Buffer Overflows: A Symphony of Exploitation
Вставка
- Опубліковано 13 лип 2024
- ⚠️* Disclaimer:
The information presented in this video is for educational purposes only. It is not intended to be used for illegal or malicious activities. The creator and any individuals involved in the production of this video are not responsible for any misuse of the information provided. It is the responsibility of the viewer to ensure that they comply with all relevant laws and regulations in their jurisdiction.
I really hope you enjoyed this video! Comment "0x41414141" if you read this!
🔖 My Socials:
avatar/mascot made with picrew: picrew.me/en/image_maker/1108773
- full credits to the artist: / mimisentakosen
- visit her shop: coconala.com/services/1871766...
official discord server: dsc.gg/crow-academy
crows-nest.gitbook.io/
github.com/cr-0w
/ cr0ww_
💖 Support My Work
/ cr0w
ko-fi.com/cr0ww
www.buymeacoffee.com/cr0w
Join this channel to get access to perks:
/ @crr0ww
🖥️ Extra Resources:
ropemporium.com/
github.com/rosehgal/BinExp
📹 Videos/Channels Mentioned:
TCM's BOF Playlist:
• Buffer Overflows Made ...
LiveOverFlow's Python2 vs Python3:
• Python 2 vs 3 for Bina...
🎵 Music Credit goes to Ian Taylor, and Adam Bond (a variety of OSRS OSTs): Created using intellectual property belonging to Jagex Limited under the terms of Jagex's Fan Content Policy. This content is not endorsed by or affiliated with Jagex.
The images and music used in this video are used under the principle of fair use for the purpose of criticism, comment, news reporting, teaching, scholarship, and research. I do not claim ownership of any of the images/music and they are used solely for the purpose of enhancing the content of the video. I respect the rights of the creators and owners of these images and will remove any image upon request by the rightful owner.
Copyright Disclaimer under section 107 of the Copyright Act of 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, education, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing.
🕰️ Timestamps:
00:00 - Intro
00:31 - Background
02:25 - What is a Buffer Overflow?
05:06 - Secure Example
07:21 - Insecure Example
07:52 - Prerequisites
09:03 - Exploitation Checklist
10:16 - Assembly Basics
11:56 - Common Pitfalls
12:43 - Getting Our Hands Dirty
19:07 - Exploiting The Binary
20:37 - Bonus
21:05 - Challenge
29:50 - Outro - Наука та технологія
Now this is the content I wanted to see
>:)
Honestly, I know basically nothing about hacking, yet this was so digestible and entertaining!
AH ❤️ tysm that’s the plan!! :)
PLEASE I BEG YOU KEEP SHARING YOUR KNOWLEDGE IN THAT WAY, THAT'S A BANGER
AAAA THANK YOU SO MUCH :"))!! , AND WILL DO :D
I thought UA-cam is very poor when we talk about this type of content until I found your channel 🤩🤩
thank you so much for the kind words :’)
Love the way this was put together, very entertaining as well as informative!!
thank you so much! :)))
That is the most comprehensive example of how a buffer overflow works that I have ever seen in a video. I have only seen it explained in books on the subject. That was a well done video and most programmers have no idea how important it is to check buffers because most don't know anything about how the processor actually works. This would be a good video for all programmers to see. I am not a professional programmer, it is a hobby interest for me but it is also a hobby interest to learn how the circuitry in the computer at the logic level actually works so it naturally makes since to me how the overflow attack works. Well done.
Todd, I wanted to take a moment to write out a special message for you. Something about your message really pulled on some heartstrings for some reason, so number 1, thank you so much for the kind words, seriously it means so much to me. Secondly, I completely get what you're saying. It's inherently a pretty technical subject to cover, I mean there are so many moving parts and most of them are seriously pretty low-level in relation to the CPU; and the 1s and 0s therein. As you were saying, most programmers have probably heard of these kinds of attacks but since they typically use such a high-level/highly-abstracted language that handles memory management and does garbage collecting for them, it can very easily slip their minds which, 100% downplays the severity of it. It's because of this reason that I decided to make a video so that ALL of us, as a community - hackers, programmers, infantile water lizards, etc. could learn about these kinds of vulnerabilities :) Thank you so much for commenting, Todd. Keep up the great work as well! I hope you stick around! :D
join our official discord: dsc.gg/crow-academy
especially if you're a femboy :3
Easily the best video on buffer overflows I've seen. Thanks!
thank you so much for watching
This video is awesome! Thank you for putting the effort!
Loved the format! Keep at it man! :)
thank you so much, enrique 🥹❤️ will do ! : )
im your 99th subscriber, keep going to 100!
thank you so so much!! we made it to 100!! :D
@@crr0ww man you have 344 subs now
@@originalni_popisovac it's so crazy!! i know the channel has been growing so fast : )
This is literally the only video about buffer overflow which made it so simple, i could understand.
LMAO IVE REWATCHED THIS LIKE 10 TIMES NOW AND JUST NOTICED THE OSRS MUSIC IN THE BACKGROUND
BRO LMAO
Great video! One thing about the secure example, although that specific version is not insecure, it's important to note that dependent on the size of your buffer (even if you only read the buffer size in) can become insecure.
When taking input into a buffer with read, it's usually pretty smart to only read untill the 2nd to last byte.
Eg. if you have a buffer of size 200, you read in 199 bytes, this is because read does not supply a NULL byte or anything to terminate the string for you.
Why is this an issue?
If you're for example printing a string where input is supplied with read, and you're printing using the %s modifier. Printf will print untill a NULL byte is hit.
If your buffer happens to be 8 byte aligned the user may fill up the 8 byte buffer completely, without a NULL byte. The printf will subsequently print those 8 bytes and whatever is found in memory afterwards, if whatever is found happens to not be a NULL byte. This is a leak primitive.
As an example I took your secure program and changed the buffer size to 256 and the read size to 256. So char buf[256] and read(0,buf,256).
Output looked as follows:
AAAAA..
:O that was fascinating... (you really DO learn something new everyday xD)!! seriously, thank you so much for such a detailed explanation; I had a blast reading this and will definitely try to tinker with this soon (right now, I'm following the malloc maleficarum and working on the house of force - really exciting stuff!) :D!! AND THANK YOU SO MUCH for subscribing and the kind words, Jens! :')
@@crr0ww heap stuff is where it gets really exciting! Looking forward to see what videos you might make on it!
If you're diving into heap stuff I can recommend using pwndbg instead of peda for debugging btw. As it has bindings for checking the heap and free bins. This makes it a lot easier to keep track of what's going on instead of having to manually parse the heap to figure out what's going on 👌
@@jensnielsen8612 I 100% agree; this heap stuff is insanely intriguing (oh and you best believe I'm going to make a video on heap exploitation :))
I've already got pwndbg running and have been using it religiously recently xD, and MAN is it magnificent :D tysm for having this little interaction with me, jens! you really made my day :)
This is so refreshing, in a sea of lame-ass videos of dudes with Guy Fawkes masks talking about "hacking like Mr. Robot."
I love your videos.
Thank you man this vid show me the whole pic and and imporve my understanding thank you again
Love the video. Amazing. Despiste about all usefull explanation I cant stop think about your teminal theme. Keep going and thanks for your time.
awesome! Fun to watch and listen!
Really loved this masterpiece, you deserve billion subs
😂 thank you so much, i really appreciate it!
@@crr0ww glad you did
Love your stuff man. I want to be like you when I grow up :)👍
i love your content Crow!
appreciate 'cha, thank you so much
amazing vid, love the osrs music!!
you can return to a function thats never called in a program ------> *brain implodes*
Nice work buddy, keep it up!
thank you so so much!! :D
This is an amazing video. Thank you!
thank you so much
Time to write every program in rust 😅
bro im invested in this channel
AA THANK YOU SO MUCH, that's so nice 🥲❤
It is as if all the brain of the internet condensed into this channel
Love the content and loving the background RuneScape music
thank you!
LOVE your way man. +1 sub
thank you so much! :D
first video? this is great!
thank you so much!! that means so much to me :'D
i love it just needed a reminder
Broooooooooooooo!!!! please continue manking videos like this one pleasseeeee!. that was really fun
thank you so much, that's so nice!! :"D there are some videos planned right now just hold on a littttttle longer ;)
i swear your so entertaining how do you evencome up w this
This was an awesome video!
thank you so much! that’s so kind of you :) i’m glad you enjoyed it
Best video made on buffer exploitation
This is the channel I've been looking for for aaaaaages
Cool video, hope you go viral soon.
i REALLY appreciate that, thank you so much! :)
best quality channel
Heeyyyy!! Mama Murphy approves this channel!! Much love buddy!!
AAAA THANK YOU SO MUCH!
0x41414141
Loved the video, I never really understood buffer overflows even though I have been exposed to it for a while. The video is well structured and the comedy makes the digesting of such technical information smooth.
May I know what OS you're using? It looks really cool. Thanks again for the video, expected to see a lot more on technical/niche cyber topics.
0x41414141 🫡
Thank you so much for the comment, I'm so glad you enjoyed it; that makes all of this super worth it
this video made me giggle as well as taught me something
i'm so glad!! thank you :)
Awesome!
you’re awesome
Οh thats some good content. I guess im your 47th sub hahah keep it up
i will always remember you, lil skeleton >:) thank you so much
@@crr0ww ❤️
39 seconds into the video
*Subbed cos good animation
thank you so much!! :D
absolute gold
Great content. Subscribed!
thank you so much, yassine! :D
@@crr0ww thank you for producing such an informative and entertaining content. Keep up ♡
0x43434343
15:34
You just dissed all the Indians in all tech comment sections😈😈😂
This is my jam
Osrs music made this video 10x better, gg
nice video! i am now hacker boy 9000
glad to be of service, hacker boy 9000!
pretty cool
Amazing 🔥
hehe tysm bro! :D
0x41414141
Happened to stumble upon your channel recently, and quite happy I did. As a very seasoned (old) IT guy, I find your videos highly educational, and I love your sense of humor and all the little drawings and such! Keep up the great work!
thank you so much! : ) im so glad you enjoyed it, that's very kind of you
YES, Harry Potter hacking mad. The videos that I need in MY BLOOD
😂😂 LET’S GOOO tysm for commenting xD
Amazing video!
tltr - can you tell me which programs you have been using to making your videos?
I have been thinking about making videos like yours, but in Portuguese (I’m from Brazil), and with a defensive approach/perspective. But I have no idea how to do it, I just have the content knowledge and some digital notes. What kind of programs I have to learn about, to make an animated video like this
amazing video
appreciate you
Hello Crow, I love your content and I just stumbled on it yesterday. One other thing caught my attention, please can you make a mini series showing how you mod(riced) your operating system, and the fonts and zsh shells and theme you are using? It looks so good!
thank you so much!! that means so much to me :') and of course! i have a ricing/modding series already planned for the future, stay tuned! :D
every time i hear that runescape music, all i can think of is waiting literal hours to play the game, just on that menu...
trust me, i feel you. there is no game like runescape : ') just hearing the music and editing it brought me back straight to lumbridge.
those were the days :')
Damn the algorithm is in your favor man
looks like my sacrifice to the youtube gods actually paid off >:)
Great explanations! Just curious, does that background music use the Mother 3 soundfont?
thank you so much for commenting! :D ahhh as much as i love the mother/earthbound games and music, I didn't use it here : ( I used music from a game called "old school runescape" : )
@@crr0ww ah i thought the timpani and the high hat sounded familiar but ig not. :)
The Runescape music was confusing since I'm playing it while watching this vid but the music doesn't match the area where I am in the game
LMAOOO mb XDD
Nice video! Stack Based BoFs are cool, but an idea, what do you think about ROP BoFs? I think those are the most triky ones ahahahahah
Anyways, very cool video!!
thank you so much! ROP is definitely one of my favourite techniques, there are also some variants of ROP itself XD (sROP, etc.), I'll be sure to cover it :>
I logged in my Google account just to liked and say that I enjoyed all your content!
i appreciate that so much, thank you! : )
Hey crow just curious - first time learning about some of this stuff.
What if their are no functions "worth exploiting" if that makes any sense. I guess the idea is that it gives you access to return any function within the program itself and that's beneficial but seems like it could be pointless if their is nothing worth exploiting?
Can you do any function "injection"? That might not make any sense haha.
hey, that's actually more common than what you might think! : ) in that scenario, it's a bit trickier but it can still definitely be done. that's when you'd want to look at something like using ROP for your exploit(s) :) hope that helps
How's your xxd printing ascii on the right? my one only shows hex values in output
Cool video!
thank you so much! : )
@@crr0ww Of course! I'm always happy to hand out credit where it's due (and it's definitely due here). Your art style is cute and your videos are informative. Keep it up!
Have a nice day, cheers from Canada!
Thank you father log. Great video, in gonna go overflow some buffers now
of course my son, thou shall floweth over any buffer thou shall see ❤️🥹
@@crr0ww father is it biblical cannon to tattoo 0xDEADBEEF on my arm?
@@raphaelradespiel9970 if the necro-cow calleth to you, let thine deadbeef in >: )
@@crr0ww thanks mate, in all seriousness, I really enjoyed your video. Got me in the mood to try this out. Good balance of e entertainment and education
@@raphaelradespiel9970 thank you so much that means so much 😭❤️❤️
This video is kinda interesting... although I also find it super scary that I find this video interesting.
ahhh balanced as all things should be >:) thank you so much!
you should make a video about heap exploitation, or maby a series??
What'd you use to make this video? It looks great
tysm : ) i used davinci resolve to make this (& all my other vids)
Good video :)
thank you so much :D!
Hi, amazing video about the basics! what is the poffset tool used at 13:51? 0x41414141 :)
hi thank you so much for the sweet comment! oh, and 0x41414141 🫡
@@crr0ww oh, so tools from metasploit. Thanks!
High quality
thank you
Nice desktop environment. Could you please share your desktop environment configuration details
sure : ), i might put the config files up eventually but for now, here's what I'm working with:
OS: kali
WM: bspwm
bar: polybar
compositor: picom
launcher: rofi
notifs: dunst
terminal : alacritty
colourscheme: catpuccin mocha
font: iosevka
hope that helps! :)
nice
If you have a FreeBSD router, with 1024 rx and tx descriptors is it more or less safe to give windows 1023 rx/tx buffers or 1025 rx/tx buffers?
Hey, somehow I am facing "not found in pattern buffer" when trying to find an EIP offset. What could be the reason and do you have some guidelines where I can look deeper in this EIP process? thanks!
so we were given a task in university where we should exploit a program with a buffer overflow as we were learning about assemly at that time.
Didn't understand shit so that's why i'm here.
BUT: Can you actually expect to face programs where you can use buffer overflows or is software secure enough for that?
I'm happy I ran into this video.
thank you so much : D!!
@@crr0ww :) Subscribed, I’ll be following your content
@@Mauzy0x00 YOU'RE THE BEST TYSM 😭♥
what os is this?
and thanks for the great content!
thank you so much
mouse!!!
where??? kill it!!
Hello Guys! Does anyone know what distro is he using and also the customization on it? Would help me a lot! Thanks :) Great vid!
hey! just using kali that i riced up a bit : ) I might make a dedicated repository with my config files, but here's what I'm working with rn:
OS: kali
WM: bspwm
bar: polybar
compositor: picom
launcher: rofi
notifs: dunst
terminal : alacritty
colourscheme: catpuccin mocha
font: iosevka
hope that helps
Thanks @@crr0ww for your reply! still lovin' your content!
Hmmm your voice sounds familiar but didnt recognize old channel
Hello! I am actually learning these stuffs and also about cybersecurity in general as a newbie, and I want to ask something. If you come across this comment, please feel free to answer :3
I have been getting SIGABRT error instead of SIGESEV error as mentioned in the video, been facing some problems for that. Can anyone explain why and how is this happening? and also, how to bring sigesev error as demonstrated?
I have had the same issue. I tried writing more characters into the buffer (for example, 5000 worked for me in the sense that it gave me SIGSEV error, but the contents of my EIP (RIP in my case) register are not repeating 'A's but (vmovdqa ymm1,YMMWORD PTR [rdi+0x1]) instead. I would like to know what the issue is as well.
Edit: I just thought of this, but could the issue be with the CPU architecture, since I have an AMD CPU? Could the difference between Intel and AMD CPUs be causing the difference in behavior?
This sounds like Chicago or LA
So even if there is an exploitable buffer in someone code, if you don't have access to a function that is also useful, then it doesn't really matter? Assuming RX/DEP is present?
Hey, at 12:24 the command r < pattern.txt, when r is some kind of alias (as i got it). What is the full command?
hi, the "r < pattern.txt" is the same thing as running "run < pattern.txt" : ) hope that helps
Hey, What linux distro you using?
what version of gdb are you using?
in this video, i was using gdb-peda: github.com/longld/peda
What font are you using?
hi, it's "iosevka" hope that helps : P
what color scheme you are using ?
cattpuccin mocha! : )
What about rust binaries? Is it possible?
100% it's definitely possible to have buffer overflows occur in rust binaries; albeit it's a bit harder because rust is definitely one of the more "memory-safe" languages out there (from what i've seen/heard, i've yet to actually program in rust) thank you for commenting : ) !
which os are u using mate?
just a simple little kali vm :)
Noice what i was thinking of making that kind of video but a bit dumb er way.
you should do it!! :) thank you so much for commenting
What kind of shell are you using?
ZSH : ) the terminal is alacritty with a cattpuccin mocha colourscheme hope that helps
@@crr0ww Thank you very much
lmao
Do you use arch?
i do! (arch btw
Does rust stop this?
from what I know about rust (not a rust programmer unfortunately xD), it's a very "memory-safe" language that has a really good garbage collector, a borrow checker, and other mechanisms to prevent attacks like this. Although, you could 1000% still force this vulnerability to occur within rust code
Could've been made more easier if explained slowly while typing and doing instead of explaining first and doing it practically, later in which we miss some points which are not effectively described. But good stuff if you already know ASM and have a basic idea what buffer is..
AAAA
AAAA :D