WEBVTT 00:00.660 --> 00:01.380 In this video. 00:01.380 --> 00:09.360 Let's try to understand how it works and what it requires in its arguments so that we can make our stack 00:09.360 --> 00:10.230 executable. 00:11.220 --> 00:15.600 To start with, let's first go through the main page of end product. 00:15.690 --> 00:18.300 It basically requires three arguments. 00:18.450 --> 00:22.320 The first argument should be kept in the register. 00:22.800 --> 00:30.360 The second argument should be kept in the outside register, and the third argument should be kept in 00:30.360 --> 00:32.010 the RDX register. 00:32.400 --> 00:36.960 That's as for the calling conventions in Intel, 64 bit processors. 00:37.320 --> 00:44.070 Now let's see what these arguments are and what values we should put into these registers. 00:44.430 --> 00:49.170 Let's switch to the virtual machine and let's type. 00:49.440 --> 01:01.950 Man two And protect, if you look at this and predict is a function which is used to set protection 01:01.950 --> 01:11.040 on a region of memory, in our case, it's going to be stack and it requires three arguments an address 01:11.040 --> 01:14.730 that is aligned to a page boundary size. 01:14.730 --> 01:18.720 This is the size of the memory where we want to change the protection. 01:18.720 --> 01:22.410 And the third argument is the protection value itself. 01:22.800 --> 01:27.480 If you look at these options, the memory cannot be accessed at all. 01:27.510 --> 01:30.510 If you set up prot underscore none. 01:31.230 --> 01:38.760 If you want to make it read only you need to set plot underscore raid and if you use pro underscore 01:38.760 --> 01:41.100 right, the memory can be modified. 01:41.100 --> 01:46.920 And finally we can use prop underscore exec to make the memory executable. 01:47.190 --> 01:51.060 We can also use the combinations of these three values. 01:51.270 --> 01:57.930 We can use bitwise or of these three values and it produces the value seven. 01:57.930 --> 02:04.710 So we can use the value seven to make our memory region readable, readable and executable. 02:04.950 --> 02:06.210 So this is clear. 02:06.210 --> 02:10.440 The third argument is going to contain the value seven. 02:10.560 --> 02:14.160 Now, let's come back to the first and second arguments. 02:14.430 --> 02:20.700 The second argument is going to contain the size of the memory region that we want to change the permissions 02:20.700 --> 02:21.270 on. 02:22.000 --> 02:23.920 In 32 meat processors. 02:23.920 --> 02:32.800 The maximum number that we can put without worrying about null bytes is x01010101. 02:33.280 --> 02:40.420 We are going to use the same value in our case even here in 64 bit exploitation as null bytes are not 02:40.420 --> 02:42.910 bad characters in our target program. 02:43.150 --> 02:50.230 Finally, the first argument, which is an address that must be aligned to our page boundary, this 02:50.230 --> 02:53.230 can be the base address of our stack. 02:53.770 --> 02:59.320 Now to put it in visual format, this is what we will have to do to start with. 02:59.740 --> 03:02.460 M Protect requires three arguments. 03:02.500 --> 03:09.010 The first argument goes into D and this can be the base address of the stack. 03:09.400 --> 03:19.240 The second argument goes into RSI and as I mentioned, we are going to use this value 01010101. 03:20.100 --> 03:23.280 The third argument goes into RDX. 03:23.400 --> 03:31.020 The production value is going to be seven, which is basically a bitwise or of pro-trade prod, right, 03:31.020 --> 03:32.670 and prod exec. 03:33.240 --> 03:38.370 Finally, followed by these three values we will have to call and protect. 03:38.370 --> 03:45.510 So m protect function will pick the values of these three registers as arguments and it will turn our 03:45.510 --> 03:51.060 stack into executable before we actually try this in our exploit. 03:51.090 --> 03:56.010 Let's test our theory by manually changing these values in GDB. 03:56.430 --> 04:00.120 So let's switch to the virtual machine and test our theory. 04:00.810 --> 04:05.040 Let's first navigate to x86 underscore 64. 04:05.610 --> 04:08.850 Let's create a new directory called ROP. 04:09.570 --> 04:16.590 Let's navigate there and let's copy everything from red to lib. 04:16.590 --> 04:17.520 See directory. 04:22.770 --> 04:24.870 And let's place them here. 04:26.550 --> 04:27.210 All right. 04:27.480 --> 04:32.250 Even though we have placed all of these things, we are only interested in the vulnerable binary. 04:32.580 --> 04:35.010 So let's load it using gdb. 04:40.030 --> 04:42.400 Let's set up a break point at Main. 04:43.680 --> 04:46.110 And let's run the program. 04:48.420 --> 04:52.200 Now let's make sure that the stack is not executable. 04:52.530 --> 04:57.240 I'm just clearing the screen and let's type check sig. 04:58.020 --> 05:00.840 And if you see this, the next bit is set. 05:00.870 --> 05:10.410 Let's also check the output of VM map using this command VM map space stack and if you see this stack 05:10.410 --> 05:12.690 is currently not executable. 05:13.560 --> 05:19.770 Now, since we have typed this command, let's take a copy of the base address of stack. 05:20.070 --> 05:25.080 So I'm just copying it here and let's paste it here in our notepad. 05:26.160 --> 05:32.670 Now, what we want to do is we want to call and protect with the custom values as arguments to it. 05:33.150 --> 05:35.140 What are those values going to be? 05:35.160 --> 05:38.850 They're going to be the same values that we just discussed. 05:39.030 --> 05:43.140 Argument one is going to have the base address of stack. 05:43.380 --> 05:50.370 Argument two is going to have the size and argument three will have the value seven, which is going 05:50.370 --> 05:53.490 to make the stack read right and executable. 05:53.760 --> 05:55.350 But how do we do that? 05:55.800 --> 06:00.450 We will have to somehow execute and protect in this GDB session. 06:00.660 --> 06:08.250 One way to do it is to identify the address of and protect and then redirect our execution to and protect. 06:08.640 --> 06:15.270 So let's find out the address of and protect by typing space and protect. 06:15.930 --> 06:17.960 This is the address of protect. 06:17.970 --> 06:22.830 I'm just copying it here and let's paste it here. 06:24.510 --> 06:31.080 Another way to get the same address is to type this and protect. 06:32.340 --> 06:38.010 If you see this, we have gotten the same address here, which is the beginning of protect function. 06:38.310 --> 06:47.700 Now, let's set up a breakpoint here at this address by using the space star and the address. 06:49.880 --> 06:53.810 Now we will have to redirect the execution to this address. 06:53.840 --> 06:55.070 How do we do that? 06:55.370 --> 07:00.740 We can actually set the value of the IP register to be this address. 07:00.920 --> 07:09.110 But before doing that, let's first check the values of the registers R.D, RSI and ADX. 07:09.560 --> 07:12.200 So I'm just using info registers. 07:13.970 --> 07:14.900 There it is. 07:15.410 --> 07:18.590 ADX currently contains this value. 07:19.100 --> 07:24.860 RSI contains this value and RB contains this value. 07:25.310 --> 07:30.950 Now let's set the values required in these registers and continue our execution. 07:33.050 --> 07:36.640 I'm going to use set RB. 07:37.040 --> 07:42.380 If you remember, this is supposed to be the base address of the stack because that's where we are going 07:42.380 --> 07:44.480 to change the memory predictions on. 07:44.570 --> 07:48.620 So let's copy the base address of the stack, which is this. 07:50.690 --> 07:54.690 And let's set this idea. 07:54.710 --> 07:57.650 Register to have the base address of the stack. 07:58.310 --> 08:07.670 Now, let's also set up the register the with the value 0x01010101. 08:08.180 --> 08:10.670 That's good enough to place our shell code. 08:11.540 --> 08:12.980 Now, let's also set up. 08:14.620 --> 08:18.580 RDX with the value of 0x7. 08:19.090 --> 08:21.010 This is what we discussed earlier. 08:21.010 --> 08:28.120 To have read, write, execute permissions on stack, we need to set up the value seven in RDX register. 08:28.630 --> 08:35.890 Now, the last thing that we need to do is to redirect the execution to protect function so that these 08:35.890 --> 08:38.290 arguments will be used with protect. 08:38.560 --> 08:41.620 So let's copy that and predict address here. 08:46.940 --> 08:57.560 And let's use set an IP and let's paste the address of and protect function. 08:57.950 --> 08:59.030 Let's hit enter. 08:59.540 --> 09:06.290 Now, if we continue the execution, we are going to redirect the execution to M product and we should 09:06.290 --> 09:07.400 hit the breakpoint. 09:07.700 --> 09:08.120 All right. 09:08.120 --> 09:11.330 So let's type C and continue the execution. 09:11.390 --> 09:15.110 Before that, let me quickly show you the stack once again. 09:17.030 --> 09:17.660 Look at that. 09:17.660 --> 09:19.960 It is still not executable. 09:19.970 --> 09:23.510 So let's type C to continue the execution. 09:25.070 --> 09:29.660 If you notice, we hit the breakpoint here on my protect function. 09:30.260 --> 09:34.520 Let's quickly check the values of the registers that we have modified. 09:35.540 --> 09:39.170 RDA contains the best address of the stack. 09:39.560 --> 09:46.370 RSI contains this value and ADX contains this value which is seven. 09:47.000 --> 09:47.680 Nice. 09:47.690 --> 09:50.050 These registers have the values we needed. 09:50.060 --> 09:54.650 Now let's do a single step until the stack turns executable. 09:55.100 --> 10:02.090 Because with these values our theory is that the stack should become executable when RM product is called. 10:03.070 --> 10:05.740 All right, let's keep executing, see? 10:06.400 --> 10:12.070 So I'm just typing sy and hitting enter multiple times. 10:13.510 --> 10:18.910 Let's also monitor the permissions on stack by using the map stack. 10:19.540 --> 10:22.720 If you notice, the stack became executable now. 10:23.050 --> 10:29.620 That means our theory is correct and we should be able to turn stack into an executable one by following 10:29.620 --> 10:32.020 the theory that we have discussed so far. 10:32.590 --> 10:39.670 Obviously we can't use GDB to change the instructions at runtime while running the exploit, so we will 10:39.670 --> 10:46.390 have to somehow use our exploit to make these changes in a way that m protect picks the values that 10:46.390 --> 10:47.020 we want. 10:47.530 --> 10:49.030 That's all for this video. 10:49.180 --> 10:52.600 In the next video, we will begin to write this exploit.