Exploiting Return to Libc (ret2libc) tutorial - pwn109 - PWN101 | TryHackMe

Video description: Exploiting Return to Libc (ret2libc) tutorial - pwn109 - PWN101 | TryHackMe

Return to libc (ret2libc) fully explained from scratch. In this video we will see and understand how to perform a ret2libc as a multi-staged exploit. First, we abuse a buffer overflow to hijack the execution flow and leak addresses from the global offset table (GOT): we build a tailored ROP chain that jumps to a PLT stub, passing GOT entries as parameters. Once we have obtained the information we need, we execute the vulnerable function a second time (second stage) and, based on the leaked information, jump to system() with the string "/bin/sh" as its parameter. To do so, we identify the libc version the server is running and, once the dynamically resolved addresses are leaked, jump to the specific locations we need in that libc.
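The address arithmetic the description relies on, as an added example that is not code from the video: it parses a puts()-style leak (truncated at the first NUL byte, which is the u64 padding issue and the "exception or error" the video debugs), recovers the libc base, sanity-checks it against ASLR's page granularity, and shows the ASLR-independent low 12 bits that the libc search databases match on. The leaked bytes and the symbol offsets are constructed placeholders, not values from any real libc build.

```python
import struct

# Constructed placeholder offsets: NOT offsets of any real libc build.
# In the video the real ones come from the libc search databases listed below.
LIBC_OFFSETS = {"puts": 0x80ED0, "gets": 0x7F740, "system": 0x52290, "/bin/sh": 0x1B45BD}


def u64(raw: bytes) -> int:
    """Little-endian unpack with zero padding.

    puts() stops at the first NUL byte, so a 64-bit userland address
    (0x00007f..........) comes back as only six bytes; unpacking it with
    struct.unpack("<Q") without padding raises the error the video debugs."""
    if len(raw) > 8:
        raise ValueError("leak longer than 8 bytes: extra output mixed into the line")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def p64(value: int) -> bytes:
    """Pack an address little-endian, the counterpart used when building a payload."""
    return struct.pack("<Q", value)


def libc_base(leaked_line: bytes, symbol: str) -> int:
    """Strip the newline puts() appends, unpack, and subtract the symbol's offset."""
    if leaked_line.endswith(b"\n"):
        leaked_line = leaked_line[:-1]
    addr = u64(leaked_line)
    base = addr - LIBC_OFFSETS[symbol]
    # ASLR shifts the libc mapping by whole pages, so a correct base is page aligned.
    # A misaligned result means the wrong libc version or a corrupted leak.
    if base & 0xFFF:
        raise ValueError(f"base {base:#x} is not page aligned: wrong libc or bad leak")
    return base


def resolve(base: int, symbol: str) -> int:
    """Address of a libc symbol (or the "/bin/sh" string) in the running process."""
    return base + LIBC_OFFSETS[symbol]


def fingerprint(leaked: dict) -> dict:
    """Low 12 bits of each leaked address: unchanged by ASLR, they identify the build."""
    return {name: addr & 0xFFF for name, addr in leaked.items()}


if __name__ == "__main__":
    # Constructed leak line: six address bytes followed by puts()'s newline.
    leak = b"\xd0\x0e\xe4\xf7\xff\x7f\n"
    base = libc_base(leak, "puts")
    print(f"libc base  {base:#x}")
    print(f"system()   {resolve(base, 'system'):#x}")
    print(f"fingerprint {fingerprint({'puts': u64(leak[:-1])})}")
```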

Knowledge videos:
Exploiting Return Oriented Programming (ROP) tutorial    • Exploiting Return Oriented Programmin...  
Global Offset Table (GOT) and Procedure Linkage Table (PLT)    • Global Offset Table (GOT) and Procedu...  
Endianness Explained. Little-Endian and Big-Endian for 32 and 64 bits    • Endianness Explained. Little-Endian a...  

Additional references about ret2libc:
Wikipedia: https://en.wikipedia.org/wiki/Return-...
Exploitdb: https://www.exploit-db.com/docs/engli...
Ired.team: https://www.ired.team/offensive-secur...
Phrack Magazine: http://phrack.org/issues/58/4.html

Tools to search for specific libc version:
https://libc.rip/
https://libc.blukat.me/
https://libc.nullbyte.cat/


00:00 - Intro
01:27 - More references to learn ret2libc
02:08 - History of ret2libc
03:07 - Disassembling the binary
03:25 - Checking the protections
03:55 - Seeking the vulnerability
04:51 - Spotting the vulnerability
05:32 - Hijacking the execution flow
05:59 - Scenario for ret2libc
06:40 - GOT and PLT
07:25 - How to leak addresses
08:04 - The GOT
08:52 - The PLT
09:54 - Recap
12:00 - ROP
12:38 - What addresses to leak
13:09 - Starting the exploit
13:27 - The puts() function
13:56 - Calling convention
14:25 - Seeking for gadgets
15:22 - Endianness
15:56 - Calling puts()
17:10 - Passing GOT entry as parameter
18:05 - Creating the payload
19:43 - Executing the exploit
20:20 - Improving the exploit
21:53 - u64() vs p64()
23:12 - Executing the exploit
23:28 - Exception or error
24:25 - Executing the exploit remotely
24:42 - Debugging exploit errors
26:00 - Leaking remote addresses
26:25 - ASLR randomization and addresses offsets
27:00 - Leaking server addresses
27:38 - Finding specific libc version
29:11 - Second stage of the exploit
29:35 - Address of system() and /bin/sh
31:28 - Modifying the exploit
32:22 - Calling system("/bin/sh")
33:30 - Executing the exploit
35:10 - Reading the flag
35:24 - Outro[*]

Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
