WEBVTT

00:00.810 --> 00:05.610
Welcome to the module return oriented programming are, in short, Ropp.

00:06.460 --> 00:12.880
Before we jump into to return related programming, let's try to understand the need for a return oriented

00:12.880 --> 00:21.130
programming when compiling the vulnerable program, we have enabled IMEX, which made our stagnant executable.

00:22.440 --> 00:28.350
To bypass this protection, we used the return to flimsy technique which allowed us to redirect the

00:28.350 --> 00:35.610
program's execution flow into a function called system, which is available within Lipsey Library.

00:36.610 --> 00:41.470
Wilders return to liberty is a classic technique that almost always works.

00:41.890 --> 00:42.810
There is a problem.

00:43.360 --> 00:48.870
We are pretty much limited to executing what functionalities the Lipsey Library has.

00:49.720 --> 00:53.000
For example, we can get a cell by using system.

00:53.440 --> 01:00.290
Similarly, we can only invoke the APIs that it has and we cannot write custom code and execute it.

01:00.700 --> 01:01.690
That's the challenge.

01:02.200 --> 01:09.340
If you want to execute shall code even when your stack is non-executive, all we can do that by using

01:09.340 --> 01:11.080
return oriented programming.

01:11.740 --> 01:19.360
Essentially, we are going to use some instructions that will turn our stack into executable once again

01:19.720 --> 01:23.110
and then eventually we will execute our code.

01:23.920 --> 01:24.810
That's the idea.

01:25.510 --> 01:27.280
But how can we achieve that?

01:27.910 --> 01:35.410
We need to find out certain gadgets that can be used to turn the stack into executable and then we will

01:35.410 --> 01:38.920
need to chain them in a way that they work reliably.

01:38.920 --> 01:43.750
For us, a gadget is simply a sequence of instructions.

01:44.500 --> 01:47.380
Shortly we will understand how gadgets look like.

01:47.800 --> 01:53.290
Don't worry, if you don't understand the terms, gadgets and gadget change, we are going to see them

01:53.290 --> 01:59.800
practically and you will be able to clearly understand these concepts by the time we finished writing

01:59.800 --> 02:00.790
the gadget chains.

02:01.600 --> 02:07.810
So essentially using the buffer overflow vulnerability we have, we will have to execute and protect

02:07.810 --> 02:08.380
function.

02:08.680 --> 02:16.270
So it will change the memory predictions on our stack, meaning it will turn the non executable stack

02:16.270 --> 02:18.070
into executable stack.

02:18.800 --> 02:24.970
Now, in this case, since we are on a Linux machine, we can use a function called end product to change

02:24.970 --> 02:26.440
the protections on the stack.

02:27.040 --> 02:32.530
We are going to write this chain manually from scratch, although we can use some automated tools to

02:32.530 --> 02:33.160
generate it.

02:33.370 --> 02:34.540
We are not going to do that.

02:34.870 --> 02:37.690
We are going to manually write this chain from scratch.

02:38.170 --> 02:44.770
But before we get into the details of Emperor and how we are going to build the change, let's understand

02:44.770 --> 02:46.920
some basics about chains.

02:47.860 --> 02:52.690
We are going to use rubber, the same tool that we have been using to find gadgets.

02:53.260 --> 03:00.430
And we will use rubber to first find gadgets and then we are going to construct the stack by strictly

03:00.430 --> 03:03.340
following these conditions that are shown on the screen.

03:04.480 --> 03:11.590
Rule number one, we will have to place the gadget chain on the stack in a way that it disables Anex

03:11.800 --> 03:13.770
and then Jumpstart Encored.

03:14.560 --> 03:17.550
Once an X is disabled by using our rope chain.

03:17.890 --> 03:23.260
We will be able to execute Shell called rule number to each gadget.

03:23.350 --> 03:29.770
Must transfer the control to the next gadget because we are going to pick individual gadgets and we

03:29.770 --> 03:30.880
are chaining them together.

03:31.840 --> 03:35.950
But how will control be passed from one gadget to another?

03:35.950 --> 03:39.490
One that's possible by using the Thirroul.

03:40.060 --> 03:42.610
So there comes rule number three.

03:43.240 --> 03:48.700
We should only consider gadgets that are ending with a read instruction.

03:49.330 --> 03:55.660
So the first gadget ends with read instruction, which eventually transfers the control to the next

03:55.660 --> 03:59.530
instruction, which is placed immediately after the first gadget.

03:59.980 --> 04:05.410
So we will make sure that each gadget contains read instruction at the end of it.

04:06.100 --> 04:12.070
So the next gadget that is placed immediately after the first gadget will be executed when the first

04:12.070 --> 04:14.110
gadget finishes its execution.

04:15.020 --> 04:21.130
Once again, this may be confusing right now, I'm going to draw the stack visually while building this

04:21.240 --> 04:26.080
option so you will get a sense of what I'm talking about when we write the gadget chain.

04:26.870 --> 04:33.140
But before jumping into writing a gadget chain, I want to provide a bit of theory so you will be able

04:33.140 --> 04:37.280
to easily understand what we are doing while riding the gadget chain.

04:38.700 --> 04:47.220
Now, rule number four, all the required parameters are available in relevant registers in this case,

04:47.520 --> 04:54.360
we are going to use a function called end product and it requires a bunch of arguments which we will

04:54.360 --> 04:55.440
discuss shortly.

04:56.010 --> 05:03.450
We will have to arrange the stack in a way that those arguments are available in appropriate registers

05:04.200 --> 05:05.040
right now.

05:05.070 --> 05:09.650
Rule number five, we are going to place a lot of bytes on the stack.

05:09.870 --> 05:11.510
So space is a requirement.

05:11.730 --> 05:12.990
Let's keep that in mind.

05:13.710 --> 05:21.360
And the last rule, rule number six, if there are any instructions in the gadget that we do not need,

05:21.840 --> 05:28.050
we will have to carefully handle them because we don't always get the gadget with only the instructions

05:28.050 --> 05:28.740
that we want.

05:29.700 --> 05:35.870
For instance, let's assume that you are looking for a gadget with the instruction pop RDX.

05:36.510 --> 05:40.410
So essentially what you need is pop, RDX, rect.

05:41.010 --> 05:42.570
So this is the gadget you need.

05:42.870 --> 05:47.010
But it is also possible that this gadget may not be available.

05:47.790 --> 05:54.270
So you may have to work with a gadget which has some additional instruction in between your required

05:54.270 --> 05:56.550
instruction and the return address.

05:57.210 --> 06:00.240
For instance, let's take this gadget as an example.

06:00.720 --> 06:06.320
You have pop at 12 also, and you don't want to use this instruction in your gadget chain.

06:06.930 --> 06:13.790
In this case, even this instruction has to be carefully handled to be able to reliably execute your

06:13.800 --> 06:14.290
option.

06:15.150 --> 06:16.350
So keep that in mind.

06:16.890 --> 06:23.110
When we get into this kind of gadgets, we are going to practically see how to deal with such gadgets.

06:24.090 --> 06:30.560
So keep these instructions in mind while I'm building that option, I'm going to make use of these conditions.

06:30.870 --> 06:36.960
So keep a copy of these rules in your mind and make sure that we are following these while building

06:36.960 --> 06:37.760
the gadget chain.

06:38.460 --> 06:38.970
All right.

06:39.330 --> 06:40.680
That's all for this video.

06:40.680 --> 06:47.760
In the next video, we are going to see how empathetic works and the arguments required by end product.

06:48.300 --> 06:51.840
Once that is done, we will start building our Rob chain.