1 00:00:07,020 --> 00:00:14,010 Everyone, welcome to this new video in our software exploitation 2 00:00:15,300 --> 00:00:21,200 series of videos. So in this video, we'll take an application, 3 00:00:22,700 --> 00:00:27,770 a local client application, and we'll exploit it. But before I do that, I just wanted to explain 4 00:00:28,790 --> 00:00:36,500 maybe one important thing to keep in mind: when it comes to exploiting applications or software, 5 00:00:37,700 --> 00:00:41,860 we have three, I would say, especially when we are talking about 6 00:00:43,430 --> 00:00:50,800 applications or software running on the user side, not anything related to the kernel. 7 00:00:50,990 --> 00:00:54,500 OK, so the way we can exploit them, 8 00:00:55,530 --> 00:01:01,370 it's three ways, in my opinion. Maybe I missed one of them, but I think there are only three. 9 00:01:02,070 --> 00:01:05,530 So one of them is by 10 00:01:06,480 --> 00:01:13,110 exploiting the client, so exploiting the client. 11 00:01:13,140 --> 00:01:13,660 OK. 12 00:01:14,040 --> 00:01:16,420 And this is a local exploit. 13 00:01:17,220 --> 00:01:23,870 So what happens in this case is you target the client application and you exploit it. 14 00:01:23,910 --> 00:01:31,770 For example, a user running, let's say, a multimedia application: you send them a malicious file 15 00:01:31,770 --> 00:01:37,710 which gets opened by that multimedia application and you take advantage of a vulnerability in it. 16 00:01:37,920 --> 00:01:40,790 And that's what today's video is actually going to be about. 17 00:01:41,310 --> 00:01:47,700 Or let's say you send them a Word document or a PDF document and they open it with 18 00:01:47,700 --> 00:01:48,600 their application, 19 00:01:48,870 --> 00:01:54,570 and you take advantage of that. Or let's say, take another example where you 20 00:01:55,860 --> 00:01:56,580 ...
21 00:01:57,970 --> 00:02:00,400 use, for example, let's say, 22 00:02:01,330 --> 00:02:02,950 what do we have, like, 23 00:02:04,100 --> 00:02:13,110 I think those are all those PDF or Word readers, maybe like an image processor or an application 24 00:02:13,110 --> 00:02:15,360 that opens an image, any, any 25 00:02:16,300 --> 00:02:23,080 client application that could be targeted on the local side, we'll call it a local exploit. 26 00:02:23,110 --> 00:02:28,720 OK, so they are targeting the client application this way. Now, 27 00:02:29,350 --> 00:02:34,480 exploiting the client could be done locally and it also could be done remotely. 28 00:02:34,510 --> 00:02:35,260 What does that mean? 29 00:02:35,500 --> 00:02:37,660 So we could also do exploiting 30 00:02:39,080 --> 00:02:39,820 the client, 31 00:02:40,160 --> 00:02:43,010 OK, but this time it will be a remote exploit. 32 00:02:44,140 --> 00:02:45,330 How does that happen? 33 00:02:45,340 --> 00:02:52,600 So this one, let's say, like we said, a multimedia application, right, we can do that. 34 00:02:52,870 --> 00:02:55,870 We can say, like, a word processor, 35 00:02:57,110 --> 00:03:00,120 or let's say a PDF reader or something like that. 36 00:03:00,320 --> 00:03:02,960 These are all options. Now, in this case, 37 00:03:03,170 --> 00:03:04,180 think of it like this. 38 00:03:05,900 --> 00:03:09,780 Your client goes to visit a malicious server. 39 00:03:09,890 --> 00:03:12,260 So now it's kind of a remote exploit. 40 00:03:12,980 --> 00:03:20,840 Again, your client is now doing the visit, or you are visiting a site or a server or another location, 41 00:03:21,050 --> 00:03:23,030 and your application gets exploited.
42 00:03:23,330 --> 00:03:31,880 So this is what, let's say, an example could be, like the browser. If you browse, let's say, 43 00:03:32,120 --> 00:03:41,840 some evil website, like browsing through an evil website, that will happen. Or maybe connecting, because 44 00:03:41,840 --> 00:03:47,630 this is also going to be an example later, connecting to an evil IP server with 45 00:03:48,540 --> 00:03:55,350 with your typical client. So your activity is the client, that's it, it's a client application, 46 00:03:55,360 --> 00:03:55,920 that's true. 47 00:03:56,310 --> 00:04:00,810 But it's getting exploited by visiting that remote site or that remote server. 48 00:04:01,130 --> 00:04:05,340 OK, so I would like to call it a remote exploit for a client application. 49 00:04:05,670 --> 00:04:08,250 I could be wrong, but I like to call them that way. 50 00:04:08,430 --> 00:04:16,800 And finally, exploiting the service or the process or the application, let's say, 51 00:04:17,850 --> 00:04:18,480 remotely. 52 00:04:19,080 --> 00:04:21,060 So this is completely remote. 53 00:04:21,540 --> 00:04:22,010 OK. 54 00:04:22,970 --> 00:04:26,360 And an example of that, like exploiting the, 55 00:04:28,560 --> 00:04:39,570 let's say, a running server, running a server, or running, let's say, a web server. 56 00:04:39,690 --> 00:04:42,180 We will see some of these examples actually. 57 00:04:42,390 --> 00:04:49,230 So the server is running on a remote computer or on a remote system, and you remotely are able to send 58 00:04:49,680 --> 00:04:52,020 some crafted data, 59 00:04:52,260 --> 00:04:56,430 and that data takes advantage of 60 00:04:57,260 --> 00:04:59,210 a vulnerability in that application, 61 00:04:59,510 --> 00:05:02,030 OK, and exploits that application for you. 62 00:05:02,520 --> 00:05:06,030 OK, so these are the three ways of exploiting these applications.
63 00:05:06,050 --> 00:05:10,700 Again, I'm not talking here about any kernel level stuff. 64 00:05:10,700 --> 00:05:13,130 We are just talking about applications in general. 65 00:05:13,130 --> 00:05:20,090 So clients could be divided into two, local and remote. Local: multimedia, Word, PDF, anything like that. 66 00:05:20,910 --> 00:05:21,440 Remote: 67 00:05:21,620 --> 00:05:27,860 it's when your client application is actually visiting an evil site or an evil service or an e-mail 68 00:05:27,860 --> 00:05:32,210 server or anything, connecting 69 00:05:33,130 --> 00:05:34,690 to an evil 70 00:05:35,590 --> 00:05:36,270 service. 71 00:05:36,310 --> 00:05:36,710 OK. 72 00:05:36,730 --> 00:05:41,800 This is when this happens. And here we are also running, 73 00:05:43,340 --> 00:05:50,570 running a service, like a service running remotely, the service, yep, good. 74 00:05:51,170 --> 00:05:53,690 So these all could be considered, like, 75 00:05:55,820 --> 00:06:01,790 client exploits, the different exploitation methods. We'll cover most of them, by the way, I think we 76 00:06:01,790 --> 00:06:03,970 are going to cover, if not all of them, actually. 77 00:06:04,700 --> 00:06:07,340 OK, so these are just some notes to keep in mind. 78 00:06:07,370 --> 00:06:10,310 So today, our, 79 00:06:11,330 --> 00:06:17,070 our example is going to be on an application called VUPlayer. 80 00:06:17,120 --> 00:06:18,590 It's a multimedia application. 81 00:06:19,100 --> 00:06:20,670 OK, so VUPlayer, 82 00:06:20,690 --> 00:06:22,070 it's a multimedia application. 83 00:06:22,080 --> 00:06:22,830 We are going to, 84 00:06:23,390 --> 00:06:25,280 so it falls within this category. 85 00:06:25,500 --> 00:06:31,870 OK, so we are going to see how we can exploit this on this Windows system. 86 00:06:31,880 --> 00:06:34,630 And this is going to be for demonstration purposes only.
87 00:06:34,640 --> 00:06:41,690 You will see what I mean by that later when we move through the explanation and the demonstration. 88 00:06:42,730 --> 00:06:49,480 So we created this, and this is, by the way, all of this is on my GitHub, so you can find that. This 89 00:06:49,480 --> 00:06:51,170 is version 2.49. 90 00:06:51,400 --> 00:06:53,280 So make sure you have this one. 91 00:06:53,530 --> 00:06:58,480 There could be other versions vulnerable, but this is the one I'm going with. 92 00:06:58,930 --> 00:07:02,770 So we'll use this code to create this bad 93 00:07:02,770 --> 00:07:04,150 .m3u file. 94 00:07:04,240 --> 00:07:11,800 The .m3u file is, let's say, the file which is supposed to contain a playlist, but 95 00:07:11,800 --> 00:07:13,600 it's actually not going to contain a playlist. 96 00:07:13,810 --> 00:07:21,310 It's going to contain some junk data to exploit and take advantage of a vulnerability in this application. 97 00:07:21,490 --> 00:07:23,610 OK, so the code is very basic. 98 00:07:24,220 --> 00:07:32,080 We are going to create three thousand bytes of A's, put them in this payload called, put them 99 00:07:32,080 --> 00:07:37,780 in this payload, which is called actual payload, then open this file in write mode and then write 100 00:07:37,780 --> 00:07:40,800 this payload into the file and then just close the file. 101 00:07:40,810 --> 00:07:42,250 So that's all we are doing. 102 00:07:43,340 --> 00:07:46,070 OK, and here, if we press F5, 103 00:07:47,610 --> 00:07:49,120 it will create a file for us. 104 00:07:49,410 --> 00:07:50,160 We could even write, 105 00:07:50,190 --> 00:07:55,860 by the way, maybe, print "file created 106 00:07:58,110 --> 00:07:59,150 success". 107 00:08:00,830 --> 00:08:04,140 OK, so we can do that just so that we know it's done.
108 00:08:04,210 --> 00:08:12,800 OK, so we now have this file, and now what we can do is go to the application and open the file and 109 00:08:12,800 --> 00:08:13,630 see what happens. 110 00:08:14,570 --> 00:08:19,850 So as you can see here, something's going on and the application crashes. Great. 111 00:08:20,420 --> 00:08:24,290 So it seems the application is vulnerable, and actually it is. 112 00:08:24,290 --> 00:08:24,950 I know it is. 113 00:08:24,950 --> 00:08:29,840 But again, the idea here is to explain these concepts and techniques, 114 00:08:31,560 --> 00:08:38,700 not to find a zero-day in these applications. So let's get our debugger and start playing with 115 00:08:38,700 --> 00:08:39,030 this. 116 00:08:41,990 --> 00:08:43,970 So let's get the debugger, 117 00:08:44,790 --> 00:08:46,560 OK, and load our application. 118 00:08:48,110 --> 00:08:51,790 And yes, here it is, you need to navigate to the location. 119 00:08:53,840 --> 00:08:55,970 Just hit OK for these for now. 120 00:08:58,680 --> 00:09:03,690 And we have our application running, so let's run it. 121 00:09:05,140 --> 00:09:08,200 Start the application from within the debugger, OK? 122 00:09:08,890 --> 00:09:10,900 And then from within the debugger, 123 00:09:11,800 --> 00:09:15,800 go load that file, which is our playlist. 124 00:09:16,190 --> 00:09:16,960 Let's do that. 125 00:09:20,870 --> 00:09:27,260 My system needs a reboot, I think, yeah. So, open, let's see what happens. So we can see here 126 00:09:27,560 --> 00:09:33,620 the application paused and it's saying access violation when executing 41414141. 127 00:09:33,800 --> 00:09:38,290 And that's because there is no address called 41414141. 128 00:09:38,780 --> 00:09:41,810 Now we can see ESP was overwritten with A's. 129 00:09:41,810 --> 00:09:44,750 We can see EDI has some A's, pointing here.
130 00:09:45,050 --> 00:09:52,010 We can also see ESI, excuse me, also got overwritten with some A's here, and if we look 131 00:09:52,010 --> 00:09:54,800 at the stack based on ESP, this is the top. 132 00:09:55,190 --> 00:10:03,890 We can also see that we have a lot of A's written on the stack. If we also go to the dump, 133 00:10:05,070 --> 00:10:11,970 we can see these are all A's written. So we have a lot of A's, we can see here there are a lot of 134 00:10:11,970 --> 00:10:15,090 them being written on the stack. 135 00:10:15,510 --> 00:10:17,610 So we managed to crash the application. 136 00:10:17,610 --> 00:10:24,930 We managed to take control of some registers, and we also managed to take control actually of EIP, 137 00:10:25,320 --> 00:10:28,180 which is very important for our exploitation. 138 00:10:28,590 --> 00:10:30,120 So what does that mean? 139 00:10:30,150 --> 00:10:34,380 It means we do have control over, let's say, a register or EIP directly. 140 00:10:34,860 --> 00:10:37,420 So it's a vanilla buffer overflow. 141 00:10:37,620 --> 00:10:38,940 That's what this is, really. 142 00:10:39,060 --> 00:10:41,320 And that's why we have direct access to it. 143 00:10:42,000 --> 00:10:44,460 Now, our problem here is, 144 00:10:45,460 --> 00:10:52,990 in the previous example, or in the previous videos, which we went over, we kind of knew how many 145 00:10:52,990 --> 00:11:00,070 bytes we need to write in order to reach this location or to overwrite EIP. 146 00:11:00,460 --> 00:11:01,400 In this case, we don't. 147 00:11:01,400 --> 00:11:06,340 So we are now going to introduce another tool which will help us in that way. 148 00:11:06,370 --> 00:11:13,600 I know we maybe mentioned mona in the last video, which again is created by Peter from 149 00:11:13,600 --> 00:11:14,410 the Corelan team.
150 00:11:15,070 --> 00:11:19,300 But in this video, let's take another advantage of mona and see how we can use it. 151 00:11:20,800 --> 00:11:28,120 So what we need to do is we need to figure out how many bytes I need to write on top of the stack in 152 00:11:28,120 --> 00:11:30,830 order to overwrite my return address. 153 00:11:31,300 --> 00:11:32,140 What does that mean? 154 00:11:32,170 --> 00:11:40,050 Maybe I can, like, draw a basic graph, and I must paint, like, a basic figure to explain the idea. 155 00:11:42,010 --> 00:11:45,890 So if we get this, and let's say this is our stack. 156 00:11:46,030 --> 00:11:51,760 OK, so let's consider this is our stack, and let's, no, I want this here, and now 157 00:11:51,760 --> 00:11:58,710 let's say, let's consider maybe this is where our, just to make things easier, 158 00:11:59,320 --> 00:12:03,250 let's say this is where our return address is, and let's put return here. 159 00:12:04,450 --> 00:12:05,170 So you write. 160 00:12:05,850 --> 00:12:06,310 OK. 161 00:12:09,180 --> 00:12:10,190 So I'm, 162 00:12:11,490 --> 00:12:12,420 yep, that's it. 163 00:12:12,900 --> 00:12:19,290 So this is our stack, and this is our return address, which is the one that we want to overwrite 164 00:12:19,290 --> 00:12:19,830 with... 165 00:12:21,700 --> 00:12:26,500 Wait a minute, let's use another color. So, yeah, we want to overwrite this with what? 166 00:12:26,500 --> 00:12:29,030 With those A's, right. 167 00:12:29,050 --> 00:12:34,200 We want to overwrite it with 0x41414141. 168 00:12:34,660 --> 00:12:40,780 So we want to overwrite this with this value, or we did actually overwrite it with this value. 169 00:12:40,780 --> 00:12:42,040 But we want to find 170 00:12:43,030 --> 00:12:50,740 what is this location that I need to overwrite with this value, or how far is this from the top 171 00:12:50,740 --> 00:12:55,630 of the stack, for example, or what is the offset that I need to
172 00:12:56,860 --> 00:13:02,320 add to the stack in order to reach this location. So we are looking at the, 173 00:13:04,820 --> 00:13:08,150 here, how many bytes do I need to write? 174 00:13:09,710 --> 00:13:12,250 OK, how many bytes do I need to write 175 00:13:13,190 --> 00:13:17,150 in order to, what, overwrite the return address? 176 00:13:17,480 --> 00:13:22,250 OK, so let's say you are going to start writing from here. 177 00:13:22,640 --> 00:13:24,650 Let's say from here you are going to start writing. 178 00:13:24,860 --> 00:13:32,660 OK, how many bytes do you write, starting from here all the way down, to overwrite these four bytes? 179 00:13:32,720 --> 00:13:33,230 How many? 180 00:13:33,230 --> 00:13:33,890 We don't know. 181 00:13:33,890 --> 00:13:39,290 Sometimes it's not easy to calculate just manually, like the case we did in our test 182 00:13:39,290 --> 00:13:39,860 example. 183 00:13:40,040 --> 00:13:41,350 That was a basic example. 184 00:13:41,360 --> 00:13:43,670 So it was easy to calculate. 185 00:13:43,670 --> 00:13:47,080 But in this case, we need to find another way to do that. 186 00:13:47,090 --> 00:13:55,840 And thanks to researchers such as Peter, that's now easy to do. So if we go and type, like, 187 00:13:55,890 --> 00:13:56,480 !mona, 188 00:13:59,330 --> 00:14:07,150 we'll get the help about all of this, that these are all the commands that you can use, 189 00:14:07,160 --> 00:14:14,000 everything here. I'm going to just set, I want to make sure what I set to my desktop, OK, I'm going 190 00:14:14,000 --> 00:14:20,060 to delete this, just because these were used in the previous video or maybe for my students in class. 191 00:14:20,690 --> 00:14:24,860 So I'm going to do that, delete that, and now generate some data again. 192 00:14:25,580 --> 00:14:26,750 But before I do that,
193 00:14:28,540 --> 00:14:36,940 let's make sure we have our working directory, or working folder, set correctly. So we 194 00:14:36,940 --> 00:14:41,170 have users, user one, I think mine is user one. 195 00:14:41,240 --> 00:14:42,580 Let me just double check. 196 00:14:43,380 --> 00:14:50,640 Yes, I will use that one, and then we have desktop. 197 00:14:53,710 --> 00:14:55,220 Yeah, let's go. 198 00:14:55,420 --> 00:14:56,830 OK, and then we have mona. 199 00:14:57,340 --> 00:15:06,470 OK, so we are just making sure. Old value parameter is c:\users\user1\desktop\mona, new value parameter is the same. 200 00:15:06,760 --> 00:15:08,390 So it means we already had that. 201 00:15:08,410 --> 00:15:09,530 I just wanted to make sure. 202 00:15:09,850 --> 00:15:10,160 Great. 203 00:15:10,480 --> 00:15:11,750 So what are we going to do now? 204 00:15:11,770 --> 00:15:14,240 We are going to use the mona command, 205 00:15:14,440 --> 00:15:19,550 OK, and we are going to use the pattern_create command with it. 206 00:15:19,780 --> 00:15:28,540 So we want to create the pattern, so we can either do, like this, pattern_create and then 207 00:15:28,540 --> 00:15:30,720 say three thousand, we can do. 208 00:15:30,760 --> 00:15:31,730 Is that three thousand? 209 00:15:31,780 --> 00:15:31,990 Yeah. 210 00:15:32,880 --> 00:15:38,000 And say three thousand. We can either do that, or if you don't want to, you can just type 211 00:15:38,980 --> 00:15:41,960 ... That's also similar to typing pattern_create. 212 00:15:42,210 --> 00:15:51,330 So now pattern_create, it's going to create that pattern, which is now stored in the mona 213 00:15:51,330 --> 00:15:51,990 directory. 214 00:15:52,400 --> 00:15:53,160 Where is this? 215 00:15:54,090 --> 00:15:58,440 Yeah, let's go to our desktop. 216 00:16:00,700 --> 00:16:03,760 OK, now one thing about this. Let me open it.
217 00:16:04,750 --> 00:16:09,310 What is this, and why are we using this, and why are we making this? 218 00:16:09,700 --> 00:16:19,000 So this tool will create a pattern where no four bytes contiguously after each other will appear twice in 219 00:16:19,000 --> 00:16:21,020 the sequence of bytes. Again, 220 00:16:21,880 --> 00:16:27,970 the idea here is we are going to create a sequence of bytes depending on the size you provide. 221 00:16:28,000 --> 00:16:37,490 We said three thousand, and there will be no four contiguous bytes similar in the same pattern. 222 00:16:37,510 --> 00:16:39,670 So it's going to be unique within that pattern. 223 00:16:39,910 --> 00:16:42,370 Any four bytes within this pattern will be unique. 224 00:16:42,580 --> 00:16:43,420 What does that mean? 225 00:16:43,570 --> 00:16:46,570 It means when I'm going to go and 226 00:16:47,790 --> 00:16:55,800 drop those bytes from here, start overwriting, those four bytes that get written here, 227 00:16:56,580 --> 00:17:02,440 those are going to tell me what is the offset from the beginning until this location. 228 00:17:02,880 --> 00:17:08,070 Again, we are going to throw those bytes onto the stack. 229 00:17:08,520 --> 00:17:14,560 And now those four bytes, which we will be seeing in EIP in the debugger, 230 00:17:15,300 --> 00:17:24,940 those are going to help me identify how many bytes do I need to reach this location. 231 00:17:24,960 --> 00:17:29,120 So what's the offset, in other words, to reach this location? 232 00:17:29,210 --> 00:17:31,400 OK, that's why we are going to do that. 233 00:17:31,770 --> 00:17:36,690 And now, again, what it tells you, it tells you: do not copy this, because this is truncated. 234 00:17:36,840 --> 00:17:38,100 It's not the full pattern. 235 00:17:38,370 --> 00:17:41,610 The pattern is actually in the mona directory. 236 00:17:41,820 --> 00:17:43,770 So that's why we created it this way.
237 00:17:44,180 --> 00:17:54,090 OK, I usually like to create copies of this so I can later on go back and imagine my sequence: 238 00:17:54,090 --> 00:17:55,620 what did I do first? 239 00:17:55,620 --> 00:17:57,270 What did I do second, etc. 240 00:17:57,600 --> 00:18:00,720 So I'm going to do that, and now I'm going to work on exploit one. 241 00:18:01,050 --> 00:18:03,990 I'm going to copy these three thousand bytes, 242 00:18:04,440 --> 00:18:04,950 OK, 243 00:18:05,880 --> 00:18:07,980 and I'm going to replace this 244 00:18:09,560 --> 00:18:11,300 with the three thousand bytes. 245 00:18:11,500 --> 00:18:20,060 OK, so now we can close this, we don't need it anymore, and now we can run this again. Let's 246 00:18:20,060 --> 00:18:25,250 restart our application, because it already crashed, because we crashed it. 247 00:18:25,260 --> 00:18:26,480 So let's restart that. 248 00:18:28,640 --> 00:18:29,110 OK. 249 00:18:30,540 --> 00:18:33,090 And let's hit, 250 00:18:33,400 --> 00:18:35,530 OK, OK, OK. 251 00:18:36,460 --> 00:18:37,290 And 252 00:18:38,790 --> 00:18:39,990 let's start the application. 253 00:18:41,430 --> 00:18:41,930 OK. 254 00:18:46,340 --> 00:18:48,830 Let's create this file, so run the file. 255 00:18:50,790 --> 00:18:52,120 File created successfully. 256 00:18:52,710 --> 00:18:56,090 Now let's go back and load the application 257 00:18:57,360 --> 00:18:58,230 and 258 00:19:00,280 --> 00:19:02,440 the file, see what's going to happen. 259 00:19:07,830 --> 00:19:09,690 OK, so we open. 260 00:19:10,670 --> 00:19:11,060 Great. 261 00:19:11,090 --> 00:19:17,140 So, again, the application paused, or has an access violation. 262 00:19:17,660 --> 00:19:19,390 You can see that here, right. 263 00:19:19,850 --> 00:19:25,140 And you can see that there is some value now written in EIP, which is some four bytes.
264 00:19:25,610 --> 00:19:30,080 Now, what we can, and you can see here again, these are some of the bytes that were part of 265 00:19:30,080 --> 00:19:30,770 our pattern. 266 00:19:31,040 --> 00:19:34,090 So we can see that ESP got overwritten with them. 267 00:19:34,100 --> 00:19:35,450 We can see that on the stack. 268 00:19:35,900 --> 00:19:39,230 These bytes really mean nothing. 269 00:19:39,530 --> 00:19:43,250 So what we are going to do now here is copy this, so you can do that. 270 00:19:44,170 --> 00:19:46,480 And now, instead of putting create, 271 00:19:47,350 --> 00:19:58,450 we will use pattern_offset, so pattern_offset, and just give it the value. It's four bytes. Now we can 272 00:19:58,450 --> 00:19:58,990 run it. 273 00:19:59,500 --> 00:20:10,360 And what it says, it says that this pattern, so these bytes, these bytes are h7Bh, 0x68423768 in hexadecimal. 274 00:20:10,660 --> 00:20:18,520 And it says these four bytes, which is the h7Bh, are found in the cyclic pattern at position 275 00:20:18,520 --> 00:20:19,620 1012. 276 00:20:19,810 --> 00:20:20,710 What does that mean? 277 00:20:21,010 --> 00:20:23,620 It means that we need 278 00:20:25,770 --> 00:20:29,070 to write over here 1012 bytes. 279 00:20:29,400 --> 00:20:37,550 OK, we need to write over here 1012 bytes in order to reach this offset. 280 00:20:37,910 --> 00:20:46,550 OK, so if we write 1012 bytes, the next four bytes are going to be our return address. Again, if 281 00:20:46,560 --> 00:20:48,390 we write 1012 bytes, 282 00:20:49,240 --> 00:20:55,960 OK, from the beginning, then the four immediately after that are going to be our return address. 283 00:20:56,440 --> 00:20:56,800 Good. 284 00:20:56,890 --> 00:20:59,260 I'm not good at designing these drawings. 285 00:20:59,470 --> 00:21:02,680 I know I'm bad, but I hope this explains the idea. 286 00:21:03,190 --> 00:21:04,000 So, good. 287 00:21:04,000 --> 00:21:04,790 We have that.
288 00:21:04,930 --> 00:21:07,300 Let's see if this is true. 289 00:21:07,480 --> 00:21:09,580 So let's start the application again. 290 00:21:09,760 --> 00:21:11,610 But this time we'll update our code. 291 00:21:12,470 --> 00:21:17,330 I like to, again, make things step by step and go one step at a time. 292 00:21:17,540 --> 00:21:23,960 It might take some time, but at least we can learn, we can understand what's going on by doing a step 293 00:21:24,320 --> 00:21:25,000 at a time. 294 00:21:25,310 --> 00:21:28,210 So let's do it like this, OK? 295 00:21:28,550 --> 00:21:34,890 And now this time, let's do this, and let's multiply this by 1012. 296 00:21:35,030 --> 00:21:36,830 Well, let's fill this with what? 297 00:21:37,310 --> 00:21:39,440 Let's fill it with the A's, 298 00:21:39,440 --> 00:21:40,370 so \x41. 299 00:21:40,880 --> 00:21:42,200 So we have 1012 300 00:21:43,330 --> 00:21:52,060 of those, and then after that, let's put in the EIP. Let's see if we can really put in EIP what, our 301 00:21:52,060 --> 00:21:58,180 four B's, so \x42, which is the byte for B, we have four of those. 302 00:21:58,300 --> 00:21:58,710 Right. 303 00:22:00,190 --> 00:22:08,620 So now we'll have, if we go back here, we are going to overwrite this with, let's say, let 304 00:22:08,620 --> 00:22:11,500 me delete this, because now it's not the same. 305 00:22:11,560 --> 00:22:14,550 OK, so we are going to overwrite this with A's. 306 00:22:14,950 --> 00:22:23,660 These will all be A's here, A, and then A, then A, like that, A, etc. 307 00:22:23,860 --> 00:22:25,210 OK, and so on and so forth. 308 00:22:25,480 --> 00:22:28,780 And then we want to overwrite these four bytes. 309 00:22:28,780 --> 00:22:31,510 We want to write them with the BBBB. 310 00:22:31,700 --> 00:22:32,170 OK. 311 00:22:33,170 --> 00:22:34,710 It will be overwritten here. 312 00:22:34,730 --> 00:22:36,260 That's what we want to achieve now. 313 00:22:36,440 --> 00:22:37,370 OK, good.
314 00:22:37,400 --> 00:22:44,630 What we want to do next, so we got there, we got the B's, and now we need to just pad the rest of 315 00:22:44,630 --> 00:22:49,840 the payload, because the payload was, remember, the payload was three thousand. 316 00:22:49,850 --> 00:22:53,650 That's when we managed to crash the application. 317 00:22:53,660 --> 00:22:57,380 So if we just send this, we are probably not going to crash the application. 318 00:22:58,010 --> 00:23:00,530 So we are going to do the calculations a dummy way. 319 00:23:00,530 --> 00:23:05,990 But later on in this video series, we'll show other methods of how to do this. 320 00:23:05,990 --> 00:23:09,020 But for now, again, I'm going to use a dummy way. 321 00:23:09,170 --> 00:23:14,570 So please, if you are watching this, I still know how to calculate things, 322 00:23:14,570 --> 00:23:18,290 maybe a couple of basic calculations. 323 00:23:18,290 --> 00:23:19,080 I still know that. 324 00:23:19,700 --> 00:23:24,920 But, again, I want to use the basics here, and then we'll move to other ways later on. 325 00:23:25,130 --> 00:23:31,250 So for now, what I'm going to use, I'm going to do pad one, for example, and I'm going to pad this 326 00:23:31,250 --> 00:23:38,930 with C. Actually, I'm going to pad it with just C, because there's a reason I don't want to send a 327 00:23:39,320 --> 00:23:41,520 \xcc. 328 00:23:41,720 --> 00:23:46,680 I will explain that later, so we can actually just do \x43. 329 00:23:46,820 --> 00:23:47,080 Yep. 330 00:23:47,130 --> 00:23:47,780 Let's do that. 331 00:23:48,320 --> 00:23:51,890 And then we are going to pad this with the rest of what? 332 00:23:52,070 --> 00:23:52,860 Of the payload. 333 00:23:53,180 --> 00:23:54,680 So let's get our calculator 334 00:23:55,970 --> 00:24:00,050 and see what we have. So we have three thousand, right? 335 00:24:00,800 --> 00:24:05,270 Minus 1012 and then minus four.
336 00:24:05,690 --> 00:24:07,730 So we have 1984 337 00:24:08,580 --> 00:24:17,310 bytes left. OK, we have 1984 bytes left, so let's do that, 1984 338 00:24:17,310 --> 00:24:19,380 bytes left, OK? 339 00:24:20,260 --> 00:24:31,390 And yeah, let's do this, we don't need it anymore. But what we need to do now is we need to add the whole payload, 340 00:24:31,390 --> 00:24:34,630 so we have EIP and then we have pad one. 341 00:24:34,990 --> 00:24:40,790 And the reason I named it pad one is just because later on we might need other pads. 342 00:24:40,790 --> 00:24:41,920 So let's do that. 343 00:24:42,250 --> 00:24:44,950 And let's add another thing here to print. 344 00:24:44,950 --> 00:24:50,260 So let's say payload length 345 00:24:51,300 --> 00:24:59,490 equals, and then let's add the len of payload, so that we can print that and make sure we are on the 346 00:24:59,490 --> 00:25:00,510 right side. 347 00:25:00,810 --> 00:25:01,890 So let's run this. 348 00:25:03,990 --> 00:25:07,140 Payload length is 6968, why is that? 349 00:25:08,420 --> 00:25:09,260 Hmm. 350 00:25:24,180 --> 00:25:25,880 How did... 351 00:25:29,340 --> 00:25:31,110 See, I told you, I'm bad at math. 352 00:25:33,060 --> 00:25:35,020 What's going on here? 353 00:25:35,020 --> 00:25:35,280 Uh. 354 00:25:36,980 --> 00:25:40,250 De de de de de de de de de de de la. 355 00:25:42,350 --> 00:25:43,220 Uh. 356 00:25:45,400 --> 00:25:47,530 So, junk is this. 357 00:25:50,190 --> 00:25:52,920 Then we have EIP. 358 00:25:57,990 --> 00:25:59,310 Yeah, this should be... 359 00:26:01,640 --> 00:26:02,590 What's the computer doing? 360 00:26:02,930 --> 00:26:03,640 Let's check. 361 00:26:04,700 --> 00:26:06,020 I'm missing something. 362 00:26:06,940 --> 00:26:07,790 You know, the len. 363 00:26:09,700 --> 00:26:11,230 Oh, I know what. 364 00:26:12,620 --> 00:26:14,550 OK, OK, let me change this.
365 00:26:14,570 --> 00:26:17,330 This is being calculated, let me just, maybe... 366 00:26:18,360 --> 00:26:23,730 This is, by the way, OK, OK, this is, no, this is the reason why. I found it. 367 00:26:24,480 --> 00:26:26,170 I forgot to add the backslash here. 368 00:26:26,220 --> 00:26:31,350 OK, this was taking this as three bytes, it was taking it as three bytes. 369 00:26:31,350 --> 00:26:34,080 OK, my mistake. Now it should be three thousand. 370 00:26:34,880 --> 00:26:40,670 Yep, I told you, I have the basics of calculation. Good, so let's continue then. 371 00:26:41,560 --> 00:26:45,190 So, yeah, my math is still working then. Great. 372 00:26:46,250 --> 00:26:55,160 OK, so what do we do now? Let's open the application, and what should happen now is we should see 373 00:26:55,160 --> 00:27:01,500 four B's in EIP. So let's make sure we have four B's in EIP, otherwise 374 00:27:01,520 --> 00:27:05,180 my math sucks like people say. So, 375 00:27:05,210 --> 00:27:08,660 yep, we have the four B's 376 00:27:08,660 --> 00:27:09,470 in EIP. 377 00:27:10,300 --> 00:27:11,270 Uh, 378 00:27:12,430 --> 00:27:13,360 I can see here. 379 00:27:13,520 --> 00:27:13,990 OK. 380 00:27:14,890 --> 00:27:24,490 And we can see the ESP was overwritten with the C's, so it seems our payload, and this is 381 00:27:24,490 --> 00:27:30,580 also one good thing to keep in mind, so we can see that our payload on the top of the stack 382 00:27:32,450 --> 00:27:34,920 got now overwritten with the C part. 383 00:27:34,970 --> 00:27:35,930 So what does that mean? 384 00:27:35,960 --> 00:27:39,860 It means we now have control over the EIP. 385 00:27:39,890 --> 00:27:40,490 That's true. 386 00:27:40,520 --> 00:27:48,590 And now, if we want our shellcode to work, we add it at least in part of the payload. Why? Because this part is 387 00:27:48,590 --> 00:27:54,370 the one that, as you can see here in this case, got overwritten on the stack.
388 00:27:54,380 --> 00:27:58,390 So if we add our payload here, not that, by the way.
389 00:27:58,400 --> 00:27:58,790 Not that.
390 00:27:58,790 --> 00:28:01,430 I mean, the other bytes were not on the stack there.
391 00:28:01,640 --> 00:28:06,320 But the way we want to exploit this is by jumping to ESP.
392 00:28:06,320 --> 00:28:10,160 We can see ESP is pointing to our C's, so we need to
393 00:28:11,120 --> 00:28:16,010 write something, we need to write in that area, so if we.
394 00:28:17,110 --> 00:28:26,740 If we write in the C's area, we will achieve our exploit, so let's update this again and this time,
395 00:28:27,340 --> 00:28:28,000 no.
396 00:28:28,900 --> 00:28:30,010 Reader while.
397 00:28:32,140 --> 00:28:35,570 OK, so what are we going to do now, let's restart the application.
398 00:28:35,740 --> 00:28:36,400 Yes.
399 00:28:36,410 --> 00:28:37,150 And.
400 00:28:42,010 --> 00:28:45,240 I thought, OK, OK, OK, uh.
401 00:28:46,390 --> 00:28:52,920 Start the application, so what do we need to do now, what we are going to do now is we need a jump
402 00:28:53,080 --> 00:28:56,160 ESP because we saw ESP is pointing to the top of our stack.
403 00:28:56,590 --> 00:28:59,590 Now, again, this is just for demonstration purposes.
404 00:28:59,600 --> 00:29:05,410 This will not work on Windows 10 because, like I said before.
405 00:29:07,010 --> 00:29:07,840 Uh.
406 00:29:08,870 --> 00:29:13,460 The addresses will be different and all of that, I will explain also more about that later.
407 00:29:13,470 --> 00:29:18,000 But for now, let's just pick from our DLL.
408 00:29:18,410 --> 00:29:23,750 OK, let's pick from here an address which is jump ESP and just use that.
409 00:29:24,570 --> 00:29:32,070 But this will not work if you reboot your computer, and I will explain more about that later on, but
410 00:29:32,070 --> 00:29:36,150 for now, we just want to do this for demonstration purposes.
411 00:29:36,920 --> 00:29:39,360 OK, so let's now modify this.
412 00:29:40,560 --> 00:29:47,550 With our, so let's remove this, all of it, and let's modify that with 34, why, because this is little
413 00:29:47,550 --> 00:29:54,390 endian, and then we have BC and then we have \x77.
414 00:29:54,960 --> 00:29:56,980 Yeah, I'm not going to do the same mistake again.
415 00:29:57,120 --> 00:29:58,740 So I forgot the \x.
416 00:29:59,610 --> 00:30:08,610 OK, so we have 34, 10, BC, 77, so this is where our jump ESP is, and now let's replace this actually
417 00:30:08,610 --> 00:30:16,390 with NOPs, so we replace this with NOPs just so we can jump into that no operation.
418 00:30:16,560 --> 00:30:18,540 We have a breakpoint here, so that's good.
419 00:30:18,570 --> 00:30:20,940 Let's go back to the beginning and now.
420 00:30:22,710 --> 00:30:24,360 Let's create our payload.
421 00:30:25,350 --> 00:30:26,460 So all good.
422 00:30:26,490 --> 00:30:27,970 Everything is working correctly.
423 00:30:27,990 --> 00:30:31,500 Let's go and now load our.
424 00:30:32,680 --> 00:30:33,820 Uh, but by.
425 00:30:34,150 --> 00:30:35,600 OK, so let's do this.
426 00:30:46,180 --> 00:30:47,200 And that.
427 00:30:48,170 --> 00:30:55,460 OK, so we can see the debugger paused, where, at the breakpoint, that's why it's saying paused, and
428 00:30:55,460 --> 00:31:00,560 you can see it's pointing to our ESP address because we overwrote.
429 00:31:01,040 --> 00:31:01,550 Where is it?
430 00:31:01,560 --> 00:31:03,680 Where's my fancy diagram.
431 00:31:03,980 --> 00:31:05,090 We overwrote this.
432 00:31:05,330 --> 00:31:06,290 Lets me to.
433 00:31:08,010 --> 00:31:16,080 Yeah, we overwrote this actually with, what we overwrote with this address, we overwrote this with
434 00:31:16,080 --> 00:31:17,220 this address.
435 00:31:17,240 --> 00:31:19,230 So here now we have.
436 00:31:20,230 --> 00:31:21,760 Zero zero.
437 00:31:22,240 --> 00:31:24,220 OK, now we have this address.
438 00:31:26,040 --> 00:31:32,980 OK, so we overrode that, and that's why now it's at the jump ESP, if I hit F7 to, like,
439 00:31:33,000 --> 00:31:38,870 continue, we will be jumping over into wherever ESP is pointing.
440 00:31:39,030 --> 00:31:47,160 So if we go to ESP and if we, like, follow in dump, we can see this is where it is pointing, to our NOPs.
441 00:31:47,170 --> 00:31:54,810 So we go back here, F7, we can see now we are in the NOPs, so we can now slide all the way in
442 00:31:54,810 --> 00:32:02,250 the NOPs and then if we had our shellcode there, we can execute it. Great, let's modify our code, add our
443 00:32:02,260 --> 00:32:06,570 shellcode, or what you can do sometimes just for, let's say.
444 00:32:07,710 --> 00:32:12,330 To make sure things are working correctly, I usually would like to add.
445 00:32:13,290 --> 00:32:17,460 Uh, a software breakpoint here, let me add to that.
446 00:32:18,570 --> 00:32:21,600 Uh, from directly from the code.
447 00:32:22,740 --> 00:32:27,530 And let's start here, uh, let me update this, so I'll call it number four.
448 00:32:29,670 --> 00:32:37,740 So this is for the Kidwai here and here, what I will do is I will add, let's say, four of them.
449 00:32:39,200 --> 00:32:41,780 OK, and I'm going to call this nop.
450 00:32:43,560 --> 00:32:44,400 nop1.
451 00:32:44,580 --> 00:32:49,730 OK, I'm going to add four of them, we have a lot of space, but what is enough?
452 00:32:49,770 --> 00:32:57,900 We can do that and then I'm going to add my pad1 equals, then I'm going to do, uh, I'm going to
453 00:32:57,900 --> 00:33:02,790 do the \xCC and I'm going to multiply this by also four.
454 00:33:03,780 --> 00:33:07,090 And actually, let me call this breakpoint, breakpoint.
455 00:33:07,110 --> 00:33:09,060 Yep, and I'm going to add.
456 00:33:10,170 --> 00:33:18,090 My pad1, and I'm going to do the, uh, I'm just going to send.
457 00:33:19,110 --> 00:33:26,700 C's in there, or maybe more NOPs, I'm going to just send C's for now and then multiply this by.
458 00:33:26,880 --> 00:33:32,280 So we have all of these, have all of these, the breakpoints.
459 00:33:32,670 --> 00:33:37,050 So we need to subtract from this one, uh, eight bytes.
460 00:33:37,050 --> 00:33:40,980 So that means we have seventy-six.
461 00:33:41,370 --> 00:33:42,600 Seventy-six left.
462 00:33:42,810 --> 00:33:43,560 OK.
463 00:33:44,010 --> 00:33:49,380 And now if we run it, F5, we should create our payload, but oh, we missed eight.
464 00:33:49,750 --> 00:33:50,750 Uh, oh yeah.
465 00:33:50,760 --> 00:33:52,020 Because we didn't add it here.
466 00:33:52,200 --> 00:33:52,580 Good.
467 00:33:53,010 --> 00:33:58,560 So we have junk, then we have EIP, then we have
468 00:33:59,690 --> 00:34:07,310 nop1, and we have breakpoint, and then we have pad1, yeah, that's why we missed those eight
469 00:34:07,310 --> 00:34:07,670 bytes.
470 00:34:07,920 --> 00:34:08,570 Three thousand.
471 00:34:08,570 --> 00:34:11,080 See, my calculations still working good.
472 00:34:11,570 --> 00:34:12,830 So let's go back here.
473 00:34:13,700 --> 00:34:15,740 And let's try to load our payload.
474 00:34:18,040 --> 00:34:20,470 And before we do that, let's just add a breakpoint here.
475 00:34:21,530 --> 00:34:29,410 Just to make sure we actually jump in there, but also the code we made now will actually create
476 00:34:29,420 --> 00:34:29,960 a breakpoint.
477 00:34:29,970 --> 00:34:33,800 So once we land on this, this is actually also breakpoints.
478 00:34:33,800 --> 00:34:34,550 You'll see.
479 00:34:34,820 --> 00:34:39,050 So if I do now, uh, F7, going to jump.
480 00:34:39,080 --> 00:34:39,390 Uh.
481 00:34:40,580 --> 00:34:41,350 What did I do?
482 00:34:46,220 --> 00:34:47,690 Oh, I didn't load the file yet.
483 00:34:47,720 --> 00:34:48,540 Oh, OK, sorry.
484 00:34:49,160 --> 00:34:50,780 So we load the file.
485 00:34:59,700 --> 00:35:02,430 But that, but we are at the jump.
486 00:35:02,460 --> 00:35:06,000 If I hit F7, we are now at the NOPs.
487 00:35:06,330 --> 00:35:10,460 Even if you hit F9, by the way, look, what's going to happen is it's going to get stuck.
488 00:35:10,470 --> 00:35:12,550 We're at the interrupt.
489 00:35:12,870 --> 00:35:18,060 OK, so this is a breakpoint or an interrupt, which will interrupt the execution.
490 00:35:18,060 --> 00:35:26,520 So now we can control that, or actually we know that our code jumped into the NOPs and then slid
491 00:35:26,520 --> 00:35:29,980 into the interrupt, so we know we can control that.
492 00:35:30,300 --> 00:35:34,290 Now, let's just update our code with some fancy shellcode, so.
493 00:35:34,560 --> 00:35:34,920 Yep.
494 00:35:35,790 --> 00:35:36,540 Remove that.
495 00:35:38,430 --> 00:35:39,360 And.
496 00:35:41,360 --> 00:35:42,120 OK.
497 00:35:42,200 --> 00:35:43,610 OK, OK.
498 00:35:43,880 --> 00:35:44,810 And.
499 00:35:45,890 --> 00:35:50,060 Head Start now, I'm going to call this.
500 00:35:51,200 --> 00:35:54,550 Number five for the UI.
501 00:35:55,560 --> 00:36:01,470 And let's do some modifications again, so we have the NOPs, we have the EIP, we have the NOPs where
502 00:36:01,470 --> 00:36:05,370 we are going to land, then we are going to remove this.
503 00:36:05,610 --> 00:36:07,030 OK, we don't need it anymore.
504 00:36:07,680 --> 00:36:11,530 What we can do is, uh, let's see.
505 00:36:12,730 --> 00:36:16,360 We need our code, so our shellcode.
506 00:36:18,080 --> 00:36:21,380 Should be here, so we can add, let's bring the shellcode.
507 00:36:22,380 --> 00:36:24,700 So let's get the shellcode here.
508 00:36:24,720 --> 00:36:31,740 I've already made those, and so let's use this, which is for the calculator for now, and then we'll
509 00:36:31,740 --> 00:36:38,730 add something else, so we can replace, I'm going to put the shellcode there, not just so I don't need.
510 00:36:38,730 --> 00:36:43,560 And I think this is, uh, ninety-nine bytes, we'll check now.
511 00:36:44,550 --> 00:36:47,160 So let's do some updates to our code.
512 00:36:49,640 --> 00:36:51,690 Let's see, what do we have here?
513 00:36:51,910 --> 00:36:52,310 Sorry.
514 00:36:53,490 --> 00:37:03,450 Uh, let's just, so we can see more, so we have the junk, we have EIP, then we want the no operations,
515 00:37:03,450 --> 00:37:08,070 then we want our shellcode and then we want the pad.
516 00:37:08,960 --> 00:37:17,160 This is ninety-nine bytes, so this is correct, then it means, uh, where is my calculator.
517 00:37:17,870 --> 00:37:24,450 So it means 1976 minus 99.
518 00:37:25,130 --> 00:37:28,040 So we have 1877.
519 00:37:29,070 --> 00:37:31,830 1877, let's check.
520 00:37:32,550 --> 00:37:39,480 The good thing is this one will show us how big our payload is, let's just make sure we have
521 00:37:39,480 --> 00:37:45,090 everything right, that we have the junk of the offset, the EIP.
522 00:37:45,330 --> 00:37:47,840 We have our NOPs, right.
523 00:37:47,880 --> 00:37:48,720 The four NOPs.
524 00:37:49,140 --> 00:37:50,700 Then we have the shellcode.
525 00:37:51,450 --> 00:37:55,380 And then this is no longer used by this, I'm going to delete that, right.
526 00:37:56,040 --> 00:38:02,010 We have our NOPs, then we have our, we can even just write here, shellcode, just for
527 00:38:03,030 --> 00:38:05,800 the sake of understanding and
528 00:38:07,550 --> 00:38:13,730 making things easier for you if you want that, so we can add this also at the end, so we have junk,
529 00:38:13,890 --> 00:38:18,860 EIP, no operations, then we have our shellcode, then we have our pad.
530 00:38:19,070 --> 00:38:24,440 Let's make sure this is 3000 bytes, because I don't remember if this, OK, so it's not three
531 00:38:24,440 --> 00:38:30,620 thousand, but it means this shellcode is actually, for it's missing four bytes.
532 00:38:30,620 --> 00:38:33,350 So it's not really 99.
533 00:38:33,350 --> 00:38:34,250 It's 103.
534 00:38:36,070 --> 00:38:44,050 This is 103, I like to write that down usually just so I know how big my code is, so we need
535 00:38:44,050 --> 00:38:46,540 to remove three more bytes from here.
536 00:38:46,540 --> 00:38:48,730 So this will be 1873.
537 00:38:49,740 --> 00:38:56,810 And now if we create our payload, we should have 3000 bytes, or what did I do wrong this time?
538 00:38:58,590 --> 00:39:00,670 Uh oh, OK.
539 00:39:01,070 --> 00:39:02,810 Actually, we need to.
540 00:39:04,620 --> 00:39:07,860 So it's one, it should be a two, one.
541 00:39:09,410 --> 00:39:09,930 Right.
542 00:39:10,450 --> 00:39:12,050 What did I put you on?
543 00:39:12,560 --> 00:39:16,960 So, again, we have our 1012, which is the offset.
544 00:39:17,420 --> 00:39:20,380 We have, uh, four bytes, which is for the EIP.
545 00:39:20,390 --> 00:39:23,650 We have four bytes here, no operations, just to slide there.
546 00:39:24,200 --> 00:39:30,680 And then we have our shellcode, which is 103 bytes, and then we are filling the rest of the
547 00:39:30,680 --> 00:39:35,950 buffer with these C's, or I'm going to fill them with no operations also.
548 00:39:36,320 --> 00:39:40,780 So the rest of the buffer is going to be filled with also no operations.
549 00:39:41,120 --> 00:39:42,170 Let's run it again.
550 00:39:42,830 --> 00:39:43,790 3000 bytes.
551 00:39:43,790 --> 00:39:44,440 Great.
552 00:39:44,450 --> 00:39:47,640 Let's now go and execute our application.
553 00:39:47,660 --> 00:39:48,170 So.
554 00:39:49,120 --> 00:39:49,690 We.
555 00:39:52,030 --> 00:39:58,510 Open, but before I do that, I want to also add the breakpoint here, because I keep forgetting that
556 00:39:58,510 --> 00:39:59,110 it could.
557 00:39:59,140 --> 00:40:01,000 So we have a breakpoint.
558 00:40:01,860 --> 00:40:05,340 And now we can go.
559 00:40:06,280 --> 00:40:11,670 And load the bad file, open, we are at the jump ESP.
560 00:40:11,790 --> 00:40:15,620 OK, so if we hit F7, we are at the NOPs right now.
561 00:40:15,660 --> 00:40:16,490 We are now.
562 00:40:16,900 --> 00:40:18,400 This is where our shellcode is.
563 00:40:18,400 --> 00:40:21,130 We are not going to, like, step into one step at a time.
564 00:40:21,130 --> 00:40:26,200 We might do that later, but for now, I'm not going to do that, if I just hit F5.
565 00:40:26,990 --> 00:40:32,410 Then we should have, there's a problem here.
566 00:40:33,610 --> 00:40:38,170 Well, then probably we have some bad character in my shellcode.
567 00:40:40,420 --> 00:40:46,900 We probably have a bad character in my shellcode, but that's for another lab, for now, what I'm going
568 00:40:46,900 --> 00:40:48,580 to do is.
569 00:40:49,560 --> 00:40:51,990 Let me see if I run this from.
570 00:40:53,250 --> 00:40:55,110 Outside the.
571 00:40:56,570 --> 00:41:02,360 Uh, the debugger will come, we'll explain this in another video, but for now.
572 00:41:03,930 --> 00:41:07,440 Let's just see if this is working, OK?
573 00:41:07,610 --> 00:41:08,160 Uh.
574 00:41:15,750 --> 00:41:19,020 Oh, so we have something wrong going on.
575 00:41:20,710 --> 00:41:24,040 So maybe we have a bad shellcode.
576 00:41:31,240 --> 00:41:33,690 Let me see here.
577 00:41:35,190 --> 00:41:38,840 We have this all worked out correctly.
578 00:41:40,270 --> 00:41:46,930 I'm going to add maybe eight NOPs for now, I'm going to turn this back to seventy-seven.
579 00:41:48,070 --> 00:41:48,550 One.
580 00:41:49,660 --> 00:41:51,220 And see.
581 00:41:52,240 --> 00:42:00,070 We will be testing this more, or some similar example, later to see where is the, because there might be
582 00:42:00,070 --> 00:42:02,980 an attack on this one, I really don't remember.
583 00:42:03,970 --> 00:42:05,640 But it should be working.
584 00:42:06,680 --> 00:42:14,300 OK, so we need to add more no operations, probably when we jumped, we jumped into
585 00:42:14,300 --> 00:42:21,230 those four bytes and since the shellcode comes immediately after that, it didn't work.
586 00:42:21,830 --> 00:42:23,620 And I will explain, by the way, why.
587 00:42:23,630 --> 00:42:25,720 Because this is because of the.
588 00:42:26,540 --> 00:42:28,070 Let me just go back here quickly.
589 00:42:28,650 --> 00:42:30,230 Let me just go back here.
590 00:42:32,420 --> 00:42:33,350 Get some coffee.
591 00:42:37,030 --> 00:42:38,530 And it's because of.
592 00:42:41,330 --> 00:42:43,780 Let me start this, OK, start.
593 00:42:43,810 --> 00:42:44,620 OK, OK.
594 00:42:47,780 --> 00:42:51,370 And let's get this on, OK?
595 00:42:51,620 --> 00:42:55,100 Go back and now run.
596 00:42:56,510 --> 00:42:58,130 And run the application.
597 00:43:04,630 --> 00:43:06,880 And if we open.
598 00:43:09,340 --> 00:43:14,890 Again, I know what the problem is, it's because of the shellcode, this is immediately after that, so let's
599 00:43:14,890 --> 00:43:17,980 go here just to show you, jump ESP.
600 00:43:18,490 --> 00:43:25,630 So now, because of these operations here, actually they will overwrite some of the, uh, the payload
601 00:43:25,630 --> 00:43:26,150 itself.
602 00:43:26,830 --> 00:43:29,610 I'll explain what that is and how it works.
603 00:43:29,620 --> 00:43:33,640 These are floating point operations which are used to GetPC.
604 00:43:34,300 --> 00:43:38,560 Uh, I will explain those, but this is the basics for now.
605 00:43:38,560 --> 00:43:44,020 And I don't want to make things complicated, so I will get back to this.
606 00:43:44,410 --> 00:43:47,710 But now when we jump, we are not jumping into, let's say.
607 00:43:48,610 --> 00:43:54,580 Anywhere here, and this is not going to overwrite these because there is still some space, and now if I
608 00:43:54,580 --> 00:43:57,070 hit F9, it should work.
609 00:43:57,070 --> 00:43:58,530 Our calculator is working.
610 00:43:58,540 --> 00:43:59,170 Exactly.
611 00:44:00,010 --> 00:44:02,980 Let's modify our code, so this is working great.
612 00:44:04,100 --> 00:44:13,530 Let's modify our code with a reverse shell just so that we can have fun, UI, and I already have also created
613 00:44:13,530 --> 00:44:16,750 the reverse shell, so I'm just gonna replace that.
614 00:44:16,940 --> 00:44:21,380 So we have the reverse shell and the length is 389.
615 00:44:22,010 --> 00:44:24,350 So we need to check that.
616 00:44:25,350 --> 00:44:27,890 So I'm going to do that.
617 00:44:28,000 --> 00:44:28,760 Wait, wait, wait.
618 00:44:29,270 --> 00:44:31,790 Did I save this as another one right here?
619 00:44:32,190 --> 00:44:39,960 So I'm going to do this shellcode and this one is, we said, hash.
620 00:44:40,920 --> 00:44:42,300 389.
621 00:44:43,680 --> 00:44:46,950 And we need to update these numbers now, so.
622 00:44:48,810 --> 00:44:49,320 Oh.
623 00:44:51,130 --> 00:44:53,650 So what do we need to do here?
624 00:44:53,680 --> 00:44:56,070 Let's go back to our calculations.
625 00:44:56,210 --> 00:44:57,630 I want to.
626 00:44:58,470 --> 00:45:01,580 I calculate this an easier way for you guys.
627 00:45:02,430 --> 00:45:06,030 So we do 1012 plus.
628 00:45:06,810 --> 00:45:10,620 Uh, four plus eight plus.
629 00:45:11,670 --> 00:45:18,210 Uh, 1012, plus four, plus eight, plus 389.
630 00:45:19,200 --> 00:45:22,500 Then we get this value and if we subtract.
631 00:45:23,640 --> 00:45:28,470 3000, we'll get 1587, so we need one five.
632 00:45:29,520 --> 00:45:30,430 eight, seven.
633 00:45:30,540 --> 00:45:31,910 Let's just double check it.
634 00:45:32,970 --> 00:45:38,190 And let's save this now, let's run this to make sure we have 3000 bytes.
635 00:45:39,220 --> 00:45:40,660 Oh, we are missing.
636 00:45:41,680 --> 00:45:44,020 Uh, the only thing, twenty-one bytes.
637 00:45:45,140 --> 00:45:46,700 So is this wrong then?
638 00:45:48,990 --> 00:45:51,610 Uh, twenty-one bytes.
639 00:45:51,630 --> 00:45:53,110 This makes this.
640 00:45:54,300 --> 00:45:55,590 Uh, one.
641 00:45:57,570 --> 00:45:58,620 Six.
642 00:45:59,680 --> 00:46:01,370 Zero eight.
643 00:46:03,290 --> 00:46:04,850 Is that right this time?
644 00:46:06,430 --> 00:46:09,540 Again, 1608, letters in, great.
645 00:46:10,470 --> 00:46:15,720 So this is where our shellcode, so this is our reverse shell.
646 00:46:17,080 --> 00:46:19,540 Let's get our threat system.
647 00:46:20,680 --> 00:46:29,080 I already have everything set up here so we can use this command, which is going to create the front
648 00:46:29,140 --> 00:46:37,040 load the console with the handler, set the payload, set my, uh, localhost IP, the port which the
649 00:46:37,040 --> 00:46:41,860 actual code is to connect to and the exit process and then run.
650 00:46:44,340 --> 00:46:47,760 So if I just do that to create my listener.
651 00:46:49,890 --> 00:46:50,510 OK.
652 00:46:52,090 --> 00:46:59,240 Um, OK, so the listener is now running, as you can see, we set all the configurations.
653 00:46:59,830 --> 00:47:07,320 Now if we go back, I might do a video about Metasploit later, but yeah, for now, we'll, uh.
654 00:47:08,330 --> 00:47:09,240 We do this.
655 00:47:09,350 --> 00:47:11,360 So what do we need?
656 00:47:11,420 --> 00:47:15,770 Yeah, we need to exploit the application, so if we go, we'll play.
657 00:47:15,770 --> 00:47:17,500 Ah, OK.
658 00:47:17,780 --> 00:47:19,580 And this time if we load.
659 00:47:20,410 --> 00:47:21,010 The.
660 00:47:22,560 --> 00:47:23,430 The bad file.
661 00:47:24,880 --> 00:47:36,100 We should see something happen, and here we go, we can see that we have, uh, a shell on the system
662 00:47:36,850 --> 00:47:41,710 so we can do make directory A, or actually just echo.
663 00:47:42,840 --> 00:47:43,530 Hello.
664 00:47:45,180 --> 00:47:45,630 Well.
665 00:47:47,320 --> 00:47:48,940 And to low.
666 00:47:50,180 --> 00:47:50,560 The.
667 00:47:52,070 --> 00:48:00,650 OK, so just to double check, and we can see that, great, so we have access to the system and we saw
668 00:48:00,650 --> 00:48:03,890 how we, uh, exploited that now.
669 00:48:05,000 --> 00:48:06,860 How did I generate the shellcode?
670 00:48:07,400 --> 00:48:12,770 Those were some, one of them was explained in the previous video, the Metasploit one.
671 00:48:12,770 --> 00:48:14,500 I will explain that in another video.
672 00:48:14,510 --> 00:48:20,870 But I think you already have, there's already a lot of videos out there and a lot of resources.
673 00:48:20,870 --> 00:48:23,900 But I would also do that in a later video.
674 00:48:25,440 --> 00:48:29,550 How to generate that, actually, maybe I can just show it to you now.
675 00:48:29,570 --> 00:48:30,090 What is it?
676 00:48:30,720 --> 00:48:31,560 Yeah, here it is.
677 00:48:31,920 --> 00:48:34,200 So this is how I generated that payload.
678 00:48:34,950 --> 00:48:40,910 And it's 368, that's why when we did the calculations, we did it wrong.
679 00:48:40,920 --> 00:48:41,380 We did.
680 00:48:41,970 --> 00:48:43,200 I thought it was three.
681 00:48:44,850 --> 00:48:47,240 How much did we see the payload here?
682 00:48:48,290 --> 00:48:53,900 All this is 368, 368, so that's why our calculations were wrong.
683 00:48:54,410 --> 00:48:56,690 So, yeah, this is how you can generate this.
684 00:48:57,000 --> 00:49:04,430 msfvenom -p, the shell, the localhost where it's going to be connecting to the listener,
685 00:49:04,430 --> 00:49:12,590 the port where it's going to be listening on and the exit function and then the encoder which I'm using
686 00:49:13,190 --> 00:49:21,050 to encode the bad characters and remove them, -f if I want it in C format and -b to specify
687 00:49:21,050 --> 00:49:22,890 all the bad values, the bad characters.
688 00:49:23,540 --> 00:49:25,820 And again, we will explain more about this later.
689 00:49:25,910 --> 00:49:29,180 So you need to do then copy this into your code.
690 00:49:29,450 --> 00:49:37,250 And as you saw here, this one, we can see we have access to that system by the ipconfig.
691 00:49:39,350 --> 00:49:45,470 You can see this is my IP address, my Windows, and if I check over here.
692 00:49:46,510 --> 00:49:48,280 You can see it's the same IP address.
693 00:49:48,970 --> 00:49:49,390 Good.
694 00:49:49,420 --> 00:49:50,980 So that's it for this video.
695 00:49:51,430 --> 00:49:53,470 I hope it was good or useful.
696 00:49:53,620 --> 00:49:56,740 And we'll see you in another video.
697 00:49:56,980 --> 00:49:57,610 Thank you.
698 00:49:57,730 --> 00:49:59,830 And see you, bye.