Welcome back to exploit development. In this section, we're going to cover Unicode exploits and structured exception handler overwrites.

The Unicode problem is that when a program or application uses Unicode encoding, usually for language compatibility reasons, if we try to inject a buffer into its memory space, each byte usually gets another byte appended. So 41, which is the capital letter A, becomes 41 00. Now, until 2002, which, this being 2020, is a long time ago, exploiting these applications was considered impossible, until Chris Anley published an article, "Creating Arbitrary Shellcode in Unicode Expanded Strings", that allows exploitation of Unicode-encoded applications using what is known as the Venetian Blinds technique. Shellcode utilizing this method is known as Venetian shellcode.

Now, Chris Anley did a lot of work in exploit development, and he actually wrote a book that I highly recommend, called The Shellcoder's Handbook. You can buy the second edition for about thirty-five dollars on Amazon.

In this module, on Triologic Media Player 8, we will use the Venetian Blinds technique to create Unicode-compatible exploits, safely overwrite the structured exception chain, create our own Venetian padding to align registers, introduce Unicode-compatible padding to reach our target register, and use the Alpha2 encoder to create Unicode-compatible shellcode.

Now, stack canaries have been fairly common since the early 2000s, but basically, if you use an SEH overwrite, it can evade the stack canary, because we never evaluate the stack canary, which is usually located far lower compared to the structured exception chain. So basically we abuse the overwrite, and usually, when we can locate a pop pop ret instruction that is Unicode compatible, we can avoid the stack canary because it never gets evaluated during execution. But it's not just necessary to overwrite the exception handler; an actual error must be triggered to exploit it. So attackers decide to overwrite so far past the virtual address space that the program triggers an exception. Once the structured exception handler, which is pretty much the last line of defense, is overwritten, we can actually insert a pop pop ret instruction to jump towards our target buffer and shellcode.

In this module, we're going to learn how to perform Unicode exploits, SEH overwrites, register alignment and payload encoding.