WEBVTT

00:01.620 --> 00:05.500
All right, let's write our jmp rax exploit.

00:06.030 --> 00:07.810
We are going to do a few things here.

00:08.220 --> 00:13.230
First, we need to find out the jmp rax instruction within the target binary.

00:13.650 --> 00:18.270
After doing that, we are going to use that address to overwrite RIP.

00:19.320 --> 00:25.260
We have everything that we need in the current directory already, and there is one additional tool that

00:25.260 --> 00:32.570
we are going to use in this exercise, that is ropper, which is already installed on this machine.

00:33.300 --> 00:40.320
As you can see, it loads like this, and we can use this ropper terminal to search for gadgets or

00:40.320 --> 00:41.830
instructions that we want.

00:42.420 --> 00:44.640
Now, ropper is already started.

00:45.180 --> 00:49.740
Now let's load the file vulnerable, which is available in the current directory.

00:50.790 --> 00:55.250
And if you see this, it has loaded the gadgets from this binary.

00:56.100 --> 01:01.380
Now we can search for those gadgets using the instructions of our choice.

01:02.130 --> 01:07.100
We are going to use this tool rather extensively when we are going to write ROP chains.

01:07.350 --> 01:12.360
But for now, we are going to search only for one instruction, that is jmp rax.

01:13.440 --> 01:16.710
OK, now let's search for the instructions that we want.

01:17.220 --> 01:22.650
I'm typing search and I'm specifying the depth, which is one.

01:24.090 --> 01:26.910
And let's type jmp rax.

01:27.330 --> 01:29.040
This is the instruction that we need.

01:29.490 --> 01:30.720
So I'm just hitting enter.

01:32.420 --> 01:39.630
If you observe this output, it says the target binary has jmp rax at this offset.

01:40.310 --> 01:42.860
That's what it means and that's how we need to read it.

01:43.250 --> 01:43.780
All right.

01:43.790 --> 01:48.320
We have got the address of the jmp rax gadget in the target binary.

01:48.530 --> 01:51.530
And this value can be directly used in our exploit.

01:52.130 --> 01:55.120
Remember, we found the gadget within the same binary.

01:55.310 --> 01:59.000
So we do not need to add the base address to this offset.

01:59.000 --> 02:05.810
If we find the gadgets in libraries like libc, we will have to add the base address

02:05.810 --> 02:12.530
when we use those gadgets in the exploit. We will use libc for gadgets extensively.

02:12.740 --> 02:17.550
And you will understand what I mean by this when we learn return oriented programming.

02:18.020 --> 02:28.280
So for now, let's go back and update our exploit using this value. I am

02:28.340 --> 02:30.320
just quickly going to copy this.

02:31.970 --> 02:34.460
And let's open our exploit.

02:37.390 --> 02:45.940
And let's replace this value that we have used to override earlier with the value that we have just

02:45.940 --> 02:47.140
gotten from ropper.

02:48.940 --> 02:49.630
There it is.

02:50.260 --> 02:55.290
So we now have RIP filled in with the jmp rax address.

02:55.570 --> 03:02.740
If everything goes as planned, this RIP should execute the instruction which jumps to rax.

03:03.190 --> 03:10.720
What it means is it should execute jmp rax and we should jump to the rax address, which is basically

03:10.720 --> 03:17.560
pointing to the NOP sled, and thus we should execute the NOP sled and then eventually we will land on

03:17.560 --> 03:20.300
the shellcode. So let's run the exploit.

03:20.320 --> 03:22.060
And let's check if it works.

03:22.750 --> 03:24.100
And saving the file.

03:26.450 --> 03:28.610
This is the command to exploit the program.

03:30.330 --> 03:31.270
Let's type it.

03:32.300 --> 03:32.860
There you go.

03:33.680 --> 03:34.240
Great.

03:34.250 --> 03:36.630
The exploit worked and we got a shell.

03:37.100 --> 03:43.580
I like this demo of using ropper to get an address from the binary and then use it in our exploit to

03:43.580 --> 03:48.990
redirect the execution from RIP to our specific instruction and from there to our NOP sled.

03:49.550 --> 03:52.640
I hope you enjoyed this video and I hope you like this technique.

03:52.970 --> 03:54.140
That's all for this video.

03:54.290 --> 03:55.480
See you in the next one.
