Return Oriented Programming (PicoCTF 2022 #48 'ropfu')

Published 2022-05-17
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon, j-h.io/paypal, j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk

🌎Follow me! ➡ j-h.io/discord, j-h.io/twitter, j-h.io/linkedin, j-h.io/instagram, j-h.io/tiktok

📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

All Comments (21)
  • @aminel2a
    28:25 I'm just like, why not sh()? But I was too hasty. Great work, John 💖
  • Hey John, have you tried using the command cyclic to find the padding size for your buffer? I would recommend that if you need to find the length quicker for easier calculations. Overall a great video, and keep up the good work!
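The `cyclic` trick the comment above refers to works because the pattern is a de Bruijn sequence: every 4-byte window is unique, so the 4 bytes that land in EIP after the crash pin down exactly how far into the input the saved return address sits. The block below is an added example written for this page (it is not the video's solution and not pwntools' code, though it uses the same lowercase alphabet and 4-byte window that pwntools' `cyclic` does). The "vulnerable program" is a constructed stand-in: `BUF_SIZE` and `SAVED_EBP` are assumed values chosen for the demo, not numbers taken from the ropfu binary, and in practice the EIP value comes from the debugger after the crash rather than from `simulate_overflow`.

```python
"""Added example: find the return-address offset with a cyclic (de Bruijn) pattern.

Not the challenge author's code and not pwntools itself; the crash is simulated
with an assumed frame layout so the script runs offline.
"""
from functools import lru_cache
from itertools import islice
import string
import struct

ALPHABET = string.ascii_lowercase   # same alphabet pwntools' cyclic uses
SUBSEQ = 4                          # 32-bit target: EIP holds 4 pattern bytes


def de_bruijn(alphabet=ALPHABET, n=SUBSEQ):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` one char at a time.
    Every n-length window occurs exactly once in the k**n-long cycle, which is
    what makes a register value map back to a single offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


@lru_cache(maxsize=None)
def _full_pattern(alphabet, n):
    """One full cycle plus the n-1 wrap-around chars, so .find() sees every window."""
    full = "".join(de_bruijn(alphabet, n)).encode()
    return full + full[: n - 1]


def cyclic(length, alphabet=ALPHABET, n=SUBSEQ):
    """First `length` bytes of the pattern (what `cyclic <length>` prints)."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern would repeat; use a longer subsequence")
    return "".join(islice(de_bruijn(alphabet, n), length)).encode()


def cyclic_find(value, alphabet=ALPHABET, n=SUBSEQ):
    """Offset of `value` in the pattern.  `value` is either the n raw bytes or the
    integer the debugger shows in EIP/RIP (interpreted little-endian)."""
    if isinstance(value, int):
        value = struct.pack("<I" if n == 4 else "<Q", value)
    if len(value) != n:
        raise ValueError(f"need exactly {n} bytes, got {len(value)}")
    idx = _full_pattern(alphabet, n).find(value)
    if idx < 0:
        raise ValueError("those bytes did not come from this pattern")
    return idx


# --- constructed stand-in for the crash; NOT the ropfu binary's real layout ---
BUF_SIZE = 76   # assumed size of the local buffer (hypothetical value)
SAVED_EBP = 4   # 32-bit frame: saved EBP sits between the buffer and the return address


def simulate_overflow(payload):
    """Return the integer a gets()-style overflow would leave in EIP, i.e. the
    4 bytes of `payload` that overwrite the saved return address (None if short)."""
    start = BUF_SIZE + SAVED_EBP
    ret = payload[start:start + 4]
    return struct.unpack("<I", ret)[0] if len(ret) == 4 else None


def find_padding(pattern_len=500):
    """Crash with a pattern, read back EIP, map it to the padding length."""
    eip = simulate_overflow(cyclic(pattern_len))
    return cyclic_find(eip)


if __name__ == "__main__":
    eip = simulate_overflow(cyclic(500))
    print(f"EIP = {eip:#010x} -> padding before return address = {cyclic_find(eip)}")
```

The returned offset is the number of filler bytes to send before the address you want to return into; on a real target you replace `simulate_overflow` with reading EIP out of gdb after feeding the program `cyclic(500)`.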
  • @moosematrix
    Currently on my binary exploitation journey and this was engaging!! Thank you John
  • @getellied
    Okay, this one was really freaking cool
  • @AlmostEpic89
    In early today. Was awesome seeing you at the Ninja one summit!
  • JOHN!!!!!!
    I don't really understand what you did... but you talking us through this challenge is inspiring... This must be what my employers think when I'm explaining things to them, haha...
    Love you man!! Keep doing this because I'm going to be here to watch and listen...

    Maybe stay away from binary, bruv :)
  • @secinject814
    Hey hey, Mr. Hammond! Excuse any typos as I am barely awake right now. But I just wanted to ask if you knew any good reverse engineering/binary exploitation books/e-books out there. Or the best YouTubers that showcase, explain, and demonstrate how binary exploitation/reverse engineering works. As I have focused far more on web exploitation like XSS, SSRF, LFI etc...

    Thanks again as always for all the educational content and hope you continue being an inspiration!! Thanks!!
  • @fhajji
    This was really interesting!
  • @SESUAV
    Pardon my noob question, but I would like to know if this exploit will work if we replace the "A"s with a NOP sled. It would automatically enter the buffer then. Would it not? We wouldn't need the short jump then.
  • @KFLawless1412
    Thank you for the awesome and educational video, John. I have a question that you or maybe someone else could answer (and I'll post it elsewhere too)

    Considering the stack was executable, could you not have done the following instead of using ROP?
    1. Load the shellcode for "cat flag.txt" in your initial input instead of the 500 'C' bytes
    2. For your injected return address after the buffer of 'A' bytes, simply put the address (in the stack) of the shellcode you just injected

    Maybe I'm missing something, but assuming that ASLR isn't enabled since you were able to discern the address of the jump instruction, you could know the address in memory of the stack location you pushed your initial input to in the first place.

    Maybe I'm not making any sense, but thank you again.
  • This video is just great! How do you write a Python script to solve this challenge?
  • @samthelamb0718
    How did you automatically know to jmp 10 bytes forward?
  • @zer001
    Cool, now I know that there is a Bird in my (HayStack). Nice. :)
  • @j3r3miasmg
    I don't get why the stack canary is not reporting *** stack smashing detected *** when you overflow the buffer, canary and the return address. Did I miss something?
  • @lethanhat361
    What are the 16 bytes of NOP for? At first, I didn't use any NOP instructions before the shellcode and it failed. After that I tried adding 2 bytes of NOP and it worked miraculously. Does it have anything to do with stack alignment?