BASIC Buffer Overflow | Ryan's CTF [13] Everyday I'm Bufferin
Skills:
Security Basics90%
Key Takeaways
Demonstrates a basic buffer overflow attack using a Ryan's CTF challenge
Full Transcript
the first challenge in the extreme category from Ryan Nicholson CTF is called everyday I'm buffering for 100 points so the challenge prompt here is crash the program just right to retrieve the flag so they give us a show we can work with login with CTF 7 and challenge 7 & LS and we see that we have a program in our current directory that we can play with and work with so if I run this program it says quit copying me and it looks like it's waiting for input so sub and it just spits out our input back at us and we're back to our prompt so assuming just kind of trying to gauge from the challenge title here we can kind of safely say we're gonna end up doing a buffer overflow in this challenge so this is the first time I've actually recorded doing a buffer overflow on video and I'm pretty bad at trying to showcase this with like lots of graphs and pictures and images of how the stack works and stuff like that so there hopefully will be a little bit of suspended disbelief and you will understand but I'm not going to show anything extra other than just meat typing on the terminal so hopefully it'll still be ingrained in your mind a little bit what I'm gonna do here is just actually for one thing showcase my methodology and then I wanted to do a little bit of more file reconnaissance in this thing so I want to see other strings in this binary and I see other stuff that says you found the secret function and the flag text file the flag is blah blah blah so there's nothing in here other than you found the secret function although that is peculiar because it makes me wonder what we have to work with in this binary so something that I'm going to actually use is called Reed elf and you can use Reed elf tack s to note the symbols that you want to get out of it and then you give it the program or the binder that you're looking for and this will list out all the different kind of symbols there's a lot here so if you wanted to like strip this down you can see things that are labeled as functions and if you want to just grep for only those we can corrupt a chi for func so see we even see one results here for secret function so how do we get access to that or how do we get that program to run the secret function because it didn't look like it printed that out for us and when we ran when we actually ran the program we weren't able to do anything other than enter something so thus enters the notion of a buffer overflow so if I just spam garbage into this thing it tries to spit it back out at me and it gives me a segmentation fault so we've crashed the program at this point now if I want to know where things particularly crashed or how I made this this fault occur I can run D message and this is a lot of output in the Web Filter Mille here so I'm going to pipe this into tale and it says at the very very last line okay program here had a seg fault at for one for one for one for one and instruction pointer for one for one for one so what we've done is actually these a s capital a is our zero X for one when you're for lemon and hex so what we've done is we have overflowed the buffer that was storing that input and we have exceeded that cap and pushed outside broke through the buffer limit and now we're leaking on to the stack frame and we've overwritten the return address that is stored at the very top of the stack so now when the our program would normally want to return to a different function rather than this input function it isn't able to because obviously there is no function residing at memory address for one for one for one for one normally this would just be the same function that we came from before and it would be able to like successfully return back to that function but since we've over floated we can control the IP or the instruction pointer to point it to wherever we really want it to go like if we wanted to go back to the main function we particularly could or we can make it call the secret function so we need some way to actually get to that memory address 0 for 0 sorry 0 8 0 4 8 5 3 B for secret function so we'll have to submit those and give them to the program as bytes first thing we need to do is figure out where the offset is as to where we're getting that seg fault where we're getting our overriding a IP position so kind of a trick that some people do here is actually use Python in one line to take advantage the string multiple multiplier here and then pipe that output which if we have originally that is fifty A's that we can give to the program and we know we get a segfault so let's try and shrink this down and find that offset as to where we overwrite EIP or where we don't over ie IP e IP being the register IP being e being 32-bit and IP being instruction pointer or so that didn't have have an error so let's try and do a little like binary search in our own manual discussion here forty that gives us another seg fault so do we get any luck there no I want to see where we can get this for one for one for one to change into what it should normally be so let's try 35 oh okay so that's changed a little bit we're missing a byte here at the very very end so let's bring that down to 32 Oh a legal instruction core dump so let's check out that it says traps program trap invalid opcode so something different than what we would normally expect here but we tried 30 what about 31 is that just okay no seg fault there is that just a threshold is that the balance so let's try 33 okay now we get a segfault and you can see that for one is starting to leak into where would normally be overwriting this instruction pointer here if I added another 30 for any message you can see another for one just leaking in again 35 how do we look here for one for one for one so we can say that we can safely say that 32 is where we can start to access things and let's verify that let's try 32 and then let's add BBB so now we can check that out and see we have a seg fault at four two four two four two four two so we have complete control following our 32 A's to whatever we add afterwards we'll go to that hex byte so now we have to actually send this memory address in hex but still keep the endianness or keep the actual like like structure of that function written in memory so we can kick advantage of this by doing it in in two ways I'm gonna get over to my terminal here in Python if you import the struct module and if you need some documentation on this you can do Python struct interpret string does as packed binary data and you can pack it into a specific format typically we want little-endian because that's just how our Intel processors are and I in this case will be an unsigned integer so it's the number that we're looking for in memory so you can do struct pack with I didn't have it copied correctly secret function copy do we have it now no hate web show okay and in fact that actually has to be the second argument you have to specify the format and type first so less than symbol or Wacka Wacka and i denote it there and the hex value that we're trying to convert into little ND and raw bytes so just like this and that's pretty handy it doesn't make a whole lot of sense if you actually have pwned tools installed you can use p 32 or p 64 if you're working with that data so you just passing that as argument and it will give you that same put it in proper little endian format so you can see this is just switching the bytes around into little endian format and then using the backslash X to denote that okay it's raw hex data so now if I go ahead and supply this to our exploit or our attack into the program we can if I paste from browser here denote that string or 32 bytes for our offer our overflow and then override EIP to the address of the secret function it should return back and call that secret function and we get it it's as you found the secret function the flag is by collateral so cool we finally got that we can go ahead and submit that for points and we can keep track of it in our notes if we particularly want to whatever I'm gonna type this out by collateral cool so take note in that if you wanted to create your own notes function as to how you went through that or your notes file to discover that secret function and convert it into bytes out of the hex address but that is a speedrun of how to do a buffer overflow when there is a vulnerable function waiting for you in the binary but you should always check for that because most challenges have that set up cool hey I want to give a special shout out to people that love and support me on patreon I cannot say thank you enough all of these people are awesome $1 a month on patreon will give you a special shot or at the end of every video just like this $5 a month on patreon will give you early access to everything I release on YouTube if you did like this video please do like comment and subscribe check out ass out on discord join are discord server link in the description and I hope to see you maybe some love from patreon cool see you soon
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Australia finds serious gaps in Big Tech’s response to child sexual abuse online
The Next Web AI
The Future of Endpoint Security: Why Visibility, Intelligence, and Automation Will Define the Next…
Medium · Cybersecurity
Why Every Cybersecurity Product Needs Enterprise-Grade Connectors in 2026
Dev.to · Shivang Patel
Malware Deep Dive: Gandcrab
Dev.to · jordanricky1604-ship-it
🎓
Tutor Explanation
DeepCamp AI