Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F

LiveOverflow · Intermediate ·🛡️ AI Safety & Ethics ·10y ago

Key Takeaways

The video demonstrates the ret2libc technique to exploit a buffer overflow vulnerability in the stack6 challenge from exploit-exercises.com, using tools like gdb and libc to manipulate the return pointer and execute a shell command. The technique involves using return-oriented programming to execute the system function in libc and find the address of a string in the map memory of libc.

Full Transcript

in the last episode we've created our first full stack buffer overflow exploit by overriding the return pointer on the stack and jumping to Shell Code that we have placed on the stack as well in this episode we will look at stack level six which looks at what happens when you have restrictions on the return address to understand this video you must have understood how normal buffer overflow and jumping to Shell Code works I hope I explained it well enough in the past videos but if there are still open questions please post them on Reddit I really need you to have understood that stuff as a hint this level tells us that this level can be done in a couple of ways such as finding the duplicate of the pilad with object minus s or R toip C or even return oriented programming in this video we will not be able to explore return oriented programming but I will will show you a couple of other tricks that will eventually lead to return oriented programming so let's have a look at the source code and again it's very similar to the previous levels just some small changes instead of everything being in main main calls this function get path get path allocates a string buffer for 64 characters then reads A String with gets and we all know by now that with gets we can read arbitrarily many characters which we can use to overwrite the return point on the de but the next line is interesting built-in return address is a function from the compiler which you can use to read the current return address from the stack and this return address is checked if it starts with hex BF the ENT performs a bitwise end with the address after that only the part where they were same survives basically setting the remaining bits to zero and checking if the front is still hex BF if the return address starts with hex BF it prints this return address and exits when we use our exploit from last time and adjust the pading to account for the new unsigned INT in this function we see that it doesn't work it fails with okay so we cannot use addresses that start with hex BF the exit protects this function from being exploited that way because the exit is a CIS call that simply quits the program so even though we have smashed the return pointer this function will never return so you can see that even having a buffer overflow doesn't necessarily mean you can exploit it when you open this level now in GDB break it get path run it and then look at the memory with info proc map we can see that the only address that starts with BF are on the stack so basically we cannot return to a stack address this is crazy then how can we run our code if we cannot return to the stack where we place our Shell Code so first of all all we can still control the return pointer as long as it doesn't start with BF and now comes the sick idea of returning into known code let's think about this the return instruction just looks at the current address on top of the stack removes it and just jumps there what would happen if you return to the address hex 8484 F9 which is the return instruction itself think about this we override the return point of with hex 080 we reach the return instruction it will pop this address from the SEC and jump to it basically just jumping to itself and now it will read the next address on the stack and jump there now you could repeat that make the next address on the stack again 080 or place the address of the stack here and we can return into the stack again and in theory that should work because the original return address got overwritten with an address that starts with 08 zero okay let's try that let's modify our exploit code instead of the Shell Code let's use int three CC instruction again for a trap we all know that when we hit them we have code execution and we just have to find suitable Shell Code so let's focus on the interesting part set a break point at the return of get path and then run it with our exploit input we hit the break point and we got past the return point to check so let's look at this deck we can see that that the address on top of the deack is now the 08 address which is the return instruction so now single step forward this should pop this address from this deack and jump there and indeed we hit the break point again because we jump to itself when you now look at the stack the next address on the stack is the stack address and we will return into this address now so when we just continue we will return into the stack like in the previous exploit where we hit our traps boom arbitrary code execution by the way this address we jump to the 080 is a gadget when you read about return oriented programming you are looking for gadgets and that was a simple no operation Gadget it was just a return doing nothing and for full return oriented programming you look for gadgets that do some more stuff before returning to the next address now when we do this kind of stuff you hear me saying return into or jump to those become equivalent in this case because yes we execute a return instruction but we are not returning to the original function anymore we are returning into something else effectively just jumping somewhere else so I hope that doesn't confuse you maybe you ask yourself why the hell was the stack executable in the first place there's no valid reason why the stack should be executable that's why there exists a general memory policy nowadays write X or execute basically it means never have a memory page that is writable and executable because then an attacker cannot execute any Shell Code that he was able to write in the process memory so we would hope that today every modern system uses D data execution prevention and sets the NX bit the non-executable bit for memory Pages like the stick but reality is not so simple embedded devices are on the rise with the internet of things and often they don't support features like that almost on programming languages like JavaScript used jit just in time compiler so they have to compile code on the fly in memory when needed and execute that so they need writeable and executable memory regions but even if we had D we could use techniques like red toip C to never execute actual Shell Code but still Pon a system now one of the hints said you could look into red tulip C now that you are almost a pro in exploitation you understand what that means it's very similar to what we did in stack level four return into lip C like we just returned into some code we could just return into the huge Library lip C there must be something interesting that we could have used one interesting function from lip C is system which executes a shell command with print system we can find the address of it but simply returning into it will probably not work we need to make sure to control a couple of things let's create a simple C program that cause a lipy system for us in the end we want to somehow execute system with bins H because then we get a shell if we try that here that works well now let's look at this in GDB we can see that before the call to system the address of the command we want to execute is put on top of the stick and as we know a call to a function will push your return address on the stack as well so if we draw this this is how the stack will look like once we are at the start of system first the address of the command is placed on the stack and then the address we want to return to now imagine if we use our buffer overflow to return into a system first of all we didn't execute the call instruction thus there was no return address pushed but we fully control the stack so system expects the stack to look like this and we can build this by hand so first we have to put the return address for system on this deck but actually we don't care about this right now but that's still cool and important and remember that because you can chain those things together like we chain two returns after each other before we could chain multiple function calls or other gadgets after each other by always controlling the return pointer of The Next Step so in our case when system finishes we will return into a sec Vault because it will return into 4141 4141 so next add address on the deack has to be a string we want to execute preferably B AG there are many options how to get a reference to such a string one option would be to use a stack address because there are strings we control on environment variables because they are at the bottom of the stack and a bit easier to predict but as you remember the stack is a bit unreliable a more reliable technique is this here we can use find to search in the map memory of lip C for string cool apparently at this address we can find bin as H let's check if that is true examine memory as a string at this address what the frck GDB what the hell are you doing why do you say you found b h there if it's not there I have no idea why that's happening couldn't find anything online anyway ignore this here's another Technique we can use string to find all strings in lip C and with minus t we can print the offset inside this file as hex and then we can simply add this offset to the address lip C is loaded to and that is the real address of Bess H okay so let's copy this address into our exploit and then let's try it remember to use the trick from the previous video with the parenthesis and the cat because the exploit script will close the input again and cool it works what we just did was the technique called red to lip C and we never executed any code on the deck no [Music]

Original Description

Solving stack6 from exploit-exercises.com with the re2libc technique. stack6: https://exploit.education/protostar/stack-six/ -=[ 🔴 Stuff I use ]=- → Microphone:* https://geni.us/ntg3b → Graphics tablet:* https://geni.us/wacom-intuos → Camera#1 for streaming:* https://geni.us/sony-camera → Lens for streaming:* https://geni.us/sony-lense → Connect Camera#1 to PC:* https://geni.us/cam-link → Keyboard:* https://geni.us/mech-keyboard → Old Microphone:* https://geni.us/mic-at2020usb US Store Front:* https://www.amazon.com/shop/liveoverflow -=[ ❤️ Support ]=- → per Video: https://www.patreon.com/join/liveoverflow → per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join -=[ 🐕 Social ]=- → Twitter: https://twitter.com/LiveOverflow/ → Website: https://liveoverflow.com/ → Subreddit: https://www.reddit.com/r/LiveOverflow/ → Facebook: https://www.facebook.com/LiveOverflow/ -=[ 📄 P.S. ]=- All links with "*" are affiliate links. LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm. #StackOverflow #BinaryExploitation
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from LiveOverflow · LiveOverflow · 17 of 60

1 LiveOverflow - Trailer
LiveOverflow - Trailer
LiveOverflow
2 Introduction to Linux - Installation and the Terminal - bin 0x01
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
3 Writing a simple Program in C
Writing a simple Program in C
LiveOverflow
4 Writing a simple Program in Python - bin 0x03
Writing a simple Program in Python - bin 0x03
LiveOverflow
5 Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
6 Reversing and Cracking first simple Program - bin 0x05
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
7 Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
8 ROP with a very small stack - 32C3CTF teufel (pwnable 200)
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
9 Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
10 Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
11 Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
12 Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
13 Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
14 First Stack Buffer Overflow to modify Variable - bin 0x0C
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
15 First Exploit! Buffer Overflow with Shellcode - bin 0x0E
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
16 Buffer Overflows can Redirect Program Execution - bin 0x0D
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
18 Reverse engineering C programs (64bit vs 32bit) - bin 0x10
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
19 pwnable.kr - Levels: fd, collision, bof, flag
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
20 Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
21 Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
22 Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
23 Live Hacking - Internetwache CTF 2016 - web50, web60, web80
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
24 Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
25 A simple Format String exploit example - bin 0x11
A simple Format String exploit example - bin 0x11
LiveOverflow
26 NEW VIDEOS ARE COMING - loopback 0x00
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
27 HTML + CSS + JavaScript introduction - web 0x00
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
28 The HTTP Protocol: GET /test.html - web 0x01
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
29 Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
30 What is PHP and why is XSS so common there? - web 0x02
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
31 Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
32 Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
33 Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
34 XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
35 Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
36 New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
37 The Heap: what does malloc() do? - bin 0x14
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
38 The Heap: How to exploit a Heap Overflow - bin 0x15
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
39 Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
40 Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
41 Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
42 Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
43 Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
44 Explaining Dirty COW local root exploit - CVE-2016-5195
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
45 What is CTF? An introduction to security Capture The Flag competitions
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
46 The Heap: How do use-after-free exploits work? - bin 0x16
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
47 The Browser is a very Confused Deputy - web 0x05
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
48 The Heap: Once upon a free() - bin 0x17
The Heap: Once upon a free() - bin 0x17
LiveOverflow
49 Simple reversing challenge and gaming the system - BruCON CTF part 1
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
50 int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
51 The Heap: dlmalloc unlink() exploit - bin 0x18
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
52 MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
53 TCP Protocol introduction - bin 0x1A
TCP Protocol introduction - bin 0x1A
LiveOverflow
54 Socket programming in python and Integer Overflow - bin 0x1B
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
55 Linux signals and core dumps - bin 0x1C
Linux signals and core dumps - bin 0x1C
LiveOverflow
56 [Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
57 Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
58 Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
59 How to learn hacking? ft. Rubber Ducky
How to learn hacking? ft. Rubber Ducky
LiveOverflow
60 Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow

This video teaches how to use the ret2libc technique to exploit a buffer overflow vulnerability in the stack6 challenge from exploit-exercises.com. The technique involves using return-oriented programming to execute the system function in libc and find the address of a string in the map memory of libc. This is a critical skill for security engineers and developers to understand how to design secure systems and prevent exploitation.

Key Takeaways
  1. Break into the get_path function using gdb
  2. Run the exploit code with modified input
  3. Hit the break point and get past the return instruction
  4. Create a simple C program to call the system function
  5. Use buffer overflow to return into the system function
  6. Execute the system function with bins H using buffer overflow
  7. Put the return address for system on the stack
  8. Add the address of a string to the stack
  9. Use find to search for a string in the map memory of libc
  10. Use string to find all strings in libc and print the offset as hex
💡 The ret2libc technique can be used to exploit buffer overflow vulnerabilities by manipulating the return pointer to execute system functions in libc, and finding the address of a string in the map memory of libc can help to determine the location of the system function.

Related AI Lessons

What 116 court judgments taught me about the limits of AI
Learn about the limitations of AI in professional settings through an analysis of 116 court judgments and a personal project using consumer AI tools
Medium · AI
Your ChatGPT History Is a Liability. I Fixed That With a $80 Chip and a Pi5.
Protect your ChatGPT history from being used as evidence with a simple hardware solution using a $80 chip and a Pi5
Medium · AI
Your Skepticism About AI Is an Asset. Here’s How to Use It.
Learn to leverage skepticism about AI to improve its adoption and implementation in your team and organization, and why it matters for responsible AI development
Medium · Programming
The Dark Side of AI: What We Lose When We Stop Thinking
Discover how AI's benefits come with a cost to human critical thinking skills, and why it matters for professionals to be aware of this trade-off
Medium · AI
Up next
Containers Don't Make Your AI Agent Safe
Web Dev Simplified
Watch →