Hey. So welcome back to Introduction to Exploit and Zero Day Discovery and Development. This is going to be the final section of our summer 2022 remastering. There will be more content coming after winter 2022, so after December. But right now we're going to cover 64-bit Linux ASLR bypasses.

So briefly, ASLR was not even optimized or even used for almost half a decade when it first came out, and there are actually multiple implementations of ASLR. They may randomize the first two bytes of a Windows application for a 32-bit Windows operating system. They might randomize the last four bytes for our Linux 64-bit system. Implementations of address space layout randomization really differ between the time, the operating system platform and architecture, but for some time, address space layout randomization was not fully utilized because it was causing performance implications, and to bypass ASLR it was as simple as basically loading or picking out functions or sections of the buffer of dynamic link libraries or shared object libraries that do not have ASLR protection compiled with them. However, while that was the norm a decade ago, many binaries now have ASLR enabled by default. Being able to bypass address space layout randomization, non-executable data, data execution prevention, stack canaries and buffer overflow protection is essential for modern user-mode exploit development.
So in this section of the course, we have four bypasses using shellcode-less ROP chains. Now, normally I don't distinguish the difference between shellcode-less and shellcode-involved ROP chains, except that a shellcode-involved ROP chain actually puts your shellcode right on the stack and then has the ROP chain point to it. But we can do shellcode-less, so it's just an entirely Turing-complete function. That means Turing as in Alan Turing, the man who created what he called the automatic machine, or the Turing machine. So when we take over the instruction pointer, we're going to use a ROP chain first to abuse an unused shell function call, then a misconfigured syscall to a binary, and then a more advanced overwrite to the data segment with a syscall. And finally, which is where I'm going to cover a lot more detail in this lecture, is our ret2plt attack, our most advanced subject, which will be the focus of this section of the course.

So PLT stands for procedure linkage table and the GOT is called the Global Offset Table. So if you read the documentation, which I'm going to put in the resources for you in this lecture: basically when you compile a language with ASLR enabled, compile a C program that's dynamically linked, it does not have a global offset table entry.
You actually have to run the program first so that the linker for your operating system can actually get the offset for the function that you're trying to do. So here we are trying to figure out how to call printf to print a string. We don't have a global offset table entry yet. However, it's going to call the linker, the linker is going to provide an offset, and then the global offset table is going to be populated with the offset of the function printf from the standard C library. So you have to run the program at least once, debugger attached or not, to have the global offset table populated. So also notice this: the ret2plt technique can also result in different offsets between whichever operating system that you're attacking. So be aware of that. I've tested this in Linux as well as Ubuntu.

So the goal of the ret2plt attack is to overwrite and alter the value of our printf function's global offset table entry to no longer print a printf but a system instead. The offset is known beforehand by calculating the distance between system and printf after the application is first run. We will walk through the steps of the ROP chain in the following screenshots.
Okay, so now let's start with our ROP chain that we have talked about before, by altering the global offset table entry. So this right here on the left is where we hit our return at the end of any function and our ROP chain begins. So right now the instruction pointer is pointing to a pop RDI. It's going to pop the printf address into the RDI register. A further note: you probably want to take note that the hardcoded shell function is actually located right here.

We are now going to pop the value of the return stack pointer into the return base pointer, which is going to be on our next slide. And right now, remember that the RDI register is actually holding the value of printf. So because we do an arithmetic calculation, we're actually going to subtract the value of the return base pointer, which holds the offset between printf minus system, and then we're going to restore it as an eight-byte quadword into the return location of the RDI register. And if you watch closely right here where my mouse cursor is, that in the next slide now becomes a system call.

So. Oh, I should have gone back. The next instruction was to pop another value into the RDI register, and the value that I was popping in was the variable shell.
So right now it's going to execute system with the first variable, shell, because that's your 64-bit calling convention. And if you were to delete all the breakpoints and then continue debugging and set another breakpoint at b *system and then continue execution, it would stop right here with a call to shell, which was normally printf.