1
00:00:01,260 --> 00:00:01,710
Okay.

2
00:00:01,740 --> 00:00:05,610
Welcome back to Introduction to Exploit Zero-Day Discovery and Development.

3
00:00:05,610 --> 00:00:13,560
And here we are going to cover canary bypasses and the basics of GNU Compiler Collection StackGuard.

4
00:00:14,850 --> 00:00:20,820
So stack canaries are also known as stack cookies and they are one of the earliest mitigations for buffer

5
00:00:20,820 --> 00:00:22,320
overflow attacks.

6
00:00:22,950 --> 00:00:30,720
Basically the stack canary is a dynamically generated value, which is then placed between the point

7
00:00:30,720 --> 00:00:35,580
where the buffer is being overflowed and the instruction pointer.

8
00:00:36,000 --> 00:00:42,150
A stack check function is actually executed to check whether the canary is the same value and if it

9
00:00:42,150 --> 00:00:48,180
is not the same value, it actually exits with "stack smashing detected" as an error.

10
00:00:48,420 --> 00:00:51,420
So there are many methods to bypass this.

11
00:00:51,420 --> 00:00:57,480
However, if you are dealing with a stack canary, you cannot land a ROP chain because you will not

12
00:00:57,480 --> 00:01:01,230
be able to reach an instruction pointer without bypassing the canary.

13
00:01:02,610 --> 00:01:09,810
So we are going to cover the basic terminator canary type, which often ends with a byte of a known

14
00:01:09,810 --> 00:01:15,210
value, such as a null byte or a hex F or something like that.

15
00:01:17,190 --> 00:01:20,190
So, stack canary bypass methodologies.

16
00:01:20,190 --> 00:01:26,550
Now on Windows, we actually did use a methodology that could bypass stack canaries on Windows, and

17
00:01:26,550 --> 00:01:29,040
it's called a structured exception handler overwrite.

18
00:01:29,040 --> 00:01:36,270
So you overwrite the stack in such a way that it actually causes a memory access violation, which triggers

19
00:01:36,270 --> 00:01:36,840
the exception

20
00:01:36,840 --> 00:01:42,750
handler. And now we can exploit and overwrite the structured exception handler chain totally to get code

21
00:01:42,750 --> 00:01:43,590
execution.

22
00:01:43,590 --> 00:01:45,330
This was covered in our Structured

23
00:01:45,330 --> 00:01:48,240
Exception Handler Overwrite and Unicode exploit module.

24
00:01:48,420 --> 00:01:55,140
The second method is indirect calls, so you can store indirect calls or functions in some place in the

25
00:01:55,140 --> 00:01:59,520
stack and manually call it to bypass the canary without having the canary being evaluated.

26
00:02:00,000 --> 00:02:06,030
But the most common method is to brute force or leak the canary and repair it before it gets evaluated.

27
00:02:06,030 --> 00:02:12,420
I just want to point out that all stack canaries are dynamically generated.

28
00:02:12,420 --> 00:02:17,730
So that means that each time at runtime the canaries are always a different value.

29
00:02:18,240 --> 00:02:23,460
So we will use the last option because it's a very well known method that works on multiple platforms.

30
00:02:24,810 --> 00:02:25,400
Oh, my God.

31
00:02:28,780 --> 00:02:31,990
Leaking the stack canary via format string attacks.

32
00:02:31,990 --> 00:02:34,160
So, programming bugs.

33
00:02:34,180 --> 00:02:35,320
Let me turn off my phone.

34
00:02:35,500 --> 00:02:43,660
Programming bugs often allow the leakage of memory addresses and arbitrary values, including those of stack

35
00:02:43,660 --> 00:02:44,380
canaries.

36
00:02:44,380 --> 00:02:48,040
These are known as format string bugs or format string vulnerabilities.

37
00:02:48,040 --> 00:02:53,080
Stack canaries are dynamically generated at runtime, meaning the value is different each time you run it,

38
00:02:53,080 --> 00:02:54,250
like I keep mentioning.

39
00:02:54,490 --> 00:02:59,920
So in this link right here, you can actually check out what a format string attack is.

40
00:03:00,610 --> 00:03:06,400
Basically format string bugs are different and depending on what kind of format strings you can print

41
00:03:06,400 --> 00:03:15,610
them as decimal or hex, you can print out values of the stack, you can leak the base address for

42
00:03:15,610 --> 00:03:18,730
Windows exploits to bypass address space layout randomization.

43
00:03:18,730 --> 00:03:21,490
But that's not the ASLR bypass method for Linux.

44
00:03:21,490 --> 00:03:25,900
However, right now we're just fixated on bypassing the stack canary.

45
00:03:27,430 --> 00:03:34,060
So in this section, our stack canary bypass, after we leak the stack canary via a format string bug,

46
00:03:34,060 --> 00:03:36,550
remember it's actually dynamically generated.

47
00:03:36,790 --> 00:03:42,550
We inject and repair the canary between the point where the buffer begins to overflow and the return instruction

48
00:03:42,550 --> 00:03:43,150
pointer.

49
00:03:43,150 --> 00:03:48,220
We then land our basic ROP chain from the previous exercise to obtain code execution and a shell.

50
00:03:48,370 --> 00:03:52,660
This will be the first time we will extensively use pwntools because of the features that greatly

51
00:03:52,660 --> 00:03:57,520
facilitate exploit development, building ROP chains and interacting with spawned shells.