Hello, everybody, and welcome to episode number 32 of the buffer overflow series: redirecting execution.
My name is Alejandro Gonna and I'll be the instructor for today's session.
The learning objectives of the session are to understand the concepts behind the buffer overflow attack and apply the techniques to implement a buffer overflow attack.
So let's get down to business, shall we?
First, again, let me remind you what mona.py is. It is just a plugin for Immunity Debugger, so it can help us find out more about the memory where we're executing our payload or exploit.
In this scenario, it will help us find out what modules are loaded when we crash the application. We can actually jump to that other module, or to its address. So let me just
show you how to do that. First, let me grab this out. Remember that in this case we already have something crashed, so let me just crash it again,
because we want to find out something that was being loaded at the crash time.
Okay, now that we have loaded that, yes.
My point is that I don't want to send bad characters anymore. I will now leave that commented, so we can know how we have been processing all of this.
We crashed our application.
And now I want to find out which modules are loaded in memory when the application was crashed,
so I just type mona modules here at the bottom of the window screen, right here.
And that's it. I hit Enter and I can see a lot of modules being loaded. All of these are modules, precisely.
Now, the point right now is to remember a couple of things.
Remember that I told you that the range of the memory must not contain bad characters. We identified in the previous video, you remember, that the bad character affecting the execution flow was the 00 character, which is the representation of the null character.
So that's one criterion. And the other criterion is to have some addresses that don't contain memory protection,
like, for example, ASLR, address space layout randomization. Again, ASLR. Yeah, you cannot
find these modules sometimes, and you will have to implement techniques to bypass such protections. But this is beyond this course.
This is beyond the scope of creating a buffer overflow, but there are techniques that you can use to actually bypass the address space layout randomization protection or any other protection. So for this case, these two addresses look good to me. For example, all of them have False, False,
ASLR, for example, False,
and NX False again. So yeah, let's grab this one.
You could use
any other memory address, but let's just take the first one, which is just a DLL which is, by the way, being loaded from the vulnserver application. So we need now,
remember the name, essfunc.dll,
remember that name. Now that we know that name, we need to find a JMP ESP instruction so we can reach this module by JMP ESP. I mean, we already are in the vulnserver.exe module, or stack, I'm sorry.
And we now know the location, so we need to tell that EIP
to jump to the top of the stack of this DLL,
if that makes sense. But yeah, that's what we need to tell it. So we need to find a JMP ESP instruction so we can tell it to go to the top of the essfunc.dll.
For that, I go to the executable modules list. Let me just
show you. You can see that there's essfunc in there; just double-click on it. And I'm in that module; that module is loaded, that's the point.
Here, you can see that on the top of Immunity Debugger. Now I need to again find
JMP ESP. So I just go here, right-click, Search for > Command, for example.
I put JMP ESP, which is already in there. Remember, JMP ESP. I type Find and it gave me this address. Now this is really important because I need to
put that specific address in my EIP. In the rare case that you don't find a JMP ESP, you can still go search for the sequence of commands and just type it.
Let me just stop here.
And no, I did not find it, so that's okay. We already found our JMP ESP in that application. If you don't find anything in that module,
or in that region, you can always go to all modules, M at the top.
Here you can find the essfunc module, and you can see that only one of them is marked as executable, which is that .text region. But
you can try to use that address. Remember that we selected the address without memory protection for the essfunc process; we're free to use instructions from any section in this module, and not only the ones marked as executable.
So you can tell mona to look for a JMP ESP instruction in the entire region
by passing this command. Well, first, let's find out what's the hex equivalent of a JMP ESP instruction, so let me just check this out,
and we can actually tell it. Let me just find, locate nasm_shell, another tool
of the Metasploit framework.
Let me just copy that,
run it, and pass it the instruction JMP ESP,
and it will tell us the hex is FF E4. Okay, that's fine,
FF E4. So I go back to Immunity Debugger with the mona
Python script, and I tell it to find -s,
which is, by the way, for string, "\xff\xe4",
which is basically find a JMP ESP. And I want to find it in all the modules, or in the specific module, -m.
Remember the name of the module, which is,
what was the name of the module?
essfunc.dll.
So we type that out and we find a total of nine pointers,
which is good. My point is that this is good. In fact, if you take a look at the first one that came from that command, it's actually the one we're using, or the one we selected at the beginning, 625011AF.
Right, that's different. We can actually use any of these as long as they don't contain any bad characters, which, it seems, they don't; they don't contain 00. And they all are JMP ESP, remember, FF E4. So we're good in that matter.
But let's stick with the first one, which was this one, specifically the one that's marked right now. So let's just double-check. Let's just
execute this and you can see that's already in there, 625011AF, just to see if it actually goes to a JMP ESP. And in fact, it goes to a JMP ESP. So we're good in that matter. We're just double-checking that.
So now that we know that this actually contains a JMP ESP, let me just
close it out. Anyway, we have to
restart the service. Now that we know
what address we need to use, we can actually change,
we can actually change our proof of concept.
So instead of those four B's, because those were the four B's we were overwriting with,
we're overwriting EIP, so now we need to put that address. So remember that
we need to put it in reverse, as the 32-bit architecture stores addresses in memory in the little-endian format. So yeah,
at the very end of the string, 11
and 62. And we have our address right now.
Now the execution flow will not go to a non-existent address like the four B's we were sending before, the 42 42 42 42; it will go to a real address with a JMP ESP, which will execute our shellcode.
So basically, we're telling the stack of the program: okay, you know what, don't continue
with the actual stack, executing whatever was to be executed next; actually, go to this other location where we have a JMP ESP. We have the entire stack for ourselves and we'd like to actually execute this payload.
Now, what payload are we going to execute?
That's the one we're going to create next in our upcoming videos.
Let me just save this one out.
What is executed by the mona modules command? Well, it will show us all the modules that are loaded in memory when we crashed the application. These will help us to see if we have another module that we can jump to,
or other stacks we can jump to, and find out,
or see, if we can actually use one of them to execute our payload.
What is executed by the mona script when we pass the -s flag? It will search for a specific string in a specific module if we tell it to. So in this video we searched for a JMP ESP string
in a specific module, which was essfunc.dll.
So yeah, that's what you can achieve by passing that flag.
In this video, we learned some concepts behind the buffer overflow attack, and we implemented some techniques to execute the buffer overflow attack. Supplemental materials: again, The Hacker Playbook, again, an amazing book, and stick with the Capture the Flag 101, guys.
In the next video, we'll see how to create our payload so we can actually go from controlling EIP, telling EIP to jump to a JMP ESP, and from that ESP, which is the top of the stack, execute our payload.
That's it for today, folks. I hope you enjoyed the video, and talk to you soon.
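The lookup and packing steps walked through in this episode, as an added Python example that is not part of the lecture or of mona.py: it scans a constructed byte region for the FF E4 opcode (what the mona find -s step does), drops candidates whose address bytes contain the 00 bad character, and packs the surviving address little-endian for the EIP slot. The base 0x62500000 and the byte layout are constructed assumptions; 0x625011AF is the address from the lecture.

```python
import struct

# Constructed sample: a fake code region that we pretend is mapped at BASE.
# The base address and the layout are assumptions made for this example;
# only the opcode bytes (FF E4 = JMP ESP) are real.
BASE = 0x62500000
SAMPLE_CODE = (
    b"\x90" * 0x11AF      # filler up to offset 0x11AF
    + b"\xff\xe4"         # JMP ESP at BASE + 0x11AF -> 0x625011AF
    + b"\x90" * 0x4F      # filler up to offset 0x1200
    + b"\xff\xe4"         # JMP ESP at BASE + 0x1200 -> address contains 0x00
    + b"\xcc" * 4         # trailing int3 bytes, no further hits
)
JMP_ESP = b"\xff\xe4"     # the hex equivalent of JMP ESP from the lecture
BAD_CHARS = {0x00}        # the bad character identified in the previous episode


def find_jmp_esp(code, base):
    """Return the absolute address of every JMP ESP in code (like mona find -s)."""
    hits, start = [], 0
    while True:
        i = code.find(JMP_ESP, start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1


def address_has_bad_char(addr, bad_chars=BAD_CHARS):
    """True if any byte of the 32-bit little-endian address is a bad character."""
    return any(b in bad_chars for b in struct.pack("<I", addr))


def usable_pointers(code, base, bad_chars=BAD_CHARS):
    """JMP ESP addresses that survive the bad-character filter."""
    return [a for a in find_jmp_esp(code, base) if not address_has_bad_char(a, bad_chars)]


def pack_return_address(addr, bad_chars=BAD_CHARS):
    """Little-endian bytes for the EIP slot; refuses addresses with bad characters."""
    if address_has_bad_char(addr, bad_chars):
        raise ValueError(f"{addr:#010x} contains a bad character")
    return struct.pack("<I", addr)   # 0x625011AF -> b"\xaf\x11\x50\x62"


if __name__ == "__main__":
    for a in usable_pointers(SAMPLE_CODE, BASE):
        print(f"{a:#010x} -> {pack_return_address(a).hex()}")
```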