Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:01
Hello, everybody, and welcome to episode number 31 of the Buffer Overflow Series.
00:06
Bad characters.
00:08
My name is Alejandro, and I'm going to be the instructor for today's session. The learning objectives of the session are to understand the concepts behind the buffer overflow attack and apply the techniques to implement the buffer overflow attack. So let's get down to business, shall we?
00:24
First of all, let me just clear that one out and give you some background about why we care about bad characters.
00:32
Before we actually create our payload, we need to identify if the application doesn't support, or uses, some characters, as they can crash our execution flow. You know, this means that they will block our shellcode from executing.
00:48
When I say shellcode, it's because that's the code we'll be creating. You know, you can create any type of payload.
00:54
And, you know, these characters can again crash or affect the execution flow of your payload.
01:00
The most problematic character is the null byte, which, you know, has a hex equivalent of 00. Another example of a common bad character is the carriage return byte, which has a hex equivalent of 0D,
01:19
the last one especially dangerous when dealing with some protocols, like FTP, for example,
01:25
as this protocol uses these characters to determine when a command or input has ended. So we need to modify our proof of concept to send those bad characters to your payload. So
01:42
there's a bunch of places on the Internet where you can actually find the bad character list, which is a really, really long list. But, you know, let me just give you the link to the one that I use. But, you know, again, you can use any other
02:00
tool or page, because, you know, yeah, any other tool or page works. This is the list that I'm using right now.
02:13
So, yeah, there's that. Again, you can just type "bad characters list" on the Internet and that's it. So let me just modify our proof of concept,
02:23
POC,
02:27
and
02:28
here enter this character list,
02:32
which again I just took from the page I just showed you,
02:37
and now that I have that here, I remove all of this because at the end, remember, where will it be executed?
02:46
Everything after our Bs are created. I mean, after the Bs are created. So let me just put the bad
02:55
chars
02:58
here. And remember, at this point we're filling up from the EBP, which is the bottom of the stack. Then we fill out the four for EIP, and the ESP is the one where we're actually executing our payload.
03:15
So we need to see what this application doesn't like.
03:17
So, yeah, there's that. So we save that.
03:22
And, you know, we again have to go through that process that you already know. But, you know, we have to continue doing that.
03:35
We attach it once again,
03:38
we run it
03:39
and we see what this doesn't like
03:44
03:44
and, you know, boom, it was executed. Let me drag this out. It's paused, you know? Okay, the EBP contains, okay, but you can see that the ESP right now doesn't contain much information. That's telling me something.
04:03
The EBP contains four, you know, the 41s, which are the As, which is good so far,
04:11
and EIP contains 42 42 42 42, which is representing the four Bs. The four Bs were sent. But, you know, if I go here to ESP and I do Follow in Dump,
04:23
okay, I see the character 00, but then I don't see the correct, the residual ones. Remember that we sent them out in our POC,
04:31
00 01, but I don't see that in our Windows XP machine. It stays in 00. It doesn't go to 01. So 00, which is the hexadecimal representation of the null byte or the null character,
04:49
is clearly affecting the
04:53
execution flow. So let me just again restart this,
05:04
and now that I have it running, let me just eliminate
05:10
this 00 character from my string
05:14
and see what other character is actually affecting this.
05:19
So I execute it,
05:23
and now I see 42, 41, ESP, Follow in Dump. Okay: 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C. It seems good so far. Let me see if I can find anything here.
05:42
Anything, anything. Oh, no, I see the FF character, which is the last character we're actually sending. Remember?
05:48
FF.
05:50
Okay. So let me just show you the windows here again.
05:58
So it seems that when we deleted the 00 character, which is, you know, the representation of the null byte, and after sending the updated buffer again, the memory dump shows the expected characters from 01 to FF.
06:15
This means that the only bad character that is actually affecting the flow of the execution on this application is 00.
06:25
So, you know, it seems that we're good to go. I mean, just to summarize, our payload should not include the character 00. Otherwise, the content of the payload will change or will not be executed.
06:39
We now need to find a generic address that the ESP points to at the time of the crash.
06:46
You know, I have seen some people in some video tutorials hard-coding the ESP address, and this will work for that specific video, maybe. But every time you restart the application or restart the operating system, this will not work, as it changes for every execution.
07:04
So again, we need to find a generic address that ESP points to,
07:10
so we can put it on the EIP. I don't know if that makes sense. Remember, the ESP is at the top of the stack and the EIP is the address that points to the next instruction to be executed. So right now, again, we need to find a generic address that ESP points to,
07:30
to find a JMP ESP, for example.
07:32
We need to find a module or library, for example a DLL, that is loaded by the vulnserver application, and it doesn't change at execution time or reboot, and it has to be, you know, readable or executable.
07:47
For that, we use, you remember that we talked about this at the beginning of this
07:54
buffer overflow series, the mona.py file. You know, again, it's a Python script that will help us to identify several things, like the one we're looking for right now. Again, we're looking for all the modules or libraries loaded by vulnserver when the application crashes,
08:15
depending on what version of Immunity Debugger, maybe Mona is installed already. Let me just show you the application. At the beginning of the series, I already showed you where to download the mona.py, the Mona Python script. Oh, my God, this again.
08:31
And right now, you just have to go to your local PC
08:37
and Program Files, Immunity Inc, Immunity Debugger, and PyCommands. And there you will find the Mona script. You just have to copy-paste it, basically, which is this one. Copy-paste the Mona script and you're good to go. That's it.
08:52
That's how you actually install Mona. So that's that. And now, knowing that we have Mona in place, we need to find
09:03
what modules are loaded when we execute our exploit. And, of course, we need to redirect our execution to that point.
09:15
What is represented by the 00 hex? I put in an inside joke right now, because I did put a 00 here, but you cannot see anything. So what is represented by that? Well, the null character, as you can imagine.
09:33
Why do we care about bad characters? Because if we actually use
09:39
bad characters in any part
09:43
of our process, in any part of the process, because at the end I already showed you how it affects our execution flow. I mean, how it affects our payload being executed. But this is also true for any memory addresses that we will be using in the upcoming videos.
10:03
We cannot use memory addresses that actually contain the bad characters
10:07
at any point, because at the end, remember that we will be using that address to redirect our execution, meaning that we will use that address in the pointer. So if we find an address that is suitable for us for a number of reasons, but it contains the character 00, again, the null character,
10:26
it will cut the connection. It will never make the redirection to the other part, and of course,
10:31
we will never execute our payload. Yeah, that's why we care about bad characters.
10:39
In this video, we learned some concepts behind the buffer overflow attack and we implemented some techniques to execute the buffer overflow attack.
10:46
Supplemental materials: again, The Hacker Playbook 3, an amazing book. And again, CTF101, these guys have some serious
10:58
concepts and, you know, exercises you can practice on.
11:03
In the next video, we'll see how to redirect our execution so we can put some system address on the EIP and actually jump to another location so we can actually execute our payload. That's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor