1 00:00:00,900 --> 00:00:02,310 Let's see if we're recording this.
2 00:00:02,310 --> 00:00:03,240 We're recording.
3 00:00:03,270 --> 00:00:03,600 All right.
4 00:00:03,600 --> 00:00:04,710 Welcome back.
5 00:00:04,890 --> 00:00:07,170 So we know that we crashed.
6 00:00:08,160 --> 00:00:09,690 We can go back to Vim.
7 00:00:10,350 --> 00:00:14,150 We can still run the debugger before our payload.
8 00:00:14,160 --> 00:00:17,040 Or we can just press R and then Control-C out of it.
9 00:00:17,640 --> 00:00:22,340 And now we need to find the base address for the C standard library.
10 00:00:22,350 --> 00:00:25,710 The easiest way to do this is to type vmmap.
11 00:00:27,060 --> 00:00:28,680 Sorry, too many M's.
12 00:00:30,980 --> 00:00:37,150 Your C standard library for Ubuntu, which is the Ubuntu 20.04 version that I'm using,
13 00:00:37,160 --> 00:00:39,110 this Docker container, is located here.
14 00:00:39,500 --> 00:00:46,250 What you want to do is copy and paste this and save it as your base address, so we can use a new
15 00:00:46,250 --> 00:00:50,000 debugger feature called set.
16 00:00:50,090 --> 00:00:54,770 Dollar sign base equals this memory address.
17 00:00:55,070 --> 00:00:57,710 Then, if you want to print it, print it out.
18 00:00:57,710 --> 00:01:08,570 You can actually just do something like print hex, copy and paste that, minus dollar sign base.
19 00:01:10,370 --> 00:01:13,360 Which is the distance between this section and this section.
20 00:01:13,370 --> 00:01:18,710 Remember this, because this is actually a much more convenient method than the write-up that I wrote
21 00:01:18,710 --> 00:01:20,270 on Google Docs.
22 00:01:20,540 --> 00:01:24,260 So what you want to do is edit your exploitation script right now.
23 00:01:24,290 --> 00:01:33,200 We already know we can overwrite the return instruction pointer at 216 bytes, so we're going to comment
24 00:01:33,200 --> 00:01:33,890 this out.
25 00:01:34,250 --> 00:01:43,490 Then we're going to write libc base address equals this value.
26 00:01:48,290 --> 00:01:50,360 Now we need to find
27 00:01:53,330 --> 00:02:00,380 our shell function within this application, which means that it actually searches through all the modules.
28 00:02:00,380 --> 00:02:08,180 So in gdb-peda, all you have to do is type find, single quote, bin sh.
29 00:02:10,750 --> 00:02:13,880 This is the absolute address of /bin/sh.
30 00:02:13,960 --> 00:02:20,650 So what you do is, since we saved it as a base address, you just set another variable, set abs for
31 00:02:20,650 --> 00:02:23,530 absolute, and save it as that.
32 00:02:24,310 --> 00:02:30,460 If you want to find the offset: an offset is like a relative virtual address, but in Linux it's the distance
33 00:02:30,460 --> 00:02:42,250 between the very top of this memory address that's located for the standard library and the actual distance.
34 00:02:42,580 --> 00:02:48,730 So you can do a relative virtual address, that's a Windows term, but it's called an offset in Linux.
35 00:02:49,150 --> 00:02:54,340 And you can actually print out the distance, the offset.
36 00:02:54,940 --> 00:03:01,660 So it will be abs minus base.
37 00:03:04,130 --> 00:03:12,440 This value right here is the offset distance, so we can actually add a variable in our exploit for
38 00:03:12,440 --> 00:03:13,310 our ROP chain.
39 00:03:14,030 --> 00:03:25,370 So we go back to our IDE and then we can type shell equals libc base address plus this memory address.
40 00:03:31,610 --> 00:03:34,370 The next gadget you want to look for is system.
41 00:03:34,700 --> 00:03:38,900 So you want to go through this: p system.
42 00:03:40,250 --> 00:03:42,650 We found the absolute address of this.
43 00:03:42,890 --> 00:03:46,190 And to save time, we're going to do print hex,
44 00:03:47,660 --> 00:03:51,200 this address, minus dollar sign base,
45 00:03:52,960 --> 00:03:54,610 which is this offset.
46 00:03:57,500 --> 00:04:03,890 So we're going to type system equals libc base address plus this address.
47 00:04:10,080 --> 00:04:11,880 Finally, we need an exit call.
48 00:04:11,880 --> 00:04:13,320 So p exit.
49 00:04:14,280 --> 00:04:16,170 We have this absolute address.
50 00:04:18,720 --> 00:04:21,510 And we're going to do p slash x,
51 00:04:23,860 --> 00:04:26,320 this address, minus dollar sign base.
52 00:04:32,120 --> 00:04:36,470 Libc base address, plus this memory address.
53 00:04:38,750 --> 00:04:46,970 Now, I want you to find the other parts of your ROP gadgets, and we are going to be using ROPPER.
54 00:04:48,860 --> 00:04:49,550 Let me see.
55 00:04:50,210 --> 00:04:50,720 Yes.
56 00:04:50,720 --> 00:04:57,680 ROPPER. And I want you to use ROPPER against this specific shared object file, which is like a Linux
57 00:04:57,680 --> 00:04:58,850 version of a DLL.
58 00:04:59,780 --> 00:05:05,030 So we're going to do Control-B, Shift-5 to make another terminal, bash.
59 00:05:05,210 --> 00:05:06,110 ROPPER.
60 00:05:09,010 --> 00:05:10,120 This C library.
61 00:05:12,890 --> 00:05:13,490 Oops.
62 00:05:13,490 --> 00:05:14,030 Sorry.
63 00:05:14,270 --> 00:05:17,600 ropper, file.
64 00:05:29,370 --> 00:05:30,750 Let's let it load.
65 00:05:39,500 --> 00:05:41,390 My god, it's taking a while.
66 00:05:58,360 --> 00:05:59,110 Finally.
67 00:06:00,530 --> 00:06:13,830 So first we need to do is pop rdi, return. So search /1 pop rdi, because the way that x64 calling
68 00:06:13,860 --> 00:06:22,520 conventions work is that it requires you to send the first argument into rdi.
69 00:06:22,550 --> 00:06:29,690 What we're actually doing is that we're setting the shell variable to /bin/sh in the libc library
70 00:06:30,530 --> 00:06:33,860 as the first argument, in the rdi register.
71 00:06:34,040 --> 00:06:35,480 For one, those will be different.
72 00:06:35,480 --> 00:06:36,830 I will make another video
73 00:06:36,830 --> 00:06:44,990 explaining the 64-bit calling conventions, which is the main difference between that and 32-bit exploitation.
74 00:06:45,560 --> 00:06:52,400 So we have pop rdi equals libc base address plus this offset.
75 00:07:02,020 --> 00:07:08,980 Finally we need a return, because in 64-bit exploitation you need to properly align the stack.
76 00:07:09,010 --> 00:07:12,340 Otherwise the shellcode will just break.
77 00:07:13,030 --> 00:07:22,300 So we are going to look for search /1 ret, and we find one very conveniently right here.
78 00:07:24,010 --> 00:07:30,190 So we're going to do ret equals libc base address plus
79 00:07:31,890 --> 00:07:32,580 here.
80 00:07:37,860 --> 00:07:40,380 I think that will be enough for this module.
81 00:07:40,380 --> 00:07:46,470 And then in later modules we'll show you how to construct a proper ROP chain and exploit this and create
82 00:07:46,470 --> 00:07:47,190 our shell.