This analysis serves as a sobering reminder that even mature kernels can fall victim to primitive logic errors like unchecked buffer copies. It expertly bridges the gap between theoretical exploit patterns and the critical necessity of defensive programming in low-level systems.
Install our extension to search inside any video instantly.
FreeBSD: a look at the FatGid vulnerabilityAdded:
So hello everyone uh welcome to my channel.
Today we are going to have a look at the fat G. It's a vulnerability with the local privilege escalation for FreeBSD.
Uh and it's going to allow a normal user to get root access.
This was disclosed, as far as I know, it was disclosed today. It's uh CV 2026.
Um yeah, it's um it was exactly today and um it's 7.8 in the CVS score. It's a relatively high uh score. And uh you might be thinking why am I talking about this? I'm talking about this because this this has been publicly disclosed and therefore um all the information is out there. So let me just see here. Uh I'm trying to find my stream to find online where yes I'm should be live here.
Um, I might do a So you um this is I I'm I'm doing um uh a live streaming now, but I might uh do a video out uh out of this.
All right. So um we have the fat g a four byte type an 8 byt stride one root shell.
Uh it's a vulnerability that affects uh the recent kernels for uh 14.3 14.4 15.0 and uh the kernel should be updated um immediately. Um there is some uh some misinformation here I think or at least um we are going to see the official uh statement from uh the security advisory. Um the freebies 15 the surrounding codes differed for enough that the chains were uh do not lift overflow into a local privilege escalation on that branch. The bug remained a kernel panic triggered by an unprivileged user. 15.0 is now patched as well.
Okay. Uh we are going to have a look at the hi nice to nice to see you here.
Uh so uh interesting topic today. uh buffer um um um uh local privilege escalation was just released today and um yeah there is a proof of concept in um in GitHub um so there's um it's p there are patch patches available and uh the interesting thing there's lots of technical description here it's really interesting to read but there is a a a GitHub page where Um everything can be downloaded.
Um this is probably in the new age of AI that you just get those things really fast. Um okay and let's have a look at the official security advisory. So this was announced yesterday.
Um it has been corrected in the version 15 stable 15 uh so release P9 in the 14.4 4 14.3 so uh 4.4 four is P5 and or for the 14.3 is uh P14.
Uh background the system calls are programmatic interface uh are the programmatic interface through which user space processes request services from the operating system kernel providing a control boundary between unprivileged application code and privileged kernel operations.
Um, it's a system call. The set credentials is a system call. I think it was relatively newly introduced into the system which enables a privileged process to atomically set its full credential set including the real, the effective and the saved user and group identifiers as well as the list of supplementary groups. This is intended to be used by programs such as login and pam the plug pluggable authentication module um so by pam aware authentication frameworks that must transition a process into a target user context in a single race-free operation replacing the need for multiple discrete calls to set UID set group ID and set groups.
The problem is that the that there is a buffer overflow. So let's see. Um the set credit system call is only available to privileged users. That should be the case. Yes. Uh however, before the privilege level of the caller is checked, the user supplied list of supplementary groups is copied into a fixed size kernel stack buffer. This is uh a problem without first validating its length. This is typical. Mhm. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.
The stacking the smash for fun and profit uh was released. When was this?
In I think yeah in the yeah long time ago. Um the impact because the bounds check of the on the supplementary group list occurs after the kernel stack buffer has already been written. An unprivileged local user may trigger the overflow without holding any special privilege which is a local privilege escalation.
This will allow any user to become root.
Successful exportation may allow an attacker to execute arbitrary code in the context of the kernel allowed an unprivileged local user to gain elevated privileges on the affected system.
The solution is to upgrade the system because currently there is no workar around available. And here you see the steps that should be taken to do it. Um I'm not going to go into the detail. Um but and here are the patch the patch sets that um are available for the different versions and yeah here is an example of a fix I took here for 14.4 four. This is the hash. So here in the uh GitHub, this is the commit hash and um it has been committed two days ago. So it's available. You can um download this uh patch set and um yeah, it's a a fix for the buff overflow.
Uh it's already available in all of these uh um all all of these releases, all all of these versions. This seems to me from the timeline as it's uh written here that this was a responsible disclosure. So there's I think there's a timeline. Yeah, the timeline here this was known already since a couple of days. The SEC team was has been notified. Um the local uh privilege escalation proof of concept uh was um um yeah I for the PS5 I don't think the PS5 will be exploited but That would be an interesting thing. Yes.
Um Yeah. And the So they were yesterday there was the the patches were released and today the uh they pro they also published um security advisory and the public release of the write up and proof of concept.
uh the proof of concept I have here a a virtual machine running um let's see I will start uh here the machine let me see um uh the uh the main I think it's this one here yes this you can you can see it a little bit more close um I've just installed this machine and I did a little bit of a tweak that I'm not going to discuss what I did because um as it is the proof of concept that you download from from the repository it's not working. So I I made made this to work and I'm not going to be discussing how I've done uh how I've done that. Uh so what I'm going to uh to show you is that I created it's it's um it's a FreeBSD 14.4 4 and uh uh I it's it's at 14.4 release.
Yeah. And here as a unpriv unprivileged user I put the set credential.zip and this is just a download. If you go to the to the GitHub this is just a download here of of of the zip file. Um, so there is a uh can you play Steam games on any VST? I think you can with the Lin Linux later.
You can play you can play games on FreeBSD.
Uh, I'm not a gaming expert, so but I think it's possible.
Um, yeah. And so I I did this. So I'm going to unzip the credentials here. this um this exploit set credential main and there is here the exploits this is exactly what you get from the website.
So I think we need to move the make file into uh remove the extension that they that they added and is just make and uh as as in the website it creates um it creates two files the wrapper and the x uh set creds whatever so two files here I think the wrapper we don't need it what we need Please make install.
Yeah. And it copies the a file to /tmp / rsh.
And if we look at tmp rsh, it's um it belongs to test. It's u and to wheel and it's not a setid binary. So if I execute this file, it's not going to do anything in the system. And now comes the bad thing. Of course, I can run the credentials here uh this this um this executable.
And um as in the website um here um you run the things and now if you look at the if you look at the file now you see that it became root with a set ID. Okay. So this is now the exploit. So you can you can just run tmp rsh and I'm currently root who am I id and uh the user the the user test has no um uh has no privileges to um to become root. So but now it's it's it's root on the system. So yeah that's the that's the bad thing.
So, and on top of this, you can see that this is really very um um very easy and very stable.
You just need to have a little bit of delta knowledge to what has been published to get the things up and running. Um yeah, and so maybe maybe we what we can try is to do an update of the system. Um, I've not done this before, but we could try. Let's see the security advisory actually.
So, we should fetch apply the patch.
Uh, or FreeBSD update fetch. PBSD install. Okay, let's let's try that. Pre um PBSD up fetch.
It might take a little bit of time to do this.
Um, and here is the the part where if I'm doing a video editing, I'll just accelerate these things because it will going to take forever.
Oh, and why am I running this with a with a hex system? And let me just log in as as root.
Okay. Uh, previousD update patch. Uh let first um yep it's running free PST update fetch.
So it should it's running in in the local machine. And now let's try the fetch again. So this is um yeah update your vulnerable system uh or ARM platforms is interesting because here in the fetch G they refer to the problems.
Oh I see now you're having the screen cut. Uh so maybe I that was just to see it before a little bit better. Um the where I'm going to tell you in soon what the SMAP SMB is. Um and it requires only that ZFS is loaded. So that's with a ZFS pool. So and currently this system has a ZFS pool. Yes, Zet or ZFS. I I don't know how you want to pronounce it.
Um yes and what did I want to say? I I I forgot. So it it's doing the fetch. Um let's see the the mitigations that are actually available for FreeBSD. Um I know that there is there is a a different system. Let me harden BST. So let's uh it's a really really nice uh FreeBSD distribution by Sean Webb. And they have here um they have here a list of mitigations. Where is it? Um hardened wiki.
I think is it bad gateway? Not good. Um hardened wiki mailing lists. Harden latest builds about. Maybe it's in the about.
No.
Interesting. Um, there used to be a link here somewhere. I think it's in the wiki or something which lists the ah feature comparison. There there it is.
That's what I wanted to to to check. Um, uh, I'm not sure how up toate this is.
Um I think this is a little bit biased and is not really up to date because for example I think PIE is already available in FreeBSD but it says here no it is not available and it's conf um here comparing the hard BSD distribution to FreeBST Open BSD and NetBSD and the Sean has been really busy um getting uh mitigations uh in harden BSD.
So if you really want security, I I uh advise to go to Harden PSD.
They have really lots of very good um protections here. Of course, again, FreeBSD is a little bit naked here. Um but I think the list is not up to date and not everything is some of the things are maybe a little bit paranoid you know but uh you know that security um an attacker just needs to go for the weakest link. Yeah. So you need unfortunately it's not a symmetric thing. Someone that is installing a system has to protect against all the possib all the possible attacks. someone that is um attacking the system just needs to to find one bad thing in the system and um and therefore they have here quite a lot of uh different mitigations but but let's see the mitigations that are available in FreeBSD in the official documentation this is 15.0 zero the release. So they there you go for example it's we are not so bad yeah the ASLR address space layout randomization this means that when the software is loaded in the when you start a program the addresses every time they look different means that when you do a buffer overflow you cannot predict easily where you need to jump to take over to to do arbitrary execution uh position independent exe executables.
You need both of the things for the ASLR to to work. If you have ASLR turned on, but the program is not compiled with position independence uh turned on, then it it just loads every time in the in the same uh memory and it doesn't work at yet.
The exclusive uh or execute page. So, um I think this is related. It's probably described here. Uh yeah, this all the tunables and all the things. Yes, the wx is a vulner that strengths the secure by controlling memory access permissions.
If I'm not mistaken, it's going to make the stack non-executable u prevented uh ex in in areas of memory that are designated as writable and writing is restricted as of execution. Yes. So it's not only the stack, it's other memory locations.
Uh okay. Uh prom max. I don't really know what this is. Um it's but um I think the hardware still. So I saw here somewhere promax.
Um the rail row is an interesting is an interesting thing. So when you load a library it it does it needs to relocate the symbols in the in the symbol relocation table and if you load the binary so the normally when uh it's a speed up mechanism that you have that not all the symbols are are uh resolved when the binary starts because it can for a large binary it can take quite a lot of time to resolve all the symbols and it will take some time to start a binary. So what you do is lazy binding and this means that your allocation table needs to be writable.
Uh and one way to uh to attack the system is to replace the address of for example of printf or open or any function that is typically loaded by your software and you you change if you know the address of this uh this dispatcher table then you can patch it and you can call your own function and the railroad basically makes this dispatcher the the table read only but it makes the program start up a little bit um a bit a little bit slow if I'm not mistaken. So the bind now it's probably the it's probably saying that the binding needs to happen at at the start stack overflow protection capsicum microode. So there are lots of vulnerabilities that are in the freebst kernel. Let's let's see how it's still trying to fetch. I think we're not going to to be able to make the the the thing today.
Um, oops. Where where was I? I was in the mitigations. Yeah. And we have here in the in the page the mitigations. We have quite a lot of cool things that are described and u we could turn on the SLR. We could um turn on the uh position independent files for 64 uh for 32bit etc. Yeah, it's um what is the prom max extension to M map product provides the ability to set the maximum protection of a region located by M map and later alder by M protect for example memory location originally with an M map of pro read pro right may may be made rightable by a future but may not be made executable. Okay. So if you are able to write to some place then uh and read then you don't want the to run code there. That's that's one of the protections.
So um the thing um since this is not really installing the point that uh that we have here that so many you you can definitely do lots and lots of mit mitigations and the problem is that some of these mitigations they might break software.
Okay. Um they might might break software uh because they are a little bit too aggressive. um and some software maybe for example um for the the M protect and so on there might be some software that needs this feature for whatever reason it it could be considered a malicious feature yes um but uh yeah what what I'm trying to say is that you need to test quite a lot of software so that's uh one of the reasons why things are a little bit slow and why also in the open BSD as far as I know um they tend to dive deep into the into some mitigations but they are also testing quite a lot of the ports in the port tree and they are migrating quite a lot of um quite a lot of features in the port tree to support new features that they include.
One of the really really nice features that OpenBSD has is um um the pledge. Yeah. If you I don't know if you heard about the pledge but um so uh open BSD pledge and unveil. Exactly. It's the it's a really uh it's a really nice thing. Basically you have some promises and some execution and you are pledging you are saying okay from now on I'm only going to use this and those types of system calls and no others and as you go over the execution of the program at some point in time for example you might drop uh from the pledge saying I I don't want to open at this point in time I don't want to open any more files and the colonel is going to say okay if you if you're saying that you don't want to open any more files from this point on if an exploit takes happens and tries to open a file because your software will not open a file it did the pledge I don't want to open any more files and if for some reason you start you end up by opening a file the the process just get shot boom just says no you you are not you are not doing what you what you promised. So there there it is.
Bye-bye. Uh no more no more run uh no more running for you. And a couple of this mitigated by this kind of stuff.
What's the Linux way of doing pledge?
That's um a very good thing. I think pledge was ported to Linux. There's an equivalent pledge pledge uh in Linux uh open BSD API ported to user space.
It's with a sec uh Berkeley packet filter implemented in uh in this one here. I don't think that um in I don't think that you have um pledge.com. Okay. Linux port and Cosmo.
Okay, interesting. Um, and this was the original in 2015. So, you see this is this is more than 10 years old. So, Theo presented this the the pledge. He he did a really awesome presentation, I might say.
As far as I know um pledge does not um uh is not implemented in the kernel in the Linux kernel but you see here some libraries um which are uh which implement uh using um sec security whatever I don't remember what is the comp uh part of security um all right let's let's see here so yeah I I I don't see I don't see this running now. But then um so I I cannot show the mitigation. I don't know why it's not fetching. I I think I might have some problem with my with my system. Uh I wasn't I was not supposed to do this now. Uh but I I think I I showed um quite well. Or did did I read this until the end? Yes, I think so.
So it was the um the main thing is uh that unfortunately was not able to do is uh to update the system to the latest versions. You see that this has for the uh for the fetg um there are uh mitigations already in place and that that is really really good. Okay. So responsible disclosure is always good.
Um so we can um the technical details are really really interesting. Um let me try to boot another machine and I'm going to show you something that I've developed recently. I don't think that this is available in in the system yet. So uh box run. Let me see.
No, it's not available yet. that I um yeah a couple of days ago I uh created a new port which is a sandboxed execution for programs. If you know bubble wrap um in Linux this is doing something similar to that. So bubble wrap uh containers bubble wrap yeah it's not uh low-level unprivileged sandboxing tool used by flatpack and similar projects. Um it's it's actually a quite nice thing. uh FreeBSD does not have um uh uh so many um things. So the this I I think they they they rely on name spaces and yeah user namespace, IPC namespace, P and so on. These features are not enabled in FreeBSD. But we have jails and we have other stuff. So let me let me go here and start um with root um root. Yeah. And I think I have man box run. I've Yes, I've installed already this program. So this was is going to be provi is provided by myself and you are going to be able to uh pkg install this very simply. Okay.
So, Boxr Run creates isolated execution environments. It's a sandbox using Free SP uh FreeBSD's native uh security primitives. It uses jails for file system and network isolation. Null file system mounts for selective directory exposure uh exposure resource control for resource accounting and control and pro control for process security features. provides fine grain control over file system visibility, network access, resource limits and security hardening. All features are enabled by default. So when you start the process with box run, it's going to make sure that ASLR is turned on and all these features for example that you cannot debug bit trace is denied and it runs security level three. So very very very uh hardened um turning on lots of features.
Optionally if you are using a PFI wall it can do net and allows to have um uh outbound connectivity with port forwarding.
Oh um uh interesting from GPT5. Hopefully it's not is not uh hallucinating. Um but uh FreeBSD11 yeah it's it's probably it's probably correct. Um I don't think that they are updating always to the latest and greatest. So and this means that the fetg is not going to uh cannot be affect cannot affect those systems because the set cred was introduced in I think it was FreeBSD version 14. So if it is if they say it's version 11, then it doesn't have the set crap.
Okay. Um let me show you a little bit more about the about this program. Um maybe instead of doing the things like this, I can zoom in a little bit. You can see a little bit better. Yes, you can see the the the screen a little bit better.
So you have uh you have some really nice some really nice explanation and uh if you're using jails or if you're using podman and so on in FreeBSD, this program is going to I I would call this a poor man's jail.
it it it doesn't pull things from anywhere, but it's just going to make the programs that you're running have a look at the operating system in a in a slightly different way. So, and it it works a little bit like bubble wrap.
So, I I'm going to show you already. I'm going to show you how it does. So, you you can bind directories when you run a program. It doesn't have uh it's it's it's like you do a ch root and it has absolutely nothing inside.
And instead of downloading a jail, instead of downloading a system that you are going to mount, what you're going to do is you're going to mount the files that are in your system already. So you don't need to do um uh you don't need to do anything special. And you can bind directories. For example, if you want to run shell as sh, then you need to bind the slashbin, you can b you can bind the /bin directory and it's going to be visible, but it's going to be mounted read only.
Uh it's typically the ro bind read only bind and you could eventually do a read write bind for whatever reason you might want to do that.
You might want to do a redirection. So you take um a a destination with a source and you say well the bin I want it in slash I want to call it binaries I I don't know and then you you you can do that and you have the binder the ro o binder rw binder and if you write d-bin then it already knows okay you want the bin directory if you d- s bin it mounts bin user bin user spin etc lots of the local bin and so on. You can read this stuff and then there are other shortcuts. If you want d- libs then it's going to say okay I will mount all this this libs uh / lib lib execu uh user lib lib 32 etc etc. uh dash user. It's going to mount the user, the typical ones, user bin, user spin, user include, user local, um user local bin, etc. Probably the most interesting is the system mount bin bin and all of user directories and all is going to mount everything plus the /c/var read only.
Notice that uh I think I did not show yet that the devices are mounted. So no no access to devices.
We can have read write on etc etc. So you you are creating a jail that looks on the system that you're currently executing. So you're not starting you're not pulling a jail from anywhere. It's just you you changed your view of your system.
tmp uh rewrite the tmp fs um is going to create a world writable but it's going to discard the things uh when you exit the d-dev is going to allow you to see the devs inside the box d-prock is going to allow you to see the proc fs lin proc and the base deer is uh yeah some other things here overlay you might want to allow readr right on for example /bin but you don't want the your base system to uh to change so you do an overlay means you mount slashbin as an overlay and you can delete files no problem when you stop u box run everything is everything is back because you you never really change the underlying system so uh that's the overlay um option I need to charge the And you can do the OV for lots of other things. So the OV all uh OV save uh the OV save is actually interesting. So if after it exits the you run some software and after it exits it it saves you the differences that happen in the system.
So it's it's really cool if you want to run a system and a program and you want to see which files have been modified um then you run with overlay save. It just runs the it's just going to run the files and um it's it it's just going to run normally and then at the end you can see the files that that that the system modified. Yeah.
Um you can also see say no dev no proc.
So if you do the dash all and so on for example and and some other stuff is coming there then you could say okay I don't actually I don't want those things. So it's you first you say I want those things and then maybe it comes too much stuff and then you say I don't want uh um I don't want that um networking you can say allow net which is an alias to slashnet it's going to allow network connection inside the inside um the the box and no net is the default one you don't need to write this it's deny access.
What is not written here is that uh raw socket IP raw sockets are not are not um are not allowed net uh if you have PF running it can also do net and you can expose like a docker kind of a docker container the host port and the jail port uh on the interfaces and you can do those things.
So for example, if you say 8080 on 80, then you access on port 8080 um what is running on the jail on port 80. That's that's pretty cool. I think >> um net subnet net eress and you for this you need some interfaces and either you configure those things by uh on /c/rc.com or you tell every time okay create the interfaces and it's going to create the interface for you.
Um environment variables are not passed when you open a program. Um the clear end I think this is yes it's the default so no variable uh no variables are passed inherit invar environment so whatever environment variables you have are going to be passed to the pro process that you are executing the set environment you can set some uh some environments and you can pass some environment variables some specific ones uh the term variable is always passed um I think that's a cool resource limitations. The programs that are running in this box can be limited in memory, in CPU time, um, and wall time. You say, you are running this pro process, but I don't want it to run more than 10 minutes. After 10 minutes is game over, and then it goes away after 10 minutes.
You can run the number of processes that start. If you if you box shell, shell can execute some other processes inside.
And you can say well in this jail in this jail that I created I don't allow more than one process to start. So means you can start a shell but you cannot really run any more commands.
number maximum number of file descriptors uh the bandwidth you can limit and the u IO um IO operations you can also limit the um the d-secure that's that's the default it means all the settings are turned on the d-prace so when you start a program pre-trace is not enabled but you could d- allow petrace uh so no pet trace that's Default ASLR is enabled by default. No new privileges. So um the us is going the set user ID set group ID are is going to be ignored. Um so uh means that in this case for the fetch ID it's uh maybe you can change the pre the preference the the the the settings for for for a program. But if you run it in a box and you don't allow the privileges, then it's just going is going to ignore uh those things. Um um prom max is going to in uh implicit um um memory uh mapping protections. Um the node wx. So you you see there's I can go here uh stack page and it's all the settings that I could find that could be enabled is basically uh are basically there. So allow mounting. So because typic why is this allow? Because you have everything turned off by default. So you need to enable things u uh itself. Yeah. Allow raw sockets. Uh allow set host host name for programs to set host name, allow system vipc and no nested jails by default. And this is an interesting one.
uh the if you by default the super user inside the jail is not root although it looks like root it smells like root it tastes like root it's not root so um to enable uh the root inside the box to be root you need to allow s user so allow super user privilege for root inside the jail by default UID0 inside the jail has no super user powers uh Because with great power comes great responsibility.
So it pre prevents privilege escalation even if root is somehow obtained in the in the inside the box. Uh this flag reenables the super user privilege and is required for operations like raw sockets for ping binding privilege ports or changing the host name security level. Um we have uh typically uh freebst starts at secure level zero.
I I never I think I never did a um a video on this on this this thing. This is part of the Mac the the I uh it's not the medium access control.
It's the the Mac framework. Um it's um I I forget it. It it's a security feature.
FreeBSstra work mandatory access control. Yes, sorry.
It's part of the mandatory access control. Why did I forget this? Um, and there are typically a couple of labels.
No, I think I did the the I Yes, the BA and so on. I I had a video on this but they also have um some other things here in the lockdown available mac policies there's the the level the run level sod run level uh run level mech single yes does not Yeah, yeah, yeah, yeah. No, no, no, no, no. This is not the run level as it is. Let me see if I Oh, and the pages were not. So, it's the it's the secure level. I think it's the secure level. Let me Oh, you're not seeing the page as it should be seen.
So, let's put the things here. Previous secure level.
Yes, I think this is Yes. security the mitigations there are a couple more things here where is it securing run yes that's that's the thing here so there are a couple of um a couple of security levels that you can run uh freebst on and I think typically it runs in level zero which is the insecure mode um if you go to level one the secure mode it uh um it it it's described typed here uh a little bit the kernel so for example the kernel debugger might not be entered um so flags may not turn be turned off um discs mounted here blah blah blah may not be opened for writing and etc. So it's this is the first level. It does already some hardening.
The level two, the highly secured level is the same as this one here. Plus the discs may not be opening for right writing mount is uh uh not there. Uh preclude sampering with file systems.
Unmounting them in here. So you cannot mount unmount systems.
And in level three, this is the secure mode is the take whatever is in the high mode and plus IP packet filter rules uh cannot be changed. You cannot uh you cannot change the firewall within level three. And in FreeBSD once you go up a secure level, you cannot go down a secure level. You need to reboot the machine to to to have those things running. So and and here exactly it's a small summary. Zero is the insecure no restrictions. The secure mode one no kernel modules no immutable flags are enforced. The two is the highly secure and three is the network uh the network secure and uh inside box the jails that run run all of them run in secure level three.
you might want to lower when you start the box. But if you don't give this parameter, it's level three.
Identity of the user. What is the user that's going to be run um inside the inside the box? Uh what is the host name?
Um yeah, and that's it. So there are a couple of examples here. For example, let's start. We could start bin ls uh on /bin and we could do box run. We want to mount the bin directory, the dev directory and we don't want network. So let's let's try this. So let's start as root and let's try uh I think I will zoom again because I'll be working the machine. I Oops, that's the wrong thing.
Yeah, that's the the correct one.
I might be doing a video afterwards on on the box run.
Uh so box run. Uh at first let's do a show. It's it was written there I think.
Let's go to the to the page. Yes. And there should be a dash dash display the sandbox configuration. So when I just do box run show, it's going to tell you that uh the there's currently no command going that's going to run. Uh the lib exec is b is bound with read only and / lib is also bound because those are two typical things that you always need but it's as read only. It's fine. Network no network. Uh it's the caller's identity.
In this case I'm root. It's going to be root but remember it's the fake root right no environment variables security p trace is denied set host name and so on so lots of stuff is denied so let's um box run um ls no such file or directly why because let's put here the show because it's not there let's Um let's try dashbin.
And now you see ah now the /b pin is there. So I mount this one here. So let's take the show parameter and ls.
Voila. This is uh we are running ls in in a sandbox. Okay.
So ls-la.
I think we need to do dash here. ls-la slash. So this is the this is what we see. We see the bin directory, the lib directory, lib xa and I think the documentation is wrong. I see var also.
Let's actually see what is inside var.
var run.
Mhm.
Uh oh. Okay. Ldlf so hints. I forgot to document this this part. This is for the the the loader to be able to find the libraries.
Okay, I think I can try here. En what are the environment variables? Oh, no such file. Which enth?
User local bin. Ah, okay. So then let's let's not mount bin but let's uh bind user local bin. Okay, I think uh use a user bin. Sorry, user bin. Let's just bind this one. And um and now with a dash show you can see well uh user bin is now mounted as read only because I'm asking that that that thing and we have here um yeah and we have the n only one environment variable is available possible to sandbox an yeah for sure it is for sure it is possible Um it is possible to do it. Uh let me let me show you the the other things. So sorry let's uh let's get the bin here and get the shell. Okay, I started the shell now.
Term cap uh database is not there. So using dumb terminal settings. Okay. um ls ls is there. So as you can see I started the proc. Let me go to the other terminal that you see that this is actually uh this is actually uh let's start let's start another one here that this is actually a jail. So if I do JLS for jails, you can see oh there is under tmp box run there is um there's a jail that has been mounted and this is what is allowing box run to um to do the tricks that it's doing. So if you go here I exit this. So no more box run and I go to the other and I type in JLS.
Those things are gone. Huh.
So I uh did not try yet an X11 application but for sure it is it is possible because you can you can do whatever you want here basically. Uh the reason I created this application is because I also use this at work. So um yeah it's uh I I do funny things um at work.
Anyways, um let's with the with the shell. Do we have ping? Ping not found.
Oh. Oh boy. Where is ping? Which ping?
Spin. Okay, let's mount spin. Spin. So, I'm asking for the pin and spin.
LS. Now we have pin and we have spin. Do we have ping? Yes, we have ping. Ping.
8888.
Operation not supported.
It's not supported because we don't have network. Okay. Then let's add network dash network ping operation not permitted because ping requires raw sockets. Let's add raw sockets. Allow uh raw sockets.
Ping.
It's not permitted. Oh god. What is it happening? Why is it not allowing?
Because ping is a set UID binary. Yeah.
ls-l ag uh user bin user bin ping.
Uh which ping which not found. Uh where was it? Where was the ping? Which ping? Not ping. Ping spin. Yeah. Yeah.
LS L A S pin ping.
Yeah. And you see that this is a set UID binary. A set UIU ID binary for root. So here zero. It doesn't know how to resolve this. I think because etc is not mounted. Yeah. Oh, it's only resolve.com only. We only have resolve.com here.
Um well I told you that we are not super user inside this. So although I have a hash here who am I this is uh well uh yeah where which who am I? Who am I? This is user bin. Okay let's mount that also.
All got bind user pin and who uh user bin user bind bind not bin bind. Mhm. Who am I? I'm actually zero. I'm root.
Um the S uh in the thing the S stands for as user. Um as user it's the oops S user.
It's the where is it? The S.
Uh allow S user. Where is the S user?
It's the super user.
Yeah. Super super user is disabled.
Exactly. This is the S is for the super user which is root. Root is a super user. But there is a distinction here between being root having super user privileges and being root without super user privileges. So effectively the root is not root.
So for ping we need to be root really.
So um and this we uh we need dash allow as user user and now ping 8888 and oh still not there because because the devices are not there. Oh god I forgot that. Okay then d-dev.
Okay ls slashdev is there ping 8888.
Hey, finally finally we have uh we we can ping but as you can see this uh this uh box run uh really limits uh a lot what you what you can do in the in the system right here I'm doing all the all these things um let's say I wanted to do an X11 application or something like that well I I could just say all I don't care give it all d- network super user I don't need to bind this anymore because user user bin is already there so I say I want everything I want network I want raw sockets I want the super user to be super user and I want devices ping 88 and it and it works um but now I'm I'm in this machine Now, let's do some some really cool thing.
So, okay. So, I'm going to run again inside the box. Okay. And remove everything. This is the disaster command, right? Do you want me to press it? Let's do it.
May not be removed. Okay. /bin readonly file system. Uh, can I do anything here? What? Uh, lip or spin?
No, everything that is mounted is mounted as read only. Let's go to the other terminal. Okay, here again with JLS and um as you can see we have again another box here and DF we see here all the things that are mounted here. Okay, so um yeah, the it's not very nice. I think mount shows a little bit better. Yeah, it shows a little bit better. Um, so we have these lots lots of stuff are mounted in in in here. Yeah. So it it does all of this automatically for you.
Pipe less. Um, so under slash pin you have the you have the Yeah, it's /bin is mounted under TMBB box and so on. not set ID, no set ID, read only, all of these things are really really bad. Okay, dev FS is is bed and and whatn not. So if I want um I want to have an overlay system, let me see. Hopefully I don't have a bug in my software uh with the stuff I'm going to show. I I can reset the machine at no problem. Um, by the way, maybe it's not a bad idea to to take a snapshot now. Uh, hello. Yeah, take snapshot just in case. So, okay, let's go to the console and allow super user. Let's forget about this allow super user and raw sockets and whatnot and the network. I don't care about this, but I want uh overlay bin and ov bin.
Um Mhm. It's not going there. OV dash overlay.
Verlay.
Okay. Verlay.
Yes. OV bind. Ah, okay. I don't have OV all. Mhm. Okay. Let's Let's just go for the OV all. I didn't implement the other ones. It's the OV bind. Okay. Okay.
Maybe I wanted to show that. So, OV bind slashbin.
Okay.
Resource deadlock avoided. Okay. I have a bug in my program. I need to to check that. Uh then let's let's just uh do the following. dash all ovall ov-all okay so now I have the entire system kind of available to me um with the bin dev and so on and now under slash bin I have all these files that's uh let's let's actually go to user local bin okay here I'm going to remove all of these things. Boom. It's gone.
Hey, no more files in / user local bin.
Yeah, it's gone.
Let me exit the box. Let me start again.
User local bin. Oh, everything is there.
Because it's an overlay thing, meaning you want to change things, go ahead, change it. It's not affecting the file system. It's not affecting my file system.
Um yeah, very very simple, very very elegant, I I think. Um let's let's try again the shell. So do I have uh GDB? So GDB not found. Okay, then on the main system pkg install or search search GDB. I could use lldb.
I'm just a little bit lazy.
uh GDP. Okay, then let's just install.
Let's just install.
Uh uh yeah, RM takes a wild card. Yes. Yes, it it can take a wild card. There is um ah there was a really nice there was a really nice um uh Yeah, let me open that one. So, Google the Unix haters handbook.
Yeah, this is it's a this is an old one. You might want to check this book. It's it's a really cool a really cool book.
Um, if you don't know if you don't know this, the Unix handbook.
Um, our LSD our LSD and uni. Okay. Um uh when was this published? This was 1994. First printing 1994. Yeah, it's available online from MIT from the website uh to Ken and Dennis without whom this book would not have been possible.
So let's let's read a little bit because you are asking about the star um and uh table of contents forward things are got a lot the Unix status contributed blah blah blah Unix uh sex drugs and Unix standardizing unconformity unconformity Unix myths welcome new user cryptic command names accidents will happen and so on the Unix attitude documentation online for programs not for users and so on. Send the V the Vietnam of Burger. Okay, I post for IM. Okay, let let's go here.
Let's let's let's see some really cool things here. I'm I'm diverting. I'm always diverting.
Let me just see the Unixators, the Vex.
These are really old. 1987. My god, this is this is long time ago. The pros and cons. Come on. Come on. I I remember reading this thing here. And there is uh I almost thought, okay, what is Simon and Garuncle doing here? But it's Simon Garfinkle. Okay, good. Uh then so on. Um let's conventions, the unit haters disclaimer, blah blah. Come on. Sorry you are seeing lots of stuff scrolling um anti forward yes your judgments blah blah blah bonapeti okay I think from Dennis Richard this is worth to read I have succumbed to the temptation you offered in your prefer I do write you off as an as envious mal contents and romantic keepers of memories the systems you remember so fondly tops me identics list machines are not uh just out of pasture they are fertilizing it from below you're Judgement are not keen. They are intoxicated by metaphor. In the preface, you suffer first from heat, lies, and malnourishment, then becomes prison in a gulag. In chapter one, you are in turn infected by a virus wrecked by drug addiction and handled by puffiness of the genome.
Yet your prison without coherent design continues to imprison you. How can this be if if it has no strong places? The rational prisoner exploits the weak places, creates orders from chaos instead. Uh okay. Uh I thought it was a little bit better. Bonapet. Okay. No, let's let's continue. I wanted to get into because we were discussing about the dashes and so on and two of the main project of RSD and Unix. I don't think it's a coincidence. Okay. The so they say yes they say Unix is the first computer virus. Um, viruses compete by being as small as adapt adaptable as possible. They aren't very complex.
Rather, they carry around the baggage necessary for a types like respiration, metabolism, and locomotion. They only have enough DNA or RNA to get themselves replicated. For example, any peculiar influenza strain is many times smaller than the cells it infects yet. It successfully mutates into a new strain strain um about every other flu season.
Occasionally the viral lance goes way up and the resulting epidemic kills a few million people whose immune systems aren't nimble enough to kill the invader before it kills them. Most of the time they are nothing more than a minor annoyance and avoidable yet ubiquous.
The features of a good computer virus are very small. Verus don't do very much, so they don't need to be very big.
Some folks debate whether viruses are living creatures or just pieces of destructured nucleotidic acids and protein. Portability. A single virus virus can invade many different types of cells and with a few changes even more.
Animal and primate virus often mutate to attack humans. Evidence indicates that the AIDS virus may have started as a Simeon virus. ability to commander resources of the host. If the host didn't provide the didn't provide the virus with safe heaven for and energy for replication, the virus would die and so on. So, and here Unixes possess all the hallmarks of a highly successful virus. In its original case, it was very small and had few features. Minim minimality of design was paramount because it lacked features that would make it a real operating system such as memory m files, high speeded input output robot fther.
A more functional operating system would have been less portable. Unix feeds off the energy of its host and so it can read. This is this is gold. This is gold. the history of the plague, the roots of the plague date to 1960s and so on.
And but I there's the dash here. Come on. Sex, drugs, and munics and so on.
Standardizing and conformity. Come on.
It it I I'm sorry I'm again scrolling very fast, but I'm searching. I'm there is um there is a reason for this madness. Welcome user. uh the logical command cryptic yeah cryptic command names such as cprm and ls so that no one can know what those commands are um uh after that there is the excuse for continue this transition the impact of aka existing code blocks if a vendor replaced RM would say remove then every book describing unit would no longer apply to its system and every shell script that calls RM would also no longer apply such a vendor might as well stop implementing the posik standard while while he was it. Accidents will happen. So, um, yeah, there we go. And here we start with the RM thing. So, let's see here. Accidents will happen. I think I found the section I wanted.
Users care deeply about their files and data. They uh they use computers to generate, analyze, and store important information. They trust a computer to safeguard their valuable belongings.
Without this trust, the relationship constraint. Unix abuses our trust by steadfastly refusing to protect its clients from dangerous commands. In particular, there's RM that uh that most dangerous uh commands whose data is deleting files. All unique noviceses have accidentally or irre irretrievably deleted important files. Even experts and CS admins accidentally delete files.
The bill for lost time, lost effort, and file restoration probably runs in the millions of dollars annually. This should be a problem worth solving. We don't um we don't understand why the unique senti are uh in denial at this point. Does misery love uh uh does misery love company that much? Okay.
Files die and require reincarnation more often under Unix than other operating systems. Here's why. The Unix file system lacks version numbers.
Okay. Automatic file versioning which gives new versions of files new names or a numbered extensions would preserve previous versions. This would this would prevent new version. Okay. Then it's by design. Unix programs have a a criminally lax attitude toward towards error reporting and checking. Many programs don't don't bother to see if all of its bytes in their output file can be written to the disk. Some don't even bother to see if their output file has been created. Nevertheless, these programs are sure to delet their input files when they are finished. The Unix shell not its client's expense star.
Having the shell expand star prevents the client programs such as RM from doing any sanity check to prevent murder and mayhem. Even DOS verifies potentially the dangerous dos. Yeah.
Commands such as Dell star under Unix.
However, the file deletion program cannot determine whether the user type rar or rm these things. And we can check that because echo oops echo star is actually are actually the file names. It actually expanded the star into into that thing. Yeah, good. Uh this situation could be alleviated alleviated somewhat if the original command line was somehow saved and passed uh onto the invoked client command. Perhaps it could be stuffed into one of those handy environment variables. Okay. File deletion is forever. Unix has no unddelete command. With other safer operating systems, deleting the files marks the blocks used by that file as available for use and moves the directory enter entry for that file into a special directory of deleted files. If the disk fills up, the space taken by deleted files is reclaimed. Most operating systems use the two-step delete and purge idea um to return the disk blocks. Um this isn't rocket science. Even McIntosh back in 19 in ' 84 separated throwing things to the trash from emptying the trash.
RM is forever. I think we start here.
Um, so anybody uh else um so someone who typed this by accident rmaro to rm star redirect to O has gotten their files deleted what you actually so you have a file name O which is empty and that's it.
Mhm.
So uh now it comes the new the cool thing. So it's discussions from that. I have had two similar disaster running it. Once I was removing a file system from my disk which was something like / usr full bin I was in slash user fu and had removed several parts of the system by rm-r dot slash this one and so on. But when it came to time to don I missed the period the system didn't like that much.
So um what does it mean? The dot means that it's the current directory bin. But if you say rm /bin, it's what I've done before. You are removing the files from the operating system not from the current directory which which could be my user directory.
So it could be under let's go here. It could be under test and I could create a directory bin.
Yeah. And here here I have basically a a bin directory actu. Uh so mk uh dear bin sorry that that would have been the that would have been it. Yeah. Rm- r dot bin. Okay. Dot slashbin is removing the bin directory. But if you take this one out it looks different, right? So here I can do that. No problem. And that directory is gone.
So um Unix except for example consider the extra fun how do I unddelete a file someday you are going to accidentally type something like rm star dofu and find you just deleted star instead of starfu you added a space there yeah consider it a write of passage of course in a right of passage so this was an email circulating uh in in no other industry. Could the manufacturer take such cavalier attitude toward a faulty product? But your honor uh but your honor, the exploding gas tank was just a right of passage. Ladies and gentlemen of the jury, we will prove that the damage caused by the failure of the safety catch on your channel was just a right of passage to its users.
Now comes the interesting thing. This is I think is here. Let me see a little bit forward.
M changing RM's behavior is not an option.
So after being bitten by RM a few times, it um the impulses rises from alias uh to uh rises to alias RM command. So that it does RMI. The dash I is to confirm I think. So um man R uh RM.
Oh, and I just see that you're not really seeing the book as um I'm I'm really sorry for that. Request confirmation before attempting to remove each file. Okay. And I'm going to go here. You could have posted this that I'm not really showing the the entire text and I'm sorry for that. So would al alias RM2 RM- to ask for confirmation.
Um or better yes uh better yet to replace RM command with a program that moves the files to be deleted to a special hidden directory such as till the deleted districts lull innocent users into a false sense of security.
Um so 19 uh 1990 um on our system RM doesn't delete the file rather it renames in some obscure way the file so that something else called unddelete not an RM can get it back. This was made some system administrator this was made um this has made me somewhat incautious about deleting files since um since of course I can always unddelete them. Well, no I can't. The delete file command in MX didn't work this way nor nor does the d command in det which is a plug-in I think for immex or for vim.
This of course is because the unddilion protocol is not part of the operating operating system models um of files but simply a part of the clutch someone in uh put in the shell command and happen uh that happens to be called rm. It's an alias. So when you alias a command that alias is only going to to work inside your shell. Yeah. So if you if you try to change the default behavior of a command and you go n I'm so used to having rm- i by default in my shell.
Well, I'm using Emacs or using another program to delete stuff and lo and behold, it doesn't know about dash I.
As a result, I have to keep two separate concepts in my head. Deleting a file and rming it and so on. Okay, but there is more fun. Um I'm this is still not what I wanted to show.
Uh I'm uh RM I think it's here. I think it's here.
Let me see.
So let let me let me start reading here.
We mentioned that the shell performs wild card expansion. that is it replaces the star with a listing of all the file names in directory. This uh this is flaw number one. The program should be calling a library to perform wild card expansion.
By convention, programs accept their options as their first argument, usually present uh preceded by a dash. This is flaw number two. options, switches and other arguments should be separated identities as they are in whatever systems. Finally, Unix file names can contain most characters including non-printing characters. This is flaw number three.
These architectural change uh choices interact badly. The shell lists files alphabetically when expanding star and the dash comes first in the lexographical cast uh system. Therefore, file names, and maybe you never had this, but it can happen. File names that begin with a dash appear first uh when star is used. Oh, these file names become options to the invoked program.
Uh yielding unpredictable, surprising, and dangerous behavior.
Uh uh yeah expected it to be one file and then not all I assume it includes hidden files. Yes, the h file thing it's it's also written in the book here that um that the dot u the implementation of the of the dot was uh was an accident.
Yeah. To hide files with dots. Um read read this book. I mean is 300 400 pages is is really cool.
Uh but here um it's I think it was this one was the the stuff that I wanted to to to check or it took me 60 pages but I think I found it.
There is the story of a poor student who happened to have a file called dash r oh oh in his home directory as he wanted to remove all his nondirectory files. I presume he time typed RMAR and yes it does remove everything uh except the beloved - r file. Luckily our backup backup system was fair uh fair good. Um some unique systems uh turn this file name as a switch bug into a feature by keeping a file name I in their directories. type rm star and the shell will expand this to rm- i whatever which yeah it's it's wild impossible file names yes I'm exactly in the in the section I wanted we've known people several people who have made a typo while renaming a file that resulted in a file name that began began with a dash move file to dash file now just try to name the file back move dash file two to file one we can Try that. That's That's actually a really fun thing to do.
Um, so where is it?
Touch uh file one now. Move file one to dash file two. Right, it's there. The dash dash file two.
Uh, yes, it uses the stuff as a flag.
Now move dash file two to file one and hey illegal option because this is uh the parser the command line parser saw that you put a file name so the next ones have to be uh are no longer arguments they are actually files named so it dash file two is there so now it's you're like how the heck do I edit this Yeah. Yeah. Use the single. So, um, remove dash file. Uh, I think this is going to work. And no. Oops. No. Illegal option.
Okay, we have a problem.
You know why I like like so much? I I never said this, but install Midnight Commander. That's why I really like so much Midnight Commander is because I don't dare to I don't think about those things. I just go to Midnight Commander file two. Delete. It's gone. Okay, this file is gone. So, Midnight Commander always saves me. And you are always seeing in the videos I'm using Midnight Commander. There's a reason for this madness. It's I'm I'm from very old days. I remember this kind of stuff with dash here, dash there. And um yeah u now you saw I I deleted the file without problems but let's try to do this in the command line. So touch file one move file one to dash file two and I think with single quotes dash file two and it's still not working rm I think slash ah come on where's the slash the back slash in this keyboard uh is uh it's running on a Mac Um h so those are no backslash. So I I'm not allowed to do a backslash in this keyboard apparently.
Uh very bad.
No no backslash here. I can do this. Um so here uh here. No. Ah here. Here is the backslash. Okay. I found it.
So, back dash file 2. Still not.
Can we even delete this damn thing from the from the command line? I let let's read the book. I think they have the solution.
Um, no, it's it's not the key from the bottom row. This is this is a Mac keyboard. It's it's where I have the beta key. So images uh um uh Mac German keyboard layout.
Yeah. And it's this key here. So option beta gives me not beta set gives me the backslash. So not not in the in the bottom. So this is the keyboard layout that I have here. Yeah.
Okay, we Houston, we have a problem. How the How the heck do we remove that file?
Well, you saw I with Midnight Commander, I did it. Uh, remove dash file. No, comma file something. There might be a way. Let me let me see. Remove uh I I'm always typing in the wrong thing. So, remove star file two. No, because it expands. It expands.
It expands the things RM ah I think yes they yeah yeah yeah yeah yeah exactly there's the dash yes Unix provide I I had forgotten about this yes you have to put a dash and then do the things look really yeah come on every time I'm putting this so rm dash dash file 2 no no no no it's dash Dash. Come on.
Or did I delete the file? No, I deleted the file. So, touch file one.
Move file one to dash file two. Remove dash dash file two. Yes, now it deleted.
Now it deleted because after the dash dash uh the the parser knows that whatever is following are no longer uh command line arguments. So um or parameters command line parameters. This is this is awesome. So they say here with a single one none of the other things worked right. I mean the the touch um the touch let's touch here.
Let's do that.
rm-file 2.
This does not work. Uh with a single quote, it does not work with a backslash. It does not work.
Um no, it it has RM dash file 2.
Maybe now it works. Now it worked. Now it removed file two but it because it I I don't know about the parsing here but it was like okay I'm going to try to remove that one. I cannot remove that but let's continue removing what is on the on the right hand side double quotes but plus um yeah so and let's I created a snapshot here right uh so touch dash r uh touch dash r now we have a dash r here so M star.
Boom.
And all the files are gone because of the dash r.
Good. Um yeah.
Oh, and and this is also working the I Yes, I forgot that one. So, uh remove I'm always clicking the wrong thing here. Remove that dot slash dot this thing. No, no, it's dash r. Yes, yes, yes, yes, yes. It it deleted the file. Okay, so um yeah, touch. Yeah, bad option.
Amuse your friends. Confuse your enemies.
Let me I I think it's possible to have stars also in file names.
Um, oh, this is a nice one. Let me see.
Make their fu link f remove fufu is a directory. So, I think okay.
Uh, quality do not allow to move fs to Yeah, it they learn some things. Yeah, here's a way to amuse and delight your friends. Make this touch full/utilder.
Then show your victim the results of your incarnation. Yes. So ls full star.
Ls fullar because when you do this, you're actually looking inside the directory. So let let let's try that. uh make their f and the next command was uh ls make there ls ls- fft fu fu okay and I have no idea what's happening here but fu is there ls fu and okay um rm FU RMD. This is okay. Make their f touch. So um so R RMD de Fu does it. No, it actually worked. So some of the things are not working anymore.
Make the F touch. Okay. Make their ah every time here clicking wrong. Make their fu touch fu/fu tilda. If I can type a tilda in the keyboard. Um.
Uh.
Come on. You can do a tilda.
I was not ready for this.
You're just looking at me, typing mad at my keyboard, looking looking for a tilda. I think the tilda is not there.
Uh, and if you see the the the keyboard there is absolutely it it it looks completely different the the keyboard not only it's madness with with Mac German keyboards I tell you. Okay, I I cannot point until then. Um move d-file to dash file. Uh let me see. So touch file move dash file to dash file. I think this will work. Yeah, this this is working. Yeah, because after this and the dash dash is is is something in POSIX that tells you what follows there cannot be interpreted as dash dash A- I or or whatever dash like ls-l if I do ls-l is a parameter but if I do d-l then it's start searching for dl as a file so it's it's no longer interpreting the dashes as commands and the problem the all the problem starts that that the d them um that the d them uh dashes that them files can start with dashes. So if I do echoar you see that there is the file there that's exactly what they are saying in in this book that it comes like this and when you do ls star it's going to tell you well uh the e option is not there because ls has the dash i f i l and doesn't know about e.
So let's see the uh the f is there the i the l and the e is not there. So it's going It's trying to do dash lf F L Pi H like like this. I can do it. But now dash file doesn't know it.
I'm not sure if this is part of POSIX but um um yeah it's part of traditional Unix.
Uh yes, cat dash. Ah yes, cat dash is also a cool one because it it's the file name dash also represents standard input. So cat is going to cat the first file then the second file then the third file. So you need to type in ctrl d three times to get the prompt prompt back. So, um, uh, cat dash dash dash and one, two, three. Yes. One, two, three. Control this.
Um, yeah.
Awesome. Well, um, this Yes, I I think this one here, this has been fixed recently. Let me let me try to see if this is if this is still there. So I think this is no longer there. Uh but this is not operating system. This is um this is something from the compiler. So v vi file c let's um int main void. Let's just write here something. Oops. And again the keyboard these ones I I'm more or less used to it. Print um hello.
Yeah. Okay. CC dash o file.
Yeah. I almost did the wrong the wrong thing. So output to a file the file dash c. Okay. And and it compiled. It's the file is there. Okay, good. Hello. Now, sometimes I also I I did this mistake so many times. So, it tries to compile a non-existing file or in this case, let's actually remove file.
So, CC file C file. So, I'm going to try to compile file and output file C.
And now we are lucky. file.c has survived because this is this uh GCC now knows oh you are trying to write to the same file but a couple of versions before if you did stuff like this your file was gone you have lost with the here yes it it you didn't compile this but C GCC was just deleting the file yeah no no questions asked Well, you can you can read about this this book. So, um I I'm I'm going to make love. Don't know how to make love stop.
I think some of those things are are uh so make love. Uh don't know how to make love stop.
Uh RM means uh RM god. God does not. How would you date income? Unmatched.
How did the sex change operation go?
Modify.
It's too this too good. Sleep with me.
Bad character. Got the light. No match.
Okay, this one I'm not going to say it.
Um, uh, is is this even working now? Uh, is this even working nowadays?
Okay, not found.
Good. Good.
Oh, no, it's percentage. Percentage, not uh, no, I did percentage, right?
So some of the some of the commands have um have changed the name.
Drink bottle opener. Bottle cannot open.
Opener not found. Make deer matter. Cat matter. Matter cannot create. Okay. Um yeah. So it it's a really nice book. You can you can you can find it online. It's called uh it's called the Unix haters handbook. It's it's full of of really cool things. It's a It's a little bit dated, a little bit old, but it's a really nice uh a really nice thing. Now, I again I went into a tangent and I completely forgot what I was doing. I I was doing something with the box um with box run or so.
Uh let me see if I can see in my history. Um a touch file and whatever.
Uh oh god, I I'm trying. Oh, maybe um CSH you have mail. Uh this is no such that yes it was.
Yes. Yes. No such job. It was sea shell.
No such job. Okay. Thanks. It was it's sea shell. Yes.
Ah good good uh good things here.
Uh uh so yeah history one pipe pipe less what was I add user rim ssh shutdown.
I was looking at something with with with the box.
Um yeah because we were I removed some files or whatever and we were discussing about that. This is I think is the RM- man RM but um yeah this this this streaming went from really crazy stuff from from the fat G to to weird and wild things. I I was not expecting that, but um I think that's pretty cool. Um so um yeah. Um and um the bubble wrap. I'm I'm bedzled now myself. I don't know. I don't know what what to do. Um uh what happened to the machine?
Um yeah. Can we can we recover the the snapshot?
Shut down.
There are a couple of cool things. Uh uh 1 hour. How long is Yeah, I I might need to change the title of this video. This is this is not the or the fat G and uh and getting the fat lady to sing something like that. I don't know. It's some some cool name has I I have to change it because this is uh can you tell an example of a use case roll back? Um yeah. So um I'm I will tell you an example of a use case and um oops part of the use cases that I have is um I want I'm I'm training software developers on developing secure software and and so on. And some of the things that I do involve getting um sandboxes um so sandbox examples where the developers can uh work on the operating system and and do stuff. Yeah. And I don't want to create a jail. The the jail is too much for me. Um, I I really just want I want them to um uh to start uh to start the the a shell and be able to do whatever they want.
They can delete files, they can rename files, they can do whatever they want, but I don't want them to affect the main system that that I have. This is point number one. Point number two, there are several users in the system. If you if you create a jail, well, with ZFS, it's a a little bit easier because uh when you create several jails, it doesn't um you don't need to copy the entire file.
So, it it just creates another layer on top of things. Uh but I still want to avoid those things. So I can just start the box run like 20 different times and I have all the same configuration for all the users and it's my system basically the main one. So whenever I install something for a user, everyone gets the the things. It's it's really a poor man's jail as I said before. So instead of getting a container or getting a gel, I just run stuff with a with a box run and it does it really easy. Yeah.
Yeah. And and this is this is basically this is basically uh why I'm using it for uh did I I rolled it back already, right? Yeah. Yeah. It's going to be lost. Rolling. Done. Okay.
So, oh interesting. This even rolls back with um with the with a command with the memory and so on that I did not know.
Uh and as you can see I I just installed the system and I'm I'm I really I'm not installing any any jail or anything. I'm not it's not occupying any extra space in my disk. It's it's just um I'm just running a software in a a boxed environment on my local system. Yeah. I use it's like my own system is my own jail. Yeah. Um and and that's basically it. And I I want to allow modification of some files and um um so it's it's it's as simple as that. I won't find find uh find control about about those things. If you look at the bubble wrap at the bubble wrap thing uh for for Linux and I in I I do have some Linux machines also and they do the same uh the same stuff. This is like um um a docker container but the the issue with the docker it has to pull a container to your local machine and it takes time to pull and sometimes it takes time to start. You see that when I do a box run with this thing here it's like boom I'm there. It's it's milliseconds and I have an entire system.
It's if I installed 50 GB of software in my in my in my uh in my disk, it's everything is available to the to the shell to this shell here. It's just that it's running in a in um in a box. And if you try to change some files, try to do whatever, fine. Do it. When box run exits, everything is is is gone. Yeah, there's no problem. And you want to run box uh do the box run 50 times. You start it 50 times and it's like you have 50 jails with 50 gigabytes which is a fake thing, you know. So it's it's it's basically faking everything.
Um yeah and so what do they say here? Many things focus on providing infrastructure for system and orchestrations to run containers. These tools are not so to give unprivileged users which is also unprivileged users. Yeah. Yes. That's another thing that I didn't I didn't discuss. Yeah, because I'm doing I'm running this as root. But look, I can actually uh test Mhm. box run box run uh system shell.
There you are. I'm I'm a regular user.
And with box run, I'm I just I I'm I'm viewing the world in a different way.
Yeah.
Yes, box run is installed as a set UID binary in the disk. Yeah, if there are some buffer overflows or something, it a little bit problematic. But since I'm not really taking any input from users, uh I mean it's just a command line arguments.
There could still be something there. I mean, we can still uh do uh something like this. maybe try to do a buffer overflow on the on the parameter itself.
Now, so um let me see. I do have one one tool that um pkg install pattern uh in install pattern pkg search pattern. This is this is a a software that I am maintaining myself.
Exploit hash pattern. Okay. Pkg install exploit pattern.
And I'm I I'm going to do probably another tangent on this one here to to discuss a little bit what uh what is exploit pattern and how to use it. Uh since today I'm feeling hacky.
So test test. Um uh this installs a a a tool that is called pattern and I can ask for a pattern of 10. This is 10. I can ask a pattern of 100. I can ask a pattern of thousand. And I I will explain you what this is in soon. But I can say box run and put a pattern here of thousand. So this means I'm putting 1,000 characters as an argument to box run. Does it take offense to that?
file name too long. Yeah. Um it's trying to execute this this thing. This is how powerful overflows are basically are basically run uh are basically done.
I hope I I looked at the code long enough but there might be issues. I mean like there are issues everywhere but I don't think that box run has any um should have any vulnerabilities now.
uh box run and um so all dev net allow raw sockets and um in this case we definitely allow s user sh.
Okay.
Uh here we are uh a normal user but we allow s user because here we can ping 8888. Oh permission is is not permitted.
Um probably because we are I yeah I don't have the permission to allow the changing of of of the users. Yeah. So man um box run uh there is some additional permissions that are missing here. Uh let me see if I can see here.
Limit allow pit trace. So no ah I was looking at the pit trace. Yes, I was installing GDB ASLR uh and I uh yeah, no privilege. No, there is a allow raw sockets and set host name quotas preserved read allow as user security level identity host name.
I would need to check this uh how how to allow a user an unprivileged user to ping anything because currently the uh a normal user is not allowed to change to a to a root user for example. Ignore set ID. Yes, new private.
Exactly. Allow new priv.
Allow new priv.
Let me see. No, maybe this is not there.
Okay. I I I don't remember this very well, but let's see the GDB not found.
Root. I was looking for GDB.
Uh pkg search uh pkg install gdb.
And I'm going to show a little bit something that I also do um uh that I show to software developers.
Um and what I wanted to do here was under well actually let's look log in as root it doesn't matter box run um history where is the I think it's the all yes 35 so box run all I don't need net I don't I I don't need dev I just say all with sh and now I try to ls and gdb / bin / lls so I try to debug uh inside box and continue program is not being run uh yeah here gd could not determine a path or index and so on it's it's it's you're not allowed to prace inside inside um this box. So no no pet trace is allowed.
Uh this is reading symbols. No debugging symbols. So run. Yeah. Okay. Sorry. It's not continuous run. Starting prace operation not permitted. Exactly. This is the error that the error that I was looking for.
So, and now okay, why why is it didn't like me exiting the system?
Yes. Okay.
Interesting. Why did it die? He um let's see. Uh 21 173 killed. Okay. I I don't know. It didn't really like that it it could not attach uh box run allow pit trace. I think I didn't test this before but pin ls run.
Yeah, now you can see now we allow pit trace and and we can run um we we can debug a program. Yeah.
So yeah, lots of restrictions inside inside the box the the box thing. So it it takes whatever software you have and um it's is just going to um just uh going to um put it in uh run it with lots of restrictions.
Good. So this is the stuff I wanted to show before I went into the unique siters thing. Um now let me show you another thing which is here. No I don't want root. I want test.
So let let's go here with the test. Make dear uh test. This is not very original but okay. Test C. So um let's try to write a program and I will show you how to um how to exploit that that thing. So int main void. I'm I'm a little bit lazy writing the program now. So return zero.
Uh and for now terminal. So I'm going actually I'm going to write a make file.
Um let's just say here all and GCC.
I'm going to do it for 32 bits because it's a little bit easier to show. Dash O test. C. Okay. File name wake file. Come on. Yes. Make make GCC. Come on. Not fun. But no, I did not install GCC. I installed GTP.
Okay. Uh, no problem. Whatever. I use CC. Come on. Make. Yes.
And if I do the test thing, there's nothing there. I can. Okay, this I don't need anymore. Let's do a print f. Uh, hello with this. Yeah, I I remember these things. How to type in the back. Yeah, it's warning the libraries are not there. Whatever. So, okay. Hello.
And now we are going to take a command some some stuff from the command line.
So int arg count cal counter and char arg variable and uh if arc c less than two if I can type in the less less than two and here this is this thing here. Oh okay uh exit. Let's let's just do like that. So make uh actually let's let's print uh a message here before uh and it's not exit it's return here because exit is not existing.
So make yes yes yes yes return number we need to to give it an uh something here.
Okay test hello. Uh yeah I give me something okay make so test give me something or test two hello okay so if I don't give an an argument it asks me to give me an argument once I give something it asks here hello okay this is the the first part um now let's just call a function um function an f uh that is going to take a char star as a very very simple very stupid thing here. Actually I should I should try to to do the include stuff uh std io and hopefully it doesn't complain anymore. Yeah, doesn't complain.
And let's do a bad thing. So I'm going to put a char here.
char um buffer with 10 characters and here just to demonstrate things I'm going to put an int x equals zero and now print f x is this one here x.
So now I'm going to call instead of the hello I'm going to call f with arc v one. Oops.
So it's arg v1 the first parameter and here we should have x is x is zero. Okay. x is zero. That's the that's the parameter.
Now X is that one. And uh let's put another one. Uh S is S.
Doesn't sound too well what I just said, but S is S. Okay. Um that goes into the direction of the Unix things. Okay. So good.
Now we have the the test here. We can say X is zero. the S variable, the str uh is that thing there. So, no, a buff is is a variable. It's in the stack. So, what I'm going to do now is string uh copy buff comma buff, s here instead. There's too many s's here. I'm just going to call this SDR. Uh, so it sounds better. Sorry, it's uh uh so probably they want the string that Mhm.
Okay, we have it here.
test with here the so the str is one to one two that that value there now what I'm going to do is something bad I'm going to because we are copying a string to the buffer but the buffer is limited to 10 characters so what happens if we put more than 10 characters okay so these are more than 10 characters and what we see is bam we see two things that happen.
First one most obvious is a segmentation fall with the core dump.
Uh and the next one is something that we did not expect the x variable that was zero. Now it has some some strange value.
Okay. So what the heck is happening here? what I when I'm discussing these things with with developers and so on I always say you you have to look from down to up which means from here to there and if this would be the return address of the function then uh and overwriting the buffer goes from down to up means I if there is a buffer overflow it is going to write over x and at some point in time is going to write over the return address of f uh And once you control the return address, you control the execution flow of the program.
Why this is I'm not we could go into the technical details on why this is uh but just take it for granted now that that it is like that. So the return address is there. So it's the return address is put when you when you do a call here.
when you call the function it has to put the return address in the stack and this variable is in the stack and this is this is why this is called a stack overflow yeah so and if we want to know exactly the offset at which this happens we have several things we can start GDB we can do some really complex stuff and so on or we have the lazy person's way which is my way which is using this pattern thing so and the pattern generates for example a a pattern of length 12 or let's generate a pattern of length 13.
Okay. So let's first build this step by step. I'm going to do some magic here which is pattern pattern five. Okay. So what is this doing the dollar parenthesis and so on.
This is saying execute the pattern five and whatever comes as standard output use it as an argument. It's like I just wrote the aa something. So the pattern five which is this stuff here I just use it as an argument to this program. So this is in some some systems you put back ticks you know you've seen already the back ticks right? So echo with back ticks you see the same thing. Okay. So, I could also do pattern pattern uh no sorry uh test test with the back ticks and it does the same thing. I don't like the back ticks because I use different keyboards and sometimes it's difficult to find the stupid back tick and therefore it's easier for me to find these things here in the keyboards I use. And this is exactly the same effect as the this is the back tick thing.
Um, good. But this is not overflowing the stack. So, let's put let's put like 20. Imagine we don't know this thing here. So, imagine you really don't know what what this uh this thing here. So, forget about that. Now, I I have a program that's called test like the box run. And I'm just going to try to write 200 characters. I'm I'm not going to I mean, I can also write 200.
It doesn't matter. Yeah. or 1,000 does doesn't matter. I know that because I develop test I know that more than 10 is already enough. Uh and I'm going to run this and I'm going to get the same thing segmentation fault.
And now I want to know where can I control for example the variable X at how many letters do I need to put in here to control that? Well, we can write that one there. 1 16 316 66 29 45. And it's going to tell um oh uh cannot tell uh actually interesting pattern. Let me see. Length pattern length. Ah uh uh uh pattern. Okay. Okay.
Okay.
Let's I will I will write this in a in an easier way.
Um I'm going to write this in an easier way. We could conf we could um convert this number to exodimal but we just do pattern like this. 61 41 uh 33 61. Yeah. And then it tells me um there is no guard rail here. No guard rails for sure.
Uh so this pattern occurs at the first position 10. So even if I don't know the code here, I I know that I can cause a core dump and this variable is controlled. I can know it's controlled at position 10.
How about that? How about them apples?
Uh and this means again remember going from down to up it overrides 10 values and the next thing that is going to write down to up is going to be the variable x. If I put another variable here, int y equals 0, whatever. And I do the same thing. I run the test. And now I have another pattern actually, which is um 35, 61, 41, and 34. And it's at position 14. It moved four because an int 32-bit machines is are four bytes. Uh 4 * 8 bits 32 bits. Yeah, of course.
Um and now how the heck do we control the how do we get the how do we control the the the return address?
Well, we have a core dump here. So, let me start GDB test with uh test.core.
Yeah, exactly. It runs over that that's that's what a stack overflow is. It's just runs over the variable and there we go and we just write into memory. Yeah, unbounded rights. Yeah, that's that's the that's the thing. So the the base the main problem is that this function is an evil function that is just copying the stuff here into there without doing any length checking. Does the does the target have enough memory for the for what the source is uh is there? Yeah. Is is giving? Yeah. It's it's just saying copy whatever you want. Yeah.
So, now now let's start GDB with um with the core. And it's going to tell us here something. It's going it tells it stopped at this variable here. It stopped at this variable. Okay. Let's exit this and ask at what offset is that 0x20 60 93 AD. It just happens 20 60 93 AD unable to convert input.
Interesting.
Um let me think why is this not working now? Um, let me let me actually try maybe not put so many things. So, oh 20 20.
Didn't it core dump? That's that's an interesting thing. Uh, 20 40. Now it core dumped. GDB with a core dump.
Actually, remove test.core.
Let's let's just make sure that that the core is a fresh core.
Uh here cordant and gdb test with test.core.
And now it's still the same address which I don't like. Uh there is something fishy on going here. 20 60 93 AD. And this guy doesn't like this. Um unable to convert this this thing. Okay, no problem. we run this thing GDB.
Uh why is this becoming so difficult? I don't know. Maybe maybe there are some additional mitigations, some protections that have been added here.
Um let me see. So run with uh pattern 40.
And we still have the same thing. back trace and it goes off the rails here.
Okay, let's let's just do the following. Uh since I don't really know what's happening there, this might be um I was not prepared for that. Uh let's just do the following. Okay, so 1 2 3 4 5 6 7 8 9 10. So now what you're seeing is really some exploit techniques.
Uh 1 2 3 4 here. You you remember the 10 plus the four. Okay. And x is still zero. Now I should control x. Let's put uh x 6 x 6 x 6 x 6 x 66 x. And there we go. 78 78 78. If we go and look at the aski table ask table.
Um so picture. Yeah, that's cool.
So here where is the 78?
78 exodimal is X. Okay. X. There we go.
So this is the X there that we wrote. So with X. How many X's did we write? Is this big Indian? Little Indian. Let's just put um a capital A. The capital A at the end is 41. Yeah. M. So let's run this. And we see here the 41 is the first one. So it's actually written the other way around. I will tell you one cool secret here or not secrets cool a cool thing. Uh the 012 3 and so on in in in ASKI. This is actually 303 1 32 and so on in hexadesimal. So it's relatively easy. If I want to write 30 there, I just write the number zero here. So let's let's do it. Zero. And there is there you go. There's the number three 0. So let's just write 1 2 3 4. And we see 3 1 32 33 and 3 4. So it's written the other way around which is the big Indian little Indian thing. So if I write 4 3 2 1. Yeah. It gets 31 32 3. So re forget about the three. It's one two three four. Yeah. So what I'm saying here is that I fully control I'm fully controlling the I'm fully controlling the the the variable X.
Okay, now I'm going to do some really bad things. This is just for demonstration purposes and I think I know why this is not working. Let me just think a little bit. uh in GCC how to make sure that that the text segment goes to address let's just put a typical one uh 08 um 420 0 1 2 3 4 5 6 7 8 1 Okay, so no no it's Uh yeah, that that is the the thing that I'm I'm looking for. So I'm going to take this window out hopefully here to the other screen and I'm going to change the the file here a little bit. So I forget about what I'm doing is this is this is just for demonstration purposes to make life a little bit easier. Um 0 0 x uh uh 4 0 2000 0 0. Okay.
So make and forget for really forget about this.
Um let's go to test.c buffer overflow again. Uh so I I need um let's let's try to do the pattern again instead of doing the things let let me try to do the uh first remove test core.
Okay remove test.core and now rec uh and then again dot slash test with pattern 100 whatever makes this guy happy. test test.core and now oh it's still in the same address. There is something weird going on here. So okay, forget about that again. Then let's continue what I was doing. So this is I'm I'm controlling the things here now. And what I'm going to do now is I'm going to put X's 1 2 3 4 segmentation fault.
Okay. 1 2 3 4. this I I think I think that I should do the I have the gut feeling that I have to do stuff there.
So let's uh uh let me do another thing. GDB test break uh main.
Okay, the address is there. Okay, so good. Let me just put here um another function void um not called.
I just want to get a function that is not called.
Yeah, not sure. It's it's maybe maybe the ASLR, but I'm not compiling this thing with ASLR. I I need to check exactly what what might be wrong here.
Um, hey hello there.
So I have a function here that I it's called the not called function that just says hello there. Okay, let's compile this. And now I will try to GDB the test and print not called. This is at this address 84. So I'm going to write this address here so I don't forget. 0x 04 42080.
Okay, this is this is the address. Now let me try to see if I can call that function.
So I would need to put these values here. But these values are hexadesimal.
So what I'm going to my gut feeling tells me that they are here. So 1 2 3 4.
I'm going to put here an echo dash and e. And now let me just say something like that to make sure that things are actually Yes. Yes. Yes. Yes. This is not good.
The dash ne this is not good. Um this is let me try bash test 1 2 3 4 5 6 7 8 9 0 1 2 3 4 and then 4 3 2 1 1 2 3 4 echo dash ne 1 2 3 4 5 and so on.
Now it looks a little bit better. Yes.
I'm I'm doing the overflow to try to see where is the return address because if if you remember uh I said that there is a return address because when you call this function here when you call this function it has to put the address of the next line. Yeah, it has to put it in the stack and when the function returns it it it gets that that value from the stack and it jumps there. But if I can overwrite the stack with a with the address of not called then I can jump to the not called function. Right? And this is what I'm trying to do. Um and before I'm I was just trying to see if this is working here. So uh yes I have the x6x and now if I do uh let's put here back slash x30. If you remember x30 is a is the hexadesimal value for the number zero. I should see here zero whatever there we see there we go. We we see this.
Now if I put the number 1 2 3 4 here I still see 1 2 3 4 0. Yeah. And I want the 1 2 3 4 5 6 7 8 9 10. Okay. This is hackers.
they will just try these things uh quite a lot of time right and there are tools that simplify the the this these things here so okay here I overflow the buff variable then I have here four variables for four things so a a a bb okay so this is overflow writing over the x variable writing over the uh the y variable and then uh writing over the x variable there are two more there There is one more thing that is stored in the stack before the return address and that is the base pointer. So I'm going to write here base base base base base. And now I think this is the return address. This is my guess. Okay, that that would be the the return address. Um so let's try to see if I write the return address.
And you remember I have to write it the other way around.
I'm going to write with 8 Z.
Now, uh 20 uh the two 0 I don't like two more too too much.
This is not a really nice uh value. And I will tell you why. Because two is a space is a space. And I know those things by heart. And if this is a space, this means that this is not going to work probably. Um 4 um X come on where X um 2 the 4 Z and 08 and of course this did not work because of the two I think I this is this is what happens when you don't prepare the when you don't prepare the things. So let let me change this to a five.
I I'm just doing this stuff headocock.
No. So I'm not really preparing anything here. Um as I do many things in this channel. So uh now I put instead of the two I put a five. And hello there.
Hello there. There we go.
So uh what happened here? What the heck happened here? Um, and let me just think a little bit.
I'm searching for something. Just give me a second.
Um, yes. I think I have I think I have here something.
What the heck is this guy doing?
Uh, let's Oh, my my chair. It squeaks like crazy. I I need to I need to uh remove the I I need to check this change my my chair. I don't know if you hear all the squeaks and so on. Okay, I think I'll have to remove my my mouse and put another thing here.
Yes. So, mouse is not working. Um, PowerPoint.
You don't hear the the chair. Okay, that's good. It's squeaking here all the time.
So, stop that.
No, wrong wrong side of the display.
So, hey, what the heck?
So, what the heck happened? Uh, as I was wait, as I was saying, we have the stack, okay? And we have the um the function whatever. And here we have an int x and here we have the buffer with um 10.
Yeah, there is a char here whatever and and so on. And what I said is look at the stuff in this direction and here this would be the return address. So if we look at the stack if the stack is um yeah if it is like this. So the stack so the stack grows in this direction and the memory grows in this direction memory and stack.
Okay. So this is like two um this is like uh two trains going um going opposite directions. Yeah. Thousand of years. There are lots of stuff online that also show this but yes this is um it's uh expensive stuff. Yes.
So um no what the heck happened. So the the stuff that I'm using is is some material I also uh also use uh at work but okay uh we have the return address.
This is this thing here. Let's put the dot there. Then I said that we have a a base pointer here. Let's not discuss what this is.
And we have the an integer here.
And then we have an integer.
And then we have here the buffer. The buffer. This is how the stack looks like. This is this one here. So what happens is when I call inside the main I call f with whatever. And this means that this return address is placed in the stack.
And when you call the things here, we we could go really deep on this. I I uh I I really like the this this kind of things. But anyways, there's the here the functions typically have um I think it's called the prelude. I I'm always missing this word, the prelude and the post post whatever. I'm I always I know this is the prelude and and I I forget about this. The prelude is basically the part that creates the stack frame.
Okay, the stack frame.
So, and uh inside here the function whenever so I I took a string from here and this string is overwriting inside inside this thing here. So, if I change the color, it's going I I I took out my mouse.
Let's put uh let's put this color here.
So it means that I start writing stuff here and I start writing in this direction because memory is growing in this direction here and now it's going to write in this direction.
So when there is an overflow this guy is going to die. This guy is going to die. And this guy here, this is the evil guy. Okay, this is this is what we want because we want to control we want to control the return address here and this means uh and this is the the Oops. This was the tests that I was basically doing is I was looking at at the variables here and I found this address for this guy here. Okay, I found the address for this guy here. Uh actually I had two variables there. So this was 10 here. I didn't have a single integer. I had two of them. So this is was four * two. Yeah, this was eight values. Then I said there is a base pointer. So four more. And then there is the there is this thing here. Yes. I don't write fours like this. I hate these fours. I write my fours are old school. Yeah.
Because four is my favorite number and I write fours like this. Uh if you write fours like this I I don't like them.
Okay.
Uh the the return address when you when you are in the main the return address is the is is the is the address of the next instruction that is here. Okay.
It's the it's whatever it's it's there.
If you have a print whatever this has address X and this is going to be written here. Okay. The X. So when you do a call for this, you put the address of the next thing. You put it in here because when this function returns return here is going to go there. Okay?
It's going to go to the next line in the code.
I don't care where this this value is going at the end. So because when I overflow this buffer, I overflow in this direction as I was saying before, right?
So I the overflow happens here and I can see all the bad things that I can do.
I'm going to overflow this integer. I'm going to overflow another one. I'm going to overflow the base pointer. But what I want is to overflow the return address because once I control the return address, I control where execution flow is going to. Okay. And that is that is definitely Yeah, just keep this um this is definitely where I want to go. And where I want to go is um uh is going to the uh hello there. You see hello there. So what did I put here? I put those things here. They are enough to overwrite those variables here. Enough to overwrite those things. And then I put here the value I put is the address here. And if you remember I actually changed this in the code to a five to make just to make it easier. So let let's not think too much about memory memory addresses. This is a a really fun game, but it doesn't uh doesn't really matter so much.
Anyways, um this is if you read the the things here, it's 8. There it is. The 8 0 the 5. There it is. The 5 0 the 4 0 and 08 and 08. It's here. cannot see so well but this is and once you write this when this when the f function is returning when this function is returning from here it's going to jump to this address and this is why you see the printing this printing that prints here prints that and then bam it goes to the hello hello there okay it didn't go to the main it should have gone to this line here okay it should have gone here to I don't know print uh print f blah blah blah blah blah. Okay, it should have gone here but it didn't go there. So I can compile also this make and it still prints the hello there because I changed the flow of execution.
Um I I I will stop here because I I I can I can talk hours and hours non-stop about this. Um this is the simplest the simplest exploit that you can have. This is called an arc injection. An arc injection.
And let me try to let me try to show you uh two potential mitigations because we're talking about mitigations and so on.
So one of the first ones is address space layout randomization. Okay.
Um well you see the problem is with this is that every time every time I'm um I'm calling I'm I'm running this program every time the the address of this function is is at this position 08405080 always the same. It's predictable.
uh in fact this was one of the reasons so I I I lower the defenses of the program because I actually I'm asking the compiler please put the functions at this address more or less it's not exactly this but it's kind of in this range here that's uh and this defeats the purpose of address space layout randomization if I cannot know where the address of the function is I cannot know where to jump to. So first thing let's try to see what address base layout randomization is. Uh at this point here let's uh before we call the function here actually let me comment this out. I'm going to print here address is percentage pa not called.
Okay, let's compile this thing again.
Make and run uh it I I don't care about overflow for now. So, but here you see the address is exactly the one that I determined before. It's the uh let's actually put this in a nice way. Um I think it's 08 if I'm not mistaken.
Conversion or maybe dot does it conversion with W format precision. Yeah. Yeah. Yeah. Yeah. Yeah.
Okay. Yeah. Forget about that. So, I'm just trying to make this look nice, but uh I wanted to see a zero here because this is 08 4 0 5 0 8 0. Mhm.
It doesn't matter. It's the the the zero is missing there. But the problem here, you see, is that every time I run this, it's always at the same address. Okay.
In fact, if I compile this program here like uh take out this thing here. Let's let's not ask for that. But uh let's just compile the program like this. And here this is a different address.
Okay. But it's always the same.
Okay.
So that's bad. Now let's try to compile pie.
Let me see if this is working. uh files.
Okay, this is already interesting.
Uh print f cannot be preempted.
FP Mhm.
relocation cannot be ah okay it's a it's an interesting thing uh uh so h interesting in 32bit so the the mitigation under under FreeBST doesn't take the doesn't take the uh the position independent executable that's what you need for address space layout randomization um let's try P I think P is another position independent code. Okay. Uh why is this not doing what I want? My keyboard is going crazy. Okay. Make uh No, it FP. Mhm. Maybe maybe I'm maybe I'm doing the the wrong the wrong thing here. Yes, it's FIP.
Fpipe. Okay. Test now.
Uh yeah, give me something. 34. Oh, we have this thing here turned on, but it's not giving us uh random addresses.
Let me try to turn on F pick. I don't think that this is going to do much. Yeah.
And so what I'm trying I'm asking the compiler is please give me random addresses when the program starts. And you can see that this address is very well predictable. Uh an attacker can predict this address. So that's bad.
Why is this? Um so no not box run manication.
Let me see. ASLR.
Yes. and karn elf ASLR for 32 bits. So let me see cctl current elf because I I compiled 32 as lr dot enable.
It's currently zero. It's set to zero.
It's not enabled.
Let's enable.
Okay. Now we enabled ASLR. Now let's go back to the to the program without recompiling.
And it's not doing anything. That's really bad. It's not doing it.
Um, pi enable.
No. Yeah, it's not working because we should get different values every time.
It might be something with a 32bit binary. So, I'm going to remove the 32-bit here.
I'm I'm not very happy about that, but let's uh try here. And it's still the same. Okay. Um else, let me Come on. We need to get ASLR. ASLR. I know it works.
I mean, I'm Where are we going? Current L64.
So it's the same thing but for 32 for 64 bits it's enabled and pi uh enable one. Okay. Why is this not not getting the different addresses?
I'm getting confused here. Okay.
So in previous team I am compiling with FPI and FPIC.
The CCTL for 64 and 32bit has ASLR turned on. Why is the why is this not working? What am I missing? I don't think it requires reboot. No, no, no, no. Compiling with this the fix the tool chain CC FP pie with uh with capital letters. Um maybe the pi. Okay, maybe this is fp. The other the pick is for the uh yes, ctl. Let's see. ELCTL test and uh and the LCTL basically tells us that no SLR disabled. Uh what is this? File test features disabled is unset.
Mhm. So those mitigations of course force. Okay. Dash E plus ASLR.
I think that this is this with boots. We don't need that. But we can try this.
Plus E uh - E plus uh ASLR.
I think interpreting ASLR is not please. Okay.
Oops. What the heck? Uh, and is disable ASLR is set. I don't think that this is forced. Dash E plus ASLR is a little bit strange. Um, but I think it's I'm having the wrong It should be capital letters.
I'm sorry. I'm I'm a little bit insistent on this. I don't know why. Uh why this is not doing the things that I want?
It's not there. I really don't understand.
Um I need to to check this a little bit more.
No, it's always there. I'm I'm definitely missing here something that that those addresses are the same.
I'm current elf ASLR enabled. Pi enable 32bit core. Uh check the program overrides confirm prox-v.
Yeah, it has to it has to do it. And this is not so nice if it is not really doing it's if it's not really honoring the the the things. Um this is um a 15.1 beta 2 and current um controls.
Uh it's enabled.
ASLR enabled and PI enable. Uh no, not the PI, it's the PI enable the PI PI. That's that's weird.
Today many weird things are happening.
Okay. Um then let's try another mitigation. F uh stack protector. I think it's called like that.
Let's type in make. Yes.
And now I'm going to run test here. It still runs. But now oops. Uh edit test. C.
I still need to call this function. So make make come on. Uh here and here. And now I go and here we have a cord up. Okay.
The problem that we have here. So I'm going going to try to show you this. Try to spawn a new shell. That That might be an interesting That might be an interesting thing. Um, where did I go to test?
Um, test one, two. No, it's still going in the same something weird is is is happening here. Um, I know that those numbers, they need to change because this the address of the function needs to needs to change, but I'm I'm missing some point here. I'm yeah I'm not sure exactly why but I'm missing something but what I wanted to show is the another thing. So let's forget about about the ASLR for now.
Uh so give me something here when I'm compiling. So let again let's let's do the dash g make and obg dump I think capital d on test.
Yes.
So what we need to see here is on the main this is function main and right before the function main I see it already but okay so this is the function f here and you remember I said there is the prelude there's the prelude and whatever I forget this is here this these three instructions that is that are here this is the prelude push bp move and subtract subtract practice is creating the the stack frame. So those three instructions are very typical uh for the prelude.
And now let let's actually before I show the other part let me let me compile without the stack protector and let me just take the PI and so on. It's no anyways not working now. Uh and let's uh let's do an object dump again.
So we have the we have those things here and it's um yeah it's it's doing some things here in assembly blah blah and so on and at some point in time it does uh it does two things two things here this is the this is the last part of the program so it adds something to the RSP because before it had subtracted subtracted 10 zero from RSP and now it adds that that thing and pops the pops the thing.
Yeah. So it's three things. So it had pushed this thing. So it uh it undo what is undoing what he has done before adding popping returning. Forget about in three.
So this is this is the first part in the function. This is the the second part.
So here is the return instruction is where where we really where we really get the function by the ball so to say because if we overwrite the return address at this point when this when this is trying to return uh it's going to return to the address that we want.
Now you saw me doing the uh putting a stack protector. Okay.
And now let's see the difference that we have here. So mine the original the the the prelude the prelude is still the same but the postlude or whatever I forgot forget always the name. This should no longer look the same.
And why is it looking the same?
Oh god this is uh this is really bad. Uh ah because I'm looking at main. You see maybe it's 2:00 in the morning. It's a little bit late. Okay. Um let's go here.
F is the function. This is the the thing that we have. We have the push. So one the three. So this is the prelude. And now let's look at the other one. We have the same thing. Adding popping returning.
But but before that we actually have some additional we have two additional instructions that were not there before which is move here and then compare and or actually three instructions sorry. So move this thing here and then compare and if if the not equal jump to the 71 uh 7 F1 7 F1 is here and you can see stack check fail. This is called a stack protector.
The stack protector works like this that here before this return address. Now I would have to move things a little bit down here. Oops, you cannot. So let me just add a dot insert uh shape. Put a dot here.
So it's a value that put you put in in this area. So between the base pointer and the return address, you put uh you put a value there. And this value is again like ASLR is very difficult to to to know what this value here is. So when you overwrite the things here before returning the assembly code is looking loading the value from base pointer and comparing there's actually there more instructions that I forgot this one here R A X whatever. So this probably here is is also this is maybe the first one uh from the instruction pointer and so then there's some loading here and then it doesn't matter the important thing is that there is a value being compared with jump not equal. So uh why uh so basically if you override this thing here and then before returning you are trying to compare a value that you cannot guess what it is.
If the value doesn't match, you don't return and you go to stack failure.
It Yes, exactly. Not only it knows the address, but the stack protector knows the the value that is here.
The reason why this is called stack canery is because of the old cold mines that people uh in the old days uh they would bring a canary down to in the cold uh not the cold in the coal mine uh and if if you are digging the earth and some gas is leaking the the humans cannot uh feel that u and they would of course they would die but it would take some time and canaries apparently they are very sensitive to this. So um it's very simple either the canaries were alive or the canaries would be dead. Nowadays you probably put some gas detector some electronic device but in the old days the in the cold mines they used to bring uh birds down the canaries and they would be singing and as long as the bird are singing then you are safe and this is basically what why this is it's Microsoft calls it a stack cookie. Yeah, it's the cookie monster who is stealing my cookie. No. So, uh, if someone kills the canary, you don't you don't go for the return address. That's that's basic that's the that's the idea here. So, when you protect the stuff with the with the stack fail like this, it's basically gone. The if if I try to go here to this one here and do the stack protector, f stack uh protector.
Uh now it's a little bit difficult to um to do everything again because I think I take took out uh yeah I I took out the things. Um but I so I'm not going to do it. But you can believe me that if I I reproduce exactly the same things I've done before to try to to try to put the value in the return address, it's not going to work. um because it's it's it's just going to to to stop with a st with a stack failure.
I think actually the the error might be a little bit different. Let me see. It says segmentation fault core dump and it's actually the the message is not very different from the other one. Uh so so this is one of the mitigations. This is not the mitigation from the operating system by the way. This is a com a mitigation from the compiler.
Yeah, it's the same thing. So the stack protector is not there but yeah but uh it's it's it's still giving the the cord but in this case uh the the object and again if I try to debug the things oh I need to enable debugging symbol so that it looks a little bit better. Uh now it's a 32-bit binary. Uh yeah. So this is why I should prepare things a little bit better, you know. I'm just going randomly here telling things. So this now looks 32-bit assembly a little bit different but it's the same things. It's push move subtract prelute and now we have just uh add pop return without any stack protector thing. Yeah.
So the the stack failure is not there.
no stack protector. Uh, and when we go and enable the stack protector here, we're going to see those those things floating around make and main and the function is here. And we see already the stack check file here.
Uh I got the stack protector active with a with a compilation option -f stack protector.
So this the stack protector does exactly the this thing. So uh Google stack protector and it's probably explaining the same thing. Yeah. Stack frame pointer version. No it's not really some weird uh some weird stuff here. Canary. Yeah.
This is this is this is more or less target overflow and so on. Yeah. This is the stack card. Yes. Simple stack smashing protection. Mhm. Yeah. It's more or less what I'm explaining, but this is some other some other stuff.
Mhm.
Tech protection.
There is there is used to be a really nice website. Um let me see maybe um maybe I can ask here uh uh what is a nice uh open resource to learn hacking techniques. Okay. And I think uh ports we know this is not the portiger thing. Uh no there is awesome hacking there are always the whole awesome websites uh so awesome something awesome this awesome hacking collection of so you just write awesome whatever if you go to a website with from GitHub you're going to see that some awesome stuff uh so awesome freebies yeah collection of awesome FreeBSD stuff Yeah, it's also here uh really cool and awesome hacking, asset discovery, bug bounting, cellular hacking, cyber security, CTFs uh uh uh not really. Uh SQL injection is uh is no longer no longer a big a big thing. I would say embedded IoT security infosc um main frame password tracking.
No, there's prompt injection. Oh, this is really cool. Uh but there is um other useful repositories. Well, there is quite a lot. Oh, the GTF bins. That's also pretty cool. Pre-programming hacker 101.
uh payloads, Linux kernel exploitation reging the the damn the damn website. How what is the name for that? Uh um hacking course online free. Try hackme. No ethical hacker. No. No.
No. I don't think it's this one here.
No, that's not the one.
It's It looks like an old website. Heck this site. No, no, no, no, no, no, no, no. You know, not the try hackme.
Definitely not.
Master Academy.
Is this the one? No, definitely not.
Ah, too many too many things here. Um, best website introduction.
Uh, hecker one. No, it's not the hacker one thing. No, definitely not. Um, maybe is is the Reddit still a thing or the was always a yes. Uh, white hacking uh computers. I recommend this. No, TM. So, you want to no hackers? No. Damn it.
There's a really nice There's a really nice website and I cannot find it now.
Um, with videos in Hindi tactical hacker try hacker. No, try hacker 101 as a not Udemy and all these kinds of things. No, no, no, no.
It's um I I don't know where where it went to but um No, no. Okay, it doesn't matter. So, everyone is selling hacking courses nowadays. Yeah. So, you can you can get these things everywhere. And there are a couple of of um of uh things like five hours of hacking course and and whatever. Yeah, if you have time for that then be my guest. Um the problem with this course is that you lose 5 hours here and then you didn't learn everything or maybe you didn't learn what you wanted to learn and then you maybe thinking that the ethical hacking for full course is there and then it's seven hours that you're going to lose and whatever. So, there should be some some good material. Um, and this website that I'm trying to search this had it does have some really nice things because it tells you exactly what you want to learn and it takes you to the resource that that that is there. But, um, yeah.
Anyways, I'm not happy that I didn't get ASLR running. I'm really um really a little bit um surprised. Um, but at least I I've shown the stack protector.
There is there are more things um could could discuss uh for for a little bit longer but um I think uh yeah uh it's uh it's really uh really interesting. Yeah, cyber security is it's it's the the stuff I work on.
So, um, yeah, the the fetch ID, that's why it's it's going back now a little bit full circle. Um, it's, um, it's not a buffer overflow or no, no, this is a this is a buffer overflow buffer.
Yeah, there we go. You see that? This is a buffer overflow. And so um they they explain exactly where is the local variable with the credentials and so on.
And there is a buffer overflow exactly like I shown before I shown with controlling the things and and whatnot and uh here they compute the capacity compute whatever and 60 bytes blah blah and there there you go. So it you don't have the uh the the capacity for for for doing whatever. I mean here how can we how can we say so let me if uh str len str bigger uh if this is bigger than 10 yeah bigger than 10 return something like that yeah so if you if you do stuff like this and test blah blah okay and now it's it's not no longer doing the things it's protected now okay so this is uh how you do the defensive programming. So um uh and there are the other functions which is for example strpy.
This is um copy strings. This is um the strpy is copying at most some length of characters. So it doesn't overflow doesn't allow the overflow because it it it does the the things correctly. So I'm just going to finalize this again. So uh and I'm fully aware that this is very late and I also need to go to bed. So so I'm going to say SDR and CPY and use here now number nine uh because of because of lots of things um and test here. So what you see is I say don't copy more than nine characters. Okay, one is the null terminator for the string. So here not nothing happens anymore. Okay.
No more no more buffer overflows.
And uh yeah this is the guard rail. This is basically the guardrail thing.
All right. Um I I went places I was not expecting at the at the beginning of the stream.
So yeah.
have I think I I I'll I'll I'll stop for for now. And um yeah, may maybe I do a video on the FetG. Um I initially I was thinking I'm just going to do the Fat G and then just stop the stream and then I'm going to make a V. I probably I can still make a video out of this if I I just take the first parts and ignore the last ones. Or or maybe not. Let's see. I tomorrow I think I need to go and play with my daughters.
Yeah. So I I think so. So thanks a lot.
I also think it it was also really fun for me the the the the stream today. So yeah, I'll I'll stop for now. It's 2 2:30 in the morning here almost.
So thanks uh thanks for being there and um I hope we can see each other then next time. Yeah. Take care and uh and bye-bye then. I'll stop the stream now.
Take care. Have a nice evening. Bye-bye.
We'll
Related Videos
Agentforce NOW AMA: Build with React and Salesforce Multi-Framework
SalesforceDevs
490 views•2026-05-28
How agent o11y differs from traditional o11y — Phil Hetzel, Braintrust
aiDotEngineer
450 views•2026-05-28
WEB TECHNOLOGIES UNIT-2 | Degree 4th sem BCOM Computers web technologies unit-2 full explanation💯✅
LearnwithSahera
1K views•2026-05-29
More tests are always better? How to use AI to identify tests that bring little value
Alliance4Qualification
335 views•2026-05-29
Search Algorithms Explained in 60 Seconds! 🤖💨
samarthtuliofficial
218 views•2026-06-01
People of Game of Thrones using JavaScript DOM
AltCampus
296 views•2026-05-30
Introduction to Problem Solving Part - 1 | Lecture 1 | Intermediate DSA
ascensionix
107 views•2026-05-29
🚀 BCS613C Compiler Design | Module 1 to 5 Schema Evaluation 🔥 | VTU 6th Sem 💯 #VTU #bcs613c #exam
Pranavaa-y4y
104 views•2026-06-02
