I really love when you share with us your learning process, that phase of the video where you learn with us. Extraordinary video man!
It is alignment issue because system() uses xmm registers to move data around, and they require 16 bytes alignment. Could be just one ret instruction to offset the stack.
No, John, this ROPGadget explanation was immensely useful to I bet most of us!
Nice to see how the number of your subscribers rises further and further.
You've earned this. Keep up the good work!
yeah it's for stack alignment try to add p64(pop rdi +1) which is ret instead of puts and it will works fine
John, you really taught me ROP, before watching your video I was very confused with it. Thanks man keep it up👍🏻
I really liked the way you explained ROP. This is super amazing!
@ John Hammond your content is golden ! keep up the good work. love that you also keep in the struggles (the learning process) that we all have from time to time with syntax.!
keep up with your awesome content.!
I know it's asking a lot, but a future series on Binary Exploits from scratch would be sweet
These videos are great. Even when you cover a topic I already know fairly well, you introduce new tools or work processes to make it simpler.
Showing all the mistakes or oversights or having to look up more about something is refreshing too, because it's always a messy process. There's no circumstance where anyone goes in and knows exactly how to deal with every single thing they'll run into. That's half the job, and hopefully it's encouraging to everyone exploring new things. It is to me
You are absolutely amazing, I am loving these contents
Hey John, another great video although well above my knowledge base!!! So cool how you always get your end results. I'll keep watching and learning thx.
great video sir. Learned a new thing thank u so much
Thank you for your explanation. Great video!
Awesome video, thank you so much for sharing your knowledge
great vid mate. one of my favorites yet. binary exploitation outside of ya average buffer overflow is something I need explained just like this. nice one bruva
Hey John! Great video. Just wanted to tell you that the peculiar issue you faced (not getting a shell when running only system, then getting a shell when first calling puts and then system) is due to the 16-byte alignment requirement of modern architecture. They require the stack pointer to be 16-byte aligned whenever an SSE2 instruction (especially) is called. In the system function there is an SSE2 instruction movaps XMMWORD PTR [rsp+0x40],xmm0. Hence you didn't get the shell in the first attempt. More info: stackoverflow.com/questions/54393105/libcs-system-when-the-stack-pointer-is-not-16-padded-causes-segmentation-faul
Have a good day 👋
Learned some ROP and pwned a live challenge in HTB Santa CTF
*Goes to checkout pwnscripts* great job John!
I believe the additional puts call allows for the stack to be 16-bit aligned cause they’re running on Ubuntu 18.04
Does puts not return though? when you make a call its return address gets pushed to the stack, so its offset in that function you're calling, but when you return from that function that return address gets popped from the stack and it makes 0 difference beyond that
maybe ROP does some extra stuff that provides the offset though
Thijs Bruineman Well, it does return. However, the system ABI for the x86_64 architecture guarantees a 16-byte aligned stack before a call. When the ROP instructions are loaded onto the stack, and system() is called, it makes use of this fact. So, your stack has to be aligned to the 16-byte (sorry I said 16-bit in the initial comment) boundary.
Regarding your concern about the function returning and thus not having an effect, what the ret instruction actually does is it first pops the stack pointer, which in turn means it increments the stack pointer. This has the effect of adding the extra 8 bytes that might be needed to align the stack. Usually, what one would do is to simply use a ROP gadget that just has one ret call. However, in John's case he made a call to puts, which if it has an odd number of instructions (I'm assuming) will have the same effect.
Please do correct me if I'm misguided, thanks!
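The two comments above describe the same rule from different angles: the x86-64 SysV ABI expects rsp + 8 to be a multiple of 16 at function entry (a real call pushes an 8-byte return address onto a 16-aligned stack), and a ret-driven transfer does not push anything, so where rsp lands depends purely on how many 8-byte slots the chain has consumed. The walk below is an added example, not code from the video or from any commenter, and it does only the slot arithmetic: the gadget names are symbolic placeholders, the starting rsp is a constructed value, and no binary is involved. It shows why a chain ending directly in system lands misaligned from a well-formed frame, why a single extra ret slot fixes it, and why the detour through puts happens to fix it as well: the puts "call" occupies three extra slots (24 bytes), which flips the alignment parity regardless of what happens inside puts.

```python
"""Stack-pointer alignment walk for ret-driven control transfers on x86-64 (SysV ABI).

Added example, not from the video or the comments: it models only the stack-slot
arithmetic the comments describe. Gadget names are symbolic placeholders, not
addresses from any binary.
"""

SLOT = 8  # size of one stack slot on x86-64

# Extra slots each symbolic entry consumes beyond the one slot that the
# transferring `ret` already popped. A plain `ret` gadget and a function reached
# via `ret` consume nothing extra: a function's own `ret` pops the slot it was
# handed as "return address", which the next loop iteration accounts for.
EXTRA_SLOTS = {"ret": 0, "pop_rdi": 1, "puts": 0, "system": 0}


def aligned_at_entry(rsp):
    """SysV rule: at function entry rsp + 8 must be 16-byte aligned."""
    return (rsp + SLOT) % 16 == 0


def walk_chain(rsp0, chain, target):
    """Simulate a chain of return-driven transfers.

    rsp0   : rsp when the vulnerable function's own `ret` executes, i.e. the
             address of chain[0].
    chain  : symbolic slots (gadget/function names and their argument slots).
    target : the function whose entry alignment we want to know.

    Returns (rsp_at_target_entry, trace); trace lists (name, rsp after the ret).
    """
    rsp, i, trace = rsp0, 0, []
    while i < len(chain):
        name = chain[i]
        i += 1
        rsp += SLOT                      # the `ret` popped this slot and jumped to it
        trace.append((name, rsp))
        if name == target:
            return rsp, trace
        if name not in EXTRA_SLOTS:      # an argument slot where a gadget was expected
            raise ValueError(f"unexpected slot {name!r}: missing pop gadget?")
        extra = EXTRA_SLOTS[name]
        i += extra                       # argument slots eaten by pop instructions
        rsp += extra * SLOT
    raise ValueError(f"{target} never reached")


# Constructed base: in a well-formed frame the saved return address sits at
# rsp == 8 (mod 16), because the caller's `call` pushed it onto a 16-aligned stack.
RSP0 = 0x7FFD_0000_0008

CHAIN_PLAIN    = ["pop_rdi", "<binsh>", "system"]
CHAIN_WITH_RET = ["ret", "pop_rdi", "<binsh>", "system"]
CHAIN_VIA_PUTS = ["pop_rdi", "<got_puts>", "puts", "pop_rdi", "<binsh>", "system"]


def system_entry_is_aligned(chain, rsp0=RSP0):
    """True if `system` would be entered with an ABI-conformant stack pointer."""
    rsp, _ = walk_chain(rsp0, chain, "system")
    return aligned_at_entry(rsp)


if __name__ == "__main__":
    for label, chain in (("plain", CHAIN_PLAIN),
                         ("extra ret", CHAIN_WITH_RET),
                         ("via puts", CHAIN_VIA_PUTS)):
        rsp, trace = walk_chain(RSP0, chain, "system")
        print(f"{label:10s} system entered at rsp={rsp:#x} "
              f"({'aligned' if aligned_at_entry(rsp) else 'MISALIGNED: movaps would fault'})")
        for name, r in trace:
            print(f"    {name:8s} -> rsp={r:#x} (mod 16 = {r % 16})")
```

The walk also reports that puts itself is entered misaligned in the third chain (rsp ends at 0 mod 16), which is consistent with the comments: the leak worked only because that code path in puts did not hit an aligned SSE store, so the "fix" was a side effect of the extra 24 bytes rather than anything puts does. Changing RSP0 to a value that is 0 mod 16 shows the opposite outcome for the plain chain, which is why the same script can work on one frame layout and crash on another.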
I believe you can just pass align=8 to the ROP() constructor, and it will automatically align things for you. The default is align=4 (for 32 bit).
These videos are just absolutely brilliant! It's inspired me to keep going with my pen testing abilities on my own personal system(s). I'm not as advanced as others so these videos really help to understand the basics good sir
Thank you for the explaining is a more thanks thanks thanks thanks
3:30 that flicker tho
I've watched a lot of your videos lately, and I learn a lot from them in so many topics. I like "cut to the chase"-videos on RUclips, and your videos are great in that regard. You are exceptionally good at explaining complex challenges including many topics.
Just a thought: Have you considered recording while you're solving some of the CTF challenges the first time? I mean the more or less raw footage, including all your debugging, head scratching, etc. Don't be afraid to show that you're struggling because you are a very skilled man, and I'm sure your knowledge is far above the average viewer's anyway.
Just a thought. You obviously know what you're doing, and I'm very sure that your channel will grow very fast. :-)
Hey there Thomas, thanks so much for all the kind words! Appreciate it. I do actually screen-record when I am working through CTF challenges for the first time, if just to get the footage and potentially repurpose it for later content. I could potentially share that as video, but it might be barebones (no audio) -- unless I were to go back and try and do commentary over it (which would mean, like, two times the work ahaha). I can try it sometime and see how it goes!
@_JohnHammond Thanks for your reply! I totally understand that there will be too much work to do commentary afterwards. I would very much like to watch the unedited video without audio. I'll get your excellent commentary in your "walkthrough" videos anyway so there's no need to do it twice. :-)
@_JohnHammond hey John can you please explain what is the difference between the addresses returned by
rop.call("puts" , [elf.got["puts"]] )
rop.call("puts")
elf.symbols["puts"]
Thank you in advance
hey john how you doing today?
This prevents going back and forth for running the script. It listens for event and runs every time after the file is saved.
while true; do inotifywait -q -e modify "$FILE"; clear; python3 "$FILE"; done   # FILE = path to the script being edited (the filename was dropped from the original comment)
And Great video. Thanks
Great tips man ;)
Your CPU cores are overheating and throttling back, look at your video at 22:32. It won't go above approx 96 deg C due to its aggressive protective measures, but you lose computing power and it might need your attention to address it :)
Nice vid anyway, thank you!
awesome content
Anyone know if the Beginner Malware Analysis course can be found somewhere today (2023) since it's no longer being sold?
How do you get colored manpages again ? I heard some version of bad-man or something
bat - cat with wings on github
@MrJohnyBGood101 thank you!
John amazing video as always tho after watching the throwback one this seemed a little short 😂 also I think calling puts again overwrites to the registers and empties out space for system to load
thank you
Hey John, have you figured it out why do we need to call("puts") again in our second payload? 46:54
This video is insane, thanks! Cheers
Below, Alex Skalozub explains that "It is alignment issue because system() uses xmm registers to move data around, and they require 16 bytes alignment. Could be just one ret instruction to offset the stack."
hahaha nice video... classic: when code doesn't work we don't know why... and when it does work we still don't know why :D
Your binary exploitation tutorials are pretty nice
Hey john can you please make a vid on a ctf question using xss?
Can you give us a link to that "batman shell extension" you're using? I can't seem to find it...
Here it is: github.com/sharkdp/bat
@donfoumare Thank you so much!!!
Darn , I missed the premiere
I stg I come to this video every time I have to do a ret2libc attack
Hi there - I was wondering if I could ask a question concerning rop. Hi Peter - I hope this email finds you well. I've been unable to figure out how stack alignment works for a return with an offset not divisible by 4. Ret 0x0016 for example. No matter what I try the stack is always misaligned. If you have any pointers, I'd really appreciate it! Thanks!
I learned most of my RE hacking games; it's more fun than analyzing malware samples imo
How can we get the libc address remotely in the cleanest possible way?
What an excellent video, if you could make a video about Canary, I would really appreciate it.
Greetings from Mexico :)
I love the video but DAMN the price of that course IS HIGH!
the best
John, please help me. I've watched the entire thing and it's been extremely interesting. But, I seem to be missing an important, but seemingly basic, point. What is the relationship between the netcat connection (which is a remote server listening to a certain port, correct?) and the executable that you're inspecting? Somehow that executable, that seems to be running on your local computer, is opening up a TCP connection via netcat and then through the buffer overflow exploit you get a shell? I'm probably missing the point, here, but I don't get it. Please explain.
at first, he was testing with the local executable and once he got it working he just switched his "p = process()" with "p = remote()" since pwntools is pretty flexible when switching from local to remote it's as easy as changing one line.
That executable is the program running on the server and listening for input. It's common during these CTF to be given a copy of the server program so that you can pull it apart and find your exploit. Once you find your exploit (like with ELF), you create your payload and send that to the server to get the flag :)
nice
Need more buffer overflow videos
nice video
damn I wanna buy that course
I think you need more subscribers! You make awesome videos! And everybody who says something different! Hack them!
If anybody knows, Do you know what type of bash profile John uses? He usually said that he uses that to format output inside terminal but could not find it?
He uses this cat clone as a colorizing pager for man as described in the readme: github.com/sharkdp/bat
nice vid
What is assembly code
You ever exploit a binary instead?
One of the most fascinating parts about ROP is that you don't even need full instruction sequences, before the RET: you can execute suffixes of an initial instruction that then means you're likely executing fragments of subsequent instructions all the way up to the ret. The initial paper focused EXCLUSIVELY on these types of gadgets. I don't know if ROPgadget is doing this though.
Waiting
🙌🏻
Too
Hit my like button if you noticed the Dade Murphy easter egg
Anyone have the challenge file? It will really help to practice
Video starts at 2:25
Xmma?
Files rdx, dangerous files
Longest ad i've ever seen
Bro I am from India so brother plz I request u please Hindi captions on plz sir plz
and for the love of god put the env line inside the python3 file, then you won't have to call a script with python3; you waste a lot of time!
uh no, you don't, typing speed is what defines that. Takes literally a second to type python.
@oofme6749 what a noob would say!
More favourable and aesthetic for the audience to type Python and run it instead of env
@bruh_5555 the 1st line of a py script has env blablabla for a reason, so that you can just type ./scriptname.py and there you go, simple!
@JNET_Reloaded I personally enjoy typing out python because I don't find it needed to pass #!/usr/bin/env python3 at the beginning of the file. Also, "noob": I'm sure knowing more than 7 languages, being known for teaching others the art, also known to help small businesses patch vulnerabilities, a reverse engineering professional, doing it since 11 years old, doesn't count one as a noob.
It's rather noobish that you made a comment about somebody not putting env in the program rather than realizing that it works and runs the same way. It's really funny. Grow up.
you dont need quotes around a wget command either!
he said before it’s just habit. chill.
What do you mean ? Like for the URL part ? It is not necessary until it is, try to get that one : www.google.com/?smartass=JNET&PS1=maybe_not_so_smart
ur picture frames are not inline redo it lol
you need to stop with the blank lines and = things; it's supposed to be bla=foo not someshit = here < that's poor! plus as soon as you know it's vuln to a buffer overflow all u gotta do is put loads of chars in the nc connection, that's it!
For what he's doing white space is ignored and it makes it easier to read so why does it matter? Also, he's said before that he likes to automate his attacks once he figures it out because it's good practice. Sure he could have pushed a bunch of crap into the netcat but he doesn't have to. If you don't like it make a video doing it your way for people to watch.
Making it more readable is not only valid but also recommended and should be standard practice. The only situations where you wouldn't do that is if you're in a competition or time is the primary concern.
@WhiteHatHacking no, it's annoying, empty lines and shit, it's gotta stop. Basic auto takes out them spaces we've moved in from .bas files.
@@JNET_Reloaded lmao someone's never heard of PEP8 sit down dude.
@@kaushiksivashankar9621 its in the eye of the beholder tho i prefere not having lines just for 1 char thats messy to me!