ST

sailboat on Sat 26 Feb 2011

For anyone who is trying to make these examples work, make sure that when you compile, you include the following option -fno-stack-protector so gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -o demo demo.c

c-b51 on Tue 01 Mar 2011

firstly thank you for the assam example-videos.

i try this examples, but it doesn't work. my compiler said that: 'demo.c:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘<’ token' with -fno-stack-protector to me, but why? i don't know.

H4TT1fn4TT on Thu 03 Mar 2011

Did you had to write them in reverse order because there is a last in first out rule?

c-b51 on Fri 04 Mar 2011

yes, that was my own mistake. thank you for your fast help. i found that error on the same day. but i have an another question. my esp show me 0x14 and not 0x8. what should i do in this case?

raju on Tue 22 Mar 2011

its a amazing video

tektonik on Sat 26 Mar 2011

[quote]c-b51: yes, that was my own mistake. thank you for your fast help. i found that error on the same day. but i have an another question. my esp show me 0x14 and not 0x8. what should i do in this case?[/quote]

Your memory map may not match up exactly with the one in this video therefor your address may be different, Mine are as well. The important thing is to understand which address is chosen and why. For example: the first address in CanNeverExecute() on my system is 0x080483e4, whereas the address in the video is 0x080483b4. So this is the address I will use for the printf call because it points to the first instruction in that function.

So just make sure that you are copying the same relative address as in the video and don't worry about whether the numbers match exactly. I highly suggest working through the assembly programing tutorials if you have not already, very enlightening.



[quote]H4TT1fN4TT: Did you had to write them in reverse order because there is a last in first out rule?[\quote]

This is exactly correct. The stack is stored in order from highest memory to lowest memory, however the program will read it from lowest to highest when it accesses the values stored there. So when we stack: /xb4 /x83 /x04 /x08 the /xb4 will be in the high mem and /x08 will be in the lower mem and the program will pop them off the stack in correct order by starting with the lowest byte and working to the highest.

This is also explained in the Assembly Primer. Check it out! You gotta work through the basics in order to understand the advanced. Its much worth the couple of hours you put in to it.

atoi on Wed 20 Apr 2011

First off, awesome vid once again! Thanks for the information :)

Secondly I wanted to mention that perl can be a real help here. While printf command does get the job done, perl is a bit more flexible that can potentially save you a lot of typing:

perl -e 'printf "A" x 12 . "\x24\x84\x04\x08"' | ./demo

In this case I am telling perl to print A 12 times then concatenating the memory address for the CanNeverExecute() function on the end.

Col_Loki on Tue 26 Apr 2011

Just so helpful, quite a complex topic to cover and you do it so well. Keep up the good work!

resoliwan on Sun 08 May 2011

it so good but i have a question
Dump of assembler code for function CanNaverExecute:
0x08048414 <+0>: push %ebp
0x08048415 <+1>: mov %esp,%ebp

and i try to write hex value at return address but

printf "aaaabbbbcccc\x14\x84\x04\x08" |./demo

aaaabbbbcccc?
Segmentation fault

just print hex to char ... how can i write hex value ?
plz help me

oscarozuna on Mon 30 May 2011

nice videos

4dm1n on Sun 05 Jun 2011

Nice presentation. ru from chennai.. Mr.ramchandhran

rails345 on Mon 06 Jun 2011

Excellent presentation evident of a lot of thought and work. Interesting that the gdb step function follows the lines of the program (language) that is actually executed.
......Is there a way to step thru the assembly language created by the C program?

smartboy on Thu 30 Jun 2011

Excellent presentation. I really appreciate your efforts. thanks.

xsurf on Wed 06 Jul 2011

Thank sailboat for your comment.

rakesh on Sun 31 Jul 2011

excellent mr.ramchandhran..

SpEcTeR on Tue 02 Aug 2011

thank you so much.Actually for a long time I was spending many time for understanding buffer overflow.Moreover I found many books about that.But your video was perfect and clear.

ethico on Sat 20 Aug 2011

i am glad i found this video. thanks and looking forward to see the exploitation part.

Alos on Sun 16 Oct 2011

thank u! vivek!!!! :) greetings from mexico

t0ph4tter on Sun 16 Oct 2011

I watched your assembly primer and found it really helpful, but this video is where the really cool stuff happens! I finally registered just to comment on this video. The memory addresses were a bit different so I had to work some of it out on my own, but I got it working and feel like I really understand it. Thank you and keep up the great work!

Kao on Wed 02 Nov 2011

Which Linux version shoul I use to test it and where to download, please? I always get the message from some security solution :(

dZONE on Fri 04 Nov 2011

Great work Vivek..it all goes down nice and clear now.....Keep it up..we need more guys like u!!

stock on Thu 01 Dec 2011

I tried to run the demo in gdb but instead of reserving 8 bytes, cpu go ahead to do `sup $10, %esp`. I can't figure out why the reservation of space is double (from 8 to 16 byte). Does anyone got the similar problem? I understand the memory map may not be the same (coz address randomizer at start), but the amount of memory reserved should be fixed by 8 (because we did "char buffer[8]")??

Dump of assembler code for function main:
0x080484ae <+0>: push %ebp
0x080484af <+1>: mov %esp,%ebp
=> 0x080484b1 <+3>: call 0x8048474 <GetInput>
0x080484b6 <+8>: mov $0x0,%eax
0x080484bb <+13>: pop %ebp
0x080484bc <+14>: ret
End of assembler dump.
(gdb) disas GetInput
Dump of assembler code for function GetInput:
0x08048474 <+0>: push %ebp
0x08048475 <+1>: mov %esp,%ebp
0x08048477 <+3>: sub $0x10,%esp
0x0804847a <+6>: mov %gs:0x14,%eax
0x08048480 <+12>: mov %eax,-0x4(%ebp)
0x08048483 <+15>: xor %eax,%eax
0x08048485 <+17>: lea -0xc(%ebp),%eax
0x08048488 <+20>: mov %eax,(%esp)
0x0804848b <+23>: call 0x8048374 <gets@plt>
0x08048490 <+28>: lea -0xc(%ebp),%eax
0x08048493 <+31>: mov %eax,(%esp)
0x08048496 <+34>: call 0x80483a4 <puts@plt>
0x0804849b <+39>: mov -0x4(%ebp),%edx
0x0804849e <+42>: xor %gs:0x14,%edx
0x080484a5 <+49>: je 0x80484ac <GetInput+56>
0x080484a7 <+51>: call 0x8048394 <__stack_chk_fail@plt>
0x080484ac <+56>: leave
0x080484ad <+57>: ret

PuN1sh3r on Thu 08 Dec 2011

hey man, i want to thank you for taking the time to do all this videos. good damn work, please keep it up man you r doing fantastic... :)

dikien on Sun 25 Dec 2011

thank you! from south korea!!

Prd_schumy on Thu 29 Dec 2011

Loved it...thanks ! -as ever...you smooth as silk !

JuanV on Wed 25 Jan 2012

I always been looking for some good explanation about the exploits until i found this.

Thanks alot dude

hacknix on Thu 26 Jan 2012

I need someone who is capable of hacking* websites & accessing their email database


I don't need scraping,web crawling or extractors


I need this sites HACKED so I gain access to their email DB


I will need to test the result u give me,if it checks out,I am willing to pay up to 3000$

per website and 10-20 websites monthly,which will increase upon delivery of faster & quality

service


Pls note,CONTINUITY is what I am after...I NEED A GOOD PARTNER I CAN WORK WITH FOR A VERY

LONG TIME!. I HAVE AT LEAST 500 WEBSITES ON MY LIST AND IM WILLING TO PAY 3000$ PER WEBSITE

PLEASE SEND ME A MAIL IF U CAN DO THIS ASAP ; omorye007 (at) yahoo (dot) com


Cheers

G3RM4N on Thu 15 Mar 2012

Thank you for the great video!!

I got a question:

everything worked fine but to overwrite the return value
i got to write this:

printf "123456789ab\x00\x34\x84\x04\x08"

because if i try to use ur code printf "123456789abc\x08\x34\x84\x04\x08" idk

it works but i get some stuff at end of the reputting like �

Also my return value apear after 16 bytes not like urs after 12 bytes. But everything works great if i overwrite the 12 bytes like u did. i dont get it :/ help me guys

0xbffff2c4: 0x00163c55 0x08048489 0x002aaff4 0xbffff2d8
0xbffff2d4: 0x08048478 <------return value 0x00000000 0x0014a113 0x00000001

gundu on Sun 18 Mar 2012

excellent video........:)

adam on Wed 28 Mar 2012

Thank you for wonderful videos Vivek, this also works nicely for 64bit :D

genuine on Sun 15 Apr 2012

Very well explained, could i get more information on the machine setup you have in the video? software, OS etc..

SeshaKiran on Thu 26 Apr 2012

Awesome video. very thorough.

Wilson on Thu 26 Apr 2012

Hi guys, could somebody help me please ? In the assembly megaprimer i've successfully ported all the programs to x64 ( i'm working on a x64 Backtrack R2 ) but i can't make this vulnerability work on my x64 system , and i just can't figure out why , i've tried to search after tutorials on overflowing x64 programs but i haven't found one yet
Here is my stack right before taking input
0x7fffffffe3d0: 0x00000000 0x00000000 0x004004d0 0x00000000
0x7fffffffe3e0: 0xffffe3f0 0x00007fff 0x004005fc 0x00000000

the return address is:0x004005fc

Disas Main:

0x00000000004005ef <+1>: mov %rsp,%rbp
0x00000000004005f2 <+4>: mov $0x0,%eax
0x00000000004005f7 <+9>: callq 0x4005cc <GetInput>
0x00000000004005fc <+14>: mov $0x0,%eax

Disas CanNeverExecute:
0x00000000004005b4 <+0>: push %rbp
0x00000000004005b5 <+1>: mov %rsp,%rbp
0x00000000004005b8 <+4>: mov $0x4006fc,%eax

My Input Is : prinf "AAAABBBBAAAABBBB\xb4\x05\x40\x00" | ./VulnApp

I've tried playing with the input length and to feed the whole 8bytes like
prinf "AAAABBBBAAAA\xb4\x05\x40\x00\x00\x00\x00\x00"

what should i do ? please explain , aslr is of course turned off
thanks :)

mayurkumar on Thu 03 May 2012

hello sir,
Is that reversing of hex values is due to little endian

orrala on Sat 05 May 2012

@stock: I had the same problem, it looks like some versions of gcc have a stack smashing detection module, so, it can be disabled adding -fno-stack-protector parameter to the compilation.