WEBVTT

00:00.840 --> 00:04.610
Well, in this video, let's try to understand what NX is.

00:05.400 --> 00:08.050
Let's first navigate to our working directory.

00:08.190 --> 00:18.090
I'm currently inside x86_64, and let's create a new directory called NX and let's navigate

00:18.090 --> 00:20.270
there to the NX directory.

00:21.660 --> 00:28.160
Now let's copy the vulnerable binary and the Makefile from our jmp rsp exploit directory.

00:28.650 --> 00:31.500
So I'm just copying them from

00:34.200 --> 00:35.810
the jmp rsp directory.

00:37.110 --> 00:41.160
Let's copy the Makefile and place it in the current directory.

00:41.740 --> 00:47.530
Let's also copy the vulnerable C file and place it in the current directory.

00:48.690 --> 00:49.410
There it is.

00:51.180 --> 00:54.420
Now we have everything we need in the current directory.

00:54.960 --> 00:58.320
Now let's take a look at the contents of the Makefile.

01:01.180 --> 01:07.270
So these are the contents of the Makefile. This is the same old Makefile that we have used earlier with the

01:07.270 --> 01:10.210
option -z execstack.

01:11.110 --> 01:14.590
Let me show you what this option actually does to our binary.

01:15.160 --> 01:25.660
Let's use the command make to compile this program, and let's run gdb ./vulnerable.

01:28.960 --> 01:38.440
And let's run checksec and hit enter. This checksec comes with GEF, and if you look at this, NX is

01:38.440 --> 01:43.630
not enabled, and what happens is the stack becomes executable.

01:44.380 --> 01:45.610
Let's quickly check that.

01:46.150 --> 01:50.580
I'm going to put a breakpoint at the beginning of this program, which is main.

01:51.520 --> 01:54.760
Now, let's run the program so it will hit the breakpoint.

01:57.090 --> 02:00.580
As you can see, the program is paused because of the breakpoint.

02:01.570 --> 02:03.780
Now let's type the command vmmap.

02:05.190 --> 02:08.370
So we are seeing the memory map of this current process.

02:08.790 --> 02:15.480
And if you see, it has an entry for the stack. If you don't want to view the entire memory map and if you

02:15.480 --> 02:23.160
just want to check the stack entry only, you can just specify that using the vmmap stack command.

02:24.060 --> 02:24.720
There it is.

02:24.970 --> 02:33.540
Now, if you see this entry, the stack is having RWX permissions, which means the stack is currently

02:33.540 --> 02:34.320
executable.

02:34.830 --> 02:40.230
This is what enables us to place the shellcode on the stack and execute it.

02:40.590 --> 02:42.660
Now let's close this gdb session.

02:46.090 --> 02:50.230
Let's copy the jmp rsp exploit into the current directory.

02:58.050 --> 02:59.780
Here it is now.

03:00.390 --> 03:03.510
Let's quickly make sure that ASLR is disabled.

03:09.520 --> 03:19.660
Let's type sudo and the command to disable ASLR, and let's quickly verify if it is disabled. There it is,

03:19.660 --> 03:21.170
ASLR is disabled.

03:22.060 --> 03:24.090
Now let's go back to the previous tab.

03:24.970 --> 03:26.400
Now let's quickly test it.

03:26.440 --> 03:28.060
This exploit is working fine.

03:29.890 --> 03:37.180
exploit_final.py, cat, and let's pipe it to the vulnerable program.

03:38.710 --> 03:39.370
There it is.

03:39.370 --> 03:41.290
The exploit is working fine.

03:41.980 --> 03:50.650
Now let's quit the shell and let's remove the binary from this current directory.

03:52.900 --> 03:53.470
All right.

03:54.070 --> 03:56.770
And let's quickly make some changes to the Makefile.

03:58.210 --> 04:04.390
I'm going to remove this -z execstack option from this Makefile.

04:05.290 --> 04:08.650
So let's just quickly remove this.

04:15.020 --> 04:23.450
OK, so let's save the file and let's compile this program once again by using the command make. This

04:23.450 --> 04:25.700
should produce a new vulnerable binary.

04:25.880 --> 04:26.570
Here it is.

04:27.050 --> 04:31.670
Now, let's quickly test if the jmp rsp exploit still works.

04:34.710 --> 04:36.450
Here is the command that we used earlier.

04:36.540 --> 04:37.590
Now let's hit enter.

04:40.590 --> 04:48.000
Look at that, the exploit that just worked is now failing after recompiling the program by disabling

04:48.000 --> 04:50.580
the option -z execstack.

04:51.240 --> 04:54.510
Let's go ahead and see what happened with this binary using gdb.

04:55.710 --> 04:59.710
I'm just typing gdb ./vulnerable.

05:01.020 --> 05:04.250
Let's clear the screen so we can view the screen better.

05:05.180 --> 05:08.480
Now, let's type checksec once again.

05:09.540 --> 05:12.930
And if you notice, we are seeing a different output this time.

05:13.350 --> 05:16.550
NX is enabled. Like we did earlier,

05:16.710 --> 05:29.400
let's set up a breakpoint at main, let's type run, and let's type vmmap stack. Look at that, the flag

05:29.400 --> 05:31.550
X is missing from the permissions.

05:31.980 --> 05:35.520
That means the stack is not executable anymore.

05:35.820 --> 05:41.850
And our exploit is trying to place the shellcode on the stack, and it is trying to execute the shellcode

05:41.850 --> 05:44.390
in a non-executable space.

05:44.760 --> 05:47.490
So this is what is causing the problem for our exploit.

05:48.150 --> 05:54.420
In the next video, we are going to see a technique called return-to-libc, which will bypass this

05:54.420 --> 05:56.310
limitation to give us a shell.

05:56.580 --> 06:03.660
But in later videos, we are also going to see how to use return-oriented programming to actually

06:03.660 --> 06:06.360
enable this executable flag on the stack.

06:06.540 --> 06:13.240
And eventually we will execute our shellcode on the stack, even when NX is enabled.

06:13.890 --> 06:16.260
I hope you understand how NX works.

06:16.530 --> 06:21.060
See you in the next video, where we are going to discuss the return-to-libc technique.
