JackHacks
  • Videos: 2
  • Views: 8,462
Remote Code Execution via Tcache Poisoning - SANS SEC 760 "Baby Heap" CTF
A video walkthrough for SANS SEC 760's "Baby Heap" CTF challenge, which involved exploiting a format string vulnerability and a one-byte overflow to poison tcache and gain remote code execution.
*NOTE* - There seem to be some slight errors in the video, my apologies!
- At 27:50, 0x101 is meant to be 257 not 254
- When explaining the A, M, and P flags for the Heap Chunks, those are supposed to be "bits" not "bytes"
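To make the two corrections above concrete, here is an added C example (not code from the video or from the SEC 760 challenge): it decodes a raw glibc chunk size field such as 0x101 into the chunk size plus the A, M and P flag bits, applies glibc's request2size() and csize2tidx() arithmetic to show that malloc(0xf8) yields a 0x100 chunk in tcache bin 14, and computes where a one-byte overflow from that chunk lands. The constants assume 64-bit glibc (8-byte size field, 16-byte alignment, 0x20 minimum chunk); the sample values 0x101 and 0xf8 come from the video's errata and comments, while the overwrite byte 0x41 is a constructed illustration, not the value the video used.

```c
/*
 * Added example, not code from the video or the SEC 760 challenge: pure
 * arithmetic over glibc malloc chunk headers using the 64-bit constants
 * (SIZE_SZ = 8, MALLOC_ALIGNMENT = 16, MINSIZE = 32). No heap is touched.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ          ((size_t)8)
#define MALLOC_ALIGNMENT ((size_t)16)
#define MIN_CHUNK_SIZE   ((size_t)32)
#define PREV_INUSE       ((size_t)0x1)  /* P: previous chunk is in use          */
#define IS_MMAPPED       ((size_t)0x2)  /* M: chunk was obtained via mmap       */
#define NON_MAIN_ARENA   ((size_t)0x4)  /* A: chunk belongs to a non-main arena */
#define SIZE_BITS        (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

struct chunk_hdr {
    size_t size;      /* chunk size with the three flag bits masked off */
    int a, m, p;      /* the A, M, P flags: single bits, each 0 or 1    */
};

/* Split a raw size field as read in gdb (e.g. 0x101, which is 257 decimal)
 * into the chunk size and its flag bits: 0x101 is a 0x100-byte chunk with
 * only PREV_INUSE set. */
struct chunk_hdr decode_size_field(size_t raw)
{
    struct chunk_hdr h;
    h.size = raw & ~SIZE_BITS;
    h.a = (raw & NON_MAIN_ARENA) != 0;
    h.m = (raw & IS_MMAPPED) != 0;
    h.p = (raw & PREV_INUSE) != 0;
    return h;
}

/* glibc request2size(): user request -> chunk size. Only one size field is
 * added because an in-use chunk may use the next chunk's prev_size field as
 * user data, so malloc(0xf8) fits exactly into a 0x100 chunk. */
size_t request2size(size_t req)
{
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGNMENT - 1) & ~(MALLOC_ALIGNMENT - 1);
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

/* glibc csize2tidx(): chunk size -> tcache bin index (0x20 -> 0, 0x30 -> 1, ...). */
size_t csize2tidx(size_t chunk_size)
{
    return (chunk_size - MIN_CHUNK_SIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT;
}

/* Offset from the start of user data to the NEXT chunk's size field. User data
 * starts 2*SIZE_SZ into the chunk and the next size field sits SIZE_SZ into
 * the next chunk, so the offset is chunk_size - SIZE_SZ: 0xf8 for a 0x100
 * chunk, i.e. exactly the byte a one-byte overflow of malloc(0xf8) writes. */
size_t next_size_field_offset(size_t req)
{
    return request2size(req) - SIZE_SZ;
}

/* Effect of a one-byte overflow on a little-endian size field: only the low
 * byte changes, so the flag bits and the low nibble of the size now come from
 * the attacker's byte while the upper bytes of the size survive. */
size_t overwrite_low_byte(size_t raw, unsigned char b)
{
    return (raw & ~(size_t)0xff) | b;
}

int main(void)
{
    struct chunk_hdr h = decode_size_field(0x101);
    size_t req = 0xf8;                                  /* sample request from the video  */
    size_t poisoned = overwrite_low_byte(0x101, 0x41);  /* constructed sample overflow byte */

    printf("raw 0x101 = %zu: size 0x%zx, A=%d M=%d P=%d\n",
           (size_t)0x101, h.size, h.a, h.m, h.p);
    printf("malloc(0x%zx): chunk 0x%zx, tcache bin %zu, next size field at user+0x%zx\n",
           req, request2size(req), csize2tidx(request2size(req)),
           next_size_field_offset(req));
    printf("low byte 0x41 over 0x101 -> 0x%zx (size 0x%zx)\n",
           poisoned, decode_size_field(poisoned).size);
    return 0;
}
```

The practical check this gives you while working a heap challenge: read a neighbour's size field in gdb, mask off the low three bits to get the real chunk size, and use request2size() to confirm that the request size you chose (0xf8 here) puts your one-byte write on the low byte of the next chunk's size field rather than somewhere inside your own chunk.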
🔗 Links From Video:
- Steph3nSims/status/1233119624658481157
- azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/
👨‍💻 Gear I Use:
- Microphone: Audio Technica AT2020USB+
- Camera: Logitech HD Pro Webcam C920
- Headphones: Shure SE215 (Sound Isola...
Views: 7,747

Videos

Computer Security Livestream: Ask Me Anything
718 views · 4 years ago
Short AMA stream where I answered viewer questions, talked about HTB (HackTheBox), the new updates to OSCP, spoke about burnout, gave a high level explanation of breaking into exploit development and explained how egg hunters work. Many thanks to everyone who joined me on stream! Really appreciate you all hanging out and asking questions, as well as sharing awesome links! =) 🔗 Links From Stream...

Comments

  • @kevinwydler7305 · 10 months ago

    This is so informative and really well explained! Thank you so much

  • @sezarstarscourge7368 · 1 year ago

    0x101 = 257, you made a little mistake: 254; but it's cool

  • @antonsonj4995 · 1 year ago

    Thanks a ton!!! Really helpful video ❤️

  • @flyingtiger123 · 1 year ago

    I was confused by the technique for several days until I came across this. Fabulous video!

  • @shravyabhaskara8003 · 2 years ago

    The explanation was so clear! I struggled with finding the proof of work for a challenge while playing CTFs. Glad I came across this video. Recently been trying to make a challenge based on tcache poisoning. Your video walkthrough really helped! Thanks a lot.

  • @manolo_averias · 2 years ago

    Great video man, come back

  • @lazlowcarmichael1829 · 3 years ago

    Absolutely phenomenal video. Illustrative and informative.

  • @pwndumb2903 · 3 years ago

    I love the video. It's amazing. Thx. Can you tell me what software you used to create the animations (arrows and text) in the video? I'm not asking about the exploit because I have to learn a lot to understand heap exploitation.

  • @NetworkITguy · 3 years ago

    I'd say time management is critical as well, however for someone who is behind the knowledge curve and has to catch up, I would say that drilling in the fact that you should at the very least learn something new every day is key to success. Grinding day in and day out burns you out but also, sadly, is needed to progress in this field once you plateau. Though I am not saying you shouldn't have hobbies or not manage your time. In fact a perfect example is STÖK's story on how he has to manage his time. Also there's a redteamvillage talk about burnout, I'd say go watch it.

  • @superhero1 · 4 years ago

    Great video! Thank you so much.

  • @rootedinside106 · 4 years ago

    One of the most informative videos I have seen about heap exploiting! Thanks!

  • @fusca14tube · 4 years ago

    Hi JackHacks... first of all, thank you for your video. Can you help me? I'm trying to develop an exploit based on your heap exploitation, but my exploit freezes when I send data without ' '. It only works if I use s.sendlineafter("Data: ", data), but I NEED to use s.sendafter("Data: ", data) (without ' ') to explore the "off by one overflow" vulnerability. What am I doing wrong? Thanks in advance.

  • @TheVampirePlaysMc · 4 years ago

    Really nice vid, learned a lot. Can you please explain why you have to use 0xf8 for the initial malloc for the one-byte overflow? Couldn't any size exploit the one-byte overflow? Another question: when did we exploit tcache? I didn't see where that came into play.

    • @texon7631 · 4 years ago

      Tcache is a technique used by the heap (as you can see in the vid) to improve heap management; he clearly responds in the video to both of your questions.

  • @markusdauberschmidt2969 · 4 years ago

    Which glibc are you using on your system? I don't have the same output using gef/pwndbg on libc2.27 (Ubuntu 18) when freeing the 2nd and 3rd chunk.

  • @ムワ-d7n · 4 years ago

    Nice walkthrough, more heap exploitation please

  • @mesh3al32 · 4 years ago

    Thank you for the very informative walk-through, best Linux heap exploitation video :)

  • @anticharacter · 4 years ago

    At 27:50, isn't 0x101 in decimal 257, not 254?

    • @JackHacks · 4 years ago

      Yes, you would be correct! It would be 257; seems I made a mistake in my script 😅. There seem to be some other errors, like when I say "bytes" instead of "bits" - will be putting out a disclaimer note for those soon.