Nice overview of IPv6. It took me a while to figure out it was using privacy extensions, and my day-old SNMP dump was worthless.
I would also add that this is a nice bof privesc to practice with; all defences are disabled. So even if you're not used to gdb, you can still pull off a ret2libc using strings, readelf, and strace.
Thank you for the video! I have one small question regarding subnetting in IPv6. You mentioned the upper bound for fe80:/10 is febf:ffffff at 15:25 of your video. 1100b is 0x12 in decimal, as you said. However, it represents 0xc in hex. How did you manage to get 0xb (the b in febf)?
Thanks for the video. I created my own vulnerable program instead of using "chal", as I think in the future we may not easily find a suitable program to exploit. I wrote a simple .c program and was able to simulate the overflow effect on the .20 machine.
However, when I ran the program and tried to find out the BUF_SIZE via pattern_offset.rb, it returned the following message:
[*] No exact matches, looking for likely candidates…
When I run my own program, gdb returns the address 0x800005a4.
I believe it would not be the same as the address in the video, but why can't my program return the offset number?
Following is the super simple program I googled. Any hint is highly appreciated. Thanks!