WEBVTT

00:00.390 --> 00:07.470
In this video, let's discuss how to use return to Lipsey technique to bypass Anex protection, since

00:07.470 --> 00:09.640
the attack is not executable.

00:10.050 --> 00:13.740
We won't be able to execute Schenkel that we placed on the stack.

00:14.550 --> 00:19.710
So we will have to go with another approach which will execute a command of our choice.

00:20.400 --> 00:28.260
In our case, we want to execute BENCIC and if we can pass this benefits to our function like system,

00:28.530 --> 00:30.060
it will be executed for us.

00:30.840 --> 00:35.070
Now the question is where can we find the function system?

00:36.060 --> 00:38.760
It will be available in the Lipsey library.

00:39.360 --> 00:45.780
Lipsey is loaded into most of the applications and thus even our vulnerable application.

00:45.780 --> 00:53.820
Lord Lipsey now to put it in simple words, our vulnerable application Lord Lipsey Library.

00:54.330 --> 01:02.220
So using the control we have on the stack, we can call system function from Lipsey and we will pass

01:02.220 --> 01:09.600
the string BENCIC as an argument so that businesses will be executed by the system function and we will

01:09.600 --> 01:13.200
get a show before we execute this attack.

01:13.530 --> 01:17.130
Let's understand how system function works.

01:17.640 --> 01:21.450
So we are going to do that by writing a very simple C program.

01:21.900 --> 01:29.940
Let's switch to our virtual machine and let's create a new directory called Return to Lipsey.

01:31.290 --> 01:37.210
I just call it read to Lipsey and it's navigate to this new directorate.

01:38.250 --> 01:45.030
And let's create a simple C program and let's name it system, not C.

01:47.950 --> 01:53.050
Has include a steady lip NorTech.

01:56.270 --> 02:09.290
Int Main and let's close the curly brackets and let's use system function to execute BENCIC so that

02:09.290 --> 02:10.210
we will get a share.

02:16.030 --> 02:17.930
All right, so this is the program.

02:18.250 --> 02:28.090
Now let's compile this using GTC, so I'm just saving the file and let's use Jinksy System, not see

02:28.810 --> 02:31.460
dashboard system.

02:31.690 --> 02:33.370
This is going to be the output file.

02:34.630 --> 02:35.340
There it is.

02:35.440 --> 02:37.500
Looks like we have compiled it.

02:39.040 --> 02:43.840
Now, let's quickly check if regulation by executing this binary.

02:45.220 --> 02:45.940
Look at that.

02:45.940 --> 02:50.830
We got a shell by executing this simple binary with system function.

02:51.550 --> 03:06.370
Now let's exit and let's load this binary in GDP by using GDP space dot slash system and let's disassemble

03:06.520 --> 03:07.520
the main function.

03:10.120 --> 03:10.520
All right.

03:10.660 --> 03:19.390
So if you notice, there is a call to system function here at this address and just before this call

03:19.390 --> 03:26.650
instruction, there is an instruction which makes it pretty clear that something is being saved in order

03:26.680 --> 03:27.370
to register.

03:27.730 --> 03:28.720
You can see that here.

03:30.040 --> 03:35.800
The address from which the data is referenced is shown in the comments here by Julie B..

03:36.280 --> 03:40.320
So let's examine this particular address and see what's there.

03:41.110 --> 03:49.420
So I'm just typing X, slash X and let's copy this address

03:52.030 --> 03:55.750
and let's sit here and look at that.

03:56.350 --> 04:03.670
As we can see here, it is the Venessa string that is being loaded into the idea register just before

04:03.670 --> 04:05.320
the function call to the system.

04:06.040 --> 04:14.490
As mentioned earlier, Intel 64 bit processors past the first argument to the function using the idea

04:14.500 --> 04:15.070
register.

04:15.770 --> 04:21.490
We can also step through these instructions and see what's being placed in the order register at runtime.

04:21.970 --> 04:32.950
So let's type aside, let's type B space so that we can set up a breakpoint at main and let's type and.

04:35.350 --> 04:37.750
Now let's type aside.

04:38.890 --> 04:42.920
Let's type aside once again, one more essay.

04:43.660 --> 04:50.500
Now, if you see this, this instruction is being executed, as you can see here, after executing this

04:50.500 --> 04:55.200
next instruction, something is going to be placed in this idea register.

04:55.720 --> 04:56.060
Right.

04:56.080 --> 05:02.620
So if you check the contents of audio register at this particular point of time, it just contains the

05:02.620 --> 05:04.530
value X one.

05:05.200 --> 05:06.700
So let's type inside.

05:08.920 --> 05:18.010
And let's check the value of ardia once again and look at that, it contains some address which is actually

05:18.010 --> 05:19.580
pointing to this value.

05:20.110 --> 05:22.290
Let's quickly check what this value is.

05:22.300 --> 05:34.660
I'm just copying this and let's open up a new tab and let's type it call and let's use Hex editor.

05:37.380 --> 05:45.300
With that partnership options and look at that, this is the main message string that we have seen earlier,

05:45.780 --> 05:53.800
the string bean message appears in reverse due to the little Indian format used by the Intel processors.

05:54.330 --> 06:00.390
So essentially, we are going to use the same technique when we write down exploit using return to Lipsey

06:00.390 --> 06:08.700
technique, we shall place the argument to the system, function in the idea register and we can override

06:08.700 --> 06:16.500
the same return address with a gadget that pops a value from the top of the stack in Baghdad, the register.

06:16.950 --> 06:22.740
And immediately after that instruction, we will place a pointer to beneath string.

06:23.310 --> 06:29.460
Finally, we will place appointed to the address of system function, which will execute BENCIC because

06:29.460 --> 06:31.980
it is already placed in the order register.

06:32.400 --> 06:39.060
Now let's quickly take a pictorial representation of how our stack is going to look like in OVEREXPLOIT.

06:40.170 --> 06:45.750
As you can see here in this picture, we are going to fill in the Bufford with some junk to start with

06:46.140 --> 06:51.020
until we reach the IP register, which contains the same return address.

06:51.480 --> 06:58.770
And when we reach this saved return address, we are going to override it with a gadget that pops our

06:58.770 --> 07:00.420
value from the top of the stack.

07:00.990 --> 07:08.820
And this value that is being pumped from the top of the stack is going to be a pointer to Binsted string

07:08.820 --> 07:09.630
from Lipsey.

07:10.650 --> 07:14.900
After that, we place a pointer to system function from Lipsey.

07:15.570 --> 07:23.940
So our first object before writing this exploit is to find out the address of system function and the

07:23.940 --> 07:28.890
offset of been a asset string from the Lipsy library.

07:29.520 --> 07:37.050
After placing the pointer to the system on the stack, we will have to override the next six bytes with

07:37.050 --> 07:45.480
a pointer to exit function because once the system function completes its execution, the address of

07:45.480 --> 07:49.380
this exit function becomes the next instruction to be executed.

07:49.680 --> 07:51.410
And we will exit gracefully.

07:51.900 --> 08:00.590
So we will have to find out the addresses of system exit and BENCIC in Lipsey.

08:01.230 --> 08:03.030
So let's start writing this exploit.