WEBVTT

00:00.480 --> 00:10.980
Let's create a new file called Exploit One Dot Point and let's start with actually bang to slash user

00:11.220 --> 00:13.880
slash mean slash pull.

00:15.390 --> 00:17.010
Let's also write this line.

00:19.500 --> 00:27.270
This line forces are flush after every right or print, so the output appears as soon as it is generated

00:27.270 --> 00:28.730
rather than being buffered.

00:29.340 --> 00:37.320
Right now, let's create a new variable called junk and let's give it two hundred and fifty six s,

00:38.400 --> 00:40.980
which is the offset to our BP register.

00:41.490 --> 00:46.210
So after filling in 256 is the will be all right.

00:46.260 --> 00:48.380
Are BP registered using our exploit.

00:48.840 --> 00:51.810
So this is offset to our BP.

00:53.730 --> 00:54.120
All right.

00:54.120 --> 00:55.290
So let's come it out.

00:59.990 --> 01:02.390
And then let's append.

01:06.240 --> 01:07.080
Eight Beest.

01:11.060 --> 01:15.260
All right, so this is going to override our BP.

01:19.180 --> 01:24.650
And after this, we are going to override in the same return address, which is IRAP.

01:25.030 --> 01:30.280
So as I mentioned earlier, we need to use six bytes for this instead of eight.

01:31.180 --> 01:31.560
All right.

01:31.570 --> 01:38.800
So let's use six CS here, and this is going to be our saved return address.

01:39.560 --> 01:39.930
All right.

01:39.940 --> 01:43.210
So once this is done, we can just print the junk.

01:43.820 --> 01:47.660
Now, our return to exploit code starts from here.

01:48.190 --> 01:52.190
Let's update the exploit with the details that we have gathered so far.

01:52.750 --> 01:59.410
Now, before doing that, let me quickly show you a picture of how the stack is going to look like with

01:59.410 --> 02:01.360
the details that we have gathered so far.

02:02.680 --> 02:03.380
Here it is.

02:03.520 --> 02:08.130
Are going to fill in with the junk initially until we reach IAP.

02:08.590 --> 02:15.520
And once we reach the RFP, we are going to fill that in with the address of the gadget, which contains

02:15.520 --> 02:17.840
the instruction pop idea.

02:18.460 --> 02:24.160
So that's going to be this, the Lipsy base, plus the offset of this gadget.

02:25.060 --> 02:32.770
After that, we are going to place the address of businesses because when this pop, the instruction

02:32.770 --> 02:40.330
gets executed, whatever the value that is on the top of the stack is going to be popped into our and

02:40.330 --> 02:45.040
we want that top of the stack to be the address of BENCIC.

02:45.280 --> 02:49.030
So that becomes an argument to system function.

02:49.810 --> 02:57.100
So the next six minutes are going to be the address of business, which once again this has to be the

02:57.100 --> 02:58.960
best address plus offset.

02:59.570 --> 03:05.620
After that, we are going to place the address off system and once the system function executes, we

03:05.620 --> 03:09.580
are going to get a shell because the argument is actually BENCIC.

03:10.180 --> 03:16.450
And when we exit from the shell, the control is going to be returned to the next instruction, which

03:16.450 --> 03:19.430
is going to be the address of exit function.

03:19.960 --> 03:24.570
So when this instruction gets executed, we are going to exit gracefully.

03:25.360 --> 03:28.120
So let's try to add these details to our exploit.

03:28.780 --> 03:36.220
Let's switch to the virtual machine and let's replace these sequences with the address of our gadget.

03:36.830 --> 03:42.490
Before that, let's create a variable called Lipsy and this core base.

03:44.380 --> 03:53.460
I'm just going to copy the address of this Lipsey base, which is this and let's split it here.

03:54.010 --> 03:56.020
So that's going to be Lipsy base.

03:56.900 --> 04:06.520
Now we are going to overwrite this return address with Lipsey base, plus the address of the gadget

04:06.760 --> 04:08.910
with the instruction pop idea.

04:09.430 --> 04:13.180
So let's use back Q.

04:15.500 --> 04:25.010
And Lipsey underscored base plus the offset, which is this let's copy this.

04:27.680 --> 04:36.470
And let's start here, let's end it with a semicolon, we are using the option Q in the PAC function

04:36.890 --> 04:43.660
because we want to convert 64 bit addresses to little Indian format in 32 a bit exploit development.

04:43.670 --> 04:50.720
We typically use N, which is used for potato producers, but in case of 64 bit addresses, we will

04:50.720 --> 04:51.880
have to use this option.

04:51.890 --> 04:59.290
Q Right now the next line is going to contain the address of business edge.

04:59.840 --> 05:07.610
So let's use junk and that's appended here using Paak once again with the option.

05:07.610 --> 05:12.350
Q And let's use Lipsey underscore.

05:16.250 --> 05:19.970
Base plus the offset of benefits.

05:23.930 --> 05:24.470
Here it is.

05:24.500 --> 05:26.110
This is the offset of benefits.

05:26.110 --> 05:31.280
So let's quickly copy this and let's face here.

05:32.840 --> 05:33.320
All right.

05:33.320 --> 05:39.040
So the next line is going to contain the address of system.

05:39.830 --> 05:41.070
So let's write that here.

05:43.310 --> 05:48.190
I'm going to use Q and address of system function.

05:48.590 --> 05:53.720
Is this as I mentioned earlier, it's not the offset.

05:53.720 --> 05:56.120
So we don't have to added to the Lipsey mess.

05:56.480 --> 05:58.620
We can just directly use this address.

06:00.080 --> 06:06.350
I'm just going to the next line, which is going to be the address of exit function.

06:08.080 --> 06:16.880
OK, so let's use pack with the same option and let's paste the address of exit here.

06:17.250 --> 06:23.450
So I'm just copying the address of exit and let's face it here.

06:25.220 --> 06:25.660
All right.

06:25.670 --> 06:28.160
So we are pretty much done with our exploit.

06:28.260 --> 06:31.790
We have written everything that we planned earlier.

06:32.590 --> 06:42.190
Let's quickly and the comments this is the address of system and this is the address of the exit audit.

06:42.200 --> 06:44.450
So we have pretty much everything we wanted.

06:45.080 --> 06:48.860
We begin with the best address of the Lipsey Library here.

06:49.490 --> 06:58.490
After that, we fill in some junk until we reach the AP register and we are adding the Lipsey base and

06:58.490 --> 07:00.530
the offsets using Perl.

07:00.980 --> 07:05.270
We don't want to do any manual calculations as Perl can do it for us.

07:05.810 --> 07:11.060
Assigned to that, we have multiple addresses which have to be written in little alien format manually.

07:11.420 --> 07:17.300
So to avoid writing these in little endian format manually, we are using Paak function with the option.

07:17.300 --> 07:24.980
Q QE is used to convert 64 bit addresses to little alien format, so we are just passing these 64 bit

07:24.980 --> 07:27.860
addresses to the back function using the option.

07:27.860 --> 07:28.160
Q.

07:28.820 --> 07:36.950
Now let's save the file and let's try to run this exploit and just going to give it executable permissions.

07:40.920 --> 07:50.470
There it is, no, let's try not exploit one, not comma cat, and let's pipe it to our vulnerable program.

07:51.270 --> 07:59.010
I'm just hitting enter, let's hit enter once again and let's check if we have got in a shell by typing

07:59.010 --> 07:59.730
some command.

08:01.620 --> 08:04.270
As we can notice, there is a segmentation fault.

08:05.310 --> 08:08.380
Now let's try to understand what's causing this issue.

08:08.790 --> 08:13.680
Let's run the vulnerable binary in GDP and see where the exploit is failing.

08:14.250 --> 08:21.060
So I'm just going to clear the screen and let's produce the payload so that we can use it in GDP.

08:22.170 --> 08:24.150
I'm just calling it payload one.

08:25.080 --> 08:28.110
Now let's load the binary using Gleib.

08:33.330 --> 08:42.510
Now, let's set up a breakpoint at Main and let's run the binary using payload one.

08:44.930 --> 08:54.530
And let's use this as one function so we can set up a breakpoint at this red address and just copying

08:54.530 --> 08:59.000
this and let's set up a breakpoint at this address.

09:00.410 --> 09:03.680
Now, let's continue so that we can hit this break point.

09:05.720 --> 09:06.290
Look at that.

09:06.470 --> 09:07.910
We have hit the break point.

09:08.210 --> 09:10.610
So the execution is now stopped.

09:11.120 --> 09:18.050
And the next instruction that is to be executed is direct instruction, which is the last instruction

09:18.050 --> 09:20.430
in one underscore Funt function.

09:21.260 --> 09:28.220
Now, once after this instruction is executed, if you notice we are going to land on our gadget with

09:28.220 --> 09:30.110
the instruction pop idea.

09:30.590 --> 09:38.300
So once this idea is executed, whatever the value that is on the top of the stack is going to be popped

09:38.300 --> 09:43.950
into our register, which is going to act as an argument for the system function.

09:44.660 --> 09:49.300
Let's try typing and say, look at that.

09:49.310 --> 09:52.070
Now we are about to execute this pop idea.

09:52.490 --> 09:58.780
And currently the top of the stack is this, which is actually pointing to benefit, which is expected.

09:59.150 --> 10:01.330
So everything is fine until here.

10:01.820 --> 10:07.010
So let's take the PC and we have a read instruction type aside.

10:08.600 --> 10:13.840
And after that it looks like we are only inside the system function.

10:14.450 --> 10:17.070
So everything is working as expected.

10:17.510 --> 10:18.680
Let's type see.

10:19.280 --> 10:25.780
So the execution will continue and there is a problem.

10:26.690 --> 10:33.940
There is a move, EPP's instruction here, which is actually causing this issue on some of the 64 bit

10:33.950 --> 10:34.600
machines.

10:34.640 --> 10:41.290
This seems to be a non-issue if the stack is not sixteen by a line while calling system function.

10:41.330 --> 10:42.290
This might happen.

10:42.800 --> 10:50.540
To fix this, we can simply add a read instruction before the idea gadget addressed by executing read

10:50.870 --> 10:55.400
it will pop off eight bytes on top of the stack and return to that.

10:55.670 --> 10:58.730
So it will realign the stack to 16 bytes.

10:59.720 --> 11:05.400
This blog post and nicely explains this problem along with the basics of stack alignment.

11:05.780 --> 11:11.360
So I would highly recommend you to go through this blog to better understand this stack alignment issue

11:11.360 --> 11:12.510
that we have just faced.

11:13.080 --> 11:13.480
All right.

11:13.490 --> 11:20.870
So with that, I'm just going to fix this part by adding the address of reconstruction before the address

11:20.870 --> 11:22.490
of the pop gadget.

11:23.120 --> 11:26.960
So let's quickly go through how the stack is going to look like now.

11:27.770 --> 11:30.820
Currently, this is how our stack is looking like.

11:31.280 --> 11:37.880
Now we are going to add the address of reconstruction here instead of the address of this gadget.

11:38.360 --> 11:41.250
So every other address will slide down accordingly.

11:41.690 --> 11:43.880
So this is how it is going to look like.

11:43.970 --> 11:50.510
We are going to find out the address of reconstruction and we are going to place that here and all the

11:50.510 --> 11:53.790
previously placed addresses will slide down accordingly.

11:54.290 --> 11:54.650
Right.

11:54.680 --> 12:02.410
So let's go ahead and find out the address of reconstruction, using rubber and opening up a new domina.

12:04.010 --> 12:05.330
So let's use the wrapper.

12:06.500 --> 12:13.550
And instead of getting a shell and loading the binary, we can simply use that flash file and specify

12:13.550 --> 12:15.380
the library here, which is Lipsey.

12:15.800 --> 12:21.290
And we can use that flash search and we can specify red.

12:23.540 --> 12:29.810
So this is another way we can search for gadgets, so we have got an output and if you look at this

12:29.810 --> 12:34.630
address, there is a reconstruction and this seems like a good candidate for us.

12:35.000 --> 12:37.250
So I'm just copying this offset.

12:39.560 --> 12:41.990
And I'm going to post it here.

12:48.030 --> 12:54.090
So this is the corporate address, just to have the full list of addresses at one place I have just

12:54.100 --> 12:58.790
visited here, what we can just directly pasted in the explosion itself.

12:59.340 --> 12:59.650
Right.

12:59.670 --> 13:01.830
So let's go back to the exploit.

13:04.790 --> 13:15.920
Let's exit from this judicial and let's use them, exploit one doctorial once again and let's add this

13:16.400 --> 13:19.310
address here, junk.

13:21.080 --> 13:21.650
Pack.

13:26.460 --> 13:34.830
And let's use Lipsey underscore bass, because this is an offset that we have gotten, so we will have

13:34.830 --> 13:37.200
to add it to the best interest of Lipsey.

13:37.830 --> 13:39.480
Looks like there was a typo earlier.

13:39.600 --> 13:43.170
It's part of the common thread.

13:43.950 --> 13:48.600
And the current one that we have just gotten is basically correct.

13:49.380 --> 13:49.880
All right.

13:49.890 --> 13:53.280
So this should fix the problem that we have faced earlier.

13:53.580 --> 13:58.140
So let's save the file and let's type.

14:00.330 --> 14:03.820
This command and if it works, we should get a show.

14:04.830 --> 14:07.580
Let's hit enter once again and let's take it.

14:08.070 --> 14:09.260
And there you go.

14:09.900 --> 14:11.230
They exploit looked.

14:12.480 --> 14:18.360
Now, let's try to practically understand why this address of exit is needed here.

14:18.970 --> 14:23.340
Now let's go back to the explode once again and let's type exit.

14:25.460 --> 14:30.540
Let's take exit once again and look at that, it has gracefully exited.

14:31.130 --> 14:35.870
Now, what do you want to do is I want to edit the exploit.

14:38.140 --> 14:47.620
And I will remove this address of exit instead, I will just add some junk.

14:53.400 --> 14:59.250
I am probably going to add six A's, which are 640 once.

15:02.190 --> 15:03.080
That should do it.

15:03.090 --> 15:10.530
So let's save the file and let's go back to the previous terminal and let's execute the exploit once

15:10.530 --> 15:10.800
again.

15:13.170 --> 15:14.720
Once again, we have gotten the shell.

15:15.150 --> 15:19.100
Now let's fix it and look at that.

15:19.590 --> 15:22.800
There is a segmentation fault when we are exiting.

15:23.370 --> 15:30.510
The reason is after completing the system con when the control returns to the next instruction we have

15:30.510 --> 15:38.580
specified, six is as the next instruction to be executed and these six A's are just junk and thus it's

15:38.580 --> 15:39.990
causing a segmentation fault.

15:40.350 --> 15:46.800
And that's the reason why we wanted to place the address of exit immediately after the address of the

15:46.800 --> 15:47.620
system function.

15:48.360 --> 15:51.550
So that brings us to an end of return to Lipsey attack.

15:52.020 --> 15:54.710
Let's quickly take a recap of what we have done.

15:55.230 --> 16:02.370
We have basically enabled an exhibit on our vulnerable binary and then we have built an exploit by not

16:02.370 --> 16:04.230
placing any code on the stack.

16:04.470 --> 16:12.060
But we have just made use of a few addresses in Lipsey Library and then we redirected execution to the

16:12.060 --> 16:13.050
Lipsey functions.

16:13.050 --> 16:19.950
And in turn we go to show this is a classic example of how a return to Lipsey exploits work.