1
00:00:00,660 --> 00:00:01,300
Hello again.

2
00:00:01,330 --> 00:00:03,660
Welcome to part two of Egg Hunters.

3
00:00:04,170 --> 00:00:11,430
And this time we're going to generate ourselves a cyclic pattern so we can locate exactly where we are

4
00:00:11,430 --> 00:00:13,410
just about to overwrite EIP.

5
00:00:14,150 --> 00:00:14,260
So.

6
00:00:14,430 --> 00:00:18,690
msf-pattern_create -l 3956.

7
00:00:24,510 --> 00:00:25,920
Copy and paste this up there.

8
00:00:29,220 --> 00:00:36,390
This is commonly known as a cyclic pattern because, like I said in earlier videos, this cycles between

9
00:00:36,390 --> 00:00:36,870
every

10
00:00:38,680 --> 00:00:41,050
four bytes, every four characters.

11
00:00:41,800 --> 00:00:45,970
And we're just looking for the moment where we're about to overwrite EIP, as usual.

12
00:00:46,720 --> 00:00:50,710
If you guys have watched the other videos beforehand, you already know what's going on.

13
00:00:54,970 --> 00:00:57,040
So let's just restart the debugger.

14
00:01:03,510 --> 00:01:04,170
File.

15
00:01:05,280 --> 00:01:06,540
Run vulnserver.

16
00:01:07,260 --> 00:01:08,070
Double-click.

17
00:01:11,840 --> 00:01:12,860
Proof of concept two.

18
00:01:15,830 --> 00:01:16,720
That's not working.

19
00:01:17,050 --> 00:01:22,030
That's because you need to press play one more time, and we get this value.

20
00:01:22,240 --> 00:01:25,960
The value is 63 41 33 63.

21
00:01:26,260 --> 00:01:28,930
I think you guys already know what to do with this.

22
00:01:30,930 --> 00:01:36,150
But basically we are now going to use pattern_offset to locate the section where we're about to overwrite EIP.

23
00:01:43,610 --> 00:01:46,460
So it's 63

24
00:01:49,950 --> 00:01:53,850
41 33 63.

25
00:02:02,710 --> 00:02:06,910
And we have an exact match at offset 74. Egg hunters.
26
00:02:07,450 --> 00:02:14,080
This offset value is going to be very, very important in the development process because

27
00:02:14,080 --> 00:02:18,340
we will eventually have to perform a short jump to reach our egg hunter,

28
00:02:19,400 --> 00:02:25,880
to be able to activate the egg hunter and allow it to scan the virtual address space.

29
00:02:30,950 --> 00:02:36,950
So let's just verify this. Remember, standard exploit development process: verify that this actually works.

30
00:02:38,540 --> 00:02:40,320
So we're going to change evil_string.

31
00:02:40,770 --> 00:02:42,600
I'll have these files available for you.

32
00:02:44,480 --> 00:02:57,050
evil_string = "A"*70 + "B"*4 + "C"*(256

33
00:02:57,050 --> 00:02:58,460
- 4 - 70).

34
00:03:05,820 --> 00:03:07,680
All right, let's restart the process.

35
00:03:19,860 --> 00:03:20,910
Double-click, play.

36
00:03:24,180 --> 00:03:30,060
Python proof of concept, play again.

37
00:03:32,430 --> 00:03:39,480
And we verified that we found 42 42 42 42, which is basically four hex Bs.

38
00:03:39,690 --> 00:03:46,380
I'm pretty sure all of you already know how this works, but now we are proving we are able to hijack

39
00:03:46,380 --> 00:03:52,500
execution by just giving it a little-endian address that has been reversed, a return address to something like

40
00:03:52,540 --> 00:03:55,110
JMP ESP within the program.

41
00:03:55,830 --> 00:03:56,700
Restart this.

42
00:04:00,260 --> 00:04:02,270
Vulnserver.

43
00:04:03,410 --> 00:04:04,340
Double-click, play.

44
00:04:05,780 --> 00:04:07,580
And use the command

45
00:04:07,610 --> 00:04:09,500
!mona jmp

46
00:04:09,740 --> 00:04:11,150
-r esp.

47
00:04:15,520 --> 00:04:16,660
This will take a while.

48
00:04:22,350 --> 00:04:22,690
All right.

49
00:04:22,710 --> 00:04:24,960
Click on View, Log.
50
00:04:27,130 --> 00:04:34,990
And we are going to look for a JMP instruction that does not have ASLR, does not have a Safe Structured

51
00:04:34,990 --> 00:04:43,180
Exception Handler, does not have the non-executable bit, which means you're able to bypass ASLR and Data Execution

52
00:04:43,180 --> 00:04:43,690
Prevention.

53
00:04:44,110 --> 00:04:46,510
Now, remember, this is a Windows XP box.

54
00:04:46,680 --> 00:04:50,020
Windows XP never had these working protections,

55
00:04:50,050 --> 00:04:52,870
not until Windows Vista started being released.

56
00:04:52,990 --> 00:04:56,020
Then they had address space layout randomization.

57
00:04:56,680 --> 00:05:01,060
So out of all of these, you can just use any of them.

58
00:05:02,880 --> 00:05:04,830
But I'm going to choose the first one.

59
00:05:05,850 --> 00:05:09,030
And I'm going to copy the address to the clipboard.

60
00:05:13,510 --> 00:05:17,350
And then let's use the CPU view again.

61
00:05:21,240 --> 00:05:22,800
Minimize this to see better.

62
00:05:25,570 --> 00:05:26,860
And we're going to

63
00:05:27,830 --> 00:05:31,190
go to, or just go to, Go to expression.

64
00:05:34,820 --> 00:05:36,560
Then click on this.

65
00:05:38,940 --> 00:05:40,920
Double-click to add a breakpoint right there.

66
00:05:44,310 --> 00:05:49,320
And we're going to see if we can hijack the execution.

67
00:05:56,170 --> 00:05:58,240
So let's make a variable.

68
00:06:00,130 --> 00:06:01,420
jmp_esp =

69
00:06:04,750 --> 00:06:06,370
So let's take a look at that.

70
00:06:06,700 --> 00:06:15,400
That was in little endian. The memory address is 625011AF; in little endian, it would be AF

71
00:06:19,670 --> 00:06:23,570
11 50 62.

72
00:06:28,490 --> 00:06:32,870
So we're going to replace the Bs with jmp_esp.

73
00:06:36,420 --> 00:06:38,460
And let's try to run the proof of concept again.

74
00:06:38,580 --> 00:06:39,600
Proof of concept again.

75
00:06:40,740 --> 00:06:41,010
So.

76
00:06:41,010 --> 00:06:41,370
Here.
77
00:06:42,000 --> 00:06:42,720
Press play.

78
00:06:46,830 --> 00:06:47,460
Python.

79
00:06:51,030 --> 00:06:51,830
Proof of concept two.

80
00:06:52,970 --> 00:06:54,980
We hit our breakpoint, as you can see.

81
00:06:56,800 --> 00:06:58,630
We're going to step into this one right here.

82
00:06:58,870 --> 00:07:00,730
That's two buttons away from the play button.

83
00:07:04,640 --> 00:07:07,100
And now we landed where our Cs are at.

84
00:07:12,170 --> 00:07:19,220
Now we would continue to do things such as brute-forcing the bad characters for information.

85
00:07:19,520 --> 00:07:23,780
We already did this before, and the only bad character was the null byte.

86
00:07:24,410 --> 00:07:26,480
There is nothing else you should be worrying about.

87
00:07:26,870 --> 00:07:35,720
But for the general exploit development process, for exploiting a vulnerability in one of your applications,

88
00:07:35,870 --> 00:07:38,450
you must always focus on bad character analysis.

89
00:07:38,750 --> 00:07:42,620
But I will tell you right now that the only bad character in this program is null,

90
00:07:42,830 --> 00:07:43,280
which is

91
00:07:44,910 --> 00:07:45,270
there.