WEBVTT 00:01.050 --> 00:01.680 All right. 00:01.830 --> 00:03.600 Let's start writing our exploit. 00:03.600 --> 00:09.300 So in this video, we are going to create a drop chain manually from scratch. 00:09.720 --> 00:17.040 First, let's make sure that we are inside the rope directory and let's create a file called Robert 00:17.040 --> 00:21.180 Peel and let's start writing our exploit. 00:21.750 --> 00:31.680 Let's begin by using a shebang user in Perl, and let's use this line as usual 00:34.470 --> 00:40.940 for flashing the output and let's create a variable to have some junk. 00:40.950 --> 00:47.250 So like we did earlier, we are going to use 256 is here. 00:47.400 --> 00:51.330 This is the offset to reach our BP. 00:51.720 --> 00:53.430 So we are going to 00:56.430 --> 00:57.990 specify that here. 00:58.380 --> 01:03.810 We are going to write comments in every line so that it will be clear of what we are doing once we finish 01:03.810 --> 01:04.920 writing the exploit. 01:05.220 --> 01:07.800 So this is offset to our BP. 01:14.080 --> 01:22.750 Well, once this is done, we will be spending eight days, that is, to overwrite our BP 01:28.690 --> 01:40.840 that it is now let's use six seas to start with and this is going to override R.I.P.. 01:41.470 --> 01:45.730 Now, let me show you the diagram of the stack at this point of time. 01:47.020 --> 01:56.260 This is how it looks like we have filled in 256 days plus eight days, which equals to the junk here. 01:56.290 --> 02:02.380 So after that, we are overwriting the saved return address with six C's. 02:02.800 --> 02:09.040 If you remember, our plan is to call and protect function with appropriate arguments. 02:09.190 --> 02:16.150 So we will need to set up the registers RBI, RC and RDX with appropriate values. 02:16.180 --> 02:22.120 So let's begin by searching for those gadgets in Lipsey using wrapper. 02:22.240 --> 02:28.030 So I'm switching to my virtual machine and let's open up a new tab. 02:29.920 --> 02:34.450 Let's make sure that we have Lipsey Library available in the current directory. 02:34.480 --> 02:36.170 Yes, we do have it. 02:36.190 --> 02:40.920 Now let's launch wrapper and let's load. 02:40.930 --> 02:41.740 Let's see. 02:49.090 --> 02:53.500 So the first step is to set up the register RDA. 02:53.860 --> 03:00.850 If you want to pop some value into the register RDA, we need to have a gadget with the instruction 03:00.850 --> 03:02.020 pop RDA. 03:02.110 --> 03:08.290 So let's search for pop RDA instructions in Lipsey. 03:10.300 --> 03:11.060 Look at that. 03:11.080 --> 03:14.990 We found one instruction here which meets our requirements. 03:15.010 --> 03:20.620 It has the instruction pop radii and it ends with the read instruction. 03:20.860 --> 03:24.460 So we are going to use this offset in our exploit. 03:24.730 --> 03:34.000 I'm just opening the exploit once again and I'm going to replace these six C's with the address of Pop 03:34.180 --> 03:34.660 DI. 03:34.900 --> 03:37.930 So let's use PAC. 03:40.780 --> 03:50.350 Q, let's see, underscore base plus the offset that we have just gotten, which is this. 03:52.120 --> 03:56.180 So this is going to give us the address of pop the. 04:00.180 --> 04:04.410 Let's also copy these instructions so we can use this in the comments. 04:04.650 --> 04:11.100 So I'm just removing this rip here and let's use this as the comment. 04:11.490 --> 04:11.940 Nice. 04:11.970 --> 04:15.300 Now, if you notice, we do not have the lib base. 04:15.570 --> 04:18.180 So let's quickly open up a new tab. 04:19.750 --> 04:27.580 And let's load the vulnerable binary using GDB and let's set up a breakpoint at main and let's run the 04:27.580 --> 04:32.250 binary and let's use VM map Lipsey. 04:34.090 --> 04:36.130 That should give us the base address of lib. 04:36.370 --> 04:49.570 So I'm just copying this here and I'm just going to create a new variable called Lib C base and I'm 04:49.570 --> 04:51.160 going to use this here. 04:51.310 --> 04:54.850 So that should give us the actual address of this gadget. 04:55.090 --> 04:57.790 Right now, we are pretty much done with this. 04:57.790 --> 05:04.180 Now, the next step that we need to do is we need to specify the value that we want to pop into our 05:04.390 --> 05:05.110 register. 05:05.320 --> 05:09.040 So that's going to be the base address of the stack. 05:09.040 --> 05:16.570 If you remember, the first argument to protect is the address aligned on a page boundary and we are 05:16.570 --> 05:22.390 going to use base address of stack for that and that should go into our register. 05:22.390 --> 05:28.840 So let's go ahead and find out the base address of Stack and let's place that in our exploit. 05:29.950 --> 05:30.370 All right. 05:30.370 --> 05:35.770 Let's clear the screen and let's use the map stack. 05:36.730 --> 05:39.400 This is going to be the base address of stack. 05:39.400 --> 05:49.600 So I'm just copying this and let's open our exploit and let's use junk and let's use the same pack function 05:49.600 --> 05:55.090 with Q 464 bit addresses 05:58.630 --> 06:02.560 and let's paste the base address of the stack. 06:03.460 --> 06:05.680 Let's quickly add a comment here, 06:09.940 --> 06:12.070 base address of stack. 06:12.850 --> 06:13.210 All right. 06:13.210 --> 06:15.250 So we are done with the first argument. 06:15.280 --> 06:19.450 Finally, let's print the variable junk so we can produce the payload. 06:20.080 --> 06:23.380 I'm just printing junk here. 06:23.830 --> 06:33.880 Now let's give it executable permissions and let's run Robert Peel and produce the payload and save 06:33.880 --> 06:35.380 it as payload one. 06:36.730 --> 06:39.280 Now let's load this binary using gdb 06:41.680 --> 06:50.050 and let's set up a breakpoint at main and let's run the binary using the payload as input. 06:52.240 --> 06:59.550 Now let's get the disassembly of one underscore function and let's set up a breakpoint at this thread 06:59.560 --> 07:00.490 instruction. 07:01.090 --> 07:05.080 We just want to check if everything is fine so far without exploit. 07:06.850 --> 07:07.510 All right. 07:08.230 --> 07:11.020 Let's quickly check if stack is executable. 07:12.900 --> 07:16.890 As you can see, stack is not executable at this point of time. 07:17.760 --> 07:23.940 Let's clear the screen and let's type continue so that the execution will continue and we will hit the 07:23.940 --> 07:24.780 breakpoint. 07:25.020 --> 07:31.290 If you notice, we are about to execute this red instruction which is actually pointing to the address 07:31.290 --> 07:34.410 of pop die, which is actually our gadget. 07:34.620 --> 07:43.290 So if you type C, we should land on this gadget and we are about to execute, pop, die. 07:43.410 --> 07:49.830 And once this instruction gets executed, whatever the value that is placed on the top of the stack 07:49.860 --> 07:52.790 is going to be popped into our die. 07:52.920 --> 07:56.490 Currently the register contains something here. 07:56.760 --> 07:59.490 Now let's type ACI before that. 07:59.490 --> 08:02.010 Notice what we have on the top of the stack. 08:02.040 --> 08:03.980 This is the base address of stack. 08:03.990 --> 08:05.760 We can quickly double check that. 08:08.530 --> 08:09.850 You can see this here. 08:10.930 --> 08:16.090 This is the best address of the stack, and that's what we have here. 08:16.870 --> 08:21.430 So let's type ACI and examine the register. 08:24.000 --> 08:31.140 Look here, we do have the best address of stack in the register, so the first step of our exploit 08:31.140 --> 08:33.180 is successfully completed. 08:33.870 --> 08:36.750 Now let's quickly review what we have done so far. 08:38.220 --> 08:43.050 We have placed 256 A's plus eight B's. 08:43.410 --> 08:45.810 That's the offset to RFP. 08:45.930 --> 08:55.170 And once we reached RFP, we have placed the address of a gadget which contained the RET instructions. 08:56.420 --> 09:05.060 After placing that address here, we have placed the base address of stack and once this idea gets executed, 09:05.210 --> 09:11.810 the value which is being pointed by RSP Register, which is here, which is the top of the stack is 09:11.810 --> 09:14.540 going to be popped into our register. 09:14.840 --> 09:16.790 So that's what we have done so far. 09:16.820 --> 09:21.620 We have set up the first argument that we need for MX protect function. 09:21.920 --> 09:27.350 Now let's go back and set up the second argument just to give you a recap. 09:27.560 --> 09:32.780 Our site should contain the second argument and the value that we are going to use. 09:32.780 --> 09:35.090 Is this right? 09:35.090 --> 09:42.110 So let's go back to the virtual machine and find out a gadget that contains the instruction pop side. 09:42.620 --> 09:45.200 Let's quit from this GDB session. 09:48.120 --> 09:53.130 And let's search for gadgets with the instruction pop odyssey. 09:54.810 --> 09:55.350 Here it is. 09:55.350 --> 09:59.450 We found a gadget with pop outside red. 09:59.490 --> 10:03.630 So let's copy this address and let's go back to our exploit. 10:08.230 --> 10:12.430 Let's once again use junk pack. 10:19.390 --> 10:25.600 Let's see, underscore base plus the offset that we have just gotten from rapper. 10:27.880 --> 10:29.260 Like we did earlier. 10:29.350 --> 10:31.330 Let's just copy this. 10:33.360 --> 10:35.580 And let's use it as a comment. 10:36.810 --> 10:40.260 So that's the address of Pop RC Red. 10:40.650 --> 10:44.580 Remember, we don't have to worry about the base address of Lipsy. 10:44.610 --> 10:50.850 It is going to be constant because we are only dealing with an and ASLA is disabled. 10:51.960 --> 10:52.350 All right. 10:52.350 --> 10:55.350 So we are done with this instruction now. 10:55.350 --> 10:59.940 We will have to set up the value for this pop site instruction. 11:02.100 --> 11:03.830 As we just discussed. 11:03.840 --> 11:05.880 This value is going to be. 11:07.700 --> 11:11.810 0601010101. 11:12.170 --> 11:15.170 There is no hard rule that you should take this value. 11:15.260 --> 11:21.950 I'm just taking this because I was just using this value in 32 bit exploit development because in 32 11:21.950 --> 11:28.340 bit exploit development, this is the largest value that you can take without causing any null bytes. 11:28.340 --> 11:32.960 So in this exploit, we are not going to deal with null bytes anyway. 11:32.960 --> 11:36.980 So I'm just taking the same value and let's see if it works. 11:37.250 --> 11:43.250 So I'm just commenting here. 11:44.660 --> 11:47.960 Size of the memory region. 11:55.160 --> 12:06.890 All right, now let's once again save this file, produce the payload, and let's save it as payload 12:06.920 --> 12:13.970 to it is easier to debug while we are at the beginning once after completing the full exploit, if it 12:13.970 --> 12:18.290 is failing somewhere in between, it will be slightly harder to debug it. 12:18.440 --> 12:24.290 So it's a good practice to check as and when we are finishing something since we are done with setting 12:24.290 --> 12:28.610 up the second argument, let's quickly make sure that everything is working fine. 12:28.820 --> 12:36.110 So let's load the vulnerable binary using GDB and let's set up a breakpoint at main. 12:37.220 --> 12:47.630 Let's run this binary using the payload that we have just generated and let's use this as one func. 12:49.760 --> 12:50.630 There is a typo. 12:50.660 --> 12:52.160 Let's quickly fix that. 12:52.940 --> 12:53.630 There you go. 12:53.810 --> 12:58.010 And let's set up a breakpoint at read instruction once again. 12:59.330 --> 13:01.340 We are going to do this multiple times. 13:01.820 --> 13:05.090 So you have to be patient enough while writing this exploit. 13:06.350 --> 13:15.050 Now let's clear the screen and let's type C to continue execution so we will land on the breakpoint. 13:16.640 --> 13:17.420 There you go. 13:17.450 --> 13:23.600 Now, we have already seen this first gadget being executed earlier, so I'm just going to quickly type 13:23.660 --> 13:25.130 C now. 13:25.130 --> 13:29.390 This is going to pop the base address of stack into our die. 13:30.560 --> 13:37.530 Once after executing the pop, the read is the next instruction that we are executing and this read 13:37.580 --> 13:43.760 instruction is going to redirect the control to the instruction that is on the top of the stack. 13:44.030 --> 13:49.130 If you notice, the address is ending with the D 5 to 9. 13:49.160 --> 13:51.500 This is what we are going to execute next. 13:51.620 --> 13:56.360 And if you check the top of the stack at this point of time, this is the same address. 13:56.360 --> 14:02.930 So this read is redirecting the control to the address that is available on the top of the stack. 14:02.930 --> 14:06.020 And if you remember, this is the address that we placed. 14:06.020 --> 14:09.650 This is the address of Pop RC Gadget. 14:09.890 --> 14:10.940 Here it is. 14:12.080 --> 14:12.350 Right. 14:12.350 --> 14:17.930 So and that's the reason why we are placing the addresses of these gadgets one after the other. 14:18.860 --> 14:26.120 Now, if you execute this RET instruction, we should land on the next gadget which contains pop RSA 14:26.120 --> 14:26.990 instruction. 14:26.990 --> 14:33.650 So let's type C now we are about to execute pop RC instruction. 14:33.770 --> 14:40.370 If we execute this pop RSA instruction, what are the value that is on the top of the stack should be 14:40.370 --> 14:42.650 popped into RSA register. 14:42.950 --> 14:50.570 If you notice, currently RSA Register contains the value zero and the top of the stack contains the 14:50.570 --> 14:52.520 size that we specified earlier. 14:52.520 --> 15:00.890 So if we type C RSA should contain this size, there it is. 15:00.890 --> 15:05.330 You can see here RSA Register now contains this value. 15:05.870 --> 15:08.600 So that completes our second step. 15:08.600 --> 15:13.220 Once again, let's review the stack using a pictorial representation. 15:14.690 --> 15:16.520 This is what we have done so far. 15:16.700 --> 15:24.800 We have placed pop the red, we have placed the base address of the stack and then we have used pop 15:24.800 --> 15:26.870 RSA, Red Gadget. 15:26.900 --> 15:34.310 When it is executed, the value on the top of the stack, which is the size that we specified, is popped 15:34.310 --> 15:35.990 into RSA Register. 15:36.590 --> 15:44.060 Remember when this red instruction is executed, r.p is going to be pointing to the next instruction, 15:44.060 --> 15:52.460 which is going to be here right when our app comes here, RSP comes here, remember that. 15:52.460 --> 15:56.720 So that it will be easier for you to understand what RSP is pointing to. 15:57.230 --> 15:57.650 All right. 15:57.650 --> 16:02.450 Now let's start working on setting up the third argument for MW Protect. 16:03.290 --> 16:09.920 Once again, to recap, the third argument is going to be placed in ADX register and it is going to 16:09.920 --> 16:12.710 contain the value 0x7. 16:12.710 --> 16:15.260 So that stack becomes executable. 16:15.980 --> 16:16.460 Right? 16:16.460 --> 16:19.460 Let's switch to the virtual machine and let's set it up. 16:20.090 --> 16:22.700 Let's exit from this Jeff Shell 16:25.610 --> 16:36.530 and let's edit Robert Peel and we will need a gadget with pop RDX instruction. 16:36.620 --> 16:38.600 So let's go to Wrapper Shell. 16:40.120 --> 16:45.480 Let's search for top RDX. 16:46.500 --> 16:50.880 Unfortunately, we did not find gadgets of our interest. 16:50.880 --> 16:54.270 So what we can do is we can increase the depth. 16:54.630 --> 16:59.580 So let's specify two here and let's search for the gadgets once again. 17:01.170 --> 17:01.890 Interesting. 17:01.890 --> 17:03.650 We have gotten some gadgets. 17:03.660 --> 17:06.690 This is what I'm going to go with, pop. 17:06.750 --> 17:11.460 RDX is what we wanted and it has read instruction. 17:11.880 --> 17:15.270 It has one additional instruction that we will have to deal with. 17:15.480 --> 17:17.850 I'm going to show you how we can deal with that. 17:17.850 --> 17:22.230 But you can actually go with this instruction or this instruction. 17:22.320 --> 17:26.220 Both of them are looking simple, so I'm just going to go with this. 17:27.060 --> 17:35.730 I'll copy this and let's edit the exploit junk pack 17:39.120 --> 17:45.510 and let's use let's see, underscore base plus the offset. 17:48.150 --> 17:51.420 Now let's copy the instructions. 17:57.650 --> 17:59.140 And let's paste it here. 17:59.980 --> 18:00.390 All right. 18:00.400 --> 18:02.470 Now we will have to specify. 18:05.200 --> 18:08.650 The value that is to be popped into the register. 18:08.830 --> 18:10.720 So let's use pack. 18:16.980 --> 18:19.290 And let's use 0x7. 18:19.620 --> 18:21.180 It's as simple as that. 18:21.390 --> 18:25.440 Now we can quickly add a comment here. 18:26.430 --> 18:31.080 Permissions read, write, execute. 18:33.030 --> 18:41.250 Now, if you notice, after pop is executed, this value is going to be popped into RDX. 18:41.460 --> 18:48.240 After that, before executing this read instruction, pop art 12 is going to be executed. 18:48.570 --> 18:56.130 What that means is we will have to place some junk value here so that that will be popped into our 12 18:56.130 --> 18:59.340 register before we execute that instruction. 18:59.820 --> 19:08.160 Now, the next step is to set up some dummy value for this pop art instruction, because when this pop 19:08.380 --> 19:15.090 12 instruction gets executed, it expects some value to be popped into the register at 12. 19:15.120 --> 19:18.030 So let's set up some junk value here 19:20.760 --> 19:29.310 back and let's use zero x 41, 41, 41 six times. 19:31.890 --> 19:40.340 And let's simply add a comment, dummy, for pop art. 19:42.510 --> 19:44.430 So that should do it. 19:44.460 --> 19:50.370 Now, let's save the file and let's, as usual, produce the payload. 19:50.940 --> 20:00.870 Let's call it payload three and let's use gdb be vulnerable and let's load this binary and let's set 20:00.870 --> 20:02.310 up a breakpoint at main. 20:02.700 --> 20:11.280 Let's run this binary using this third payload which is payload three and let's use disassemble one 20:11.280 --> 20:16.080 function and let's set up a breakpoint at this address 20:21.780 --> 20:25.590 and let's type continue so that our breakpoint will hit. 20:27.330 --> 20:28.050 Here it is. 20:28.050 --> 20:31.290 We are once again about to execute our gadgets. 20:31.470 --> 20:39.510 So let's type C, C, see, this is the second gadget. 20:39.720 --> 20:42.030 Now we are at Pop RDX. 20:42.450 --> 20:46.050 Let's quickly take a look at the contents of RDX register. 20:46.050 --> 20:50.400 At this point of time, if you notice, it contains the value zero. 20:50.550 --> 20:57.210 So let's type C so that this value seven will be popped into the register, RDX. 20:58.950 --> 21:01.980 Let's quickly take a look at the contents of RDX. 21:01.980 --> 21:02.790 There you go. 21:02.820 --> 21:05.070 It now contains the value seven. 21:05.970 --> 21:10.410 Now this is our extra instruction that we didn't want, but we have no choice. 21:10.410 --> 21:12.720 We need to include this in our exploit. 21:13.050 --> 21:18.090 So let's type C before that, let's take a look at the top of the stack. 21:18.090 --> 21:22.320 This is what we placed on the top of the stack, six A's. 21:22.320 --> 21:26.760 So this is going to be popped into the register at 12. 21:27.030 --> 21:33.600 So let's type a, C and look what we have are 12 register here. 21:34.440 --> 21:37.290 This is the value that we have just popped, right? 21:37.290 --> 21:39.930 So that means we have set up everything that we want. 21:39.930 --> 21:44.220 Now all we need to do is we need to call and protect function. 21:44.490 --> 21:50.340 So let's go ahead and find out the address of protect function once again. 21:51.300 --> 21:52.230 Here it is. 21:52.230 --> 21:54.270 Let's quickly copy this. 21:56.890 --> 22:02.530 And let's exit from the shell and let's edit the file. 22:02.560 --> 22:03.730 Robert Peel 22:09.880 --> 22:12.880 Junk Pack. 22:16.540 --> 22:19.960 Q And the address of Protect. 22:26.200 --> 22:29.140 Let's add it in the comments and Protect. 22:29.350 --> 22:35.620 Now before we run this in GDB, let's take a quick look at our slides to understand the stack that we 22:35.620 --> 22:36.730 have built so far. 22:37.300 --> 22:39.520 So this is where we left off earlier. 22:39.670 --> 22:47.680 Now, after this, our AP comes here and we have placed the address of this gadget as the next instruction 22:47.680 --> 22:48.730 to be executed. 22:48.730 --> 22:51.310 And we have set up two values for this. 22:51.310 --> 22:55.600 RDX and RTL registers in the next two entries. 22:56.050 --> 23:02.230 RDX is going to have this value seven and at 12 is going to have these six A's. 23:02.470 --> 23:08.860 After doing this, we found the address of M Protect and we have placed that here. 23:09.130 --> 23:16.120 Once M Protect gets executed with all these parameters, the stack is going to be executable and the 23:16.120 --> 23:17.950 control will come here. 23:18.100 --> 23:22.630 Here, we will have to place some address that points to the shell code. 23:22.900 --> 23:29.950 Let's first check if M protect is turning the stack into an executable one. 23:29.980 --> 23:36.400 Once that is done, we are going to place an address here so that we can redirect the execution to our 23:36.400 --> 23:37.120 shell code. 23:37.510 --> 23:41.680 Let's switch to the virtual machine and let's save this file. 23:43.840 --> 23:45.660 Let's produce new payload. 23:45.670 --> 23:53.890 Let's call it payload for let's use gdb dot slash vulnerable dash queue. 23:55.180 --> 23:57.310 Let's set up a breakpoint at main. 23:58.150 --> 24:01.000 Let's run this program using payload four. 24:03.010 --> 24:03.760 Here you go. 24:06.800 --> 24:11.660 Now let's once again find out the address of read instruction 24:14.150 --> 24:16.610 and let's set up a breakpoint here. 24:18.950 --> 24:24.320 We can simply use the up arrow to see the history of commands that we executed. 24:24.320 --> 24:30.320 But I just want to get the disassembly every time I come here, because that gives you a clear picture 24:30.320 --> 24:32.120 of why I'm doing something. 24:32.480 --> 24:35.060 So I'm just copying this address. 24:35.720 --> 24:40.010 Let's set up a breakpoint here and let's continue the execution. 24:41.960 --> 24:49.220 Now, before we execute these instructions, let's quickly take a look at the output of the map stack 24:49.220 --> 24:49.730 command. 24:50.870 --> 24:54.440 If you notice, currently the stack is not executable. 24:54.530 --> 24:57.650 Let's type C rather. 24:57.650 --> 25:05.960 Let's probably find the address of and project and let's set up a breakpoint here. 25:12.020 --> 25:12.830 There it is. 25:13.100 --> 25:18.770 Now, if we type C to continue the execution, we should hit this breakpoint. 25:18.770 --> 25:20.600 If our exploit is working, fine. 25:20.720 --> 25:22.340 So let's hit enter. 25:23.780 --> 25:24.540 There you go. 25:24.560 --> 25:29.240 The breakpoint is hit and we are now inside the protect function. 25:29.480 --> 25:37.760 Once again, if you check the output of the map stack, the stack is still not executable because we 25:37.760 --> 25:39.980 are still in the beginning of m protect. 25:40.010 --> 25:47.780 Once we execute some of the instructions in m protect, we should see the stack being executable. 25:53.410 --> 25:54.160 Look at that. 25:54.700 --> 25:56.830 Now the stack is executable. 25:56.860 --> 26:04.510 This means once end product finishes its execution, it is going to return back and there we can start 26:04.510 --> 26:06.100 executing our shell code. 26:06.220 --> 26:11.500 So let's go back and add the shell code to our exploit and finalize it. 26:11.890 --> 26:24.430 Let's quit and let's use dot PL and let's grab the shell code that we have written earlier. 26:24.760 --> 26:33.430 So I'm just going to quit this wrapper and let's navigate to shell code directory. 26:34.890 --> 26:36.280 And let's go to exit. 26:36.300 --> 26:36.900 We. 26:38.730 --> 26:44.300 And let's take a look at the contents of exploit dash final appeal. 26:45.030 --> 26:49.980 If you remember, this is the excavation code that we have written earlier. 26:50.100 --> 26:51.840 So let's copy this 26:56.670 --> 27:04.830 and let's create a variable called shell code here with the shell code that we have created. 27:06.510 --> 27:10.800 And let's also place some knobs in the beginning. 27:12.360 --> 27:15.180 I'm just going to use about 30 knobs. 27:20.260 --> 27:20.590 All right. 27:20.590 --> 27:22.330 So we have knobs and shell code. 27:23.110 --> 27:30.070 We will have to adjust this offset here by including the length of the knobs and shell code so we can 27:30.070 --> 27:33.760 properly overwrite our BP and AP registers. 27:34.450 --> 27:50.950 What I'll do is I will use 256 minus the length of the shell code, minus the length of knobs. 27:51.970 --> 27:57.580 That should still give us 256 bytes, which is the offset to RVP. 27:58.630 --> 28:04.030 Finally, we will have to print this knops shell code and junk. 28:04.150 --> 28:08.410 So I'm just going to use knops dot. 28:08.410 --> 28:10.180 So it will be appended. 28:10.600 --> 28:12.640 Shell code dot junk. 28:12.790 --> 28:20.500 So our payload contains 13 ops followed by the shell code and followed by the rest of the payload that 28:20.500 --> 28:21.820 we have just created. 28:22.120 --> 28:30.190 So let's save the file and let's produce the payload using file name payload five 28:33.880 --> 28:37.210 and let's load the vulnerable binary using gdb. 28:39.870 --> 28:41.970 And let's set up a breakpoint at main. 28:41.970 --> 28:45.300 Let's run it using payload five. 28:47.190 --> 28:57.240 And let's once again use this as one underscore funk and let's set up a breakpoint at this red instruction 29:00.990 --> 29:02.610 and let's continue with the execution. 29:02.610 --> 29:04.410 So it will hit the breakpoint. 29:06.500 --> 29:07.170 Here it is. 29:07.180 --> 29:10.050 Now we are about to execute this read instruction. 29:10.440 --> 29:12.330 Now let's type C. 29:13.650 --> 29:15.780 Let's type C until. 29:17.490 --> 29:19.680 We reach and protect address. 29:23.790 --> 29:24.300 Here it is. 29:24.300 --> 29:29.140 Now we are at the right instruction and we are about to execute and protect function. 29:29.160 --> 29:31.060 Now, at this point of time. 29:31.080 --> 29:37.170 If you execute the entries on the stack, we should be able to see the shell code. 29:42.900 --> 29:43.500 Here it is. 29:43.500 --> 29:45.600 If you notice, here is our bobsled. 29:45.840 --> 29:48.540 So let's just take this address. 29:50.270 --> 29:52.100 And let's quit. 29:52.910 --> 29:59.900 Let's open our exploit and let's use this address here. 30:01.010 --> 30:08.960 So once the project finishes its execution, it will return to this address, which is actually pointing 30:08.960 --> 30:09.590 to our ops. 30:10.190 --> 30:15.910 And once the execution lands on the bobsled, it will eventually reaches the shell cord. 30:15.920 --> 30:19.790 So once the control reaches the shell cord, we are going to get a shell. 30:20.120 --> 30:20.510 Right. 30:20.510 --> 30:29.180 So this is hardcoded address of bobsled. 30:30.680 --> 30:31.010 All right. 30:31.010 --> 30:42.440 So let's save the file and let's try to run this exploit drop dot pl and let's use cat 30:45.710 --> 30:46.010 one. 30:48.620 --> 30:49.790 Let's type it. 30:50.720 --> 30:52.310 There is a segmentation fault. 30:53.240 --> 30:55.070 Let's check if we have a code file. 30:56.520 --> 30:57.690 There is no core file. 30:57.690 --> 31:06.330 So let's use you limit dash see unlimited and let's run the file once again. 31:08.510 --> 31:11.420 There is a segmentation fault and we have a core file. 31:11.960 --> 31:18.590 Let's type gdb dash core and space core. 31:19.010 --> 31:26.360 So this should allow us to analyze the code dump and looks like this is what is causing the segmentation 31:26.360 --> 31:26.960 fault. 31:27.500 --> 31:34.010 So let's copy this address and let's see what it is pointing to. 31:34.400 --> 31:40.940 X slash 50 g x and let's use this address. 31:42.050 --> 31:49.250 Ideally, this should be pointing to the knop slide which is here, but it is pointing to this null. 31:49.280 --> 31:51.830 So that's the reason why the exploit failed. 31:51.830 --> 31:56.210 So the address is slightly different outside gdb. 31:56.240 --> 31:59.420 So let's copy this address and see if it helps. 31:59.990 --> 32:01.460 I'm just copying it here. 32:02.900 --> 32:03.710 It's quit 32:06.470 --> 32:07.580 dot pl. 32:11.630 --> 32:19.370 And let's replace this address with what we have just in place it here. 32:20.630 --> 32:26.510 And let's save the file and let's run the exploit once again. 32:28.730 --> 32:30.710 Let's hit enter once again. 32:31.040 --> 32:33.770 Let's type some command and look at that. 32:33.770 --> 32:35.510 The exploit worked. 32:35.810 --> 32:41.960 So we've got a shell even when there is an X bit enabled and we got the shell using the custom shell 32:41.960 --> 32:43.580 code that we have written. 32:43.730 --> 32:50.140 So basically in this exploit, everything is written from scratch, including the shell code. 32:50.150 --> 32:56.420 And if you have practically done everything that is shown in the course till now, that's a great achievement 32:56.420 --> 32:59.150 and you should really appreciate yourself. 32:59.420 --> 33:02.330 I hope you have enjoyed building this drop chain. 33:02.360 --> 33:04.950 I know it is tiring to do it from scratch. 33:04.970 --> 33:11.420 We can use some automated tools to generate this, but doing it manually gives you a clear picture of 33:11.420 --> 33:13.340 how rope chains are built. 33:13.610 --> 33:19.190 I hope you have enjoyed the journey of building rope chains, and that's the end of this video.