1
00:00:00,420 --> 00:00:03,000
All right, everybody, welcome back to Basic Exploit Development.

2
00:00:03,000 --> 00:00:08,370
I hope you are excited for our first section of the course, which is exploiting the libhttpd daemon.

3
00:00:09,240 --> 00:00:10,620
Sorry, I just had a test run.

4
00:00:12,930 --> 00:00:13,460
Clear.

5
00:00:14,190 --> 00:00:14,610
All right.

6
00:00:15,120 --> 00:00:21,240
So within your course path, you're going to have a file called libhttpd daemon.

7
00:00:21,240 --> 00:00:21,560
Right.

8
00:00:22,320 --> 00:00:25,310
I want you to do gdb libhttpd.

9
00:00:25,710 --> 00:00:26,940
Remember to have gdb

10
00:00:26,940 --> 00:00:27,710
PEDA installed.

11
00:00:28,500 --> 00:00:29,310
And I want you to run.

12
00:00:29,400 --> 00:00:30,990
Run Dashty irritating.

13
00:00:33,000 --> 00:00:41,970
Now, Ctrl+B, Shift, double quote, to break the pane into two halves and have a vertical pane,

14
00:00:42,030 --> 00:00:43,470
or I mean a horizontal bottom.

15
00:00:44,340 --> 00:00:46,380
Now I want you to do, let's see:

16
00:00:48,230 --> 00:00:53,420
Echo, pipe, netcat, Dushanbe, localhost.

17
00:00:53,690 --> 00:00:54,480
Eighty eighty.

18
00:00:59,170 --> 00:01:03,950
POST, space, dollar sign, open parentheses.

19
00:01:04,970 --> 00:01:06,150
Python -c.

20
00:01:08,260 --> 00:01:09,920
Let's see, what should I do?

21
00:01:10,280 --> 00:01:13,570
Uh, print A times

22
00:01:13,660 --> 00:01:14,500
fourteen hundred.

23
00:01:17,550 --> 00:01:18,450
Press Enter.

24
00:01:20,420 --> 00:01:28,910
Ctrl+C out of it and you will crash the program. Ctrl+D to close the bottom pane and take a

25
00:01:28,910 --> 00:01:34,340
look at the EIP register. The EIP register says forty-one forty-one, forty-one forty-one.

26
00:01:34,400 --> 00:01:38,360
As you can tell, it translates into four hexadecimal A's right here.

27
00:01:39,140 --> 00:01:43,290
Now, this shows that we have a possibility of controlling EIP.

28
00:01:43,790 --> 00:01:50,540
So in order to find EIP, we need to create a cyclic pattern with pattern_create, with a pattern which is the

29
00:01:50,540 --> 00:01:54,350
length of fourteen hundred, fourteen hundred.

30
00:01:57,950 --> 00:01:58,820
This might take a minute.

31
00:02:12,930 --> 00:02:13,230
All right.

32
00:02:13,260 --> 00:02:13,830
Welcome back.

33
00:02:13,860 --> 00:02:23,810
We have generated our cyclic pattern in about two minutes of waiting, so let's copy all this, starting

34
00:02:23,820 --> 00:02:24,540
with the A's.

35
00:02:25,830 --> 00:02:28,920
Now, here's a trick that I use says Redress.

36
00:02:29,010 --> 00:02:30,130
Just using the castle.

37
00:02:30,990 --> 00:02:31,500
Let's see.

38
00:02:35,160 --> 00:02:36,520
What's this?

39
00:02:38,600 --> 00:02:39,830
Run nationally, 8080.

40
00:02:40,800 --> 00:02:46,710
So after copying and pasting what's on the bottom, I want you to set an environment variable named mapstring:

41
00:02:47,280 --> 00:02:48,900
mapstring equals.

42
00:02:51,490 --> 00:03:04,450
Then I want you to do: echo POST, space, dollar, mapstring, pipe, netcat in the localhost 8080.

43
00:03:10,160 --> 00:03:14,270
Ctrl+C out of it to finish the POST, and then we can crash the program again.

44
00:03:14,660 --> 00:03:21,110
Ctrl+D to close the bottom pane, and we have EIP overwritten with this value.

45
00:03:22,460 --> 00:03:23,960
Ignore the 0x in the front.

46
00:03:24,590 --> 00:03:26,300
Just take note of the value right here.

47
00:03:26,920 --> 00:03:28,400
My display will take care of the rest.

48
00:03:29,840 --> 00:03:31,130
So let's see.

49
00:03:35,590 --> 00:03:37,060
Just copy and paste this.

50
00:03:39,940 --> 00:03:40,310
MSF.

51
00:03:42,550 --> 00:03:46,580
pattern_offset, dash q, then copy-paste.

52
00:03:50,910 --> 00:03:53,460
And we have an exact match at offset 1048.

53
00:03:53,810 --> 00:03:54,290
Excellent.

54
00:03:54,800 --> 00:03:57,170
So let's exit this.

55
00:04:00,330 --> 00:04:04,890
It's important to note that while you exploit this program, you need to write the proper iptables

56
00:04:04,890 --> 00:04:08,640
rules, so let's type iptables.

57
00:04:10,050 --> 00:04:18,149
Dash A INPUT, dash p tcp, destination port 8080.

58
00:04:18,149 --> 00:04:20,970
Backslash, exclamation point, localhost.

59
00:04:22,230 --> 00:04:23,370
Dashti a DROP.

60
00:04:28,170 --> 00:04:28,410
All right.

61
00:04:28,440 --> 00:04:29,200
Destination.

62
00:04:31,590 --> 00:04:32,190
Dashti.

63
00:04:34,460 --> 00:04:42,800
iptables, dash A INPUT, dash p tcp, destination port four four four four four, backslash, exclamation point,

64
00:04:43,130 --> 00:04:46,810
Dashti localhost, Dashner DROP.

65
00:04:50,490 --> 00:04:50,920
All right.

66
00:04:51,060 --> 00:04:53,620
Now, let's restart this program again.

67
00:05:01,480 --> 00:05:02,830
From the bottom.

68
00:05:03,490 --> 00:05:04,150
Let's see.

69
00:05:05,620 --> 00:05:08,340
We're going to print 1048 A's

70
00:05:12,620 --> 00:05:15,290
plus B's

71
00:05:17,450 --> 00:05:22,130
times four, plus C's times

72
00:05:24,870 --> 00:05:27,420
fourteen hundred minus 1048 minus four.

73
00:05:32,750 --> 00:05:34,100
And what do we have here?

74
00:05:34,220 --> 00:05:34,610
Let's see.

75
00:05:34,640 --> 00:05:41,240
Ctrl+D. And our EIP register is clearly overwritten with four B's.

76
00:05:42,980 --> 00:05:49,280
Not to mention that our ESP, extended stack pointer, repeats 200 times and has C's.

77
00:05:51,620 --> 00:05:53,880
So this is a very straightforward exploit.

78
00:05:53,960 --> 00:05:54,830
I like this.