BASIC Buffer Overflow | Ryan's CTF [13] Everyday I'm Bufferin

John Hammond · Intermediate ·🔐 Cybersecurity ·7y ago

Key Takeaways

Demonstrates a basic buffer overflow attack using a Ryan's CTF challenge

Full Transcript

the first challenge in the extreme category from Ryan Nicholson CTF is called everyday I'm buffering for 100 points so the challenge prompt here is crash the program just right to retrieve the flag so they give us a show we can work with login with CTF 7 and challenge 7 & LS and we see that we have a program in our current directory that we can play with and work with so if I run this program it says quit copying me and it looks like it's waiting for input so sub and it just spits out our input back at us and we're back to our prompt so assuming just kind of trying to gauge from the challenge title here we can kind of safely say we're gonna end up doing a buffer overflow in this challenge so this is the first time I've actually recorded doing a buffer overflow on video and I'm pretty bad at trying to showcase this with like lots of graphs and pictures and images of how the stack works and stuff like that so there hopefully will be a little bit of suspended disbelief and you will understand but I'm not going to show anything extra other than just meat typing on the terminal so hopefully it'll still be ingrained in your mind a little bit what I'm gonna do here is just actually for one thing showcase my methodology and then I wanted to do a little bit of more file reconnaissance in this thing so I want to see other strings in this binary and I see other stuff that says you found the secret function and the flag text file the flag is blah blah blah so there's nothing in here other than you found the secret function although that is peculiar because it makes me wonder what we have to work with in this binary so something that I'm going to actually use is called Reed elf and you can use Reed elf tack s to note the symbols that you want to get out of it and then you give it the program or the binder that you're looking for and this will list out all the different kind of symbols there's a lot here so if you wanted to like strip this down you can see things that are labeled as functions and if you want to just grep for only those we can corrupt a chi for func so see we even see one results here for secret function so how do we get access to that or how do we get that program to run the secret function because it didn't look like it printed that out for us and when we ran when we actually ran the program we weren't able to do anything other than enter something so thus enters the notion of a buffer overflow so if I just spam garbage into this thing it tries to spit it back out at me and it gives me a segmentation fault so we've crashed the program at this point now if I want to know where things particularly crashed or how I made this this fault occur I can run D message and this is a lot of output in the Web Filter Mille here so I'm going to pipe this into tale and it says at the very very last line okay program here had a seg fault at for one for one for one for one and instruction pointer for one for one for one so what we've done is actually these a s capital a is our zero X for one when you're for lemon and hex so what we've done is we have overflowed the buffer that was storing that input and we have exceeded that cap and pushed outside broke through the buffer limit and now we're leaking on to the stack frame and we've overwritten the return address that is stored at the very top of the stack so now when the our program would normally want to return to a different function rather than this input function it isn't able to because obviously there is no function residing at memory address for one for one for one for one normally this would just be the same function that we came from before and it would be able to like successfully return back to that function but since we've over floated we can control the IP or the instruction pointer to point it to wherever we really want it to go like if we wanted to go back to the main function we particularly could or we can make it call the secret function so we need some way to actually get to that memory address 0 for 0 sorry 0 8 0 4 8 5 3 B for secret function so we'll have to submit those and give them to the program as bytes first thing we need to do is figure out where the offset is as to where we're getting that seg fault where we're getting our overriding a IP position so kind of a trick that some people do here is actually use Python in one line to take advantage the string multiple multiplier here and then pipe that output which if we have originally that is fifty A's that we can give to the program and we know we get a segfault so let's try and shrink this down and find that offset as to where we overwrite EIP or where we don't over ie IP e IP being the register IP being e being 32-bit and IP being instruction pointer or so that didn't have have an error so let's try and do a little like binary search in our own manual discussion here forty that gives us another seg fault so do we get any luck there no I want to see where we can get this for one for one for one to change into what it should normally be so let's try 35 oh okay so that's changed a little bit we're missing a byte here at the very very end so let's bring that down to 32 Oh a legal instruction core dump so let's check out that it says traps program trap invalid opcode so something different than what we would normally expect here but we tried 30 what about 31 is that just okay no seg fault there is that just a threshold is that the balance so let's try 33 okay now we get a segfault and you can see that for one is starting to leak into where would normally be overwriting this instruction pointer here if I added another 30 for any message you can see another for one just leaking in again 35 how do we look here for one for one for one so we can say that we can safely say that 32 is where we can start to access things and let's verify that let's try 32 and then let's add BBB so now we can check that out and see we have a seg fault at four two four two four two four two so we have complete control following our 32 A's to whatever we add afterwards we'll go to that hex byte so now we have to actually send this memory address in hex but still keep the endianness or keep the actual like like structure of that function written in memory so we can kick advantage of this by doing it in in two ways I'm gonna get over to my terminal here in Python if you import the struct module and if you need some documentation on this you can do Python struct interpret string does as packed binary data and you can pack it into a specific format typically we want little-endian because that's just how our Intel processors are and I in this case will be an unsigned integer so it's the number that we're looking for in memory so you can do struct pack with I didn't have it copied correctly secret function copy do we have it now no hate web show okay and in fact that actually has to be the second argument you have to specify the format and type first so less than symbol or Wacka Wacka and i denote it there and the hex value that we're trying to convert into little ND and raw bytes so just like this and that's pretty handy it doesn't make a whole lot of sense if you actually have pwned tools installed you can use p 32 or p 64 if you're working with that data so you just passing that as argument and it will give you that same put it in proper little endian format so you can see this is just switching the bytes around into little endian format and then using the backslash X to denote that okay it's raw hex data so now if I go ahead and supply this to our exploit or our attack into the program we can if I paste from browser here denote that string or 32 bytes for our offer our overflow and then override EIP to the address of the secret function it should return back and call that secret function and we get it it's as you found the secret function the flag is by collateral so cool we finally got that we can go ahead and submit that for points and we can keep track of it in our notes if we particularly want to whatever I'm gonna type this out by collateral cool so take note in that if you wanted to create your own notes function as to how you went through that or your notes file to discover that secret function and convert it into bytes out of the hex address but that is a speedrun of how to do a buffer overflow when there is a vulnerable function waiting for you in the binary but you should always check for that because most challenges have that set up cool hey I want to give a special shout out to people that love and support me on patreon I cannot say thank you enough all of these people are awesome $1 a month on patreon will give you a special shot or at the end of every video just like this $5 a month on patreon will give you early access to everything I release on YouTube if you did like this video please do like comment and subscribe check out ass out on discord join are discord server link in the description and I hope to see you maybe some love from patreon cool see you soon

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

Related Reads

📰
Australia finds serious gaps in Big Tech’s response to child sexual abuse online
Australia's online safety regulator finds Big Tech's response to child sexual abuse online inadequate, citing existing tools not being utilized
The Next Web AI
📰
The Future of Endpoint Security: Why Visibility, Intelligence, and Automation Will Define the Next…
Learn how visibility, intelligence, and automation will shape the future of endpoint security and why it matters for businesses
Medium · Cybersecurity
📰
Why Every Cybersecurity Product Needs Enterprise-Grade Connectors in 2026
Learn why enterprise-grade connectors are crucial for cybersecurity products in 2026 and how they can improve integration and efficiency
Dev.to · Shivang Patel
📰
Malware Deep Dive: Gandcrab
Learn about Gandcrab ransomware and its analysis to improve cybersecurity knowledge
Dev.to · jordanricky1604-ship-it
Up next
8-Step Cybersecurity Engineer Roadmap 2026 | GenAI Era | #shorts
SCALER
Watch →