WEBVTT

00:00.990 --> 00:04.300
Well, let's start writing the jmp rsp exploit.

00:04.980 --> 00:13.620
Let's first take a look at our exploits directory and once again, this was the file we used in the

00:13.620 --> 00:14.290
last video.

00:14.730 --> 00:16.430
Now we don't need it anymore.

00:16.470 --> 00:22.970
So let's take a copy of the final exploit that we have copied earlier, which is exploit_base_final.py,

00:22.980 --> 00:27.610
and let's save it as exploit2.py.

00:28.830 --> 00:33.660
And now let's open exploit2.py here and...

00:35.700 --> 00:39.770
Let's use two hundred and fifty six A's here.

00:41.100 --> 00:47.430
We are not placing the shellcode and NOPs in the beginning of our buffer anymore, so we will just

00:47.430 --> 00:53.700
fill in the entire buffer in the beginning with A's. So I'm placing

00:53.700 --> 00:57.030
two hundred and fifty six A's in the beginning of our buffer.

00:58.870 --> 01:05.060
After this we are writing eight B's, followed by the RIP address.

01:05.460 --> 01:13.230
So as per our original idea, this address is going to be the address of a jmp rsp instruction.

01:13.830 --> 01:20.880
So let's keep it as is for now and let's go ahead and find out the jmp rsp address.

01:21.480 --> 01:27.150
So we will have to find out the address of jmp rsp in our binary using ropper.

01:27.600 --> 01:43.400
So I'm just saving this file and let's open ropper and let's use file vulnerable and let's search for

01:43.410 --> 01:49.860
jmp rsp. Enter search /1 jmp rsp.

01:51.570 --> 01:54.930
Looks like there are no gadgets found with this instruction.

01:55.440 --> 01:57.210
Let's increase the depth.

01:58.800 --> 02:05.790
No, look, let's remove this depth so it will try to find gadgets at all the depths.

02:06.240 --> 02:09.450
So I'm just removing this and let me hit enter once again.

02:10.500 --> 02:12.480
We are once again out of luck.

02:12.630 --> 02:18.300
We do not have any gadgets containing the instruction jmp rsp within our binary.

02:18.960 --> 02:25.080
So another option would be to look for a call rsp instruction, which can also do our job.

02:25.380 --> 02:28.380
So let's search for the call rsp instruction.

02:29.160 --> 02:31.980
I'm searching for call rsp.

02:33.210 --> 02:38.820
Unfortunately, we did not find any gadgets, even with the call rsp instruction.

02:39.600 --> 02:42.450
This doesn't mean we are out of options.

02:42.810 --> 02:46.320
We can search for these instructions in the libc library.

02:47.010 --> 02:49.710
Let's load the vulnerable binary using GDB.

02:57.520 --> 03:04.960
And let's get the location of the libc library so that we can copy it and search for gadgets, so

03:04.960 --> 03:14.170
I'm just using a breakpoint at main and I just run the program and the breakpoint is hit at main.

03:14.740 --> 03:16.960
Now, let's type vmmap.

03:18.640 --> 03:23.120
And if you notice this output, this is the location of libc.

03:24.010 --> 03:27.640
Another way to get this is to type vmmap

03:28.480 --> 03:30.990
libc. Look at that.

03:31.030 --> 03:34.500
This has also loaded the full path to the libc library.

03:34.990 --> 03:36.370
So I'm just copying this.

03:37.930 --> 03:46.020
And let's quit and let's copy this libc library into our current directory.

03:48.040 --> 03:52.840
Now let's use ropper, file libc.

03:55.000 --> 04:01.630
And this is going to load all the gadgets from this libc library for us. libc almost always contains

04:01.630 --> 04:02.220
the gadgets.

04:03.250 --> 04:03.640
Right.

04:03.670 --> 04:08.480
So let's search for jmp rsp once again.

04:09.280 --> 04:14.550
Unfortunately, we do not have any jmp rsp instructions, even within libc.

04:15.280 --> 04:20.470
So, as I mentioned earlier, we can also search for call rsp instructions.

04:20.830 --> 04:21.990
So let's do that.

04:23.080 --> 04:32.530
Let's replace jmp with call. We found one gadget with call rsp and this is the offset.

04:34.180 --> 04:41.860
If you remember, I mentioned that the offset must be added to the base address when we get gadgets outside

04:41.860 --> 04:42.330
the binary.

04:42.940 --> 04:46.930
So we are going to add this offset to the base address of libc.

04:47.180 --> 04:51.220
So it gets us the actual address of this call rsp instruction.

04:51.850 --> 04:58.560
Now let's go back and get the base address of libc from the vmmap output and let's update the exploit.

04:59.410 --> 05:01.480
So let's first copy this.

05:07.460 --> 05:09.260
And let's paste it in a notepad.

05:13.240 --> 05:20.240
Go back to the virtual machine and let's look at the binary once again using GDB.

05:20.440 --> 05:26.930
Let's set up a breakpoint at main, let's run it and let's get the base address of libc.

05:28.780 --> 05:29.450
Here it is.

05:29.470 --> 05:31.570
This is the base address of libc.

05:31.570 --> 05:36.000
So let's copy this and let's paste it here once again.

05:37.480 --> 05:44.540
So this address plus this becomes the actual address of call rsp, right?

05:44.590 --> 05:49.180
So what we can do is we can let Python do this calculation for us.

05:49.190 --> 05:54.040
So let's just copy this like this and let's go back to our exploit.

06:00.960 --> 06:09.570
And let's just replace this address with the base address plus offset.

06:15.560 --> 06:21.740
All right, so this should come to the absolute address of the gadget we were looking for. When we print

06:21.740 --> 06:22.550
this payload,

06:22.730 --> 06:29.480
we should not print this junk at the end, rather we should keep it in the beginning because we want

06:29.480 --> 06:35.600
these NOPs and shellcode to be at the end, after overwriting the saved return address.

06:36.050 --> 06:41.390
So let's use junk in the beginning, followed by NOPs and followed by the shellcode.

06:44.690 --> 06:45.160
All right.

06:45.200 --> 06:46.840
So that should fix our exploit.

06:46.970 --> 06:52.160
So let's save this file and let's try to run this exploit and see if it works.

06:53.450 --> 06:57.380
python exploit2.py.

06:59.720 --> 07:01.880
Let's pipe it to the vulnerable binary.

07:06.190 --> 07:07.240
The exploit failed.

07:07.350 --> 07:13.200
Let's quickly check if ASLR is enabled, because for this exploit to work ASLR should be disabled.

07:13.690 --> 07:20.530
So let's open up a new tab and let's navigate to the ASLR directory.

07:25.160 --> 07:35.900
And let's check if it is enabled. It is enabled. Probably that's the reason our exploit failed.

07:36.240 --> 07:41.740
So let's quickly disable ASLR and let's once again verify.

07:41.840 --> 07:44.420
As you can see now, we have disabled ASLR.

07:45.110 --> 07:50.930
Let's go back to this previous tab and let's try to run this exploit once again.

07:53.360 --> 07:54.890
Look at that, the exploit

07:54.900 --> 08:00.750
worked. Now let's open it up in GDB and examine what happened, right.

08:00.770 --> 08:05.740
So let's first produce our payload using exploit2.py.

08:06.500 --> 08:17.420
Let's save it as payload2. Let's use gdb ./vulnerable and let's disassemble main.

08:17.630 --> 08:22.760
Let's disassemble func and let's copy this to set up a breakpoint.

08:23.510 --> 08:30.240
So I'm just copying this address of the instruction and I'm just setting up a breakpoint here.

08:32.210 --> 08:39.230
Now, let's run the binary by passing this payload as input.

08:41.090 --> 08:46.820
And as you can see here, we have hit the breakpoint and we're about to execute this ret instruction.

08:47.510 --> 08:52.330
RSP is now currently pointing to the address of call rsp.

08:52.970 --> 08:58.420
You can see that here, RSP is pointing to the address of call rsp.

08:59.060 --> 09:03.310
If you remember, this is the address we have gotten from libc.

09:04.040 --> 09:07.090
We are just overwriting the saved return address.

09:07.550 --> 09:13.530
So once this gets executed, this becomes RIP, which is basically call rsp.

09:14.000 --> 09:20.870
Now, if you examine the stack right after this, you should see the NOP sled followed by our shellcode.

09:21.350 --> 09:27.980
Now let's go back to our exploit and check the code just to confirm that this is our shellcode.

09:28.470 --> 09:31.400
OK, so I'm just going back to the next tab.

09:43.980 --> 09:51.510
And let's quickly take a look at exploit2.py here. If you see this, the shellcode starts with 31

09:51.510 --> 09:53.430
c0 48.

09:55.020 --> 09:58.740
And if you see this, it is 31 c0 48.

09:59.160 --> 10:00.440
So that's the shellcode.

10:00.750 --> 10:05.820
But let's check if the complete shellcode is copied onto the stack.

10:06.720 --> 10:09.440
We can do that by examining the complete stack.

10:09.990 --> 10:14.820
So I'm just using x/50 $rsp.

10:16.230 --> 10:24.320
If you see this, this is where our shellcode is starting: 31 c0 48 bb d1.

10:24.720 --> 10:27.300
Let's check the bytes that are at the end.

10:28.290 --> 10:30.720
It's 0f 05.

10:33.750 --> 10:42.810
If you see this, 0f 05, so the complete shellcode is placed on the stack. If we do

10:42.810 --> 10:46.340
a single step, the NOP sled will be on the top of the stack.

10:46.770 --> 10:49.100
So let's do a single step here.

10:49.950 --> 10:57.060
And if you see, the NOP sled is at the top of the stack and the next instruction to be executed is call

10:57.090 --> 10:57.750
rsp.

10:58.260 --> 11:04.980
So once we execute this call rsp instruction, the execution control will be transferred to this

11:04.980 --> 11:08.760
code and eventually the shellcode will be executed.

11:09.630 --> 11:14.410
And after the code gets executed, we are going to get a /bin/sh shell.

11:14.850 --> 11:18.120
And that completes our jmp rsp technique.

11:18.630 --> 11:25.020
As I mentioned earlier, this is a technique that's commonly used when we have space on the stack right

11:25.020 --> 11:27.730
after overwriting the saved return address.

11:28.290 --> 11:32.280
This brings us to the end of basic stack based buffer overflow.

11:32.790 --> 11:37.920
If you remember, we disabled all the protections and then we have written these exploits.

11:38.490 --> 11:43.270
If you enable NX and ASLR, these exploits will fail.

11:43.830 --> 11:49.250
We have also used a shellcode that's taken from the Internet. In the next few modules,

11:49.260 --> 11:53.360
let's also fix that by writing our own shellcode from scratch.
