Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
Key Takeaways
The video demonstrates the ret2libc technique to exploit a buffer overflow vulnerability in the stack6 challenge from exploit-exercises.com, using tools like gdb and libc to manipulate the return pointer and execute a shell command. The technique involves using return-oriented programming to execute the system function in libc and find the address of a string in the map memory of libc.
Full Transcript
in the last episode we've created our first full stack buffer overflow exploit by overriding the return pointer on the stack and jumping to Shell Code that we have placed on the stack as well in this episode we will look at stack level six which looks at what happens when you have restrictions on the return address to understand this video you must have understood how normal buffer overflow and jumping to Shell Code works I hope I explained it well enough in the past videos but if there are still open questions please post them on Reddit I really need you to have understood that stuff as a hint this level tells us that this level can be done in a couple of ways such as finding the duplicate of the pilad with object minus s or R toip C or even return oriented programming in this video we will not be able to explore return oriented programming but I will will show you a couple of other tricks that will eventually lead to return oriented programming so let's have a look at the source code and again it's very similar to the previous levels just some small changes instead of everything being in main main calls this function get path get path allocates a string buffer for 64 characters then reads A String with gets and we all know by now that with gets we can read arbitrarily many characters which we can use to overwrite the return point on the de but the next line is interesting built-in return address is a function from the compiler which you can use to read the current return address from the stack and this return address is checked if it starts with hex BF the ENT performs a bitwise end with the address after that only the part where they were same survives basically setting the remaining bits to zero and checking if the front is still hex BF if the return address starts with hex BF it prints this return address and exits when we use our exploit from last time and adjust the pading to account for the new unsigned INT in this function we see that it doesn't work it fails with okay so we cannot use addresses that start with hex BF the exit protects this function from being exploited that way because the exit is a CIS call that simply quits the program so even though we have smashed the return pointer this function will never return so you can see that even having a buffer overflow doesn't necessarily mean you can exploit it when you open this level now in GDB break it get path run it and then look at the memory with info proc map we can see that the only address that starts with BF are on the stack so basically we cannot return to a stack address this is crazy then how can we run our code if we cannot return to the stack where we place our Shell Code so first of all all we can still control the return pointer as long as it doesn't start with BF and now comes the sick idea of returning into known code let's think about this the return instruction just looks at the current address on top of the stack removes it and just jumps there what would happen if you return to the address hex 8484 F9 which is the return instruction itself think about this we override the return point of with hex 080 we reach the return instruction it will pop this address from the SEC and jump to it basically just jumping to itself and now it will read the next address on the stack and jump there now you could repeat that make the next address on the stack again 080 or place the address of the stack here and we can return into the stack again and in theory that should work because the original return address got overwritten with an address that starts with 08 zero okay let's try that let's modify our exploit code instead of the Shell Code let's use int three CC instruction again for a trap we all know that when we hit them we have code execution and we just have to find suitable Shell Code so let's focus on the interesting part set a break point at the return of get path and then run it with our exploit input we hit the break point and we got past the return point to check so let's look at this deck we can see that that the address on top of the deack is now the 08 address which is the return instruction so now single step forward this should pop this address from this deack and jump there and indeed we hit the break point again because we jump to itself when you now look at the stack the next address on the stack is the stack address and we will return into this address now so when we just continue we will return into the stack like in the previous exploit where we hit our traps boom arbitrary code execution by the way this address we jump to the 080 is a gadget when you read about return oriented programming you are looking for gadgets and that was a simple no operation Gadget it was just a return doing nothing and for full return oriented programming you look for gadgets that do some more stuff before returning to the next address now when we do this kind of stuff you hear me saying return into or jump to those become equivalent in this case because yes we execute a return instruction but we are not returning to the original function anymore we are returning into something else effectively just jumping somewhere else so I hope that doesn't confuse you maybe you ask yourself why the hell was the stack executable in the first place there's no valid reason why the stack should be executable that's why there exists a general memory policy nowadays write X or execute basically it means never have a memory page that is writable and executable because then an attacker cannot execute any Shell Code that he was able to write in the process memory so we would hope that today every modern system uses D data execution prevention and sets the NX bit the non-executable bit for memory Pages like the stick but reality is not so simple embedded devices are on the rise with the internet of things and often they don't support features like that almost on programming languages like JavaScript used jit just in time compiler so they have to compile code on the fly in memory when needed and execute that so they need writeable and executable memory regions but even if we had D we could use techniques like red toip C to never execute actual Shell Code but still Pon a system now one of the hints said you could look into red tulip C now that you are almost a pro in exploitation you understand what that means it's very similar to what we did in stack level four return into lip C like we just returned into some code we could just return into the huge Library lip C there must be something interesting that we could have used one interesting function from lip C is system which executes a shell command with print system we can find the address of it but simply returning into it will probably not work we need to make sure to control a couple of things let's create a simple C program that cause a lipy system for us in the end we want to somehow execute system with bins H because then we get a shell if we try that here that works well now let's look at this in GDB we can see that before the call to system the address of the command we want to execute is put on top of the stick and as we know a call to a function will push your return address on the stack as well so if we draw this this is how the stack will look like once we are at the start of system first the address of the command is placed on the stack and then the address we want to return to now imagine if we use our buffer overflow to return into a system first of all we didn't execute the call instruction thus there was no return address pushed but we fully control the stack so system expects the stack to look like this and we can build this by hand so first we have to put the return address for system on this deck but actually we don't care about this right now but that's still cool and important and remember that because you can chain those things together like we chain two returns after each other before we could chain multiple function calls or other gadgets after each other by always controlling the return pointer of The Next Step so in our case when system finishes we will return into a sec Vault because it will return into 4141 4141 so next add address on the deack has to be a string we want to execute preferably B AG there are many options how to get a reference to such a string one option would be to use a stack address because there are strings we control on environment variables because they are at the bottom of the stack and a bit easier to predict but as you remember the stack is a bit unreliable a more reliable technique is this here we can use find to search in the map memory of lip C for string cool apparently at this address we can find bin as H let's check if that is true examine memory as a string at this address what the frck GDB what the hell are you doing why do you say you found b h there if it's not there I have no idea why that's happening couldn't find anything online anyway ignore this here's another Technique we can use string to find all strings in lip C and with minus t we can print the offset inside this file as hex and then we can simply add this offset to the address lip C is loaded to and that is the real address of Bess H okay so let's copy this address into our exploit and then let's try it remember to use the trick from the previous video with the parenthesis and the cat because the exploit script will close the input again and cool it works what we just did was the technique called red to lip C and we never executed any code on the deck no [Music]
Original Description
Solving stack6 from exploit-exercises.com with the re2libc technique.
stack6: https://exploit.education/protostar/stack-six/
-=[ 🔴 Stuff I use ]=-
→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb
US Store Front:* https://www.amazon.com/shop/liveoverflow
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#StackOverflow #BinaryExploitation
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 17 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
▶
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
More on: AI Safety Engineering
View skill →Related AI Lessons
⚡
⚡
⚡
⚡
What 116 court judgments taught me about the limits of AI
Medium · AI
Your ChatGPT History Is a Liability. I Fixed That With a $80 Chip and a Pi5.
Medium · AI
Your Skepticism About AI Is an Asset. Here’s How to Use It.
Medium · Programming
The Dark Side of AI: What We Lose When We Stop Thinking
Medium · AI
🎓
Tutor Explanation
DeepCamp AI