WEBVTT

00:02.050 --> 00:08.860
We have successfully written an exploit that works against our vulnerable binary. Our vulnerable binary

00:08.860 --> 00:14.590
uses the strcpy function. The strcpy function terminates the buffer

00:14.800 --> 00:23.590
when a null byte is encountered. On x86-64, processors currently only use the least significant 48 bits

00:23.590 --> 00:24.760
of the address.

00:25.210 --> 00:33.850
This means our return address to overwrite RIP should be of 48 bits, and the remaining higher 16 bits

00:33.850 --> 00:35.350
must be filled with zeros.

00:35.890 --> 00:42.470
Any instructions or gadgets placed after the return address will not be executed, as

00:42.470 --> 00:46.970
strcpy will terminate the input once null bytes are encountered.

00:47.820 --> 00:55.300
Now our goal for now is to understand some more variants of buffer overflow attacks on 64 bit Linux

00:55.300 --> 00:55.880
binaries.

00:56.680 --> 01:00.640
So let's update the source code of our vulnerable program

01:00.970 --> 01:04.840
to have the gets function instead of strcpy.

01:04.840 --> 01:10.680
The gets function doesn't terminate the buffer when a null byte is encountered.

01:11.020 --> 01:18.790
So we will be able to place more data on the stack even after overwriting the RIP register. Before we update

01:18.790 --> 01:19.510
the source code,

01:19.870 --> 01:23.580
let me quickly show you what happens with the strcpy function.

01:24.070 --> 01:33.660
I'm switching to my machine, and let's copy our final exploit, which is exploit-final.py,

01:34.120 --> 01:47.170
and let's call it strcpy.py, and let's open it up, strcpy.py, and let's try to add

01:47.530 --> 01:50.920
some more stuff after overwriting the return address.

01:51.820 --> 01:53.650
So I'm just adding junk.

01:58.590 --> 02:04.710
Let's probably add some C's here, let's say four C's.

02:07.260 --> 02:19.260
And let's save the file and let's produce the payload from this file, strcpy.py, and let's

02:19.260 --> 02:22.950
call it strcpy-payload.

02:24.330 --> 02:32.600
Now let's open up this payload using a hex editor: xxd strcpy-payload.

02:34.230 --> 02:38.580
If you look at this, our payload has some null bytes in between.

02:39.180 --> 02:45.930
If we try to exploit our current vulnerable binary using a payload like this, it will terminate this

02:45.930 --> 02:49.380
buffer when the first null byte is encountered.

02:49.950 --> 02:54.440
So the remaining buffer will not be copied by strcpy.

02:54.870 --> 03:03.070
That's the problem we are trying to avoid by using the gets function instead of strcpy in our vulnerable program.

03:03.750 --> 03:06.030
So let's update the vulnerable program.

03:06.240 --> 03:09.750
to use the gets function instead of strcpy.

03:12.300 --> 03:24.960
I'm making a new directory here called gets, and let's copy vulnerable.c under gets, and let's also

03:24.960 --> 03:31.920
copy the Makefile into this directory, and let's navigate to the gets directory.

03:33.180 --> 03:35.870
And we have these two files available here.

03:36.630 --> 03:44.900
Let me open up my vulnerable.c and let's edit it to have the gets function instead of strcpy.

03:46.230 --> 03:48.630
I'm going to make a few more changes as well.

03:50.160 --> 03:51.840
Let's use printf.

03:57.590 --> 03:58.160
Hi there.

04:02.110 --> 04:02.680
And.

04:05.180 --> 04:07.820
Let's remove this strcpy.

04:13.760 --> 04:16.320
And let's write gets(buffer).

04:20.510 --> 04:24.740
And let's not pass any arguments to this.

04:26.040 --> 04:29.270
Instead, we will be getting it from stdin.

04:37.080 --> 04:40.860
All right, let's also change the declaration at the top.

04:41.600 --> 04:46.530
We are not passing any arguments now, so let's just remove this.

04:48.090 --> 04:48.600
All right.

04:48.600 --> 04:50.350
So this looks fine to me.

04:50.670 --> 04:55.730
Let's just quickly save the file and let's see if we can compile it.

04:56.280 --> 04:58.830
I'm just going to use this Makefile once again.

05:00.890 --> 05:07.760
Looks like we have a binary available now. We can use the same exploit that we have developed earlier

05:07.970 --> 05:14.900
to exploit this binary; the RIP address may need to be slightly adjusted if it causes a segmentation

05:14.900 --> 05:15.280
fault.

05:15.500 --> 05:18.650
So let's try the exploit against the new binary first.

05:19.970 --> 05:21.980
Let's copy the final exploit we have.

05:26.100 --> 05:34.230
into the current directory, and let's try to run it. This time, we will have to use a different way of

05:34.230 --> 05:39.940
running the payload against the vulnerable binary because we are not using strcpy anymore.

05:39.960 --> 05:41.280
We are using the gets function.

05:41.520 --> 05:44.670
So we will have to pass the input from stdin.

05:45.180 --> 05:54.810
So to do that, I'm just using that exploit-final.py, and let's run cat, and let's pipe this

05:54.810 --> 05:57.540
into vulnerable, and hitting

05:57.540 --> 06:00.810
enter, and let's hit enter once again.

06:01.680 --> 06:03.690
Let's try to type any command.

06:04.860 --> 06:06.780
Looks like there is a segmentation fault.

06:08.130 --> 06:12.960
So let's open this core file: gdb -c core.

06:14.130 --> 06:18.030
If you look at this, this is the address which is causing the segmentation fault.

06:18.630 --> 06:20.370
So let's examine the stack.

06:25.860 --> 06:33.360
If you observe the stack, the address that is pointing to the NOP sled is here, which is ending with

06:33.360 --> 06:42.870
the Aetate, but the address that we have used to overwrite the return address is ending with DDH eight,

06:43.020 --> 06:45.460
and that's exactly the reason why it might fail.

06:45.840 --> 06:48.090
So let's copy this address.

06:50.680 --> 06:58.540
And let's quit from gdb and let's update the exploit with the correct address.

07:09.220 --> 07:17.160
It has to be the était, let's save the exploit and let's try to execute it once again.

07:20.060 --> 07:27.560
Let's hit enter, let's hit enter once again, and let's type in any command to check if the exploit

07:27.560 --> 07:36.200
worked. Look at that, the exploit worked, and we are able to execute system commands with some minor changes.

07:36.200 --> 07:43.400
The same exploit that we have written for the vulnerable binary, which is having the strcpy function, has worked

07:43.610 --> 07:48.580
even for another binary which is having gets as its vulnerable function.

07:49.130 --> 07:54.200
We are going to use this new binary as our target binary throughout the remaining course.

07:54.530 --> 07:55.760
That's all for this video.

07:56.060 --> 07:57.260
See you in the next one.
