1
00:00:01,050 --> 00:00:01,890
Hi, everybody.

2
00:00:01,920 --> 00:00:08,940
Welcome back to Basic Exploit Development, and we're going to get started with our SLMail module.

3
00:00:09,480 --> 00:00:14,050
Now, before you do that, I want you to try to do a command.

4
00:00:14,370 --> 00:00:18,120
While you're running the POP3 server.

5
00:00:18,360 --> 00:00:19,410
So go to Start.

6
00:00:21,620 --> 00:00:22,250
SL Products.

7
00:00:22,520 --> 00:00:23,120
SLMail.

8
00:00:24,110 --> 00:00:27,390
Right click on SLMail Configuration and run as administrator.

9
00:00:27,410 --> 00:00:29,810
Click Yes. Control.

10
00:00:31,070 --> 00:00:41,060
So the port is open and I want you to type the command netsh. We'll actually go back to Start, clicking

11
00:00:41,060 --> 00:00:41,870
All Programs.

12
00:00:43,360 --> 00:00:47,170
Accessories, Command Prompt, run as administrator.

13
00:00:47,290 --> 00:00:47,890
Yes.

14
00:00:48,910 --> 00:00:50,440
I want you to try the command.

15
00:00:50,950 --> 00:00:55,000
netsh firewall set opmode disable.

16
00:00:58,050 --> 00:00:59,650
Command has finished successfully.

17
00:00:59,670 --> 00:01:05,220
This disables the internally built firewall so we can continue our penetration test of SLMail,

18
00:01:05,220 --> 00:01:08,970
and go back to your Kali instance.

19
00:01:09,960 --> 00:01:13,470
And type in the IP of your.

20
00:01:13,470 --> 00:01:14,940
Let's try to netcat to it.

21
00:01:15,440 --> 00:01:17,360
Netcat -nv.

22
00:01:17,610 --> 00:01:18,140
One, two, two.

23
00:01:18,150 --> 00:01:18,850
What's it say?

24
00:01:18,870 --> 00:01:21,690
122, 61, 25.

25
00:01:23,220 --> 00:01:24,770
Yes, it's running.

26
00:01:24,780 --> 00:01:25,710
Try port 110.

27
00:01:26,650 --> 00:01:27,060
Yes.

28
00:01:27,070 --> 00:01:27,580
It's running.

29
00:01:28,180 --> 00:01:28,450
Good.
30
00:01:29,230 --> 00:01:35,860
Now go back, because everything's working now, so we can just flood the system with our fuzzer.

31
00:01:36,780 --> 00:01:37,590
And run Immunity

32
00:01:37,710 --> 00:01:38,130
Debugger.

33
00:01:39,060 --> 00:01:41,340
Right click, Run as administrator.

34
00:01:42,090 --> 00:01:42,600
Yes.

35
00:01:44,270 --> 00:01:44,860
File.

36
00:01:45,230 --> 00:01:45,890
Attach.

37
00:01:47,140 --> 00:01:48,010
Sort by name.

38
00:01:50,130 --> 00:01:50,730
So now.

39
00:01:53,960 --> 00:01:55,670
And then, because it's paused,

40
00:01:56,210 --> 00:01:56,900
press play.

41
00:02:00,760 --> 00:02:04,660
Now go back to your Kali machine, and I want you to take down the script.

42
00:02:07,310 --> 00:02:07,850
Yes.

43
00:02:08,000 --> 00:02:10,100
Gimme some of that fuzzer.

44
00:02:13,620 --> 00:02:17,350
So this is going to increment the buffer of A's.

45
00:02:17,370 --> 00:02:21,930
So we're going to send to it, by 200 characters more each time it sends to it.

46
00:02:22,860 --> 00:02:32,520
As you can see, it just sends the string of A's to our target IP address at port 110 and then it quits

47
00:02:32,520 --> 00:02:38,430
the session as soon as it attempts to send the string, because that means that program has not yet

48
00:02:38,430 --> 00:02:39,060
crashed.

49
00:02:40,110 --> 00:02:41,150
So let's run this.

50
00:02:45,490 --> 00:02:45,880
Let's see.

51
00:02:45,880 --> 00:02:51,670
How many times do we need to do this before it crashes?

52
00:02:56,180 --> 00:02:58,550
Now there is a weird quirk about SLMail.

53
00:03:01,360 --> 00:03:02,680
See now the problem, right?

54
00:03:12,880 --> 00:03:20,950
Somewhere within the 2700 range to the 2900 range, SLMail crashed.

55
00:03:37,700 --> 00:03:38,930
Finally we see a crash.

56
00:03:40,070 --> 00:03:42,140
So let's go back now.
57
00:03:42,140 --> 00:03:49,190
Because of the way that we wrote the Python code, it's actually somewhere just over 2700 bytes that crashed,

58
00:03:50,690 --> 00:03:51,920
not 2900.

59
00:03:52,280 --> 00:03:53,300
If you look at the script.

60
00:03:54,820 --> 00:03:56,980
Because with the fuzzer,

61
00:03:57,620 --> 00:04:00,160
when I send it, it prints it out.

62
00:04:00,160 --> 00:04:03,580
But it doesn't actually send out a buffer of 2900 A's.

63
00:04:04,690 --> 00:04:10,720
Now, go back and I want you to look at something very, very, very interesting.

64
00:04:11,530 --> 00:04:17,350
Notice that the extended instruction pointer, EIP, says 41414141.

65
00:04:18,100 --> 00:04:25,570
This leads to the possibility that we might be able to hijack execution of this program if we replace

66
00:04:25,570 --> 00:04:31,570
this with something like a JMP ESP, a CALL ESP, or a jump index.

67
00:04:32,500 --> 00:04:34,490
It's a very interesting situation.

68
00:04:35,200 --> 00:04:42,700
And if we go to the extended stack pointer, ESP, and follow it in dump, you'll notice it's written as hexadecimal

69
00:04:42,700 --> 00:04:45,490
letter A's, that's \x41, or 0x41.

70
00:04:49,610 --> 00:04:51,730
And we have some buffer space to play with.

71
00:04:56,540 --> 00:05:04,850
So this is the first section of SLMail, and we are going to continue to work on this until we build

72
00:05:04,850 --> 00:05:06,800
a successful proof of concept exploit.