Identifying another exploit mitigation and finding a bypass. stack0: part 2 - bin 0x22

In part 2 we have a closer look at stack0 on a modern system. We are trying to plan an exploit that works in case we can guess the stack cookie. We have to be a bit creative here.


All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.

#BinaryExploitation #BufferOverflow
Comments

Ah, some serious topics now, I see. It does inspire some sense of dread because it seems you would need to dedicate quite a lot of time and be serious about security to get any further than toy examples and games, and even then it seems like just a slow start.
Great episode, thanks. :)

TonelessR

I love this! The bug is as simple as can be and yet the system really resists exploitation. There is no guarantee that it is even possible, which makes it feel much more real. I can't wait to see what hurdles await in the heap and format string challenges.

scarlas

Hi, at 03:11 you mention that this is probably a mitigation technique.

I mean, in the end it makes exploitation harder whether it was intended to be a mitigation or not :). It was just driving me crazy, trying to find the name of this mitigation technique for over an hour until I found out that it actually has no name.

Just thought you or anyone else might appreciate this :).

adi

Great video, really appreciate your work!
I have a question:
if we replace the "RRRR" in our script with b32(0x80484cf) and we accidentally get
ESP to point to this address, will it work as well?

nirshaashua

Does the volatile keyword change the order of the variables on the stack? Is that why the simple overflow won't work?

Loving your videos, learning a ton. Thanks!

MarkPentler

Dude, you're awesome, I like your content so so so so much <3 a hug

WhoAmI-uksr

Is there something special about stack cookies such that brute forcing them requires a separate episode? A while loop that keeps generating 4 random bytes must be too straightforward. Awesome series by the way!

maplicant

4:55 "We have to get creative" But green is not a creative color

MaxPicAxe

Can't wait for the next episode :)

cyancoyote

Hi LiveOverflow,
I have changed EIP to the correct address of the shellcode (7:12 in your video), but the shellcode does not execute.

nguyenvana

Which value is overwritten by the RRRR part? Is it EBP? I don't really understand the activation record layout.

Rhirrim

Would be interesting if you could re-attempt this on even more modern systems. It seems that in the past two and a half years more protection mechanisms have been added to compilers, so this exploit doesn't really work anymore. Nevertheless, still an excellent video! If it makes my brain move I likez

NikiforGeorgiev

How da heck did changing ESP to R's ensure that ESP might land on the stack?

hackerish

At 6:59 you said that ESP doesn't point to our buffer.
Why does this happen?
We didn't overwrite it or anything like that.

yuvalweber

If the stack cookie's position is consistent, why not use bitwise operators?

chonchjohnch

I don't understand anything. Where should I start, other than your first few videos? (I've already watched them numerous times and still understand null.)

jaime

At 6:28, why isn't your stack smashing? You didn't set any breakpoint and also didn't manipulate EIP. Is ASLR off?

gmgurukula

5:26 Maybe you could just always overwrite the last cookie byte with 0 and leave ESP untouched? (Eventually, after enough tries, it will be 0.)

agnusxendis

Do you think it is completely impossible to perform a buffer overflow exploit on a 64 bit system with a stack cookie?

vincenttang

Love exploit development, must have written over 30 exploits in my day. But now it's having the time to put into coding again and reading, which I don't have at the moment. It's a shame there aren't many jobs out there for pentesting unless you have loads of qualifications. I know people with bachelor's degrees and such in computer tech who still have no idea what a buffer overflow is or any other vulnerabilities. Why all the down thumbs? Oh, and if you are going to do exploit development and find a decent vulnerability, don't forget to notify the developers or you could be looking at some time in jail, or even a court case against you for loss of revenue. And one more thing that p!sses me off is the arrogance of some of the developers of applications. Make sure you follow responsible exploit disclosure guidelines.

muhaahaloa