WEBVTT

00:00.120 --> 00:08.250
I'm switching to my virtual machine. Let's clear the screen and let's first copy everything from

00:08.250 --> 00:09.690
the NX directory.

00:10.140 --> 00:17.120
So I'm just copying from the NX directory, and I'm just copying everything here.

00:17.880 --> 00:25.400
As you can see, we have the vulnerable binary, the vulnerable program, and we have the previously

00:25.410 --> 00:27.900
written exploit along with the Makefile.

00:28.560 --> 00:29.030
All right.

00:29.100 --> 00:34.030
So we have pretty much everything we need now before we proceed further.

00:34.350 --> 00:42.300
Let's go back to the slides once again and let's remind ourselves that ASLR must be turned off for

00:42.300 --> 00:42.990
this exploit.

00:43.390 --> 00:45.640
So let's turn off ASLR.

00:46.890 --> 00:53.580
The reason we are turning off ASLR is that we are dealing with how to bypass NX in this lecture.

00:54.060 --> 01:00.510
In a later lecture, we will discuss how to bypass both NX and ASLR in one exploit.

01:00.930 --> 01:01.240
Right.

01:01.260 --> 01:04.260
So let's only focus on NX in this lecture.

01:04.260 --> 01:14.670
So I'm just going back to the ASLR directory and let's type disable ASLR dot sh.

01:15.300 --> 01:18.240
So this script is going to disable ASLR for us.

01:18.740 --> 01:22.110
Let's also quickly verify that ASLR is disabled.

01:22.680 --> 01:25.870
As you can see, ASLR is disabled here.

01:28.140 --> 01:32.430
Now let's once again navigate to the return-to-libc directory.

01:34.500 --> 01:39.480
Now, let's start writing the exploit. Let's load the vulnerable binary using GDB,

01:42.870 --> 01:45.690
and let's set up a breakpoint at main.

01:48.070 --> 01:55.420
And let's run it. As mentioned earlier, there are a few things that we want to do here.

01:56.050 --> 02:02.650
We want to find out the address of the system function, and then we want to find out the address of

02:02.650 --> 02:10.230
the exit function, followed by the address of /bin/sh. To find out the address of the system function,

02:10.660 --> 02:16.760
we can simply type p system.

02:18.370 --> 02:23.550
So this is going to be the address of the system function from libc.

02:24.190 --> 02:29.980
I'm just copying it here and let's paste it in a notepad.

02:32.740 --> 02:35.290
Remember, this is the absolute address.

02:35.320 --> 02:37.870
We don't have to add it to the libc base.

02:38.590 --> 02:45.000
Now, there is another way to get the same address, which is x info system.

02:46.840 --> 02:53.700
This output also shows the same address, which is ending with 1b410 here.

02:54.130 --> 02:59.410
So getting the address of the system function from libc is as easy as that.

02:59.980 --> 03:00.460
All right.

03:00.460 --> 03:04.030
We are done with finding out the address of the system function.

03:04.660 --> 03:07.960
The next one is to find out the address of exit.

03:08.510 --> 03:12.550
We can find it the same way we found the address of the system function.

03:12.820 --> 03:15.950
So let's type p exit.

03:17.020 --> 03:17.790
Here it is.

03:17.800 --> 03:20.340
This is the address of the exit function.

03:20.350 --> 03:25.090
So let's copy this and let's paste it here

03:28.450 --> 03:29.380
in our notes.

03:35.410 --> 03:39.880
Now we have gotten the address of system as well as exit.

03:40.240 --> 03:44.110
Now it's time to get the address of the /bin/sh string from libc.

03:44.470 --> 03:46.000
There are a few ways to do this.

03:46.240 --> 03:52.080
The easiest way to find out the address of the /bin/sh string is to use the strings command.

03:52.510 --> 03:55.630
So let's open up a new tab.

03:57.930 --> 04:06.840
And let's first make sure that we have the libc library available within our working directory, so I'm

04:06.840 --> 04:10.110
just grabbing the libc library from here.

04:10.550 --> 04:13.290
I'm just copying the location of the libc library.

04:13.980 --> 04:17.550
And let's copy that into the current directory.

04:19.020 --> 04:21.650
Now we have libc in the current directory.

04:22.020 --> 04:29.570
Now we can run the strings command against this libc library to find out the offset of the /bin/sh string.

04:30.270 --> 04:35.030
So before that, let's take a look at the help options with the strings command.

04:35.040 --> 04:38.100
Let's take a quick look at the help.

04:38.610 --> 04:43.770
We are going to scan the entire file, so we can use -a for that.

04:44.100 --> 04:52.860
We want the address to be printed in hex format. That can be specified using -t x, which is

04:52.860 --> 04:56.930
going to give us the location of the string in base 16.

04:57.480 --> 04:58.470
So let's type.

04:59.950 --> 05:11.470
Let me first clear the screen and let's type strings -a -t x and let's provide the input

05:11.470 --> 05:18.790
file, which is the libc library, and let's pipe the output and grep for the /bin/sh string.

05:21.640 --> 05:22.440
There it is.

05:22.450 --> 05:25.510
If you notice, we got the offset that we wanted.

05:26.020 --> 05:27.160
So let's copy this.

05:28.990 --> 05:35.170
We need to add this offset to the libc base address, so let's first place this in our notepad.

05:36.760 --> 05:37.450
This is

05:41.320 --> 05:43.010
the /bin/sh offset.

05:44.050 --> 05:51.220
OK, now we need to have the base address of libc so that we can add this offset to that base address

05:51.220 --> 05:56.270
and we can get the absolute address of the /bin/sh string in the libc library.

05:57.070 --> 06:03.910
So, switching back to my virtual machine, let's take a look at the output of the memory map

06:03.910 --> 06:04.300
command.

06:04.300 --> 06:04.900
Once again.

06:05.470 --> 06:08.710
And if you notice, this is the base address of libc.

06:09.220 --> 06:10.300
So let's copy this.

06:12.740 --> 06:17.600
And let's paste it here: libc base.

06:21.560 --> 06:27.560
There is another way to get this /bin/sh address from libc, that is by using ropper.

06:28.070 --> 06:37.910
So let's go back to the virtual machine and type ropper, and let's quickly take a look at the help options.

06:39.410 --> 06:47.210
If you look at this, we can load the file by using -f, and we can actually specify the

06:47.210 --> 06:52.100
--string option, which will actually look for the string in all data sections.

06:52.520 --> 06:58.240
So let's use this option and see if we can find out the /bin/sh offset.

06:58.790 --> 07:07.240
So I'm clearing the screen and I'm typing ropper --file libc.

07:08.300 --> 07:13.580
This is where we want to search for the /bin/sh string, and let's specify the string

07:16.280 --> 07:18.530
/bin/sh.

07:19.930 --> 07:26.140
Look at that, we have gotten the offset once again. Let's quickly copy this and let's check if it

07:26.140 --> 07:30.070
is the same value that we have gotten earlier using the strings command.

07:35.900 --> 07:39.030
Yes, it is; these two offsets are the same.

07:39.620 --> 07:43.590
So this is another way of getting the string offset from libc.

07:44.390 --> 07:44.840
All right.

07:44.960 --> 07:51.500
Now we have gotten pretty much everything that we wanted except for the gadget that pops our value into

07:51.500 --> 07:52.930
the RDI register.

07:53.300 --> 07:55.980
So let's use ropper to find it out.

07:56.810 --> 08:04.330
I am switching back to my virtual machine once again and I'm typing ropper, and let's load the libc library.

08:06.950 --> 08:08.270
Now the file is loaded.

08:08.300 --> 08:10.130
We can search for our gadgets.

08:10.580 --> 08:20.330
search /1/ and let's type rdi, because this is the instruction we want in the gadget.

08:20.660 --> 08:21.760
So let's hit enter.

08:23.150 --> 08:27.580
And if you look at this, we have gotten a gadget here with this offset.

08:28.520 --> 08:30.770
I'm going to pick this gadget for now.

08:30.860 --> 08:37.220
I'm going to explain how to pick a specific gadget later when we learn return oriented programming.

08:37.910 --> 08:43.330
But for now, just remember, the gadget has to end with a ret instruction.

08:43.670 --> 08:47.780
So I'm just copying this offset.

08:49.000 --> 08:49.480
And.

08:51.290 --> 09:00.200
I'm just placing it here once again. And remember, this is also an offset, so to get the actual address

09:00.200 --> 09:04.210
of this gadget, we will have to add this to the libc base.

09:04.940 --> 09:08.990
So now we have got everything we needed to start writing our exploit.

09:09.410 --> 09:12.920
So let's switch to our virtual machine and start writing this exploit.
