1 00:00:01,360 --> 00:00:05,680 Hello, everyone, welcome to a new video of our binary exploitation series.
2 00:00:06,980 --> 00:00:12,260 Last time we were able to change the flow of our program, and we were able to make it jump to our message
3 00:00:12,270 --> 00:00:16,160 buffer memory address instead of returning back to the main function.
4 00:00:17,490 --> 00:00:21,240 But since the very first byte in our message buffer is the null byte,
5 00:00:22,960 --> 00:00:29,620 the execution stopped, and that's why we were not able to get our shell.
6 00:00:30,850 --> 00:00:34,300 I tried to draw it here so you can understand it in a better way.
7 00:00:35,360 --> 00:00:36,260 So again.
8 00:00:38,470 --> 00:00:46,090 The 0x90 here means NOP, or no operation; from its name, it doesn't do anything.
9 00:00:46,120 --> 00:00:53,950 So once we hit anywhere in these no-operations, called a NOP sled, it will slide all the way down until
10 00:00:53,950 --> 00:00:56,230 it finds another instruction.
11 00:00:57,560 --> 00:01:04,010 So instead of making our return address point to the very beginning of our shellcode,
12 00:01:04,010 --> 00:01:09,620 which is here, four, four, a, zero, we're not supposed to do that because we have a null byte here.
13 00:01:09,620 --> 00:01:14,840 So we make it, maybe, b0, 00, 00, anywhere inside these
14 00:01:15,530 --> 00:01:18,500 no-operations, or NOP sled. Once we do that,
15 00:01:18,500 --> 00:01:24,860 it will slide all the way down until it finds a different instruction. Before we generate our shellcode,
16 00:01:24,860 --> 00:01:25,810 let's
17 00:01:26,030 --> 00:01:29,630 calculate exactly how many bytes we need to reach the return address.
18 00:01:30,350 --> 00:01:33,560 But before the return address, there was another address that was needed.
19 00:01:33,560 --> 00:01:37,360 Right, this one, this address needed by the string format function.
20 00:01:37,370 --> 00:01:44,630 So we need to calculate how many bytes come before this one. Just open Python.
21 00:01:47,140 --> 00:01:52,950 Length, so that's 127 plus the null byte, that's 128, right?
22 00:01:55,420 --> 00:01:56,140 OK, good.
23 00:01:56,890 --> 00:02:05,890 We have shellcode here, but you can generate your own code using something like msfvenom, like this one.
24 00:02:07,460 --> 00:02:13,190 But of course, you can change this to suit you; that's what we need to do.
25 00:02:13,970 --> 00:02:19,310 And here it's x86, and then set it up with your IP address and your port.
26 00:02:19,910 --> 00:02:23,000 And we can also add something here to make it
27 00:02:25,410 --> 00:02:26,220 smaller.
28 00:02:33,010 --> 00:02:33,690 Here you go.
29 00:02:33,730 --> 00:02:34,950 We got our shellcode here.
30 00:02:35,110 --> 00:02:39,270 Of course, I'm not using this one because I already have my own shellcode from the Internet.
31 00:02:39,280 --> 00:02:47,500 It's a reverse shell, which I'm going to copy here to check the shellcode length.
32 00:02:52,740 --> 00:03:03,870 So it's 76 bytes, so we already have 128 bytes total
33 00:03:04,200 --> 00:03:07,610 to reach the first address, the one of our string format function.
34 00:03:08,130 --> 00:03:13,950 So if we subtract 76, our shellcode, from that, we get 52.
35 00:03:14,490 --> 00:03:14,810 Right.
36 00:03:14,870 --> 00:03:16,530 So we have 52 bytes.
37 00:03:16,530 --> 00:03:18,720 One of them, of course, is the null byte.
38 00:03:19,260 --> 00:03:28,410 So 51 will be for the NOPs. I already have my exploit temp file that I created here.
39 00:03:28,410 --> 00:03:38,980 So I have my target IP, port, then the null byte, my 51 NOPs, which is \x90, and
40 00:03:38,980 --> 00:03:44,550 then the valid address, which is the same address as our message buffer above, and then my shellcode that I just
41 00:03:44,550 --> 00:03:48,660 copied, and I have after that,
42 00:03:50,310 --> 00:03:53,160 so, shellcode and then the valid address.
43 00:03:53,160 --> 00:03:53,520 Right.
44 00:03:53,910 --> 00:03:56,670 And then 12 bytes of junk.
45 00:03:56,670 --> 00:03:57,600 You remember that.
46 00:03:58,110 --> 00:04:05,070 And then again the message buffer address, which points to our shellcode from the very beginning,
47 00:04:05,070 --> 00:04:06,590 from the \x90s.
48 00:04:07,080 --> 00:04:09,870 But here I did a little bit of a change.
49 00:04:11,070 --> 00:04:17,760 The message buffer address here, the one that I'm using, it's not a0, remember, because if you look here,
50 00:04:17,760 --> 00:04:21,330 we don't want to start from a0 because it has the null byte in the very beginning.
51 00:04:21,720 --> 00:04:28,510 But we can start from b0, so we can start from here, from inside the no-operations, the NOP
52 00:04:28,510 --> 00:04:29,280 instructions.
53 00:04:30,030 --> 00:04:33,230 So I changed it to be b0 instead of a0.
54 00:04:33,840 --> 00:04:38,910 Of course you can make it anything inside this NOP sled; you can make it c0, d0, it
55 00:04:38,910 --> 00:04:39,510 doesn't matter.
56 00:04:41,490 --> 00:04:43,770 I'm going to start my program again.
57 00:04:51,420 --> 00:04:58,200 OK, so this is a good time to stop, here after the string format function.
58 00:05:03,370 --> 00:05:03,730 OK.
59 00:05:12,710 --> 00:05:15,680 Let's execute our file.
60 00:05:17,680 --> 00:05:18,010 Nice.
61 00:05:18,400 --> 00:05:24,760 So if we step in now, before we get to the return address, the return instruction,
62 00:05:26,760 --> 00:05:27,960 let's check our ESP.
63 00:05:30,820 --> 00:05:36,340 It points here to our b0 address, right, this one here, if we check it.
64 00:05:40,750 --> 00:05:48,100 It's exactly from inside our NOP operations; see all these NOP operations, and then our shellcode will
65 00:05:48,100 --> 00:05:50,110 start from here.
66 00:05:51,560 --> 00:05:53,180 All the way until
67 00:05:54,260 --> 00:06:00,830 this one, cd 80, so that means if we step in one more,
68 00:06:01,670 --> 00:06:08,780 it actually started our NOPs. Right, step in again and again and again; it will keep sliding through these
69 00:06:08,780 --> 00:06:10,900 NOPs, it will keep going down.
70 00:06:11,540 --> 00:06:13,250 So let's continue for now.
71 00:06:15,240 --> 00:06:21,980 Of course, you got a segmentation fault because it's running, but actually it executed our shell binary.
72 00:06:22,620 --> 00:06:27,930 So let's actually do this in a real environment here, without GDB.
73 00:06:30,270 --> 00:06:32,040 Let's make sure it's not running.
74 00:06:37,350 --> 00:06:42,150 And now I'm going to bring another shell here, this one.
75 00:06:47,840 --> 00:06:52,310 I set up netcat to listen on port 1234.
76 00:06:52,340 --> 00:06:58,370 This is my reverse shell port, and now I'm going to execute my exploit.
77 00:07:00,340 --> 00:07:00,600 Nice.
78 00:07:00,700 --> 00:07:01,500 We've got a connection.
79 00:07:04,430 --> 00:07:06,410 Let's execute some commands.
80 00:07:10,610 --> 00:07:11,960 And move this here.
81 00:07:19,480 --> 00:07:20,170 Very nice.
82 00:07:21,850 --> 00:07:25,640 Now, we actually have a few issues with this exploit.
83 00:07:25,780 --> 00:07:33,010 First, the address we use is not supposed to be fixed if ASLR is enabled, which is address space
84 00:07:33,340 --> 00:07:34,410 layout randomisation.
85 00:07:34,940 --> 00:07:38,530 I already disabled it, but let me enable it and show you what I mean.
86 00:07:39,520 --> 00:07:41,410 First, I'm going to kill my program.
87 00:07:46,080 --> 00:07:50,230 OK, and then I'm going to issue this command,
88 00:07:52,950 --> 00:07:59,400 which will enable ASLR, but remember that GDB by default disables ASLR, so
89 00:08:03,090 --> 00:08:06,900 let's start GDB again, let's enable ASLR.
90 00:08:11,360 --> 00:08:17,690 OK, so if you remember this valid address from before, let's actually examine this address.
91 00:08:20,530 --> 00:08:24,250 So zero, zero, zero, four...
92 00:08:25,250 --> 00:08:27,560 It was a0 before, I remember.
93 00:08:30,480 --> 00:08:38,430 It says here: cannot access memory at address zero, 40, 40, a0, right?
94 00:08:38,820 --> 00:08:40,110 So let's do something.
95 00:08:40,410 --> 00:08:44,810 We're going to recompile using the
96 00:08:45,360 --> 00:08:48,690 -g flag. I'm going to show you something here real quick.
97 00:08:53,380 --> 00:08:55,600 OK, OK.
98 00:08:56,890 --> 00:09:00,210 So if we look here, before we do anything, if we look at the message buffer,
99 00:09:03,130 --> 00:09:04,700 what's the address? OK.
100 00:09:04,870 --> 00:09:13,860 Oh, I forgot ASLR. Start again, off, and then break main.
101 00:09:15,400 --> 00:09:15,760 OK.
102 00:09:19,790 --> 00:09:30,140 Oh, I did ASLR off; it should be on. OK, so ASLR on, and then b main.
103 00:09:32,720 --> 00:09:36,110 Now let's examine the message
104 00:09:36,110 --> 00:09:39,310 buffer. The address has changed.
105 00:09:39,320 --> 00:09:45,950 Right now it's a, zero, ten, four, nine, zero, zero, something.
106 00:09:47,840 --> 00:09:48,150 Right.
107 00:09:48,450 --> 00:09:53,900 So break main and run our program.
108 00:09:56,690 --> 00:10:00,260 It's now four, d, b, zero, zero.
109 00:10:00,530 --> 00:10:05,390 So we notice the very first byte on the right side
110 00:10:05,390 --> 00:10:09,440 here is 00, and the first one on the left, which is 00,
111 00:10:09,560 --> 00:10:12,950 but you can't see it because it's not here now.
112 00:10:12,950 --> 00:10:13,730 But yeah, it is.
113 00:10:13,910 --> 00:10:21,360 It's 00, 00, 00, 00, 00; the two bytes in the middle there are changing: 4d, b0.
114 00:10:21,410 --> 00:10:25,430 And the one from before, where is it?
115 00:10:26,690 --> 00:10:28,280 It was 49, 10.
116 00:10:29,180 --> 00:10:30,560 So that's a problem.
117 00:10:30,560 --> 00:10:34,730 The other problem is the valid address that we used in our code.
118 00:10:36,170 --> 00:10:39,920 Remember that we used this address as a valid address; it's going to be the same thing.
119 00:10:39,920 --> 00:10:47,120 So we need another address: first, a valid address that is fixed, an address not changing even with ASLR.
120 00:10:47,570 --> 00:10:53,300 And then we need to somehow guess the message buffer address.
121 00:10:53,870 --> 00:10:54,320 Right.
122 00:10:54,410 --> 00:11:00,920 So we are going to actually brute force the message buffer memory address, but we will
123 00:11:00,920 --> 00:11:03,200 do this in our next video.
124 00:11:03,950 --> 00:11:06,530 Well, thanks for watching and see you in the next one.