WEBVTT

00:00.840 --> 00:02.970
This is where we left off in the previous video.

00:03.300 --> 00:10.800
Now let's discuss how we can make use of this space we have on the stack that is controllable by us.

00:11.350 --> 00:16.650
Let's also discuss how we can make use of this control on the AP register.

00:17.280 --> 00:24.240
A simple idea here is that we will place some Chalco in the beginning of the buffer and then we will

00:24.240 --> 00:28.360
force the IP register to execute the shell code that replaced.

00:28.920 --> 00:31.680
Now the question is, what is Schenkkan?

00:33.870 --> 00:39.240
Chalco is a sequence of instructions that the machine can execute directly.

00:39.750 --> 00:45.810
We don't have to worry about compiling the Shell code because Schenkel is something that can be understood

00:45.810 --> 00:48.250
and executed by the CPU directly.

00:48.750 --> 00:55.410
So in the space that we have on the stack, we can place some code because it can be directly executed

00:55.410 --> 00:56.220
by the CPU.

00:56.700 --> 00:57.650
That's the idea.

00:58.020 --> 00:59.790
But how do we get the shell code?

01:00.390 --> 01:02.400
There are multiple ways to get shell code.

01:02.640 --> 01:04.560
We can use online resources.

01:05.070 --> 01:10.200
We can use a tool called MSF venom, which comes preinstalled with clinics.

01:10.590 --> 01:14.280
We can also write our own channel code in a later section.

01:14.290 --> 01:17.040
We are going to learn how to write our own channel code.

01:17.490 --> 01:23.300
But let's first finish this exploit by using some shell code that's taken from the Internet.

01:23.970 --> 01:29.340
There are multiple resources available online where Shell Code is publicly available.

01:30.090 --> 01:36.540
Shell star dot org and exploit DBE dot com are few places where you can get shell code.

01:37.110 --> 01:43.890
We will have to be extremely careful when downloading Shell code from publicly available resources because

01:43.890 --> 01:49.650
the shell code that you're downloading can have malicious functionality and you may execute it on your

01:49.650 --> 01:50.070
machine.

01:51.460 --> 01:55.450
It can cause damage if it is built by someone with malicious intent.

01:55.900 --> 02:00.310
This is where I suggest you to write your own shall code for the exploit that you are writing.

02:00.610 --> 02:06.650
But just for the sake of completing this exploit, let's take some shall code that's available online.

02:07.270 --> 02:11.980
We are going to take shall code from Standard Arc for this exercise.

02:14.110 --> 02:17.410
This is the same court that we are going to use for this exercise.

02:17.740 --> 02:25.420
This is basically going to give us a big message, shall, when executed, this court is going to execute

02:25.420 --> 02:28.040
Behn message using Xigris.

02:28.720 --> 02:31.690
So let's take a copy of this shall code.

02:34.820 --> 02:37.190
And let's place it in our notepad.

02:38.840 --> 02:41.220
Now let's go back to our washing machine.

02:42.590 --> 02:46.820
Let's also take a copy of this stack.

02:50.760 --> 02:52.190
And let's play straight here.

02:56.290 --> 03:01.050
Let's go back to the virtual machine and let's quit jalebi

03:03.910 --> 03:12.460
now let's copy the latest exploit that we have, which is exploited for Dogpile and let's say it has

03:12.460 --> 03:16.750
exploited five dogpile now exploited five.

03:16.750 --> 03:18.930
Dogpile is what we are going to work with.

03:19.390 --> 03:24.730
So let's open it up using them now.

03:25.510 --> 03:27.640
Let's copy the shall code that we have gotten.

03:34.240 --> 03:38.710
And let's create a new variable called Shall Code.

03:42.120 --> 03:49.600
And let's face it here now, the shell core taken from Shell Standard org is placed in our exploit.

03:49.890 --> 03:52.900
Now, where do we place this shell in our buffer?

03:53.730 --> 03:56.340
Let's examine the stack to understand this.

03:57.980 --> 04:05.420
This is the current situation of our STAC, we have some junk filled in until we reach our IRAP and

04:05.420 --> 04:10.530
after reaching IRAP, we are replacing this register with six caes.

04:11.140 --> 04:18.580
Now we need to replace these six seats in a way that that execution will be redirected under Chalco.

04:19.370 --> 04:26.990
So what we are going to do is instead of the junk this time, we are going to place the code in the

04:26.990 --> 04:28.190
beginning of a buffer.

04:28.520 --> 04:35.450
And obviously the code is not enough to fill in the complete buffer until we override the return address.

04:35.630 --> 04:38.950
So the remaining buffer will be filled with some padding.

04:39.410 --> 04:45.740
And when we want to override the return address, we are going to override it with some address that

04:45.740 --> 04:48.350
is going to point to the beginning of our shell code.

04:49.400 --> 04:56.090
So what happens is when the execution lands on the return address, it will redirect the execution to

04:56.090 --> 05:03.320
the shell core and the shell code will eventually get executed while this is going to work to give some

05:03.320 --> 05:04.560
room for error.

05:04.850 --> 05:12.530
Let us also place some nevzlin just before the shell code that's going to look like this knob stands

05:12.530 --> 05:19.520
for no operation and it basically does nothing but just passing the execution to the next instruction.

05:20.060 --> 05:27.830
The reason we are going to use this nevzlin here is when we override this RFP register and when we pass

05:27.830 --> 05:34.370
the execution to this nozzle, it basically does nothing but slighting the execution towards the shell

05:34.370 --> 05:34.700
code.

05:34.850 --> 05:41.330
And at some point of time, the execution will land on the shell code and the shell code gets executed.

05:42.020 --> 05:47.930
One benefit with this is if you are trying to redirect the execution to the shell code, you have to

05:47.930 --> 05:53.870
be accurate and your interdiction should exactly lead to the beginning of the shell code.

05:54.590 --> 05:56.000
In case of an obsolete.

05:56.100 --> 05:59.270
You don't have to be exactly at the beginning of the nevzlin.

05:59.570 --> 06:02.450
You can land anywhere in between the non-slip.

06:02.750 --> 06:04.150
So that's the advantage.

06:04.490 --> 06:10.550
Now let's go ahead and find out an address that is going to point to the beginning of a buffer.

06:12.320 --> 06:15.810
Here is the stack that we have copied earlier, if you notice.

06:16.100 --> 06:21.590
This is where the buffer is beginning and as we have planned, we are going to fill in some of these

06:21.590 --> 06:23.250
bytes with some nevzlin.

06:23.690 --> 06:26.970
So this address is a good candidate for us.

06:27.230 --> 06:29.000
So let's copy this address.

06:32.000 --> 06:36.350
And let's start here at RHP.

06:39.660 --> 06:46.500
And we will also have to fill in some knopf's in the beginning, as I mentioned, this is going to be

06:46.500 --> 06:50.820
the beginning of the buffer and I'm going to choose platinum's.

06:51.270 --> 06:56.040
So slash X 90 is what we can use to represent ANOP.

06:56.760 --> 06:58.800
So we need 30 of these.

06:59.970 --> 07:02.670
And if you notice, we have not misled.

07:02.670 --> 07:04.230
And Shell called ready.

07:04.530 --> 07:08.710
And still we have two hundred and fifty six is in the junk.

07:09.030 --> 07:15.990
We don't need two hundred and fifty six is now because we are replacing some of this junk with an obsolete

07:15.990 --> 07:17.040
and shell cord.

07:17.370 --> 07:19.670
So let's adjust this length.

07:20.280 --> 07:22.140
Two hundred and fifty six minus.

07:26.840 --> 07:35.720
Length of knob's minus length of shell cord.

07:38.780 --> 07:44.450
All right, we have fixed the total number of errors that we want in the buffer followed by this, we

07:44.450 --> 07:48.620
have eight bees which are going to overwrite and the R, B, B register.

07:48.950 --> 07:53.990
And finally, we will have to change these six C's with this address.

07:54.380 --> 07:57.320
So let's remove these six C's here.

07:59.700 --> 08:06.000
And let's write down this address in reverse order, because it has to be in little Indian format,

08:06.420 --> 08:20.310
slash six one eight, slash X Diddy, slash x f f f f f f, slash X, seven F.

08:20.910 --> 08:23.100
So that should fix the final exploit.

08:23.370 --> 08:31.300
Now all we have to do is we will have to print the knobs and we will have to bend the skin code to it.

08:31.840 --> 08:34.190
Finally, we will have to open the junk.

08:34.740 --> 08:41.880
So we are first printing the obsolete followed by the shell code and then we have junk which will fill

08:41.880 --> 08:47.700
the remaining buffer until we reach our BP eight base are used to override our BP.

08:48.030 --> 08:53.030
And finally our reps filled with the address that is pointing to our non-slip.

08:53.490 --> 08:55.170
So let's save the file.

08:59.180 --> 09:07.580
And let's produce the payload using this exploit 5:00 p.m. and let's save it as payload five.

09:09.830 --> 09:17.420
We can use a hex editor to verify if Panel five has everything we are expecting, so let's type the

09:19.010 --> 09:21.500
payload five hit enter.

09:23.090 --> 09:23.690
Look at that.

09:23.970 --> 09:27.260
Our payload is actually beginning with some knob slid.

09:27.830 --> 09:36.830
After that, we have Chalco and the remaining junk is filled with some years after that, we have eight

09:36.830 --> 09:40.320
bays followed by the address that we have specified.

09:40.610 --> 09:43.370
So this is going to override the return address.

09:43.850 --> 09:44.430
Looks good.

09:44.900 --> 09:48.110
Let's open up the vulnerable program using GDP once again.

09:53.590 --> 09:58.180
Now, let's run the vulnerable program using the payload that we have just produced.

10:04.690 --> 10:05.240
There you go.

10:05.380 --> 10:11.260
Let's hit enter and look at that, the next flight word and we have got a shell.

10:11.830 --> 10:18.980
Now, the next immediate step is to verify this exploit outside Jilib, because that's our end goal.

10:19.000 --> 10:21.710
We are not going to execute or exploit using Gleib.

10:21.970 --> 10:27.230
So let's quickly check if this exploit is also going to work outside Jilib.

10:27.610 --> 10:29.290
So I'm quitting GDP here.

10:37.330 --> 10:43.480
And let's try that level cat.

10:45.570 --> 10:46.790
Payload five.

10:47.800 --> 10:56.790
Let's look at that, there seems to be a bus error and code dumped, usually buzzers occur when your

10:56.790 --> 11:00.170
processor cannot even attempt the memory access requested.

11:00.900 --> 11:01.250
Right.

11:01.350 --> 11:05.820
So let's quickly go through the code dump and see if it is something that we can fix.

11:06.720 --> 11:12.850
Jeremy Dash code and let's open up the code file.

11:14.670 --> 11:15.340
Look at that.

11:15.480 --> 11:19.380
There seem to be some issue here with this address.

11:20.220 --> 11:22.670
Let's examine the stack and see what happened.

11:31.640 --> 11:36.000
If you notice, this is the address which has caused this Sigma's error.

11:36.470 --> 11:42.830
However, our not sledded is actually beginning at a different address outside Jilib.

11:43.340 --> 11:48.650
This is because addresses outside Jilib slightly differ from what you'll see within Greevey.

11:48.920 --> 11:50.350
So we will have to fix this.

11:50.790 --> 11:57.740
Now, we are going to copy this address, which is ending with the 88, and we are going to give this

11:58.040 --> 11:58.910
in our next flight.

11:59.120 --> 12:01.100
So let's quit from Julie Bishop.

12:04.920 --> 12:14.820
And let's Koppio exploit, exploit five p.m. and let's save it as exploit Basche final dot pill, hopefully.

12:21.130 --> 12:25.390
And let's replace this 18 with 88.

12:29.270 --> 12:32.410
That's the address that we have noticed outside GDB.

12:32.960 --> 12:34.520
Now let's save this file.

12:37.370 --> 12:46.940
And let us type exploit Basche final thought here and let's save it as payload dash final.

12:48.680 --> 12:53.270
Now let's run the vulnerable program and let's pass this as inpart.

12:57.020 --> 13:07.730
Let's remember, they got the exploit, worked outside GDP and we have gotten benefits, so great now

13:07.730 --> 13:13.940
we can run whatever the commands that we want, we can just type A. And we can basically run any command

13:13.940 --> 13:17.390
in the context of the target program that we have exploited.

13:17.960 --> 13:18.290
Right.

13:18.290 --> 13:22.670
So let's exit from the shell before we move on to the next topic.

13:22.850 --> 13:28.760
I'm going to make a small change to our final exploit before we move on to the next topic.

13:28.760 --> 13:31.640
I'm going to make a small change or exploit.

13:32.210 --> 13:38.930
I'm first going to open up the exploit exploit final R.P.M. and.

13:45.850 --> 13:52.480
And let's use a function called PAC to automatically convert these endlessness into little alien format

13:52.480 --> 13:52.980
for us.

13:53.500 --> 13:57.040
So let's just copy this address.

14:00.930 --> 14:10.290
And let's pass it to the back function from Paul and let's face it here, and let's change this 18 to

14:10.290 --> 14:10.980
88.

14:12.970 --> 14:17.110
And let's pass the first argument as uppercase.

14:17.110 --> 14:27.370
Q We will have to use Q for longer addresses such as 64 bit addresses and let's save the file and let's

14:27.370 --> 14:30.190
quickly remove payload dash final.

14:30.760 --> 14:35.350
And once again, let's produce payload final to verified exploit.

14:47.280 --> 14:51.570
I'm running may explode with a modified payload and let senator.

14:54.270 --> 14:56.640
There you go, the exploit still worked.

14:57.060 --> 14:59.560
All right, I hope you have enjoyed this video.

14:59.790 --> 15:04.920
Congratulations on building your first stack based buffer overflow exploit.