WEBVTT

00:01.470 --> 00:03.540
This is where we left off in the previous video.

00:03.900 --> 00:10.050
Now let's find out the offset at which RBD being ordered to do this.

00:10.060 --> 00:16.320
We are going to use some features available within Jeff since we came to know that there is a crash

00:16.320 --> 00:22.890
with 300 characters to proceed further with our analysis, let's load the executable once again using

00:22.890 --> 00:23.490
Jollibee.

00:28.400 --> 00:32.990
Jeremy Bascule daughter slash vulnerable

00:36.230 --> 00:40.700
inventor, and we should see the screen where the binary is loaded.

00:41.420 --> 00:49.060
Now let's run the command pattern space, create three hundred.

00:49.430 --> 00:51.740
So we are doing this within just a minute.

00:52.100 --> 00:55.090
This is going to produce a pattern of length.

00:55.100 --> 00:59.480
Three hundred, we can use this pattern instead of using 300 A's.

00:59.660 --> 01:05.890
So we will be able to identify which four characters are actually overriding the HBP register.

01:06.350 --> 01:06.590
Right.

01:06.740 --> 01:09.840
So let's hit Enter the River.

01:10.130 --> 01:12.590
Now, I'm just going to copy this.

01:14.720 --> 01:17.870
And let's open up a new terminal.

01:19.600 --> 01:29.230
And let's copy the file, exploit one dark pill and let's save it as exploit 2:00 p.m. and now let's

01:29.230 --> 01:37.240
open up, explain to our people and let's replace these 300 is with the pattern that we have obtained

01:37.540 --> 01:38.350
from Jeff.

01:41.490 --> 01:43.240
All right, I have pasted it here.

01:43.380 --> 01:46.860
Let's close the double quotes and there you go.

01:47.220 --> 01:49.200
Now, let me just save the file.

01:50.850 --> 01:53.340
Let's quickly check if it is working or not.

01:55.020 --> 01:57.080
Seems like it is working fine.

01:57.570 --> 02:05.430
So let's not exploit to people and let save the output into a file card.

02:05.430 --> 02:06.460
Payload two.

02:07.890 --> 02:19.380
Now let's go back to the Judy Wetangula and let us type run that payload to let us render.

02:22.130 --> 02:28.490
Look at that, there is a segmentation fault once again, there doesn't seem to be any pattern overwriting

02:28.490 --> 02:29.880
the AP register.

02:30.320 --> 02:36.780
However, once again, the IVP appears to have been overwritten with eight bytes from our payload.

02:37.280 --> 02:41.880
If you look at this, this is what our baby register is currently holding.

02:42.290 --> 02:48.580
So let's quickly confirm that this is from our pattern by using pattern such command from Jeff.

02:49.160 --> 02:50.150
Let's copy this.

02:53.070 --> 03:08.190
And let's clear the screen and let's use pattern space search and let's give this input and let's look

03:08.190 --> 03:08.540
at that.

03:09.000 --> 03:13.600
It says The pattern is found after two hundred and fifty six bytes.

03:13.980 --> 03:18.120
So we found the offset to our BP, which is 256 minus.

03:18.900 --> 03:25.350
Even though we are unable to override Arizpe, we can calculate the possible offset to our IP based

03:25.350 --> 03:27.510
on the offset we have gotten to our BP.

03:28.290 --> 03:35.100
If our payload is properly reaching Oraibi, it has to be overwritten immediately after our BP.

03:35.460 --> 03:39.180
But for some reason this Oraibi is not being overwritten.

03:39.480 --> 03:41.790
We will understand why that is in a moment.

03:42.040 --> 03:44.820
But for now, let's try to add eight more bytes.

03:44.820 --> 03:48.320
So this offset to our BP and let's see what happens.

03:48.810 --> 03:53.160
So I'm just quoting here and.

03:54.360 --> 04:00.820
Let's copy this exploit to here and let's save it as exploit tilapia.

04:01.410 --> 04:11.040
Let's open up this file, exploit to Dark Pier and let's quickly delete this line and let's create the

04:11.040 --> 04:12.120
variable once again.

04:14.520 --> 04:16.920
Let's give it two hundred and fifty six is.

04:21.410 --> 04:25.320
And let's spend a bucks here.

04:26.870 --> 04:30.040
OK, so this should be overriding the odd beep.

04:30.260 --> 04:35.910
So if our analogy is correct, we should see eight BS in our BP register.

04:36.370 --> 04:37.550
Now let's spend.

04:45.840 --> 04:52.020
Eight sees to this, so essentially what we are trying to do is we are giving two hundred and fifty

04:52.020 --> 04:58.680
six is to reach our BP and then we are overriding our BP with a base.

04:59.010 --> 05:05.850
And according to our earlier technology, we should be able to override our IP register immediately

05:05.850 --> 05:08.150
after overriding our BP register.

05:08.610 --> 05:14.680
So we are giving eight more bites, hoping that we will see these eight CS in our IP register.

05:15.120 --> 05:17.340
So let's just add a comment here.

05:17.810 --> 05:24.690
This is for our BP and this is for our IP.

05:26.460 --> 05:33.180
OK, so let's save the file and let's produce the payload.

05:36.740 --> 05:38.020
OK, so we're done.

05:38.060 --> 05:46.190
Now let's run the Binley once again using Jilib and let's run it using our payload.

05:49.250 --> 05:52.820
Let's hit enter once again.

05:52.850 --> 05:59.090
The application crashed and there is a segmentation fault, but the segmentation fault doesn't seem

05:59.090 --> 06:01.690
to be showing us anything useful.

06:02.120 --> 06:04.530
So let's type in four registers.

06:05.270 --> 06:08.810
We can also use the registers shown by Jeff.

06:08.810 --> 06:12.550
But just to keep it simple and typing in, for instance.

06:13.670 --> 06:24.860
And if you notice, the odd BP Register has a piece, this is expected, but our IP register still holds

06:24.890 --> 06:28.430
the same old value that we have been seeing from the beginning.

06:28.940 --> 06:32.240
OK, now I don't want to keep the suspense on anymore.

06:32.540 --> 06:38.880
I'm going to explain why this RHP register is not containing the values from our buffer.

06:39.480 --> 06:41.960
Now, let's quickly go back to the slides.

06:42.350 --> 06:50.060
And in 64 bit architecture, it is worth knowing about the usable address space, the usable address

06:50.060 --> 06:53.820
spaces from this to this.

06:54.200 --> 06:56.180
These are canonical addresses.

06:56.780 --> 07:03.740
Now, attempting to use noncanonical addresses like this will cause a segmentation fault.

07:04.080 --> 07:10.940
So so far we have been noticing the segmentation fault due to the fact that we were overriding our IP

07:10.940 --> 07:17.810
register with a noncanonical address instead of an address from a valid range, which is this.

07:18.440 --> 07:24.740
Now, this simply means we cannot override all 64 bits of the RHP register.

07:25.280 --> 07:30.890
We should override the lower 48, but only to avoid this segmentation fault.

07:31.400 --> 07:38.120
Now, let me switch to the washing machine and let's also see the memory maps of this process

07:40.870 --> 07:42.650
time via map.

07:43.010 --> 07:45.500
And if you see the output, these are the memory maps.

07:45.830 --> 07:51.610
If you closely observe all the entries should be only in canonical address range.

07:51.860 --> 07:57.090
If you notice here, the first two bytes are not similarly here.

07:57.140 --> 08:03.260
The first two are notes similar to here and also the best ideas of Lipsey.

08:03.260 --> 08:05.250
The first two bytes are nuts.

08:05.690 --> 08:13.520
So essentially, if you look at this, all the userspace addresses are only making use of the 48 bits,

08:13.520 --> 08:17.330
but not the 64 bits except for the last line.

08:17.390 --> 08:20.180
This is true for all the other addresses.

08:20.480 --> 08:27.140
So all the lines, excluding the last one, describing the memory regions in userspace and all of them

08:27.140 --> 08:29.930
are having annuls on the first two bytes.

08:30.350 --> 08:36.110
The last line, which is this is called, refers to a page and kernel space, and that's the reason

08:36.110 --> 08:39.220
why it is making use of the higher two bytes as well.

08:39.650 --> 08:45.800
But otherwise, if it is a userspace address, it will only be using the addresses in canonical address

08:45.800 --> 08:46.250
range.

08:47.000 --> 08:47.260
Right.

08:47.660 --> 08:53.960
So the key takeaway here is that all the userspace addresses are in canonical address.

08:53.960 --> 09:02.120
Reg, keeping this in mind, let's override RHP register with six bytes instead of aid bytes.

09:02.570 --> 09:04.880
So let's go back to our previous terminal.

09:06.680 --> 09:16.400
And let's copy this, exploit our and let's save it as exploit for our let's open it up using them

09:20.120 --> 09:24.470
and let's replace these eight seas with sixes.

09:28.550 --> 09:37.400
All right, so let's save the file and let's produce the payload using Explorer at 4:00 p.m. and let's

09:37.400 --> 09:41.630
save it as payload for once again.

09:41.720 --> 09:45.750
Let's start the binary and run it using this new payload.

09:46.610 --> 09:50.780
So I'm just using the previously used command to load the binary.

09:51.290 --> 10:01.040
And let's use a run space card payload for let's hit enter.

10:02.710 --> 10:04.100
And there you go.

10:04.740 --> 10:11.650
We managed to successfully override the RHP registered this time the segmentation fault clearly shows

10:11.650 --> 10:17.830
that our address with six seats is in Oraibi, which has caused the crash.

10:18.280 --> 10:21.160
Now, let's quickly confirm it by checking the registers.

10:25.210 --> 10:25.990
Here it is.

10:26.230 --> 10:34.870
As you can see, the AP register is now holding six seats and the BP register is holding the Forbess

10:34.870 --> 10:35.830
as expected.

10:36.400 --> 10:46.270
Now, let's also observe the stack exhibit and let's say we want to print 50 entries and we want to

10:46.270 --> 10:50.030
print the hex values in 64 bit formats that I'm using.

10:51.190 --> 10:59.510
And let's use Arizpe minus probably 280, because 256 is what is required to reach our BP.

11:00.070 --> 11:04.300
So I'm just using 280 to see some more entries even before the buffer.

11:04.840 --> 11:08.130
So I'm just hitting enter the go.

11:08.500 --> 11:11.380
If you look at the output, there are a bunch of errors.

11:11.620 --> 11:19.000
And then we placed Faldo's and after that we have six CS.

11:19.180 --> 11:26.140
So this is our RHP Everything that we have placed inside the buffer is currently available on the stack

11:26.410 --> 11:27.880
and that's the good news.

11:28.300 --> 11:35.020
Now, the key takeaway from this observation is that we managed to identify how much junk is required

11:35.200 --> 11:37.390
to be able to control the AP register.

11:37.810 --> 11:44.800
And we also noticed that most of the characters that we are placing in the buffer are available on the

11:44.800 --> 11:45.250
stack.

11:45.850 --> 11:46.170
Right.

11:46.390 --> 11:47.680
So this is a good news.

11:47.920 --> 11:53.470
We are going to make use of all these details to write our final exploit, but that's all for this video.

11:53.710 --> 11:59.200
In the next video, we are going to discuss how we can use this buffer that's being placed on the tag

11:59.440 --> 12:00.820
for our own benefit.