Pwntools & GDB for Buffer Overflow w/ Arguments (PicoCTF 2022 #43 'buffer-overflow2')

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

what's up everybody welcome back another youtube video showcasing more of pico ctf 2022 we are diving back in and we are on the second half of the fourth page everybody we've done like what 42 videos thus far 66 challenges in pico so we are cruising through it hopefully we can get to get a bit more in so we'll hop over to my computer screen and we'll check out this next challenge we have in front of us we're working in the binary exploitation category and this challenge is called buffer overflow 2. we do need to launch a dedicated instance for this it says control the return address and the arguments ooh so now part of me wonders is this going to be a 32-bit or a 64-bit challenge we have a netcat connection to go work with the remote application but we have the program and the source code it says this time you'll just need to control the arguments the function you return to so sure thing let's go ahead and download these i'll hop over to my terminal here i do still have some leftovers from the previous video so let me close out those oh that's ghidra over off on the side here but let's move into the binder exploitation category let's make a directory for buffer overflow two and we know we want to get to the com one we have not yet completed the new machine and i totally lost what was in my clipboard so let's go grab that one more time we'll grab the source w get that down we'll grab the binary w get that down and let's see if we can beat the clock and solve this thing before our 30 minutes are up i just open the binary on accident i do want to look at the source code in my text editor so von dot c and it looks like okay kind of the same structure and setup as all the previous ones we've been working on but our win function actually takes argument 1 and argument 2. um okay so it'll return the flag it'll actually print it only if we can get past these two checks if argument one is not equal to cafe food then we bail out hex cafe food right zero x c a f e f zero zero d uh if r two is not equal to food food then it returns the program function bails out and we won't actually see the flag printed out for us so okay we have to make sure we supply those arguments have our vuln function of course with gets also puts and uh enter our string and it calls the vuln function so pretty good pretty easy for us to work with is this a 32-bit program it is so we can get into how 32-bit calling conventions work in linux right let me dig into this i want to look for 32-bit calling convention uh 32-bit to do i'm just going to control f here and there s pascal is not what we're doing um is it c decal or syscall no this calls the center calling venture for os2 api uh we must be in cdecl um let me go take a look here oh yeah okay this one it should be the c declaration is a calling convention that originates from microsoft's compiler for the c programming language and is used by many c compilers for the x86 architecture oh hey let me dive into this for just a quick second at the rely the reason that i just speed run over to the c calling conventions is because we are calling a function after all we are going to end up running our new flag or win function to get the flag but the arguments and how they're passed to that function are specified in some specific way when we get in that low-level binary exploitation stuff sure it just happens naturally when our program runs but because we are now controlling the program like as an attacker or someone that we do something different with our buffer overflow exploit we want to be able to make it do what we want so we will have to pass it arguments to functions that we want to call that's why we're checking out the calling conventions sorry it's a disclaimer right in the c declaration subroutine arguments are passed on the stack integer values and memory addresses are returned in the eax register okay so that's the return address where it's stored we don't need to worry about that one specifically in this case but we do need to worry about the fact that our arguments are passed on the stack in the context of the c programming languages function arguments are pushed on the stack in right to left order in other words the last argument is pushed first consider the following c source code snippet so we have a callee function and a caller so the caller function will call with arguments one two and three and then add five to it at the very very end so if we were to actually take a look at what this looks like in assembly here's our caller function we have a new stack frame or a call frame we have basically what we consider a function prologue where you'll see this just about all the time for when you look at the assembly of how a function is being written out we push the base pointer so we can keep track of the previous call frame or the stack frame right and we set the base pointer to be the stack pointer so we saved the original call frame but now we're just reassociating and reorienting ourselves for the current stack frame yeah and then we push the call arguments in reverse that means three would be pushed on the stack first two would be pushed on the sack second and then one would be pushed on the stack last and we see that we see that exactly hey in this assembly code so if we were to call colleagues as following it that means that the things most closest to it are the furthest arguments that are pushed on the stack so when we try to overwrite the return address we'll need to make sure that the ones that follow it are where we want to return after that function exits and then the arguments that follow in the reverse order does that make any sense whatsoever we'll write it out in code and we'll see it here the way that we could probably speed run this process for us is by trying to copy um our specific exploit script but let's do something a little bit different actually let's uh yeah you know what let's do it i'm going to copy our original buffer overflow 1 exploit.python script and we can modify it but i realize sure this is going to do this all kind of remotely for the time being but i want to play with this locally and the best way to do that is to honestly level up some of our binary exploitation techniques yet again i know we introduced jeff in like the last binary exploitation video trying to get more cool stuff in our debugger now let's make our python scripting a little bit better and our ctf playing and bin x been reverse engineering stuff better with pwn tools it's finally time we'll crack it open we'll go grab pawn tools if you haven't heard of this thing it is the coolest thing since sliced bread pwn tools is a capture the flag framework and exploit development library written in python it's designed for rapid prototyping and development in making exploits writing as simple as possible we can just go ahead and download it super easy here are these documentations at docs.pwntools.com but i'll give you a crash course super duper quick what you'll end up doing is you'll install it with your python package installer like pip pip 3 because we're using python 3 install pwn tools in my case i already have it installed forgive me so if i were working in python 3 here i just am i'm in the interpreter manual interaction right if i imported pwn that library is now something that i can work with and i know it's called pwn tools but the way that we import it in scripts is going to be import pwn now we can do a couple different things with this um let's basically yeah let's basically delete this whole thing rather than import socket and import struct let's import pwn we'll keep arg parse because maybe we want to do some some strange shenanigans but if we imported pwn what we could do is we could actually go ahead and specify a local binary that we might want to work with we could specify that as like an elf file yeah so elf can be a pwn dot capital elf elf and then we can specify the path to the program that we want to be working with in this case it's vuln right that vuln l file that we just downloaded now the reason that i do this is because we could actually wrap around the whole idea of the binary rather than trying to hard code where that win function was or where that flag function is we could actually go find it with python using some symbol lookups really really cool actually let me do that we've got this l file let's print it out let me print out elf and i will go ahead and split this display here run it it'll automatically run checksack which is one of those command line utilities we even saw it in the previous uh blog post we were reading you could use checksuck on a binary and it will tell you hey this is a 32-bit architecture there is no stack canary we do have nx enabled so we can't really execute shell code off the stack but we can bebop around with return addresses no position independent executable partial railroad whatever whatever this gives us an idea and baselines okay what should we be doing for exploitation what's accessible to us what's not what's realistic what's feasible checkset is good to do and pwntools will just automatically do that for us now i mentioned we would be able to go ahead and determine where we might see that win function now we can only do this right because hey we know this von function is not stripped it's still keeping track of the symbol names for where they are in the binary with that said i could actually print out okay we know we want the win function up here where's the address for that let's index it through dot symbols and let's print that out and there's this big decimal value that's just churned out but of course hey we're going to represent that in hex and now you have the memory address the location where in the binary is this present it's at eight zero four nine two nine six okay you might press the i believe button on that but let's keep in mind what if we were to use read alph on our vol where is our win function oh 8049296 that is the advantage of using our pwn tools library right away because sure we can actually access that super duper easy now what if we wanted to interact with this program locally rather than just trusting hey we're going to throw stuff at the remote and we'll never know or see if we get a seg fault or not here's what we could do we could actually specify a new variable and take our elf binary and run it as a process i'm just going to call it p for the quick and easy sake of hey we could type that pretty quick but then if i run p.l process what we could do is we could say p dot interactive and then we can suddenly interact with it at any point where we want to while we could still do weird stuff like oh send data to the program or receive data just as if it were a remote socket connection but just holding onto it locally so that's kind of cool here let's p receive in fact we don't even need arguments to that normally you pass in like a boilerplate 0-4096 hey pwntools will do that for you we can just print out what we receive let's try and run that now i'll do it from the uh script here boom okay i made a mistake actually it's going to tell us right away after we ran checkset oh we can't execute this thing because it's not marked as executable good catch thank you pwntools let's use chmod plus x vol and then try and run our script and boom it says hey please enter your string with new lines note that it is in bytes so you have a b prefix before the string quotes and we enter interactive mode very very cool if you wanted to decode this so it is no longer bytes and it's just a real string you could do that just as well uh and i'll have to hit ctrl c to break out of that on my keyboard ctrl c to quit the program please enter your string starting interactive mode so we can interact with it like aaa and it would print it out for us and then end the application okay good enough right now i wonder there is a super duper cool way to hook this thing to gdb um and i i think let's let's throw caution the wind here and let's try it let's let's go ahead and create a process and see if we can hook it to gdb uh gdb attach based off of it or can i do it just based off of an elf um let's try it gdb can equal i'll call it g how about elf.gdb can i do that will it let me run it from python elf has no attribute gdb okay let's make the process and let's use pwn.gdb attach to p does that work oh look at that look at that so it popped up a new window and it won't actually do it hey we attached the program couldn't get registered no such process so did it die can i run it it does it does to let me run it so very very cool you could use gdbinit to set up anything that you might like like pass in arguments to stage a lot of your gdp processing or we could still debug it locally as needed through our script and maybe i'll automate some portions of it super duper cool super duper handy good to be able to synthesize both our script our debugger and all of our exploitation in one place anyway we know we've done all this cool stuff right we have a process we can receive information we can make you interactive but we want to exploit this thing let's figure out where the offset is and we i guess could do that with gdb of course gdb vuln we use our pattern create there is a crap ton of data of course the cyclic pattern that we might just give the program so let's run this thing it wants to know our string i will paste in all of that jazz and we see oh it broke it crashed now jeff makes this nice and easy for us because hey we're looking at a 32-bit application 32-bit binary our eip our extended instruction pointer is the thing that's clobbered and filled currently set to dab that's pretty hilarious what we could do is we could use pattern search dollar sign eip or as it gets pattern offset right yeah pattern offset we found it offset 112. so let's jot that down in our code offset equals 112 and for the sake of our experimentation let's try to do a pattern create 112. so i just have this string and let's rerun the program one more time where i can enter our string and then slap in a c c c c at the bottom here now when i run this sure we crash but note my eip is the ccc that i just entered we know we have the sweet spot we know we have the threshold we do properly have the offset and we know ooh we could just slap in the address of win yeah that flag function so let's build on our payload just like we had previously we'll do a join byte string we'll wrap it in parentheses we'll use a bytes of a times 112 and then we want a new eip right so new eip would equal the value that we get from our elf symbols win function because remember we don't have to hard code anymore we don't need to use read elf because pwn tools will handle that for us super slick but remember that just gave us the decimal number or the hexadecimal number however we want to represent it that's not going to work we need it in little endian we could use that whole struct thing that we did earlier with struck.pack but that was a good built-in way to do it in python if you didn't have pwn tools now that we have pwntools there is a quick and easy convenience function for that let me search for packing in util packing this is a module for packing and unpacking integers these are simplifying access to struct.pack instruct.unpack it'll keep in mind a little endianness or big endiness or whatever you really want here you could use p8 to specify an 8-bit thing or p32 to specify a 32-bit number an integer so the same way ooh check out how that is originally our little endian representation of a memory address like dead beef p32 will do that super duper easy all good we could do that just as well let's use pwn p32 i believe that's exposed right away we don't need to use on and off connections to util or packing it should just be able to behave so if i run that i pass it through is our new eip going to work i'll do this from the command line let me quit i'll use python 3 on our exploit and ooh it says please enter your string switching interactive mode but no dice it didn't really work for us did we do it right well we didn't even send the payload for one thing that probably isn't gonna work here let's receive to print out the data that we were getting let's decode it as we did before but let's go ahead and actually send our payload and rather than sending like a newline character at the end of our payload we can actually use send line which is something that pwntools makes super duper easy for us we'll send line our payload now let's try and run this thing please enter your string hmm where are we going wrong well should we receive something or should we actually have a new line character let's try and receive someone super quick i'll just add that line in please enter your string nope not having it all right let's add in a new line character and let's just use send rather than sunlight that might do some other voodoo magic that i'm not knowing about try this one please enter your string still not coming through what's going wrong is our new eip right let's print that out please enter your string that is right well i know hey we are still trying to add in these arguments but i would have expected it would yell at me hey printf you need to create a flag.text file before you can do any of this i was kind of hoping that that would show for us but i might be missing something else what we could do is we could set a breakpoint and try and run this with gdb let's use gdb.vom let's disass our phone function and let's do it right at the call yeah so if i set a gdb attach statement in our process here can i actually pass in a gdb init script with pwntools that way we could actually have it run commands yeah or just gdb on its own i want to look for that working with gdb cool cool cool run a gdb attach where was that attach path to binary gdb args string process name oh gdb script that's what it is that allows you to do whatever you might like is that just gdb script as the argument so keyword argument and they use the triple uh double quotes here to denote a multi-line string so i'll set a breakpoint at that address and then i'll try and hit c to continue and actually let it run sublime text black or python black is trying to make this a little bit prettier and that makes it even messier but hey we'll let it we'll let it go let's see if i run this how's it look opens up gdb nice and it broke somewhere no debugging symbols why did it break oh no it hit the break point breakpoint at that address which was kind of where we wanted to can i hit n to move forward or p no it was it was like way wack maybe gdp to do that is not something i can just whip off the cuff forgive me i am going to comment out uh that gdb trick for the moment uh and we'll get back to what we were doing because hey we know that when we end up clobbering the instruction pointer we will go to that function we are going to call that win function but right after it following it on the stack is going to be the return address for that function for the new one that we're calling right so once when is finished executing where will it go next well a safe way to hey maybe continue on the execution of the program is to just see can we get it go back to can we get it to go back to the main function like as if we started again um so what we could do is we could just copy the new eip line where we're grabbing the symbols for our win function maybe we could make it just go back to the main function for our own return address yeah so if i paste this in i'll actually add a comment here so that's visible and now i i realize oh sorry that doesn't have an equal sign at the end so it's not adding on to it it wasn't actually doing anything let's try to run with this please enter your string no no okay did i was it running just fine without that for some reason no okay so let's add the plus equal sign and let's also use cenline and see if that works please enter your string you know what let's not receive any data and let's just let the cenline run and let's let interactive take care of it let's see if that will cruise through it does it does okay so take a look at what's happening here it says please send your string when we switch to interactive mode which kind of happened hey in whatever order we sent our big long payload which sent the address of our win function that we want to get to and then the address of our main function which brings us back to the same prompt please enter your string that happened because it's on the stack and how that we're executing this and actually uh what we could do in all reality is try and jerry rig this thing so that we can actually debug this with gdb oh and we also had an extra receive maybe that was the problem we were receiving twice and that's yeah that must have been why here let me put this back for the moment and remove that receive we had up top then if we print the receive it wouldn't hang on us yeah okay i'm just an idiot that's all forgive me and then our receive would probably just printed it out um i don't have an issue oh oh it tried to decode the bytes but it because it displayed the real bytes now utf-8 wouldn't be able to retrieve that but latin one will so it's stupid encodings are dumb just send your payload and go interactive is my best advice to you i think that's the fairest thing so sorry i know i'm i'm flicking back and forth way too quickly um what we can do is actually take our process and let's not spawn it until we've built out our payload here and what we could do is we could actually write our payload to a file so that way we could sort of hack together hey let's use gdb and let's have it read in our payload and we can debug it as needed so if we open the payload as a file pointer we can actually write the payload that we have and that way when we start the process we could have gdb read and run our payload and so we don't have to do this stuff and do it through the script we can still debug it while we give it our payload so sure i won't set a breakpoint here but i will go ahead and set like a i'll set a breakpoint on the win function because we should hopefully be calling it right and then we'll continue onward but we will actually sorry read in from our payload so these are basically gdb commands that we're running just within our script in python let's see if that works i'm hitting control b i'll fire this up and where are we at where are we at did we hit a break point yes we did so check it out break point one at this address and win and you can see it right down here we stopped at this address and win and we are at the very very beginning of our win function so we did in fact call it because of our payload now if i hit n i there we go for the next instruction we can see hey we push ebp onto the stack so ebp currently has the value of our a's i'll hit ni for next instruction again and now you can see that 414141 has been pushed onto the stack we set ebp to esp so esp is currently that thing we set the exact same thing for ebp once i hit enter i'll hit enter again we do some magic pushing ebx onto the stack we do some magic and then hey it's going to end up calling something to read stuff in hitting enter again for next instruction next instruction next instruction next instruction you know we're going to end up calling the f open function to actually read in the flag.text and then i get to the so let me be honest i had to kind of pause recording and reorient myself because i was getting this way super wrong uh if i didn't record the footage and i for forgive me i totally forget i was in ctf pico binary exploitation uh buffer overflow 2 and i just echoed hey john or like please subscribe into a flag.text so i created localflag.text for me to play with if i didn't already showcase that in in this video here so what that would mean is that we will in fact read this file if i hit ni for the next instruction and i'll let me go back to my screen did i not show that literally whatsoever here uh believe me i was in ctf pico by inauguration buffer overlook too and i echoed a john please subscribe into a flag.text i'm the worst i'm sorry i didn't even go back to show you that oh and now i just closed that whole thing this is a disaster that's all right we can just run this script and go back to it so starting again at the tippy top of our win function i'm going to hit ni a few times so i can next instruction next instruction next instruction pass over the file open and you can see oh that would very well read in files and here's what we do here's something that we do simple and strange and odd we jump to some things to be able to read in our please subscribe flag and then we compare what our ebp plus hex 8 is against cafe food that is our very very first argument right that we wanted to be able to pass into this function but what is our ebp plus hex 8 right now so let me type her and enter x to be able to examine that within gdb i'll examine dollar sign ebp dollar sign to reference that register plus 0x8 currently it's this stack value right so when i hit next instruction and i am currently at that compare instruction it's probably going to fail and it's actually is going to say oops that is not equal to zero that compare instruction failed so we are going to jump to the very very end of this function which brings us to oops okay we'll hit knop oops we'll jump to the very end which is going to bring us to this instruction at win offset 157 sure next instruction we end up moving ebx to the address at abp minus four now what was that ebp minus four can i check that super quick ebp minus 0x4 that was our a's uh so do we go somewhere weird here let's check let me hit ni next instruction leave that's going to end up doing some strange things to our uh stack but when we by the time we hit ret red is going to return and bring us back to the very very top location on our stack which is main because we entered that as our return address thanks to our payload so the next instruction ni it brings us right back to main so we know we do in fact have our main return address jump happening and working just fine and it's cool to be able to see that in the debugger but we know that we need to now check for our arguments we need to pass in cafe food and food food and the way that we read about how this worked on wikipedia is that okay this needs things pushed on the stack uh in reverse order where food food would come first and cafe food would come next but we are writing the stack in our in a different direction right because of how we end up putting together our own exploit because we have our instruction pointer and then its return address and then arguments we grow the stack in one direction when it's reading it in the other direction so we have to actually put these in the order that they're expected to be because of our binary exploitation technique because of what we're doing here so let me show you that let's go ahead and just do yeah pwn p32 to pack this thing 0x cafe food and then we need to do the same thing for food food right as the next argument so when i run this we're going to fire up gdb one more time we know we are hitting our break point at the very very top of the win function uh unless to make things speedy let's go ahead and disassemble our win function and then it will go down and hop to check right where we're doing the comparisons we're checking if ebx ebp plus hex 8 bbp ebp hex plus hex c are equal to these values so let's go down and set a break point on i guess our compare instruction you know what there's no sense going either way so let's add a break point with the asterisk of that memory address right for the compare instruction let's hit enter and now let's continue until we hit exactly that break point break point two right here you can see we have compare as our current instruction based off of our instruction pointer thanks to jeff and now let's do that comparison let's actually examine the value i'm using x again to examine ebp plus hex eight currently that is cafe food because of our exploitation because of our script because we said sweet we know the new address that we want to jump to we're gonna set a return address for it to trampoline back to once it's done but the arguments to our win function that we're going to end up calling right up here are going to be in the order that is reversed to how they reversed it so our natural arg1 r2 structure cafe food and food food does that make any sense hey i uh i know i made a big different background there's probably a little bit harder to read so if i hit next instruction and i now you can see jeff says hey that was not taken because it's not zero and that hey or not not zero i don't know how exactly that's reading but we were true we were good i think that's the not zero flag was set and that's when it would take it so it's not not one of those explanations forgive me uh yeah jump not equal to zero we know that we have met the criteria for that argument being correct and i fight the next instruction again we don't take the jump we now examine what is our base pointer plus hex c that is food food which again meets this comparison and we won't jump we do not take the return function we do not bail out we continue onwards and we finally end up calling the printf function with the argument of our flag if i scroll up now that will be present and displayed output on the screen and we have our working exploit and we were able to debug it and make sense of it all thanks to jeff that was some of the good quick troubleshooting the way that we learned we jump to the very end of this function we leave we know we end up going to calling back to our main function and that's where we are we're now back in main perfect so let's quit out of the debugger let's get back to our script here our terminal and let's go ahead and run our exploit.pi we don't need to attach this to gdb anymore but we can go ahead and actually send this payload to the process that we run and make it interactive so we're no longer going to debug with our payload but we can just fire it off and there is our flag we have finally put together that good exploit script now the reason we had some fun doing this in uh gdb or excuse me and because we were doing this within pwn tools is so that we could determine whether or not we were building and preparing a local exploit versus a remote exploit so let me check we imported arg parts for a reason and we kept it we said hey let's keep track of our own art parser so parser is going to be our parse argument parser this is the same boilerplate code that we've written in the previous one but let's go ahead and add an argument we can say yeah let's do remote or i guess host and port or what should we do should we make these optional how can we do that hardparse optional arguments [Music] or just i guess we can call it destination how about that it sounds pretty dumb uh but i guess that we could make it limit to two options is there a way to do that arg parse limit to restricting values of command line options oh that's got a way to do it choices that's the way how about that does it have to be int no does it need it as a set maybe let's do type to be string uh that needs to be literal str sorry and then choices can equal local or remote how about that so args can equal parser dot um parse args and let me just go ahead and print out our args destination because i just kind of want to see it python3 exploit okay it does need a destination versus local or remote we can say local in which case it'll just return the value so we could check at the very very end of this if arg's destination is equal to local then we'll do it locally and ultimately we're going to end up sending the same payload one way or the other um we can also do an l if args.destination is equal to remote but i would like to pass in other arguments like the host and port number host and that would be a string can we do that if and only if another argument exists uh meh i think default would have to be what it is import and that can be an integer how about that does that work otherwise we'll end up using a pwn tools remote functionality and that remote will allow us to pass in hey what is the host and port that you want to connect to it's basically like args or socket connect but you don't have to do all the boilerplate that comes with it and we can kind of script this in a quick and easy way although ultimately we end up sending our payload and writing this all out so let's see if that works for us well here i'll uh minim i'll shrink this down so you can see wow this is our nice fancy script here to be able to exploit this thing and if i were to run this thing locally oh it does need it how do i set those to be optional argparse optional arguments is it not just setting a default optional um oh required i guess that's it yeah whatever required equals false on those what requires an invalid argument for positionals oh okay so we have to make those like tag tag host or attack i guess target would be a better word then so you're not using tac h maybe that's a fine way to do it why do you have to be positioned you can't use it for positionals hmm i'm probably structuring that in some bad way and i'm sure anyone else watching or listening in will let me know how i could do that better anyway we'll use tag tag port and tag p and with that can we use local what oh yeah it needs an actual ins not just a string how about that there we go it runs locally and it works so we're good now if we try to do this with remote namespace has no argument to host yep that's because we changed it to target and we should probably check on what those are but it will yell at us could not resolve hostname one way or the other so yeah it'll totally die if that doesn't work so we should check if args.target or args.port if they don't exist so and if not on those we should exit for one thing and like actually print supply target and port as a quick here stupid dumbo maybe it works supply target import yeah we could actually use the cool pwn tools like error on that rapon.fatal i think supply tacti for target and tacp for port how does that look no it doesn't it doesn't it doesn't is it error error yeah okay so that'll kill i want it to probably do a warning and then exit cleanly though there we go okay that looks a little bit nicer sorry i know we had some back and forth and now we're gonna have to restart the instance all along but with that we have significantly improved our scripting prowess and do we even need to pass in those yeah it's not going to be able to know positionally which is frustrating but boom [Laughter] maybe we could keep playing with our arguments if we really wanted to get like super finicky about it but honestly i think that was more than enough torture for this one video um we we extrapolated this significantly longer than we needed to but we've using pwn tools we have learned how we can structure the stack for calling conventions on 32-bit processes and binaries uh we've stuck the thing together with gdb and jeff so we can do a little bit better debugging when we're getting to some other shenanigans and with that we honestly can hey create our get flag script with this we can do grep tac oe pico ctf um and do we even need peter interactive anymore not gonna lie i don't think we do we we should do a p dot receive all though so we can actually grab our our binary uh on flag let's see if this turns it out for us uh does not what's our error here receive all oh you know what we should probably print it out imagine that and then we can decode it as needed and will that actually work will it air yep it'll wind about some of the specific bytes that it was showcasing so rather than utf-8 let's use latin one as our encoding and churn all that out blah okay perfect so now we can see the weird oddball bites uh and we can get the last flag at the end and we can cut through this even if we were doing it locally hey we get our own flag but we want to do it remotely and we want to grep out our pico ctf flag it'll cleanly exit and with that we have our get flag scripts oh i didn't even save it come on what happened what oh oh oh i need to get back into buffer overflow two let's run this thing again save our script and our flag and with that we have this challenge done uh so goodness holy crap everybody i'm super sorry i feel like look i mean the fact so i had to pause i had to stop i had to get my bearings and like figure this out and actually do it right because i kept fumbling and there will be an edit there will be a quick cut to like save you from that torture but i hope there were still a lot of really good learning lessons in this whether it's hey using pwn tools um and being able to interact with that remote socket in a quick and easy way using arg parts to be able to determine whether or not you're doing a local exploit or remote one and then hooking it up with gdb so you can still debug the payload that you're building out um with jeff of course and then knowing ultimately the whole learning lesson of this was how you can control the arguments how you can control the calling conventions of a 32-bit application in a program sure you can control the instruction pointer but you can also determine where it goes next with the return address that just follows it on the stack and then the arguments right that'll again follow them on the stack and while sure stack normally puts them in reverse order they're going to look in like normal order to us as we're building it out on our own stack to exploit this thing and perform the buffer overflow so a little bit of a different ball game a little bit of idiosyncrasies and gimmicks in there but i really really hoped there was some good learning lessons and i'm sorry this took forever but i hope you learned something new i'm gonna stop talking everybody i think i gotta go to bed i think i gotta take it easy thanks so much for watching everybody if you liked this video please do all those youtube algorithm things i would love if you could like the video comment subscribe support share etc i love you i'll see in the next video take care

Info

Channel: John Hammond

Views: 37,836

Rating: undefined out of 5

Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners

Id: 26mEa1Ojux8

Channel Id: undefined

Length: 50min 19sec (3019 seconds)

Published: Tue May 10 2022