procedures: books.google.es/books?id=zWrZ...
The MOVAPS issue: ropemporium.com/guide.html#Co...
PWN101 Room: tryhackme.com/room/pwn101
Endianness video: • Endianness Explained. ...
Binary Exploitation PWN101 Playlist: • Binary Exploitation PW...
Binary Exploitation PWN101 Webpage: razvioverflow.github.io/tryha...
00:00 - Intro
00:16 - Checking what file it is
00:25 - Executing the binary
00:57 - Segmentation Fault (vuln)
01:20 - Executing the file
01:56 - Recap so far
02:22 - Launching Cutter
02:39 - Checking binary protections
03:11 - Disassembling the binary
05:55 - Identifying and explaining the vulnerability
07:44 - Understanding the underlying concepts
08:05 - Execution Flow Hijacking
08:52 - Understanding the underlying concepts
09:33 - CALL instruction
10:57 - RET instruction
12:19 - Understanding the stack during the execution
14:32 - Function Prologue
14:56 - Understanding the stack during the execution
17:10 - Function Epilogue
17:26 - LEAVE high-level procedure
17:58 - Understanding the stack during the execution
18:48 - Understanding the exploit
20:44 - Writing the exploit
23:11 - Exploiting locally
23:18 - Exploiting remotely
23:41 - The MOVAPS issue
25:02 - Exploiting remotely
24:33 - Fixing the exploit
25:22 - Reading the flag
25:27 - Outro[*]
Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
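The description above promises a walkthrough of what CALL, the prologue, LEAVE and RET do to RSP and RBP, why an unbounded scanf write into a buffer at rbp-0x20 reaches the saved RBP and the return address, and why the MOVAPS issue appears when win() is reached by RET instead of CALL. The following Python model is an added example written for this page; it is not the video author's code and not the room's binary. All addresses, the frame size and the win()/ret-gadget values are constructed placeholders, and the scanf width specifier shown as the hardened variant is a defender's fix that the video itself does not cover.

```python
import struct
from typing import Optional

WORD = 8  # an x86-64 stack slot is 8 bytes


def p64(value: int) -> bytes:
    """Pack an integer as 8 little-endian bytes, which is what pwntools' p64 does."""
    return struct.pack("<Q", value)


class StackModel:
    """Byte-addressed model of a slice of the x86-64 stack (constructed).

    The register effects of CALL, the prologue, LEAVE and RET are the ones
    the video walks through; the addresses are made up for illustration.
    """

    def __init__(self, rsp: int, rbp: int) -> None:
        self.mem = {}   # address -> byte value; unwritten bytes read as 0
        self.rsp = rsp
        self.rbp = rbp
        self.rip = 0

    def write(self, addr: int, data: bytes) -> None:
        # No bounds check: like scanf("%s"), the bytes land wherever they land.
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read_qword(self, addr: int) -> int:
        raw = bytes(self.mem.get(addr + i, 0) for i in range(WORD))
        return struct.unpack("<Q", raw)[0]

    def push(self, value: int) -> None:
        self.rsp -= WORD
        self.write(self.rsp, p64(value))

    def pop(self) -> int:
        value = self.read_qword(self.rsp)
        self.rsp += WORD
        return value

    def call(self, target: int, return_addr: int) -> None:
        self.push(return_addr)   # CALL saves the address of the next instruction
        self.rip = target

    def prologue(self, frame_size: int) -> None:
        self.push(self.rbp)      # push rbp: save the caller's frame pointer
        self.rbp = self.rsp      # mov rbp, rsp: this frame's base
        self.rsp -= frame_size   # sub rsp, N: room for locals (the buffer)

    def leave(self) -> None:
        self.rsp = self.rbp      # mov rsp, rbp: drop the locals
        self.rbp = self.pop()    # pop rbp: restore the caller's frame pointer

    def ret(self) -> None:
        self.rip = self.pop()    # RET pops whatever sits in the return slot


# Constructed values (assumptions, not taken from the room's binary).
CALLER_RSP = 0x7FFC00001000   # 16-byte aligned, as the ABI requires before CALL
CALLER_RBP = 0x7FFC00001100
RETURN_ADDR = 0x401400        # the instruction after "call general" in the caller
BUF_OFFSET = 0x20             # the buffer sits at rbp-0x20, as in the video


def run_general(user_input: bytes, width: Optional[int] = None) -> StackModel:
    """Simulate the caller invoking general(), which reads into its buffer and returns.

    width=None models scanf("%s"), which stores everything it is given;
    width=31 models scanf("%31s"), which stores at most 31 bytes plus a NUL
    into the 32-byte buffer and therefore never reaches the saved RBP or
    the return address.
    """
    st = StackModel(rsp=CALLER_RSP, rbp=CALLER_RBP)
    st.call(target=0x401300, return_addr=RETURN_ADDR)
    st.prologue(BUF_OFFSET)
    data = user_input if width is None else user_input[:width] + b"\x00"
    st.write(st.rbp - BUF_OFFSET, data)
    st.leave()
    st.ret()
    return st


def entered_like_a_call(rsp: int) -> bool:
    """True when RSP has the value a function expects on entry.

    The ABI keeps RSP 16-byte aligned at each CALL, so on entry RSP is
    8 mod 16.  Arriving via RET instead of CALL leaves RSP 0 mod 16, the
    prologue then misaligns every local, and an aligned SSE access such as
    MOVAPS faults: the MOVAPS issue the video fixes with an extra RET.
    """
    return rsp % 16 == 8
```

Feeding run_general() exactly 0x20 bytes leaves RBP and RIP untouched; 0x20 bytes of padding followed by two 8-byte words replaces the saved RBP and the return slot, which is the offset arithmetic the video derives. After that RET, RSP is 0 mod 16, so entered_like_a_call() is false; executing one more RET (the "ret gadget" fix) consumes a slot and restores the 8 mod 16 entry state. With width=31 the same input is harmless, which is the point of always giving scanf a width.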

Comments: 32
@christiansanchez4883 7 months ago
You are literally the best at explaining this! I've been going through tutorials and none have addressed the stack alignment issue. This has finally solved issues I've been stuck on for weeks. I wish I could give you more likes.
@RazviOverflow 7 months ago
Glad I could help :)
@ratlinuxgamer2855 2 years ago
What I like the most is how you explain the theory. Thanks mate.
@RazviOverflow 2 years ago
You are welcome! Glad it helps :)
@katchen2626 5 months ago
why are you SO AWESOME i've been looking EVERYWHERE for someone to explain stack addressing, and nobody did it as perfect and precise and short as YOU. THANK YOUUUU
@RazviOverflow 2 months ago
You are welcome, glad to help :)
@regas6441 4 months ago
Thanks for the explanation on the MOVAPS issue, been getting it and didn't really understand what was going on.
@RazviOverflow 4 months ago
You are most welcome :)
@mmelt 1 year ago
Incredibly well presented. Don't forget to register Sublime Text!
@RazviOverflow 1 year ago
Thank you! I'm on it, I promise :P
@davidshipman5964 5 months ago
Great video! I learned a lot. It is crazy that you can do things like this lol
@RazviOverflow 5 months ago
Glad you liked it!
@danielcmihai 2 years ago
Nicely done mate!! Top
@RazviOverflow 2 years ago
Thank you :)
@ilabsentuser 1 year ago
I am loving this series! This one really had me lost though. There is something I would like to ask. Even though in this case it is obvious (as s1 is the only variable in the general function), how do you easily realize that scanf is writing its output there? More specifically in the disassembly view, as in decompiled views it is easy to find. Essentially I would like to understand how to recognize in the disassembly when a function writes to a variable. Of course you don't have to answer this yourself; pointing me to some docs for it should be enough, I can RTFM hahaha. Thanks in advance! Will try to complete the next chapter alone, this one was a no go xD
@RazviOverflow 1 year ago
Hi there! Thank you for your kind words. Will continue the series pretty soon (I've been taking a break recently). Answering your question, there are 3 things we have to take into account:
1. We are dealing with a 64-bit binary. That is, arguments are passed via registers and not via the stack. (You can google how parameters are passed to functions in 32-bit and 64-bit architectures in assembly.)
2. We are dealing with a Linux binary, so we have to take into account the naming convention (en.wikipedia.org/wiki/X86_calling_conventions#List_of_x86_calling_conventions). The first parameter is taken from RDI, the second from RSI, and so forth...
3. Right before the scanf call at address 0x40132c (6:43), the parameters are being set. If you've never used scanf before, take a look at the man page man7.org/linux/man-pages/man3/scanf.3.html. You will notice the first parameter is the format string (RDI) and the second one is the buffer (RSI). Now taking a look at the assembly code, instruction 0x40131a is setting the RSI register, whose value will be the address of [s1] because of the previous register. And [s1] is rbp-0x20.
Cutter does a pretty good job when assigning variable names like s1 to given addresses, but you don't really need them. If you see something like:
lea rax, [rbp-0x20]
mov rsi, rax
...
call scanf()
You already know the second parameter of scanf will be rbp-0x20. Hope this helps!
@ilabsentuser 1 year ago
@@RazviOverflow Ah, I see, I was making some wrong assumptions there. I am reading on what you mentioned and it is being very informative. Will keep reading about it after work, but I have to say that this info is exactly what I needed. I think I did not know exactly what to search for though, as it seems it was easily reachable :(, so thanks again for pointing me in the right direction. Will keep digging at it :)
@RazviOverflow 1 year ago
@@ilabsentuser Glad to help, and ask whenever you consider!
@Sh3lld0n 2 years ago
Great video! Can you say how you install the decompiler for Cutter? Thanks
@RazviOverflow 2 years ago
Thank you! The decompiler is installed by default. From their repo I download the AppImage file and simply execute it.
@JoPraveen 2 years ago
Nicee ✨💯
@rhyswong6779 2 months ago
Sorry, as I am kind of new to using Cutter, but when I use Cutter on my end my theory is that it somehow adds the 0x8 of the ebp to the variable? So instead of it being 0x20 like in the video it's 0x28. I say this because my exploit doesn't work if I add the extra padding for the 8 bytes on top of 0x28.
@RazviOverflow 2 months ago
Hello, take a look at this question: reverseengineering.stackexchange.com/questions/32317/cutter-shows-addresses-relative-to-stack-but-not-rbp-how-to-change-it
@00habib00 2 years ago
Great man!!!
@RazviOverflow 2 years ago
Thank you!! Stay tuned, more to come.
@lanadweikk 8 months ago
I don't understand why sometimes we use "p64" and other times "p32", can you please explain?
@RazviOverflow 8 months ago
p64() packs a 64-bit int (8 bytes), while p32() packs a 32-bit int (4 bytes). docs.pwntools.com/en/stable/util/packing.html#pwnlib.util.packing.p32 Depending on the number of bytes you are trying to pack you must use one or the other.
@samfisher8426 2 years ago
p64 is not working for me?? What's the alternative for this?
@RazviOverflow 2 years ago
How is it that p64 does not work? The alternative is using struct, native to Python.
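The two questions above (p32 versus p64, and what to use when pwntools is not available) come down to the same thing: how many bytes the target register or stack slot holds, and in which byte order. The following added example is not the video author's code and does not use pwntools; it reimplements the packing with the standard library so the size and endianness choices are explicit, and it refuses values that do not fit rather than silently truncating them, which is the usual reason a p32() of a 64-bit address "does not work". The sample addresses are constructed.

```python
import struct


def pack(value: int, bits: int, endian: str = "little") -> bytes:
    """Pack an unsigned integer into bits/8 bytes, the way p32()/p64() do.

    x86-64 registers and stack slots are 8 bytes (p64); 32-bit targets use
    4-byte slots (p32).  Both are little-endian on x86, so the lowest byte
    of the value is emitted first.  A value that needs more bytes than
    requested raises ValueError instead of being cut off.
    """
    if bits not in (8, 16, 32, 64):
        raise ValueError(f"unsupported width: {bits} bits")
    size = bits // 8
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{value:#x} does not fit in {size} bytes")
    return value.to_bytes(size, endian)


def unpack(data: bytes, endian: str = "little") -> int:
    """Inverse of pack(): u32()/u64() in pwntools terms, width taken from the data."""
    if len(data) not in (1, 2, 4, 8):
        raise ValueError(f"expected 1, 2, 4 or 8 bytes, got {len(data)}")
    return int.from_bytes(data, endian)


def pack_with_struct(value: int, bits: int) -> bytes:
    """The same result using the struct module that ships with Python.

    '<' selects little-endian, 'I' is a 4-byte and 'Q' an 8-byte unsigned
    integer.  struct.pack raises struct.error for an out-of-range value.
    """
    fmt = {32: "<I", 64: "<Q"}[bits]
    return struct.pack(fmt, value)


if __name__ == "__main__":
    addr = 0x401136  # constructed sample address, not from the room's binary
    print(pack(addr, 64).hex(), pack(addr, 32).hex())
```

A 64-bit address such as a stack pointer cannot be packed with p32() at all; both pack() and struct.pack() reject it, while pwntools' p32() would raise as well. When the value does fit, pack(), pack_with_struct() and pwntools' p64() produce identical bytes.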
@incursio1122 2 months ago
You are god🙏🙏
@RazviOverflow 2 months ago
Glad to help :)
@Hellohellohello803 5 months ago
This is script kiddie s**t. 😂