WEBVTT 00:00.870 --> 00:06.690 All right, this is my virtual machine, and I have already logged in and I'm currently inside the X 00:06.690 --> 00:09.450 86 and 64 directory. 00:09.690 --> 00:15.430 As I mentioned earlier, this is the working directly through all the courts now within this victory. 00:15.450 --> 00:20.250 I have another directly called simple underscore buffalo floor. 00:20.700 --> 00:23.730 And within that, I do have two different files. 00:24.150 --> 00:27.810 The first one is Makefile and the second one is vulnerable. 00:27.810 --> 00:28.620 Dot seat. 00:29.250 --> 00:31.260 As I can guess, the file vulnerable. 00:31.260 --> 00:36.060 Daudzai is a simple C program which is vulnerable to Buffer overall. 00:36.600 --> 00:38.280 If you look at this C program, 00:41.460 --> 00:46.610 we have a function named one underscore function, which is having an argument. 00:47.040 --> 00:52.680 This is basically the argument to the program itself and that's being passed into a variable called 00:52.680 --> 00:58.860 input, which in turn is being copied into another variable, which is a category of length. 00:59.130 --> 01:00.500 Two hundred and fifty six. 01:01.110 --> 01:05.250 However, we are performing this copy using FDCPA function. 01:05.760 --> 01:12.810 This ECPA function doesn't do any bounce checking and thus we will be able to write more than two hundred 01:12.810 --> 01:15.300 and fifty six characters into this buffer. 01:15.720 --> 01:22.920 And that's when the buffer of lowercase and if this overflown buffer is written onto the stack, and 01:22.920 --> 01:28.830 if we can somehow override the return address of this function, we will be able to control the flow 01:28.830 --> 01:30.150 of the entire program. 01:30.570 --> 01:35.010 And that's the reason why this is called a stack based buffer overall. 01:35.910 --> 01:37.960 Now, let's proceed to exploit this program. 01:38.580 --> 01:41.160 Before that, we need to have a combined binary. 01:41.460 --> 01:46.920 I have created a simple makefile to make our life easy and to also avoid mistakes. 01:47.430 --> 01:48.730 So here it is. 01:48.750 --> 01:49.890 That's the second file. 01:50.490 --> 01:55.680 Now, if you look at this, when you run make command, this line will be executed. 01:56.640 --> 02:03.450 We are simply using GTC and we are passing the program vulnerable Nazih as input and we are producing 02:03.450 --> 02:05.760 the binary vulnerable as output. 02:06.270 --> 02:08.990 There are two important arguments that are worth noting here. 02:09.300 --> 02:11.970 The first one is ethnos stack protector. 02:12.510 --> 02:16.740 What this is going to do is it will be able stack guarantee protection. 02:17.310 --> 02:20.480 And the second one is Dasch, the exec stack. 02:20.850 --> 02:26.800 This is going to disable next bit for this executable so that the stack will be executable for us. 02:27.530 --> 02:33.130 Essentially, we are disabling Anex using this option bash the exact stack. 02:33.780 --> 02:39.840 This is important before proceeding with this example, because as I mentioned earlier, to start with, 02:39.840 --> 02:43.410 we are going to exploit this binary without any protections. 02:44.010 --> 02:47.420 We don't want to build on binary with protections at this point of time. 02:47.940 --> 02:54.540 We are going to discuss how to bypass some of these protections like Anex and SLR in later videos. 02:54.930 --> 02:59.520 Now, let's go ahead and disable SLR as well before disabling it. 02:59.700 --> 03:02.010 Let's quickly check the value of the file. 03:06.810 --> 03:18.240 Pronk, we need to have sort of here slash this slash colonel slash randomise 03:20.730 --> 03:23.820 underscore, we underscore space. 03:24.600 --> 03:25.440 Let's surrender. 03:27.300 --> 03:27.960 Look at that. 03:27.990 --> 03:31.380 This file randomise underscore we are in this space. 03:31.590 --> 03:36.210 Has the value to this means ASALA is fully enabled. 03:36.600 --> 03:41.730 Now let's go ahead and disable SLR by writing the manual zero into this file. 03:42.450 --> 03:50.060 Now to simplify this process of verifying whether SLR is enabled or disabling SLR or enabling Arsala, 03:50.430 --> 03:52.430 I have written a few helper scripts. 03:53.070 --> 04:03.270 So in my ex 086 Underscore 64 directory, I created another folder called Asla and inside this I do 04:03.270 --> 04:10.020 have three different files that simple helper scripts to help us with enabling and disabling SLR. 04:10.410 --> 04:18.840 Let's first check the file verifying dash SLR dot such as you can see it is just doing a simple cat 04:18.840 --> 04:24.290 on this file so we can also use this file to verify if salaries enabled. 04:25.080 --> 04:28.410 As it can see currently ASALA is fully enabled. 04:29.430 --> 04:35.820 Now if you want to disable SLR, we can use the file disable dash SLR, dot S.H.. 04:37.230 --> 04:44.180 As you can see, this is writing the value zero into this file, so let's quickly type pseudo dot, 04:44.190 --> 04:47.810 slash, disable dash, SLR dot message. 04:48.990 --> 04:53.130 Now let's once again verify if A is enabled. 04:54.620 --> 04:55.200 There you go. 04:55.430 --> 05:01.790 The value is now set to zero, so ASALA is now disabled on this mission. 05:02.360 --> 05:05.760 Now we are fully ready to exploit this vulnerable program. 05:06.050 --> 05:09.590 So let's compile it and produce the executable binary. 05:10.490 --> 05:22.340 So let's go to simple Buffalo Placeholder and let's quickly type make this should have produced a new 05:22.340 --> 05:23.930 file which is vulnerable. 05:24.530 --> 05:27.650 Now let's quickly type file space vulnerable. 05:29.090 --> 05:33.510 As you can see, this is an alpha binary and it's a 64 bit binary. 05:34.220 --> 05:36.790 Let's quickly go ahead and run it and see what happens. 05:43.480 --> 05:53.980 Nothing happens, let us probably pass a simple argument and observe what happens once again, nothing 05:53.980 --> 05:54.460 happens. 05:55.000 --> 06:00.430 It is intentional that it doesn't do anything apart from taking input and then copying it into another 06:00.700 --> 06:03.110 variable, using a Stackpool function. 06:04.000 --> 06:04.260 Right. 06:04.600 --> 06:06.220 So that's all for this video. 06:06.370 --> 06:10.150 In the next video, we are going to see how to crash this application.