WEBVTT 00:01.020 --> 00:07.650 So far, we have discussed a few different techniques to execute our shell called using stack based 00:07.650 --> 00:09.450 buffer overflow vulnerabilities. 00:10.080 --> 00:14.190 Now let's discuss another technique called jump arizpe. 00:15.060 --> 00:21.990 This is a rather common technique and a lot of articles and blogs on the Internet show this technique 00:21.990 --> 00:26.420 in general when they talk about stack based buffer overflow attacks. 00:27.540 --> 00:31.500 Let's create a new directory called Jump Dash Arizpe 00:36.990 --> 00:38.760 and let's navigate their. 00:43.870 --> 00:46.060 Let's copy the vulnerable binary and. 00:47.240 --> 00:54.110 Let's copy the vulnerable binary and the latest working exploit from the jump attacks directly into 00:54.110 --> 00:55.090 the current director. 00:55.850 --> 01:00.590 So I'm just copying jump dash attacks. 01:02.030 --> 01:07.060 Let's copy everything into the current military and we should have all of them. 01:08.330 --> 01:11.420 As you can see, we have all the files in the current directorate. 01:12.290 --> 01:21.470 Now, let's take a copy of this exploit and let's save it as exploit one dot here and let's edit this 01:21.470 --> 01:21.830 file. 01:25.690 --> 01:29.290 And let's remove all the things that we don't need. 01:31.680 --> 01:44.680 Let's remove the lobster shall code and let's also remove the slime and let's make it junk equals two 01:44.680 --> 01:46.270 hundred and fifty six days. 01:48.040 --> 01:53.590 And we have a base to override our BP. 01:54.610 --> 02:02.260 And let's use six BS to override our IP. 02:10.390 --> 02:18.280 And let's use some more junk to fill in, so I'm just adding eight six. 02:23.250 --> 02:27.990 Similarly, I'm just appending eight beest. 02:34.200 --> 02:36.780 Let's also append eight E! 02:42.170 --> 02:46.340 And finally, I'm just appending eight F's. 02:49.040 --> 02:59.510 All right, so let's just remove this last line and let's also remove this line and let's just print 03:02.180 --> 03:02.690 junk. 03:04.760 --> 03:05.330 That's it. 03:06.410 --> 03:12.590 Now we are going to start working on the exploit once again, as usual, and first going to create our 03:12.590 --> 03:15.140 payload file using this exploit. 03:15.620 --> 03:17.450 So I'm just saving the file. 03:17.990 --> 03:23.540 And let's use exploit one dot pill and let's produce a payload card. 03:23.900 --> 03:24.890 Payload one. 03:26.750 --> 03:27.290 All right. 03:27.290 --> 03:36.200 Now let's use gdb dot slash vulnerable and let's use Breakpoint at Main. 03:36.860 --> 03:40.120 And let's also do this as well. 03:40.130 --> 03:41.090 And it's quite fun. 03:42.770 --> 03:46.370 And let's set up a great point at the right address. 03:52.470 --> 03:56.920 And let's run the program by passing our payload as input. 03:57.660 --> 04:04.440 I'm just hitting enter the first break point, which is that Maine is hit. 04:04.930 --> 04:05.880 Let's continue. 04:08.100 --> 04:15.000 If you see there is another breakpoint, which is at the instruction of one function, we are about 04:15.000 --> 04:16.410 to return to the calling function. 04:16.710 --> 04:19.830 So before doing that, let's just print out the stack. 04:21.180 --> 04:25.910 I'm using X, slash 50 X and Arizpe. 04:27.570 --> 04:35.160 If you look at this output, this is the state of the stack just before the crash, starting from Arizpe, 04:35.520 --> 04:44.100 we have six B's which are going to be pumped into our once the next instruction is executed and the 04:44.100 --> 04:52.390 next eight bytes will become the top of the stack and those arizpe will be pointing to these CS after 04:52.560 --> 04:54.770 that instruction is executed. 04:55.410 --> 05:03.960 What it means is anything that is coming after these six beams will be pointed by ADP at the time of 05:03.960 --> 05:04.590 the crash. 05:05.130 --> 05:09.480 So we can also use this space to place our Chalco. 05:10.140 --> 05:15.090 We have only used a few CS followed by D, E and FS. 05:15.690 --> 05:20.400 So instead of these characters we can actually place Chalco here. 05:21.300 --> 05:27.050 If you remember earlier we placed a shell called before the same return pointer. 05:28.110 --> 05:35.610 The technique we have used is really helpful if we don't have enough space after RHP, there may be 05:35.610 --> 05:41.250 cases where you don't have enough space to place the shell code in the address where Arizpe is pointing 05:41.250 --> 05:41.510 to. 05:42.090 --> 05:44.740 But in this case, it doesn't seem to be the case. 05:45.190 --> 05:50.910 Let's try to place the Schenkel here instead of placing it in the beginning of the buffer, which is 05:50.910 --> 05:53.010 being pointed by the ATX register. 05:53.790 --> 05:57.770 Now, this is the idea behind this jump arizpe technique. 05:58.440 --> 06:05.790 We will place the shell called immediately after the ATP value and then we will place the address of 06:05.800 --> 06:13.830 jump arizpe in the ATP value and thus it will directly jump onto the shell cord which is placed here. 06:14.280 --> 06:20.100 Now let's take a look at a pictorial representation of this so you can better understand what we are 06:20.100 --> 06:20.810 talking about. 06:22.230 --> 06:30.180 Now, we have filled in the initial buffer with some junk until we reach our IP register and then we 06:30.180 --> 06:38.310 are going to override this saved return address with jump arizpe address, which in turn will point 06:38.310 --> 06:40.590 to the shell cord that's going to be placed here. 06:41.520 --> 06:45.570 If we have more buffer left, we can place some junk here. 06:45.570 --> 06:52.380 And then if not, we can leave it right after placing our complete call, we are only worried about 06:52.380 --> 06:53.790 the space for the shell cord. 06:54.090 --> 06:57.450 So let's go ahead and try to create this exploit.