Exploit Dev Pitfall Corrupted Shellcode

In this video we see two more common pitfalls that you want to avoid when you get started with binary exploitation.

-=[ 📄 P.S. ]=-

All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.
Comments
Author

What kind of monster doesn't use A's for buffer overflow exploitation

nug
Author

Never thought to consider that I may overwrite my exploit when using an overflow. Very informative video, thank you so much for sharing all you've learned with us newbies!

column.
Author

Hello! I never comment on your videos but I'm following you for years now, you do an amazing job and I learn so much from this channel, keep up the good work! Anyway, I want to let you know that I'm studying for a certification focused on exploitation, and this is very good at explaining why EIP should not be close to ESP, also could be a good intro to stack alignment, something that was very frustrating for me and there are no good tutorials about it, maybe you should try to do one :) Again, amazing job, congrats!

dplastico
Author

Love the part when he says "Then my CAF will block it." 2:15

machinexa
Author

Oh gosh, I remember having the same problem too but never figured out how.
Makes so much sense now

Ariana-dnmm
Author

Another solution for the shellcode overwriting problem that worked for me was to add "add rsp, 0x50" before the start of the actual shellcode. That way the stack moves far away from the RIP.
The byte representation of that instruction is \x48\x83\xc4\x50, compiled with rasm2 -a x86 -b 64 "add rsp, 0x50" (for Linux 64-bit).
So the payload looks like:
nopslide + add rsp, 0x50 + shellcode + padding + RIP. I also like to remove the padding, because this shellcode will never overwrite the RIP, and the longer the nopslide, the better.

lukaprsina
Author

Another pitfall that can happen is when exploiting gets on an x86 machine: it writes its return value on the stack, also corrupting your shellcode

douwehuysmans
Author

I get the feeling this is the exact issue I've been having while trying to write custom shellcode for a picoCTF 2019 challenge... I'll have to fire it up after I get off work tomorrow morning. Thank you for the amazing videos!

zaneoblaneo
Author

Man, you're awesome with your magic explanation! Debug FTW!

anishamdi
Author

This is really a great explanation and example, I'm really starting to understand a bit better thanks to your great explanations.

I hope you feel better so you can get the rest of your videos done without feeling too ill.

christiansacks
Author

For the program execution redirection problem, it won't work because gets() shouldn't be in main, it should be something like:
#include <stdio.h>

/* deliberately vulnerable: gets() has no bounds check, so an over-long line
   overflows buffer and then the saved return address of vuln() */
void vuln()
{
    char buffer[64];
    gets(buffer);
}

int main()
{
    vuln();
    return 0;
}

thecrazzxz
Author

Love the effort you’re putting in these videos!

BBones_
Author

This is absolutely brilliant content. Thank you!

simon
Author

8:36 right now I'm thinking "oh it pushed to the shellcode and overwrote the pop"
I'd probably put a nop slide here
or maybe do
mov ax, sp
add ax, 300
mov sp, ax

otesunki
Author

Hi man, really cool video as usual! ;)

Yet I wonder... Did you use pure gdb for "minimalistic look = more meaning to what's shown" or just forgot to enable an enhancer?
Imho, gef or peda are way more pleasant to use + more pedagogic for newcomers... :D

LoukaJC
Author

Keep up the good work man!

I love your vids :)

Filmer
Author

@LiveOverflow So to be clear, it's because there are different ret opcodes (0xC3, 0xCB) used for near return & far return that cause the "ret pitfall"?

hexrabbit
Author

I had a similar issue, where the shellcode got corrupted.

Adding sub $40, $rsp (bytes: \x48\x83\xec\x40) to the start of the shellcode also solves the issue, basically moving the stack pointer out of the way.

Jonasonweb
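As an added example (not code from the video or from any of the commenters), here is a small Python model of the stack layout described in the two comments above that prepend `add rsp, 0x50` or `sub rsp, 0x40` (the bytes given in the comment) to the shellcode; it shows why pushes from the shellcode clobber it when RSP sits right above it, and what the prologue changes. The frame sizes, push count and stack address are constructed assumptions.

```python
# Added example (not from the video or the commenters): a byte-level model of the
# "RSP lands inside the shellcode" pitfall, comparing the plain layout with the
# `add rsp, 0x50` / `sub rsp, 0x40` prologues suggested in the comments.
# Assumed (constructed) frame: 64-byte buffer, saved RBP, saved RIP at BUF+72,
# so right after `ret` RSP = BUF+80. Only the offsets matter, not the address.
BUF = 0x7FFFFFFFE000
BUF_SIZE = 64
RIP_OFF = BUF_SIZE + 8             # saved return address follows the saved RBP
RSP_AFTER_RET = BUF + RIP_OFF + 8  # `ret` pops the saved RIP; RSP now points above it


def push_writes(rsp, n_pushes, sp_adjust=0):
    """Byte ranges [lo, hi) that n_pushes `push` instructions store to, after an
    optional `add rsp, sp_adjust` prologue (a negative value models `sub rsp, N`)."""
    rsp += sp_adjust
    writes = []
    for _ in range(n_pushes):
        rsp -= 8                   # push: decrement RSP, then store 8 bytes there
        writes.append((rsp, rsp + 8))
    return writes


def clobbered_bytes(sc_start, sc_len, writes):
    """Number of shellcode bytes in [sc_start, sc_start + sc_len) hit by the writes."""
    sc_end = sc_start + sc_len
    return sum(max(0, min(hi, sc_end) - max(lo, sc_start)) for lo, hi in writes)


def check_layout(sc_len, n_pushes, sp_adjust=0):
    """Payload = NOP sled + shellcode placed directly below the saved RIP (no padding,
    as in the comment). Returns how many shellcode bytes the pushes would corrupt."""
    sc_start = BUF + RIP_OFF - sc_len  # shellcode ends exactly at the saved RIP
    writes = push_writes(RSP_AFTER_RET, n_pushes, sp_adjust)
    return clobbered_bytes(sc_start, sc_len, writes)


if __name__ == "__main__":
    # constructed case: 40-byte shellcode that does four pushes (e.g. building a string)
    for label, adj in (("no prologue", 0), ("add rsp, 0x50", 0x50), ("sub rsp, 0x40", -0x40)):
        print(f"{label:14s}: {check_layout(40, 4, adj)} shellcode bytes corrupted")
```

The first push only lands on the already-consumed saved RIP; every further push walks down into the shellcode unless RSP was first moved above it (add) or below it (sub).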
Author

3:53 you said the same thing twice in a row :D

GodlikeGER
Author

Coming back around to this cause I think I'm hitting this problem xD

BillyHudson