First Stack Buffer Overflow to modify Variable - bin 0x0C

LiveOverflow · Advanced ·🏗️ Systems Design & Architecture ·10y ago

Key Takeaways

The video demonstrates a stack buffer overflow attack on the stack0 level of exploit-exercises.com using gdb and Python, modifying a variable to print a success string without executing arbitrary code.

Full Transcript

In this episode we will have a look at the first level of Protostar from exploit-exercises.com. If you have questions about the setup, you can watch the previous video. Generally I advise you to stop the video right here and work on it by yourself. Maybe give it a day and see how much you can figure out, and after that watch my explanation. But if you feel completely lost, then just follow me; this should give you enough information to solve the next level on your own.

So let's first have a look at the challenge description: this level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution. And this level is located at /opt/protostar/bin/stack0.

Okay, next we will have a look at the source code, which is provided below. Let's start with a first quick overview: this is clearly a program written in C. It reads some input with gets, then checks the modified variable and prints either a success or a fail message. So obviously the goal of this level is to make the program print the success string. No, this level is not about executing arbitrary code to gain root privileges; first we have to understand a couple of basics. A real full root exploit will come in later levels, so for now let's just focus on a smaller goal. You can also execute this stack0 program, and we can see that it seems to wait for some input and then prints "Try again".

Okay, so let's have a more detailed look at the code. There are two local variables: an integer named modified and a char array buffer with space for 64 characters. An array of chars in C is basically just a string. Then modified will be set to 0 and apparently never changed again. Next is the gets function with our 64-character-long char buffer. Let's have a look at the gets man page. So gets is used to read a string from the input. When we scroll down we can also find a BUGS section which is telling us to never use gets. This cannot be more clear that this is the vulnerability in this program. As an explanation it says that it's impossible to tell how many characters gets will read; it has been used to break computer security. And after the gets call, modified is compared to zero; if it is not zero, we have won. But how can modified ever become nonzero? It's set to zero and never changed. By the way, volatile is a way to tell the compiler that it should not optimize the usage of this variable, because at first glance it looks like modified will always be zero and thus it might simply remove the unnecessary if case. But with volatile we can force the compiler to keep it as it is.

I think we have a good understanding of this program now in C. Let's open it with gdb and start debugging. First let's set a breakpoint in main with break main, then type run, or short r, to start the program from the beginning. Now it's stopped at the start of main. With disassemble you can disassemble the current function, but I also set the disassembly flavor to Intel because I like it more. Let's try to understand fully what is happening here. I ignored those parts in the reverse engineering introduction, but here we need the full understanding of how the stack works.

So let's start with the first instruction, push ebp. A quick flashback to my CPU introduction video: I mentioned that the stack is just a memory area at the bottom, and when we look at the memory with info proc mappings we can see that the stack goes from an address starting with bff up to c0000000. And because the stack grows from the bottom, it starts at the highest address, so c0000000, but c0000000 doesn't belong to it anymore. So basically the stack starts at c0000000 minus 8, which is bffffff8. So push ebp: ebp is a register which is used as the base pointer, and it contains an address pointing somewhere into the stack. Okay, so whatever the meaning of this address is, it seems to be important, because it gets pushed on the stack, which is like saving the value. At the end of the main function you find a leave, and the Intel instruction reference tells us that leave is just basically mov esp, ebp and pop ebp. As you can see, the start and end of the function are symmetrical: at the start we push ebp and move esp into ebp, and when the function is done we do the reverse. Don't worry, I will illustrate this nicely in a moment. Just one more little thing: after those two instructions we mask esp, which basically just sets the last four bits to zero to keep it nicely aligned, not that important. And then we subtract hex 60 from it, so esp, the stack pointer, now points to a bit lower address than ebp. And the next instruction moves 0 to the memory location at offset hex 5c from the stack pointer, and that seems to perfectly match our modified variable that gets set to 0 at first.

It's a lot to take in, but let's do it again, this time with an animation. So here on the left you can see the assembler code, and on the right I will illustrate the stack with the three important registers: the instruction pointer eip, the stack pointer esp and the base pointer ebp. So first it starts somewhere else with call main. call will push the theoretically next instruction pointer onto the stack and then jump to our main function. As you can see, when the address of the next instruction was pushed, the stack pointer got incremented and the address is placed there. So now comes our push ebp. I will illustrate with some arrows that this value is a stack address which points to another location on the stack. Now we overwrite ebp with the value from esp, mov ebp, esp. Then we subtract hex 60 from esp. Look at the stack now: this area between esp and ebp is called a stack frame. This is now a small area of memory that we can use for local variables and calculations inside the main function. And do you notice where ebp is pointing to? It's pointing to the old ebp. So this area here is basically the stack frame of the previous function which called main. And we know that we move 0 into esp plus hex 5c, which we think is the modified variable, and it's true: the local variables all have their space in the stack frame, and it's so big because it had to make space for at least 64 characters and the modified integer. At the end of this function we will now perform a leave, which moves ebp into esp, effectively destroying the previous stack frame. Then we pop ebp, which restores the previous stack frame. Isn't it amazing? Oh wait, it gets cooler. How do we know now where to return to from main? Well, if you remember, call pushed the address of the instruction after the call, so the next value on the stack is where we want to return to, and the ret instruction is basically just popping this address into the instruction pointer, and that's jumping back to where we came from. Computers, huh? Aren't they mind-blowing? So much smart stuff in there.

Now let's continue with the assembler code. After the value on the stack got set to 0, we will prepare the eax register with an address from the stack at offset 1c. lea, or load effective address, is similar to mov, but instead of moving the content of a register offset into a register, it moves the address of a register offset into a register. And this address then gets placed on top of the stack. This is called the calling convention: the programs and functions have to agree how to pass function parameters in assembler. In this case the parameters are placed on the stack, and the gets function takes one parameter which points to a character buffer, and the character buffer is on the stack, thus we have to pass it the address where the character buffer starts. Afterwards we read the value we previously set to zero, and with test we can check if it's zero or not and branch off to print one of the messages.

So let's remove the breakpoint from main with del (delete) and instead set breakpoints before and after the gets. Before we start, I want to show you a cool trick: we will define a hook that will execute some gdb commands when we stop at the break. To do this, type define hook-stop, then info registers to show the registers, and x/24wx $esp, and x/2i $eip, and finish with end. This will now print the registers, the stack and the next two instructions every time when we hit a breakpoint. Now continue and enter a couple of capital As. Do you see those hex 41s? Those are all the As you have entered. Now let's see the content of the address we check if it's zero: simply examine esp plus hex 5c. Still zero, but it shows us where it is located on the stack, and when we look at our stack we see that our As are still a little bit too far away. So let's count how much we need for our characters here: 4 times 4, that's 16 for a row, and we have three full rows, and with the next full row we can apparently write into those zeros. So run again, enter that many characters. I like to use recognizable patterns so I can clearly see which letter is which row. It looks promising, so single step forward and it will load the modified variable from the stack into eax, and indeed those are the characters that we entered.

Let's try this without gdb: we can use echo and our previous string and pipe it into the stack0 program. Cool, it worked. Before the end, let me show you how we can make this input a bit more convenient thanks to Python. With python -c we can specify a command that should be executed; then we can use print and Python's cool string syntax, which allows us to repeat this character multiple times. With this knowledge you should be able to solve stack1 and stack2. It's pretty much the same task, just some different ways of input and a different vulnerable function, but if you invest some time you can absolutely solve it, and I will not make a video about those. The next video will be about stack3; this is when things start to get juicy. So see you next time.
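Added example (not code from the video, from LiveOverflow or from exploit-exercises): a small C model of the stack frame the transcript walks through. It takes the layout from the disassembly described above, a 0x60-byte frame with buffer at esp+0x1c and modified at esp+0x5c, and simulates that frame in an ordinary array, so it runs deterministically on any machine and never corrupts its own real stack. The gets()-style and fgets()-style copy routines, the 0x80-byte simulated stack, the 0xcc fill pattern and all function names are assumptions made for this example. It shows why exactly 64 As leave modified at zero (the terminating NUL lands on its low byte), why the 65th byte changes it, how the overflow bytes appear little-endian in the dword the final cmp reads, and that a bounded read keeps the same input from ever reaching modified.

```c
/* Model of the stack0 frame (layout from the video's disassembly; the
 * simulated-stack size, fill pattern and helper names are constructed here). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE   0x80   /* 0x60 frame plus room for saved ebp / return address above it */
#define BUFFER_OFF   0x1c   /* lea eax, [esp+0x1c]  -> argument handed to gets() */
#define BUFFER_LEN   64     /* char buffer[64]      */
#define MODIFIED_OFF 0x5c   /* mov DWORD PTR [esp+0x5c], 0 */

/* gets()-style copy: every input byte plus a terminating NUL, no bound at all. */
static void unchecked_copy(uint8_t *dst, const char *src) {
    size_t n = strlen(src);
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* fgets()-style copy: at most len-1 bytes, always NUL-terminated. Excess
 * input is dropped instead of being written past the buffer. */
static void bounded_copy(uint8_t *dst, size_t len, const char *src) {
    size_t n = strlen(src);
    if (n > len - 1) n = len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Run the level's logic on the simulated frame and return `modified` as the
 * final cmp would see it (little-endian dword). Returns -1 when the input
 * would run past the simulated memory; the real gets() has no such guard,
 * which is exactly why its man page says never to use it. */
int64_t simulate_stack0(const char *input, int use_bounded_read) {
    uint8_t stack[STACK_SIZE];
    memset(stack, 0xcc, sizeof stack);            /* stale bytes, like a real frame */
    memset(stack + MODIFIED_OFF, 0, 4);           /* modified = 0 */

    if (!use_bounded_read && strlen(input) + 1 > STACK_SIZE - BUFFER_OFF)
        return -1;                                /* model boundary only */

    if (use_bounded_read)
        bounded_copy(stack + BUFFER_OFF, BUFFER_LEN, input);
    else
        unchecked_copy(stack + BUFFER_OFF, input);

    const uint8_t *m = stack + MODIFIED_OFF;      /* reassemble the dword byte by byte */
    return (int64_t)((uint32_t)m[0] | (uint32_t)m[1] << 8 |
                     (uint32_t)m[2] << 16 | (uint32_t)m[3] << 24);
}

/* `pad` copies of 'A' followed by `tail`, the python -c 'print "A"*64 + ...'
 * idea from the video, fed through the model. */
int64_t run_padded(size_t pad, const char *tail, int use_bounded_read) {
    char line[STACK_SIZE * 2];
    if (pad + strlen(tail) >= sizeof line) return -1;
    memset(line, 'A', pad);
    strcpy(line + pad, tail);
    return simulate_stack0(line, use_bounded_read);
}

int main(void) {
    struct { size_t pad; const char *tail; int bounded; const char *label; } cases[] = {
        {64, "",     0, "64 x A, gets()"},
        {65, "",     0, "65 x A, gets()"},
        {64, "BBBB", 0, "64 x A + BBBB, gets()"},
        {64, "BBBB", 1, "64 x A + BBBB, fgets()-style"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int64_t m = run_padded(cases[i].pad, cases[i].tail, cases[i].bounded);
        printf("%-30s modified=0x%08llx -> %s\n", cases[i].label,
               (unsigned long long)m, m ? "success string" : "Try again");
    }
    return 0;
}
```

Build with `gcc -std=c99 -Wall stack0_model.c -o stack0_model` and run it; the third case reproduces the 0x42424242 the video sees in eax, and the fourth shows the same input leaving modified untouched once the read is bounded.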

Original Description

We will write our first Buffer Overflow for the stack0 level of exploit-exercises.com. stack0: https://exploit.education/protostar/stack-zero/ Intel Reference: intel.de/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf -=[ ❤️ Support ]=- → per Video: https://www.patreon.com/join/liveoverflow → per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join -=[ 🐕 Social ]=- → Twitter: https://twitter.com/LiveOverflow/ → Website: https://liveoverflow.com/ → Subreddit: https://www.reddit.com/r/LiveOverflow/ → Facebook: https://www.facebook.com/LiveOverflow/ -=[ 📄 P.S. ]=- All links with "*" are affiliate links. LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm. #BinaryExploitation #BufferOverflow


This video teaches how to perform a stack buffer overflow attack to modify a variable and print a success string without executing arbitrary code, using gdb and Python for exploitation.

Key Takeaways
  1. Set a breakpoint in main with break main
  2. Start the program from the beginning with run
  3. Disassemble the current function with disassemble
  4. Set the disassembly flavor to Intel with set disassembly-flavor intel
  5. Push EBP to save the base pointer on the stack
  6. Move ESP into EBP and subtract hex 60 from ESP
  7. Move 0 at the memory location at offset hex 5c from the stack pointer
  8. Define a hook to execute gdb commands when stopping at the break
  9. Use info registers to show the registers and ESP
  10. Examine ESP plus 0x5c to check the content of the address on the stack
💡 The video highlights the importance of understanding stack frames, calling conventions, and assembly language to perform a successful stack buffer overflow attack.
