Shellcode Execution (ret2shellcode) - pwn104 - PWN101 | TryHackMe

Hijacking the program's execution flow in order to execute our payload, which conveniently consists of assembly instructions that spawn a shell (shellcode), is an attack commonly referred to as ret2shellcode or simply shellcode execution. This time we are abusing a buffer overflow caused by the misuse of read. The address of the buffer on the stack (where we want to jump to in order to execute the shellcode) is leaked by the binary itself, thus allowing us to bypass ASLR with ease. In this video ASLR and the concept of shellcode are introduced, and a detailed explanation is given of how to execute the shellcode. Step-by-step tutorial solving pwn104 from the PWN101 binary exploitation room on TryHackMe.
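As an added defender-side illustration (not code from the video or from the pwn104 binary, whose source is not shown here): the read() misuse the description refers to, next to a bounded replacement that cannot overrun the stack buffer. The 32-byte buffer, the 200-byte input and the pipe harness are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 32

// The bug class behind pwn104 as the video describes it: a fixed-size stack
// buffer filled with read() using a length larger than the buffer, e.g.
//     char buf[32]; read(0, buf, 200);   // writes past the end of buf
// Printing buf's address first additionally hands the caller the stack
// address that ASLR was meant to hide, so never log pointers to users.

// Hardened form: never ask read() for more than the buffer can hold, loop on
// short reads, and always leave room for a terminating NUL.
// Returns the number of bytes stored, or -1 on error.
ssize_t read_bounded(int fd, char *buf, size_t cap) {
    size_t got = 0;
    if (cap == 0) return -1;
    while (got < cap - 1) {
        ssize_t n = read(fd, buf + got, cap - 1 - got);
        if (n < 0) {
            if (errno == EINTR) continue;   // retry if a signal interrupted us
            return -1;
        }
        if (n == 0) break;                  // EOF: sender supplied fewer bytes
        got += (size_t)n;
    }
    buf[got] = '\0';
    return (ssize_t)got;
}

// Constructed harness: push `len` bytes of `src` through a pipe, the way
// attacker-controlled stdin would deliver them, and report how many bytes
// the bounded reader accepted into `dst`.
ssize_t feed_and_read(const char *src, size_t len, char *dst, size_t cap) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    ssize_t w = write(fds[1], src, len);
    close(fds[1]);                          // EOF after the payload
    ssize_t r = (w == (ssize_t)len) ? read_bounded(fds[0], dst, cap) : -1;
    close(fds[0]);
    return r;
}

int main(void) {
    char stack_buf[BUF_SIZE];
    char oversized[200];
    memset(oversized, 'A', sizeof oversized);   // constructed 200-byte input
    ssize_t n = feed_and_read(oversized, sizeof oversized, stack_buf, sizeof stack_buf);
    printf("accepted %zd of %zu bytes, buffer intact\n", n, sizeof oversized);
    return n == BUF_SIZE - 1 ? 0 : 1;
}
```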

More on shellcode execution:

More on ASLR (Address Space Layout Randomization):

00:00 - Intro
00:14 - Checking binary protections
00:59 - Executing the binary
01:17 - Segmentation fault (vuln)
01:44 - Analyzing binary's output
02:32 - ASLR (Address Space Layout Randomization)
06:53 - Disassembling the binary
07:28 - read() function
08:30 - Disassembling the binary
09:49 - Shellcode
10:57 - Recap
12:22 - Shellcode address leak
13:46 - Shellcode as input
14:19 - Looking for shellcodes
14:52 - Shellcode as input
16:30 - Writing the exploit
18:01 - Exploiting locally
18:30 - Exploiting remotely
19:10 - Debugging the connection
19:47 - Exploiting remotely
20:33 - Reading the flag
20:58 - Outro[*]

Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
Comments
Author

This is one of the best videos I've seen on the ret2shellcode attack. I learned a lot, thank you!

Author

I learned SO MUCH on this one! This was a blast! Thank you Thank you Thank you Thank you Thank you 🙏🙏🙏🙏🙏

marcovalentinoalvarado
Author

Nice job yet again!! ( Love the eerie music at 16:34 )
PS: I've used p.recvuntil("I'm waiting for you at ") and then p.recv().

danielcmihai
Author

Very, very informative! Thanks a lot, man!

habib
Author

Why does the shellcode come before the padding in this case? In the previous videos you did the padding first.

uremomisepic
Author

In my connections, when I delete with backspace, it deletes the whole word (not one char, it deletes until a space). How can I fix it? Thanks.

GokEnsar
Author

Why do you subtract the shellcode? Why do you not add them all together like in the previous videos?

davidmohan