Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody, and welcome to episode number 30 of the buffer overflow series: controlling the EBP, the ESP and the EIP. My name is Alejandro Guinea and I'll be your instructor for today's session.
00:13
The learning objective of the session is to understand the concepts behind the buffer overflow attack and apply techniques to implement a buffer overflow attack.
00:23
So let's get down to business, shall we?
00:28
First, let me give you some background on how we left the previous video. Let me just drag this out. Basically, we just found out that there's a vulnerability here, and we found out that we are overwriting the EIP, the EBP and the ESP. If I go here and Follow in Dump,
00:47
you will see all the A's in this section. So yeah, we're overwriting basically everything.
00:52
Now, the tricky part is to find the exact location of the EIP. It could be a couple of spaces just after the EBP, you know, the bottom of the stack. It could be just a couple of spaces before the ESP, at the top of the stack, and it could be in the middle. I mean, that's the problem. How can we actually locate that?
01:11
And that's the tricky part. Let me just drag this out.
01:17
How could you? How do you think we can do that? How can we locate the exact location of the EIP in the buffer? I mean, how many A's, in this question specifically, for this proof of concept, how many A's do I need to send
01:32
to reach the EIP? Then we need to send... well,
01:37
we have a couple of ways to do that. Yeah, a couple of ways to do that. But the more manual one, and the easiest, I believe, is to, you know, send a unique string containing all of our characters,
01:53
so we can see which specific four characters are actually overwriting the EIP. Now, writing
02:02
almost 6000 different characters to send in a string is, you know, a really difficult task, I must say. So we can actually use a Ruby script that comes bundled with the Metasploit Framework, which is called pattern_create.
02:22
Let me just give you the location,
02:30
and, you know, explain.
02:34
Metasploit Framework. Exploit.
02:38
What the hell?
02:40
They have exploit here,
02:51
after the tools. We use ready... down and,
02:55
uh, locate
02:58
pattern_create. I thought it was in the exploit folder, but no biggie. We can just find the Ruby script, and that will be all.
03:07
Let me... yes.
03:09
Okay. Oh, tools, exploit, my bad, you guys.
03:14
So we can actually use that. And, you know, it will actually create,
03:19
um
03:23
a string with different characters, with, you know, unique characters. And what's the size of this? Remember, the length is almost 6000. And we can just, you know, hit enter, and it will create a really long string of characters. Now,
03:42
we copy all of this. And where do we put it? Where do you think we could send it right now? Well, we have our proof of concept.
03:51
Um,
03:52
OK, just go here.
03:55
Uh, puck
03:58
view
04:00
and we can just create something here called, I don't know, chars
04:04
equals
04:06
and we put all that in here. And that's a weird font. And we can just
04:15
type
04:17
now, here, chars.
04:19
And that's it.
04:21
And we have this ready. On Windows we have to close this out, we start the service. Remember I told you I will be doing that a lot, because at the end the service crashes every time we overflow the stack.
04:40
We attach our server again. Attached.
04:44
Run.
04:46
And let me drag this out again. I will be dragging this in and out. I'm sorry if this is kind of confusing for you, but I'd like you to follow me in every step and every click I make for this. So if this is distracting to you, I apologize. I really apologize for that.
05:04
But I don't want you guys to miss anything on this course.
05:10
So now that I have our proof of concept ready to go, I open Immunity.
05:17
I was stopping Python on my Windows XP. Sorry.
05:20
Python
05:23
Look
05:24
poc, also, and I send it, and it crashed. Our application, as expected, but this time, you know, the thing is that we don't have the A's anymore, or the 41 41 41 in here. We have a specific string, which is, you know, 386F
05:43
4337.
05:45
So we can actually... we know that those are the four specific characters that are overwriting the EIP. Now, the other difficult part is to actually locate, in our long string, you know, almost 6000 characters of string,
06:01
where those four characters specifically are located.
06:06
Well, we have another tool here. Let me just drag this out again. Another tool, which is great. Locate again, the same way: pattern_offset.
06:20
Oops. Locate pattern, and pattern
06:26
offset.
06:27
And, you know, we have this Ruby script again. So we just copy-paste it, and we can tell it to query for, um,
06:36
those specific, uh,
06:41
for, you know,
06:43
the bytes that we found.
06:45
So let me just copy-paste that again,
06:49
and it will tell us a specific location.
06:54
Okay.
06:56
Wow. Okay. Okay. That... that's okay. This number is telling us that after this, uh,
07:04
this location, with this amount of characters, we can actually overwrite the EIP. So let's test this out, because I don't want to just trust this.
07:17
What I do in the script that we can see here is that we just comment this out; I leave it there in case of, you know, any problem. So I type here A's, and this will be multiplied by the amount of the location, basically the location where I can find these four characters.
07:38
Then I will write
07:41
four B's,
07:44
because I want to know that I overwrite these four specific bytes of the EIP and not, you know, one byte to the left or one byte to the right: the four specific bytes. And I just
08:01
create
08:03
I just multiply C's
08:05
for, you know,
08:09
I don't want to do the math in my head, so I just go and do that, and that's it. Let's see, poc,
08:18
or
08:20
exploit again. Ah, it's useful for us. So again, you guys, sorry about this. But, you know, this is how you have to do things:
08:31
and File, Attach, on server, attach,
08:35
and run, and let me
08:39
again drag this out and see if actually we can override this with our
08:46
specific four B's, and
08:48
boom. There you go. Okay, we have the C's at the top... at the bottom of the script... at the bottom of the stack, which is expected, at the end. We're starting our proof of concept with A's, but we have four B's,
09:07
42 42 42 42, for the EIP, and we have the rest of the C's for the ESP, which means that if I go to Follow in Dump, the rest of the C's. Okay, that's amazing, because at the end we split the stack in three parts. You know, the first part is whatever is contained in the EBP.
09:26
Then we found out the location,
09:31
and then we have the rest of the stack to put the C's. If I go a little bit higher here,
09:37
just go clean here, you can see the C's, the four B's right now, right here,
09:43
and then the rest of the A's.
09:48
So, yeah, we actually located that. That way, now, we have the location of the EIP. And we can now, you know,
09:58
check where we actually want to go, or when we want to go. You know,
10:05
that's the thing Now,
10:09
now that we know that we control the execution flow, or the execution, you know... yeah, the execution flow of the
10:20
vulnerable server, or application. Now we need to introduce our own shellcode in the memory stack so we can execute whatever we want. So we follow the ESP register and check what's in that memory location, right? You know,
10:39
just again, what did I write? Follow in Dump. And we see that... so this is the area of the buffer that seems a good match to actually create or implement our own shellcode.
10:58
What is pattern_create? Well, it's a Ruby script to actually create a long string of unique characters, and it helps us to actually find the location of the EIP.
11:13
And what is pattern_offset? Well, now that we, you know, we
11:20
use the pattern created by the pattern_create
11:26
Ruby script, and now that we know the four specific characters that are overwriting the EIP, we can look for those four characters' location with the pattern_offset Ruby script.
11:39
In this video, we learned some concepts behind the buffer overflow attack, and we implemented some techniques to execute the buffer overflow attack.
11:48
Supplemental materials: The Hacker Playbook. In this case, I have to recommend you to go and read and practice with ctf101.org, so you can actually see how these canaries could work. You know, this is kind of knowing how the canaries work,
12:07
and knowing how to actually exploit them,
12:09
or, you know, some more concepts about the pointers in the stack. So I will highly recommend you go to that web page.
12:18
Looking forward, in the next video we'll see how to avoid the bad characters, how to avoid terminating our exploit, or, you know, avoid those characters while creating our payload, so we can avoid any problems in our payload execution.
12:33
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
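Added example, not part of the course material and not Metasploit's own code: a Python reimplementation of what pattern_create.rb and pattern_offset.rb do in the video, followed by the A's / four B's / C's test buffer the instructor builds to confirm the result. It assumes Metasploit's character ordering (uppercase letter, lowercase letter, digit, with the digit cycling fastest) and a 32-bit little-endian target, which is why the EIP the debugger shows (386F4337) has to be byte-reversed before searching the pattern. The offset the test checks against (2003) is computed from that ordering, not taken from the transcript.

```python
"""Cyclic-pattern helpers for locating the EIP overwrite in a stack overflow.

Added example. Reimplements the pattern_create / pattern_offset logic from
the Metasploit Framework (assumed ordering: Aa0Aa1...Aa9Ab0...Az9Ba0...).
"""
import itertools
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes


def pattern_create(length):
    """Return a cyclic pattern of `length` bytes made of Uld triplets.

    The digit cycles fastest, then the lowercase letter, then the uppercase
    letter, so every 4-byte window is unique up to MAX_UNIQUE_LEN bytes.
    """
    if length > MAX_UNIQUE_LEN:
        raise ValueError("pattern would start repeating beyond %d bytes" % MAX_UNIQUE_LEN)
    chunks = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        chunks.append(u + l + d)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length].encode()


def pattern_offset(value, length=6000):
    """Return the offset of a 4-byte needle inside pattern_create(length).

    `value` may be the bytes as they sit in the buffer (b"7Co8"), or the
    register value as the debugger prints it (0x386F4337). x86 is
    little-endian, so a register value is packed back into buffer order
    before searching, exactly the reversal pattern_offset.rb does.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("%r not found in a %d-byte pattern" % (needle, length))
    return idx


def windows_unique(pattern, width=4):
    """True if no `width`-byte window repeats, i.e. pattern_offset is unambiguous."""
    seen = set()
    for i in range(len(pattern) - width + 1):
        window = pattern[i:i + width]
        if window in seen:
            return False
        seen.add(window)
    return True


def build_poc(offset, total_len, eip_bytes=b"BBBB", filler=b"C"):
    """Buffer from the video's confirmation test: A's up to the EIP slot,
    four B's in the slot, C's for the rest (the bytes ESP points at after
    the crash). Length is kept equal to the original crashing buffer."""
    if offset + len(eip_bytes) > total_len:
        raise ValueError("EIP slot does not fit inside the buffer")
    return b"A" * offset + eip_bytes + filler * (total_len - offset - len(eip_bytes))


def register_from_buffer(buf, offset):
    """Value a 32-bit register would hold after popping buf[offset:offset+4]
    (little-endian), i.e. what the debugger would display for EIP."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


if __name__ == "__main__":
    length = 6000
    eip_seen = 0x386F4337                     # as read from the debugger after the crash
    off = pattern_offset(eip_seen, length)   # 2003 under the assumed ordering
    poc = build_poc(off, length)
    print("EIP offset: %d, check: EIP=0x%08X" % (off, register_from_buffer(poc, off)))
```

The practitioner's caveat is in `pattern_offset`: search for the register value, not the characters you think you saw, because the debugger displays the little-endian word, and a mistyped or un-reversed needle silently matches nothing or the wrong place. The `windows_unique` check is why one query yields exactly one offset for patterns under 20280 bytes; past that length the pattern repeats and a hit can be ambiguous.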

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor