Exploiting Return to Libc (ret2libc) tutorial - pwn109 - PWN101 | TryHackMe
Return to libc (ret2libc) fully explained from scratch. In this video we will see and understand how to perform a ret2libc in a multi-stage exploit. First, we abuse a buffer overflow to hijack the execution flow and leak addresses from the Global Offset Table (GOT). We build a tailored ROP chain that jumps into the PLT, passing GOT entries as parameters. Once we have the information we need, we run the vulnerable function a second time (second stage) and, based on the leaked addresses, jump to system() with the string "/bin/sh" as its parameter. To do so, we identify the libc version the server is running and, once the dynamically resolved addresses have been leaked, jump to the matching locations in that libc.

Knowledge videos:
Exploiting Return Oriented Programming (ROP) tutorial • Exploiting Return Oriented Programmin...
Global Offset Table (GOT) and Procedure Linkage Table (PLT) • Global Offset Table (GOT) and Procedu...
Endianness Explained. Little-Endian and Big-Endian for 32 and 64 bits • Endianness Explained. Little-Endian a...

Additional references about ret2libc:
Wikipedia: https://en.wikipedia.org/wiki/Return-...
Exploitdb: https://www.exploit-db.com/docs/engli...
Ired.team: https://www.ired.team/offensive-secur...
Phrack Magazine: http://phrack.org/issues/58/4.html

Tools to search for a specific libc version:
https://libc.rip/
https://libc.blukat.me/
https://libc.nullbyte.cat/

00:00 - Intro
01:27 - More references to learn ret2libc
02:08 - History of ret2libc
03:07 - Disassembling the binary
03:25 - Checking the protections
03:55 - Seeking the vulnerability
04:51 - Spotting the vulnerability
05:32 - Hijacking the execution flow
05:59 - Scenario for ret2libc
06:40 - GOT and PLT
07:25 - How to leak addresses
08:04 - The GOT
08:52 - The PLT
09:54 - Recap
12:00 - ROP
12:38 - What addresses to leak
13:09 - Starting the exploit
13:27 - The puts() function
13:56 - Calling convention
14:25 - Seeking gadgets
15:22 - Endianness
15:56 - Calling puts()
17:10 - Passing a GOT entry as parameter
18:05 - Creating the payload
19:43 - Executing the exploit
20:20 - Improving the exploit
21:53 - u64() vs p64()
23:12 - Executing the exploit
23:28 - Exception or error
24:25 - Executing the exploit remotely
24:42 - Debugging exploit errors
26:00 - Leaking remote addresses
26:25 - ASLR randomization and address offsets
27:00 - Leaking server addresses
27:38 - Finding the specific libc version
29:11 - Second stage of the exploit
29:35 - Address of system() and /bin/sh
31:28 - Modifying the exploit
32:22 - Calling system("/bin/sh")
33:30 - Executing the exploit
35:10 - Reading the flag
35:24 - Outro

[*] Exploit code, not people.
LinkedIn: /razvioverflow
Did you like the video? Found it useful? If you feel like lending a hand, consider buying me a coffee (or three ☕), it really helps!
https://ko-fi.com/razvioverflow
https://paypal.me/razvigg
Twitter: @Razvieu
*Outro track: Etsu - Selcouth GG
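The address bookkeeping the description above relies on, as an added Python example (not code from the video or from TryHackMe): decoding a leaked GOT entry (the u64()/p64() step), deriving the libc base from the leaked puts() address despite ASLR, and rebasing system() and "/bin/sh" from it. The symbol offsets and the leaked bytes are constructed sample values, and the page-alignment check is the sanity test that tells a wrong libc guess or a mis-decoded leak apart from a correct one.

```python
import struct

# Constructed sample offsets (hypothetical libc build, not taken from the video
# or from any real libc): position of each symbol relative to the libc base.
LIBC_SYMBOLS = {"puts": 0x80ED0, "system": 0x4F550, "str_bin_sh": 0x1B3E1A}


def u64(data: bytes) -> int:
    """Decode up to 8 little-endian bytes into an integer.

    A puts()-leaked pointer is usually only 6 bytes long: user-space addresses
    have two leading zero bytes and puts() stops at the first NUL, so the
    missing high bytes are padded back before unpacking.
    """
    if len(data) > 8:
        raise ValueError("a 64-bit value is at most 8 bytes")
    return struct.unpack("<Q", data.ljust(8, b"\x00"))[0]


def p64(value: int) -> bytes:
    """Encode an integer as 8 little-endian bytes (the opposite direction of u64)."""
    return struct.pack("<Q", value)


def parse_leak(line: bytes) -> int:
    """Turn the raw output line of puts(got_entry), newline included, into an address."""
    return u64(line.rstrip(b"\n"))


def resolve_libc(leaked_puts: int, symbols: dict = LIBC_SYMBOLS) -> dict:
    """Compute the libc base from a leaked puts address and rebase the other symbols.

    ASLR moves the whole library, so the base differs on every run, but the
    offsets inside one libc build never change: base = leak - offset(puts).
    Libraries are mapped on page boundaries, so a base that is not page
    aligned means the leak was decoded wrongly or the libc version is wrong.
    """
    base = leaked_puts - symbols["puts"]
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page aligned")
    return {
        "base": base,
        "system": base + symbols["system"],
        "bin_sh": base + symbols["str_bin_sh"],
    }


if __name__ == "__main__":
    # Constructed leak line: 0x7ffff7e40ed0 in little-endian plus the trailing newline.
    leak = b"\xd0\x0e\xe4\xf7\xff\x7f\n"
    for name, addr in resolve_libc(parse_leak(leak)).items():
        print(f"{name:7} {addr:#x}")
```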