Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 29 of the buffer overflow series: Immunity Debugger and fuzzing.
00:08
My name is Alejandro Guinea and I'll be your instructor for today's session.
00:12
The learning objective of the session is to understand the concepts behind a buffer overflow attack and apply the techniques to implement a buffer overflow attack.
00:22
So let's get down to business, shall we?
00:26
First, let me give you some background on the tools that we'll be using for this session and the rest of the sessions. The first one is Immunity Debugger, which is a tool to help us write exploits, analyze malware, and basically reverse engineer binary files.
00:44
It has,
00:47
I don't want to say an easy-to-use user interface, but it has a cool user interface. Believe me, debugging memory allocations and locations is not easy, it's a nightmare. But this one has a really cool graphical user interface
01:04
to perform tasks like heap analysis or stack analysis.
01:11
So basically, it is a Windows-based tool to reverse engineer binary files.
01:15
You can install it by just following the instructions on the web page. Let me give you the web page
01:23
so you can see where it is located.
01:25
It is basically here, immunityinc.com.
01:29
You can just go here and read some background on the tool, and you can just go here to download it; you just enter your information and it will let you download the executable. Then you just need to click next, next, next, and you can actually find videos on YouTube on how to do that.
01:48
If you don't have Python installed, this will install it for you,
01:53
and that's it. There's nothing else to show in here.
01:57
The next tool is a Python script, kind of a plugin for Immunity Debugger, which is called mona.py, which, as you can imagine, is a Python plugin for Immunity Debugger and provides several options to actually
02:14
boost your analysis while using Immunity Debugger.
02:21
It will help you find out which modules are loaded when you are actually executing your buffer overflow. It will help you find memory addresses which contain specific strings you're looking for. Basically, it will help you
02:40
to add capabilities to Immunity Debugger to create your own exploit.
02:47
And you can just download it from Corelan, which is the group of hackers that created this. Let me just give you the web page.
02:58
You can download it from here, and you will be good to go.
03:04
mona.py is a really, really long Python script. And again, you can just search for videos on YouTube on how to install it. This is not a big deal: just copy and paste this into one location and that's it. Nothing else to do.
03:23
And finally, let me give you some background on the technique we'll be using, which is called fuzzing. Fuzzing has several meanings for several people, but in this specific case it is kind of a black-box testing technique,
03:38
which is basically finding bugs in, you know, malformed data injection
03:45
or data input fields. You can actually enter whatever number you think of, whatever you think, I mean zero. It could be a possibility, if your software is actually dividing numbers, to see how a number divided by zero behaves,
04:02
or a date that doesn't exist, for example. It consists of entering several things.
04:12
That's a kind of testing of your code,
04:15
testing your input variables. And in this case, it represents for us testing whether our application has a buffer overflow vulnerability present,
04:28
which we know it does. So, for example, what will happen if I enter 200 characters in this field? 300? You keep increasing the number and see if it fails at some point, which means that
04:46
the variable boundaries were not checked
04:51
or were not sanitized, and you can actually create a buffer overflow exploit. So for this case we'll be using something called vulnserver. Vulnserver
05:05
is kind of a server that was actually created, on purpose, just to be exploited, so you can actually
05:36
exploit that vulnerability, among other vulnerabilities. For example, let me just drag this window. We'll be using our Windows 10 machine. And let me just run the server, which is basically an executable file.
05:36
I run it on port 4444. But if you don't want to run it on that port, you can change the port, or you can leave the default without specifying any port,
05:46
and it will be executed on port 9999. So if we check here, that's that,
05:55
and find port 4444,
06:01
and it's actually listening. If I kill that,
06:04
it will not be listening anymore.
06:08
So yeah, it's just a simple vulnserver.exe executable. You can actually download it again from Google. You can just type "vulnserver.exe download" or something like that, and it will download it for you. And it has several functions; we'll be exploiting the function that is called TRUN,
06:27
because that's the one that includes the buffer overflow vulnerability.
06:30
So let me just first show you the graphical user interface of Immunity Debugger, which is right here,
06:39
running as administrator. And this is it. I know it looks ugly, and I know it seems scary,
06:48
but no. We attach the program we want, which is vulnserver: attach. And this is basically the stack we saw in the previous video. As you can see, it started as paused, so we have to run it.
07:02
And this is the stack now. How do we know? Remember the pointers that we talked about at the beginning? Oops,
07:13
let me just put it again. Here's the EIP, here's the EBP, here's the ESP: the bottom of the stack, the top of the stack, and the pointer to the next instruction to be executed, which apparently is this one. So as you can see, everything seems in order. So let's change that.
07:32
Let me just create our proof of concept
07:36
right now,
07:40
fuzz,
07:42
and let me just copy and paste the code in here, and I will explain it to you. But you guys are really smart, so
07:48
first, just importing all the libraries I will need, then just put the IP and the port, the IP of the Windows machine and the port, and the buffer, which will be a bunch of A's, the letter A. And I will increase that by 200 every time and we'll append it to this buffer,
08:07
and then, for each string in this buffer,
08:09
I will print the fuzzing of TRUN, which is the function that contains the buffer overflow vulnerability, with whatever number it is. I create the socket, I connect to the host and port, I send the TRUN command, and I close the socket. And at the end,
08:28
oops, let me just go back in here, go down. I added a time.sleep so you can actually see how the memory addresses are changing as this continues to execute, because if I don't put that, it will exploit the vulnerability at once and we'll see that it's running and then it's not running anymore. But I want you to see
08:48
that it's actually...
08:50
So let me execute it
08:56
and quickly drag this.
08:58
Okay, so you can see that it is changing the addresses in here.
09:03
You can see that it's changing, it's changing, it's changing. It's not doing something like
09:11
that we want, because at the end,
09:13
I don't really care about it,
09:16
because all I want to know is that it's actually vulnerable to buffer overflow. So as you can see, right now we have a bunch of A's in the ESP, which is the top of the stack, a bunch of
09:33
A's in the EBP, the bottom of the stack, and a bunch of A's in the EIP. Now, remember guys, the tricky part: we're creating our first exploit. Congratulations, we have a denial-of-service kind of exploit for this vulnerability,
09:52
because at the end the service is crashing. I mean, as you can see, it paused
09:56
and it says access violation when executing 41414141, which is, you know, the letter A; 41 is the hex for the letter A. And it crashed. That's the point. And if I close here, the service...
10:15
If I go here, the service is not running anymore. But if you saw in the background, it wasn't crashing with... let me just drag this out.
10:26
It wasn't crashing with this kind of bytes. I saw it crash before, right around here, but at the end,
10:35
we're not interested in the top; at the end, having more at the top will maybe help us to execute whatever payload we want. So it doesn't matter if we use this number or this number,
10:50
because at the end we'll be using jumping,
10:54
if you allow me to use that word. Actually, that is the correct word: we're jumping to another location by controlling the EIP. We're jumping maybe to another ESP location, a JMP ESP instruction, for example. And we want to actually see that.
11:11
See that? That's the point. So, yeah.
11:16
So let's modify our initial proof of concept.
11:20
Let me just create... Remember, this is just...
11:26
Bring it in here so you can remember how it looks.
11:30
So I don't want to use that anymore, because I already know what is happening there, so I don't want to start fuzzing things. So let me just
11:41
create a new one, I'm sorry, create a new one, which is called
11:45
bufferoverflow.py.
11:50
And let me just copy and paste that in here,
11:56
and basically it's the same thing, sending all these characters to our server, and just replicating that. Close that one out,
12:07
replicating that to
12:09
our system. And let me just drag this out so you can get familiar with the process. Starting the service again, running again Immunity Debugger as administrator. Remember, guys, this is kind of a
12:22
pain in you know where, because we have to do this every time we crash the service,
12:31
every time. So, yeah, we'll be doing that a lot. So again, everything's functioning correctly.
12:41
Let me just execute that.
12:46
And it crashed the system
12:50
again. Same behavior. Let me just go here to the ESP and, going down, follow in dump. And we have all the letter A's right now. Remember,
13:03
41 is the representation for the letter A, and we have it right here. So this is all of our stack, guys.
13:11
We have filled
13:13
the stack with a bunch of letter A's. So cool. Cool, cool, cool. Well,
13:20
how do you think we can proceed? Now that we know that... This is really a question that I ask all the students that I have with me: where do you think we go from here? We already know... let me just drag this out again.
13:35
We already know that we're actually creating a buffer overflow attack. We already know that
13:43
there's something wrong with this program. We already know that we're overwriting the... which at the end, remember guys, is something we want. Remember we talked about the three main pointers we'll be seeing, which were the ESP, the EBP and the EIP.
14:01
Now that we can control... now that we know that there is a buffer overflow vulnerability,
14:07
and now that we know that we can actually control the EIP, I mean, by controlling I mean that we can overwrite it, how do we know the exact location in these...
14:20
in these images? Let me drag this out.
14:24
How do we know the exact location of the EIP in all of these characters? I mean 5000 characters or something, almost 12,000 characters. How do we know the exact location? It could be 5000, 4000; I mean, how can we possibly know that?
14:45
Well, we cannot actually find that out with Immunity Debugger.
14:50
So there's a technique and a couple of scripts,
14:54
Perl scripts that we can use, that are bundled with the famous Metasploit Framework once again. So, yeah, we'll be doing that in the next video.
15:07
What is fuzzing, or how could you describe fuzzing? Well, basically, it's a technique that you can use to start to
15:16
kind of start testing your application, kind of a quality assurance technique, to see how the application will react to different inputs. I mean, it could go from any input, like malformed data input; for example, if your software is dividing
15:35
a number, trying to enter a zero to see what happens.
15:39
Or if your software is actually receiving dates, try to enter a date that does not exist.
15:48
Something like that. And in this case, we entered several numbers; we increased each time our input, what we were sending to the program, to see how it would react, and we saw that
16:07
it was crashing the system, so
16:10
we can think that there's a buffer overflow vulnerability present in that. And what is mona.py? This is a Python script, kind of a plugin for Immunity Debugger,
16:23
so we can actually test more things or boost the debugging process while using Immunity Debugger. And, while we are at this point, what is Immunity Debugger?
16:37
Well, Immunity Debugger is a tool that helps us to actually reverse engineer
16:44
anything that we want,
16:47
helps us with our malware creation process, helps us to debug whatever is in memory so we can actually see how the program behaves and how we can actually create something to go to a specific library, for example.
17:06
This is what the debugger, the memory debugger, is overall,
17:10
and in this video we learned some concepts behind the buffer overflow attack and started applying the techniques to execute the buffer overflow attack.
17:18
And the supplemental materials: The Hacker Playbook. You will see this book a lot in this course. And for the buffer overflow attack, these guys, this is a channel that I recommend you go to. They have buffer overflow, among other attacks that you saw in this course.
17:37
So I highly recommend you check them out.
17:41
Looking forward to the next video, we'll see how to control the EBP, which is the bottom of the stack, the ESP, which is the top of the stack, and, more importantly, the EIP, which is the current pointer to the instruction to be executed.
17:56
Because at the end, if we control the EIP, we can actually redirect
18:03
our execution to another stack or another memory location that we want and execute our own payload. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor