1 00:00:00,630 --> 00:00:01,200 Hello again.
2 00:00:01,200 --> 00:00:03,780 Welcome back to Basic Exploit Development: Egg Hunters.
3 00:00:04,170 --> 00:00:09,510 And today we're going to show you how to generate bogus shellcode to see if we can find another buffer
4 00:00:09,810 --> 00:00:13,410 for this egg hunter code right here to work.
5 00:00:13,860 --> 00:00:19,560 Remember, we already resolved the issue where it kind of would not run, because we jumped back 70 bytes
6 00:00:19,950 --> 00:00:22,680 right after our jump ESP instruction.
7 00:00:23,310 --> 00:00:29,340 So that way we always land in this egg hunter and this will hunt for our egg, which is built in great
8 00:00:29,340 --> 00:00:29,730 speed.
9 00:00:29,810 --> 00:00:31,260 W00t.
10 00:00:33,480 --> 00:00:38,130 So right now we need to locate a second buffer to see if we can actually find anything.
11 00:00:42,430 --> 00:00:45,550 What you want to do is generate a cyclic pattern again.
12 00:00:50,630 --> 00:00:52,700 Of a thousand bytes, just to make sure.
13 00:01:03,250 --> 00:01:05,410 We already have that cyclic pattern right here.
14 00:01:07,900 --> 00:01:08,410 Okay.
15 00:01:10,510 --> 00:01:12,370 We will add a new cyclic pattern.
16 00:01:19,730 --> 00:01:27,080 And then we're going to use a separate command in this vulnerable application so that we can figure out
17 00:01:27,080 --> 00:01:28,190 what is going on.
18 00:01:54,200 --> 00:01:57,140 All right, so let's call this shellcode.
19 00:02:01,680 --> 00:02:04,650 And then we're going to create another command.
20 00:02:07,110 --> 00:02:10,860 So articles talking to us, talking on the score.
21 00:02:10,860 --> 00:02:13,770 I'm not so a good fox dream.
22 00:02:16,230 --> 00:02:18,750 And then we're going to see if we can find this.
23 00:02:19,290 --> 00:02:20,250 And what tools?
24 00:02:21,700 --> 00:02:25,350 Cheetah like must show code.
25 00:02:27,910 --> 00:02:39,050 Best practice: make sure to always use two parentheses. The IP address is always a string and, of course, always
26 00:02:39,050 --> 00:02:39,590 an integer.
27 00:02:41,080 --> 00:02:44,290 I received 24 of us and a man.
28 00:02:44,710 --> 00:02:47,080 One that's not close.
29 00:02:57,010 --> 00:02:57,760 Save that.
30 00:03:05,150 --> 00:03:06,560 Let's just take a review of the code.
31 00:03:10,560 --> 00:03:15,870 So remember, we're trying to send this to locate a second, larger buffer that we can fit our shellcode
32 00:03:15,870 --> 00:03:19,110 into, and then we want the egg hunter to find it.
33 00:03:21,020 --> 00:03:29,150 So let's first just test that we can actually see this, that all 1000 bytes of it would actually fit.
34 00:03:29,750 --> 00:03:35,660 So this time we're going to try a new command and one of the libraries for a buffer.
35 00:03:36,560 --> 00:03:41,890 And it's going to find the cyclic pattern that we just generated as the shellcode.
36 00:03:46,240 --> 00:03:48,490 So let's close out this.
37 00:03:49,580 --> 00:03:50,180 Restart?
38 00:03:51,760 --> 00:03:53,020 This vulnerable server.
39 00:03:57,800 --> 00:03:59,050 The two accounts that began.
40 00:04:02,740 --> 00:04:03,220 So.
41 00:04:09,640 --> 00:04:12,970 Find a bona fide amnesty.
42 00:04:17,970 --> 00:04:19,110 Let me maximize this.
43 00:04:20,459 --> 00:04:26,940 So we did locate another section of the buffer, or of the program itself, that has a thousand byte length
44 00:04:27,510 --> 00:04:28,050 right here.
45 00:04:29,150 --> 00:04:35,930 So we know that somewhere else in this program, we actually have a way of 800 to reach it.
46 00:04:38,820 --> 00:04:39,630 So go back.
47 00:04:43,410 --> 00:04:44,640 Now if you concept.
48 00:04:46,440 --> 00:04:47,970 And let's make a shellcode of
49 00:04:51,330 --> 00:04:55,050 w00tw00t plus 1000 A's.
50 00:04:55,710 --> 00:04:57,300 Remember, what is our egg?
51 00:04:58,170 --> 00:05:05,730 The egg hunter scans virtual address space four bytes at a time until it finds a double instance of the
52 00:05:05,730 --> 00:05:06,090 egg.
53 00:05:06,330 --> 00:05:08,010 Why not a single egg?
54 00:05:08,400 --> 00:05:11,050 Well, if the suns and moons align the correct way,
55 00:05:11,070 --> 00:05:17,430 you might run into the situation where, right within memory, there would have been just a single w00t.
56 00:05:17,910 --> 00:05:23,940 And then your egg hunter would mistakenly try to execute it, causing the execution to be diverted.
57 00:05:23,940 --> 00:05:25,050 And you won't get a shell.
58 00:05:25,650 --> 00:05:27,420 That's why they use two eggs.
59 00:05:34,060 --> 00:05:36,340 Let's see if I'm doing our thing correctly.
60 00:05:43,480 --> 00:05:47,500 All right, let's detach the debugger.
61 00:05:49,310 --> 00:05:49,730 Oops.
62 00:05:52,080 --> 00:05:53,030 I mean debugger.
63 00:05:53,080 --> 00:05:55,510 File server.
64 00:05:57,440 --> 00:06:00,140 Darren go to.
65 00:06:02,470 --> 00:06:07,180 Our jump ESP instruction, add a breakpoint by clicking at.
66 00:06:13,100 --> 00:06:13,220 Hi.
67 00:06:15,650 --> 00:06:16,010 Hi.
68 00:06:17,310 --> 00:06:18,540 We hit our breakpoint.
69 00:06:19,500 --> 00:06:20,370 Step into it.
70 00:06:22,220 --> 00:06:22,880 Short jump.
71 00:06:23,820 --> 00:06:24,780 To our egg hunter.
72 00:06:27,240 --> 00:06:30,720 And let's put a museum up for a bit.
73 00:06:33,340 --> 00:06:34,900 Let's put this.
74 00:06:35,470 --> 00:06:35,860 Yes.
75 00:06:36,040 --> 00:06:37,540 Put your breakpoint in a second.
76 00:06:38,910 --> 00:06:41,340 Command S.A.S.
77 00:06:44,310 --> 00:06:45,440 And keep incrementing.
78 00:06:56,370 --> 00:06:57,240 Skip over here.
79 00:07:02,990 --> 00:07:07,850 As you can see from the right, this is how the counter is constantly incrementing.
80 00:07:08,300 --> 00:07:10,970 So press play to jump over to this section right here.
81 00:07:15,460 --> 00:07:17,710 And look, our egg is right there.
82 00:07:20,300 --> 00:07:24,320 Within the index register, so we successfully located the egg.
83 00:07:28,590 --> 00:07:32,670 And then it will have to execute it, which is now the A's.
84 00:07:33,540 --> 00:07:38,910 And now we can put our malicious code inside where these A's are at.