1
00:00:00,790 --> 00:00:02,670
Welcome back to Basic Exploit Development.

2
00:00:02,680 --> 00:00:08,680
Before we begin, as of module 5.5, we will have a bad character analysis portion for your OSCP exam.

3
00:00:11,320 --> 00:00:16,840
Offensive Security will supply you with a custom compiled binary containing about 12 bad characters for

4
00:00:16,840 --> 00:00:20,950
the exam, and they highly emphasize identifying the bad character section.

5
00:00:21,490 --> 00:00:27,400
Bad characters are basically hexadecimal bytes that do not properly render in the debugger.

6
00:00:27,700 --> 00:00:33,220
They either will or will not alter the following bytes within the debugger.

7
00:00:33,580 --> 00:00:37,960
So if it does not alter the following bytes, it's a render error.

8
00:00:38,830 --> 00:00:42,520
If it does alter the following bytes, it's a mangle and truncation error.

9
00:00:43,600 --> 00:00:47,860
Bad characters have to be eliminated by merely feeding the buffer all hexadecimal

10
00:00:47,860 --> 00:00:52,330
digits from 01 to FF and manually analyzing the stack in the debugger.

11
00:00:52,720 --> 00:00:56,380
00 is known as a universal null byte, so we eliminate it already.

12
00:01:00,390 --> 00:01:02,190
This is the incorrect render effect.

13
00:01:02,460 --> 00:01:04,379
We already eliminated 0A.

14
00:01:04,650 --> 00:01:09,750
So we're counting from 0B, 0C, and then 0D turns into 0E.

15
00:01:13,250 --> 00:01:15,350
This is the truncate mangling effect.

16
00:01:16,130 --> 00:01:22,640
Notice how 0A, which we eliminated in this section before proceeding to our previous slide,

17
00:01:24,010 --> 00:01:26,770
has turned into 29.

18
00:01:27,640 --> 00:01:32,470
But then notice how all of the bytes behind it are also mangled.

19
00:01:35,530 --> 00:01:38,140
You cannot eliminate each improperly rendered byte.

20
00:01:38,440 --> 00:01:44,050
You must begin with the first incorrect byte and eliminate from there using the repetitive process of

21
00:01:44,050 --> 00:01:45,310
bad character analysis.

22
00:01:48,900 --> 00:01:55,590
To start off the bad character elimination process, start off with the bad character Python script, which

23
00:01:55,590 --> 00:01:56,700
is in the course pack.

24
00:01:58,160 --> 00:02:01,340
And then insert it as a string within your proof of concept.

25
00:02:02,950 --> 00:02:06,940
Then fire your proof of concept and analyze the dump and stack.

26
00:02:09,530 --> 00:02:14,030
Then you mentally read each hexadecimal byte and compare against what you see in the debugger.

27
00:02:15,110 --> 00:02:17,480
So we eliminated 0A.

28
00:02:17,690 --> 00:02:23,030
So what you would do is you delete 0A and then you fire the proof of concept again.

29
00:02:23,510 --> 00:02:29,930
We then eliminated 0D, so we delete 0D and then you fire the proof of concept again.

30
00:02:30,410 --> 00:02:36,410
You must manually repeat this over and over again until there is no more truncation, mangling, or incorrect

31
00:02:36,410 --> 00:02:37,550
rendering of the bytes.

32
00:02:39,890 --> 00:02:42,410
To run a successful exploitation attempt,

33
00:02:42,680 --> 00:02:47,540
you need to generate shellcode that does not contain null characters, bad characters, or simply incorrect

34
00:02:47,540 --> 00:02:52,700
assembly opcodes, as they will either cause the application to crash or divert execution of the application

35
00:02:52,700 --> 00:02:54,050
away from our intended result.

36
00:02:54,680 --> 00:02:59,630
Without eliminating bad characters, attempting to generate shellcode results in non-functional, unreliable

37
00:02:59,630 --> 00:03:00,290
exploits.

38
00:03:00,590 --> 00:03:06,950
So either the application will crash, or the application will still run but now becomes unstable.

39
00:03:08,160 --> 00:03:12,570
We will use msfvenom with the -b parameter to specify our bad characters

40
00:03:12,570 --> 00:03:13,650
when generating shellcode.