WEBVTT 00:01.590 --> 00:08.480 In this video, we are going to discuss a technique called jump to register, for example, jump to 00:08.510 --> 00:13.390 audience register, remember to use the vulnerable binary with gets function. 00:13.710 --> 00:19.050 Let's also ensure that we have the working payload that we used against the vulnerable binary which 00:19.070 --> 00:19.780 gets function. 00:20.220 --> 00:26.580 First, let's create a directory called Jump Dash RSX and let's navigate there. 00:27.780 --> 00:29.610 We don't have any files inside. 00:30.210 --> 00:33.120 Now let's copy everything from gets directly 00:36.330 --> 00:37.780 into the current directorate. 00:40.230 --> 00:40.950 There it is. 00:41.250 --> 00:43.490 No, let's remove the files that we don't need. 00:43.980 --> 00:45.450 One of them is called File. 00:47.510 --> 00:55.970 Let's also remove the binary, which is vulnerable, and let's remove the payload and there it is, 00:56.510 --> 01:03.770 we should have three files, exploit that final dogpile makefile and vulnerable dot. 01:03.800 --> 01:12.160 See, let's first combine the program using make and let's make sure that they exploit is working fine. 01:12.500 --> 01:16.370 So I'm going to do a simple test to see if they exploit is working fine. 01:16.820 --> 01:23.210 So I'm just typing exploit Basche final RPN cat dot slash. 01:26.350 --> 01:31.300 There it is, the exploit is working fine now. 01:31.330 --> 01:36.570 What do you want to do is I want to change the makefile slightly. 01:37.540 --> 01:38.650 I want to add. 01:40.320 --> 01:51.630 Nash, now, Nash Pyi, I'm just adding no flag to D.C. and let's remove the one level binary and let's 01:51.630 --> 01:58.770 try and make once again to compile the program and let's try to execute the exploit once again. 02:02.600 --> 02:09.140 Know they exploit still works fine, just that we have added one more flag or makefile, we have changed 02:09.140 --> 02:14.390 the makefile to have this flag because this is required for the next exploit that we are going to right 02:14.990 --> 02:15.300 now. 02:15.320 --> 02:17.960 Let's quickly generate the payload from this exploit. 02:21.390 --> 02:27.570 And before understanding what this jump to register technique is, let's load the vulnerable program 02:27.570 --> 02:37.650 using GDP, GDP that's vulnerable and let's set up a breakpoint at Main and let's run the program using 02:37.650 --> 02:39.790 the payload that we have produced earlier. 02:41.140 --> 02:41.910 There you go. 02:41.920 --> 02:43.020 The breakpoint is hit. 02:43.410 --> 02:53.370 Now, let's type this one, underscore Funt, and let's set up a breakpoint at this red address and 02:53.380 --> 02:55.110 just setting a breakpoint here. 02:56.040 --> 02:58.370 And let's continue our execution. 02:59.900 --> 03:06.710 And if you notice, the second breakpoint is hit and we are currently at this read instruction now, 03:06.710 --> 03:12.880 what I want to do is I want to check if any of the registers are pointing to our buffer. 03:13.520 --> 03:18.860 So let's go to the registers section and let's take a look at the RSX register. 03:21.590 --> 03:28.070 Here it is, Heartaches Register currently contains this value, which is an address that's pointing 03:28.070 --> 03:29.350 to a knock sled. 03:29.870 --> 03:33.980 So let's quickly go ahead and check where this address is. 03:34.610 --> 03:38.320 If you remember, our sled is the beginning of our payload. 03:38.720 --> 03:48.750 So let's quickly check for the beginning of a buffer by typing ex slash 56 arizpe minus 280. 03:50.270 --> 03:50.960 There it is. 03:51.140 --> 03:53.530 If you look at this, this is the beginning of our buffer. 03:53.870 --> 04:01.100 So this confirms we're at the beginning of our buffer's and which is what exactly this address is pointing 04:01.100 --> 04:01.350 to. 04:01.820 --> 04:08.090 Now, if you notice, this is the same address that the oryx is currently holding and this address is 04:08.120 --> 04:09.860 actually pointing to this buffer. 04:10.400 --> 04:20.810 We can quickly check in four registers, IREX, if you see this this address and this address are the 04:20.810 --> 04:21.190 same. 04:21.680 --> 04:30.050 What it essentially means to us is if we can somehow execute an instruction like Jump X instead of hard 04:30.050 --> 04:34.120 coding the address pointing to the novelette, we will still be landing on this. 04:34.130 --> 04:40.580 Novoselic If it is confusing, let's go back to our slides and understand this earlier. 04:40.640 --> 04:47.960 What we have done was we have written this IP address in a way that it redirects the execution to this 04:47.960 --> 04:52.850 nozzle and now we are going to do the same thing, but in a different way. 04:53.420 --> 04:57.860 Now that we know that X register is pointing to the bobsled. 04:58.340 --> 05:05.180 If we can execute jump IREX instruction somehow we will still be able to land on this. 05:05.180 --> 05:13.100 Moslehi so we need to find the address of this jump Arrigo's instruction and we will place that address 05:13.100 --> 05:14.300 in this RHP. 05:14.870 --> 05:15.940 That's the whole idea. 05:16.250 --> 05:17.510 Now how do we do that? 05:18.080 --> 05:23.690 We need to find a file or library which contains the instruction jump at X.. 05:24.290 --> 05:29.930 We will find out the address of this instruction and then we will load that address in this RHP register. 05:30.680 --> 05:37.110 We can search for these instructions which are actually known as gadget's in our one binary itself. 05:37.760 --> 05:45.020 Alternatively, one convenient file that almost always contains the gadgets we want is Lipsey. 05:45.590 --> 05:49.710 Lipsey is a library that almost always loaded into a binary. 05:50.240 --> 05:57.350 In this example, let's find out jump Artex instruction within the binary itself and redirect the execution 05:57.350 --> 06:03.980 by overriding this RHP value with that entries, which eventually redirects the execution to this knob 06:03.980 --> 06:08.050 sled and in turn the execution will land on the shelf code. 06:08.600 --> 06:11.870 That's the idea behind Jump Artex Technik. 06:12.200 --> 06:14.860 That's all for this video in the next video. 06:14.900 --> 06:16.550 Let's do this practically.