Hello everybody, and welcome to episode number 33 of the Buffer Overflow series: creating a payload.
My name is Alejandro Gina, and I'll be your instructor for today's session.
The learning objective is to understand the concepts behind the buffer overflow attack and apply the techniques to implement a buffer overflow attack. So let's get down to business, shall we?
We can use our well-known msfvenom utility from the Metasploit framework (you already saw a couple of videos about this) to automatically create our payloads. We can just use the following command. I'll write it right now: msfvenom, and we tell it what payload we want, which is windows/shell_reverse_tcp, and we tell it which will be the listening host, in this case our Kali machine.
The format will be C, since at the end we want to write our exploit code so we can send it in our payload. Then the --platform flag, and -b for the bad chars: remember that we found that the null character is the only one affecting the execution flow. And the encoding will be x86/shikata_ga_nai.
Now we wait for this to generate our code, and we just copy all of this and go to our famous proof of concept, and we enter a variable called shellcode. I just paste this inside, and I have our shellcode. As you can imagine, we'll send it. Where do you think we can send that? Let me just close this out and we'll continue with this.
It's worth noting that this is the length of the payload, which is 351 bytes, because we need to keep our payload stable in numbers when we are sending it. So, now that we know that it is 351 bytes, we can modify our payload to actually reflect that.
Now, remember that we put on an encoding, which was shikata_ga_nai. We cannot just copy-paste this into the buffer, since it has a decoding procedure prepended to the beginning of the buffer. This indicates that when it's executed, the shellcode first decodes itself in memory before getting executed.
Since our ESP register points to the beginning of the payload, the code which is generated, which again has the decoding procedure prepended to the beginning, we need to provide some space so the decoding process can take place. So first we use NO-operation, or NOP, instructions, which are represented by the hex \x90, at the beginning, so we can leave some space for the decoding process.
So basically, we need to send the data so we can reach the EIP. Then we tell it to go to this location, which is the JMP ESP, and then we tell it to actually decode itself. Note that in this first part we're leaving the stack, the space where vulnserver is located, because we're telling it to JMP ESP to another location. Remember what location that is? Well, it was essfunc.dll, and now that we're in the stack, or in the memory space, of essfunc.dll, we can actually start decoding the payload. So the NOP operations go here.
Then we send our shellcode; remember that we named the shellcode variable. Now that we send our shellcode, we can just fill the rest of our buffer with that. Now, remember that we need to maintain stability here: 351, which was the length of the payload, or shellcode, and the NOP operations. We need to maintain again the stability in this, so shellcode and NOP operations, and that's it.
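An added defender-side example, not from the video or its exploit script: a small Python check that recognises the layout just described (a NOP sled of \x90 bytes, the return address right before it, the shellcode body after it) in a captured message. The sample buffer, its filler length and its return-address bytes are constructed placeholders; the 351-byte body length is the one the lecture gives.

```python
# Added example for the lecture's payload layout (filler to reach EIP, 4-byte
# return address for the JMP ESP, a NOP sled of 0x90 bytes, then the encoded
# shellcode). Defender-side code written for this page, not the video's
# script: it scans a captured message for a NOP sled, which is the part of
# such a payload that an encoder like shikata_ga_nai does not hide.
from typing import List, Tuple

NOP = 0x90  # x86 single-byte "no operation"

def find_nop_sleds(data: bytes, min_len: int = 8) -> List[Tuple[int, int]]:
    """Return (offset, length) of every run of at least min_len NOP bytes.

    min_len keeps isolated 0x90 bytes in normal traffic from being flagged.
    """
    runs = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and data[j] == NOP:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs

def inspect_message(data: bytes, min_len: int = 8) -> dict:
    """Summarise a message the way the lecture's buffer is laid out."""
    sleds = find_nop_sleds(data, min_len)
    info = {"length": len(data), "nop_sleds": sleds, "suspicious": bool(sleds)}
    if sleds:
        off, ln = sleds[0]
        # The 4 bytes right before the sled sit where EIP is overwritten
        # (the JMP ESP address in the lecture's layout).
        info["return_address"] = data[max(0, off - 4):off]
        # Bytes after the sled are the candidate (encoded) shellcode body.
        info["body_bytes"] = len(data) - (off + ln)
    return info

# Constructed sample mirroring the layout; the filler length and the return
# address are placeholders, not values from the video. Body is 351 bytes.
SAMPLE = b"A" * 100 + b"\xef\xbe\xad\xde" + b"\x90" * 16 + b"\xcc" * 351
BENIGN = b"hello world\r\n"  # constructed ordinary message

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
    print(inspect_message(BENIGN))
```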
And we're good to go. Let's save it. And let's see if we can... let me just open here. What was the command we used to create that? 1234, okay, that's the listener, and we can just execute our command right now. Oh, I forgot to actually... So now that we have that there, we can just execute it and see what happens, and we have our command shell back. Let's see.
As you can see, this is especially dangerous. Let me see if my mic works in here. Okay? Yeah. This is especially dangerous because if we don't sanitize the variables correctly, we can be exposed to this kind of attack.
Now, the application has not failed, as you can see, but if I just close this shell, the application fails and says the process was terminated. Now, let me show you here: the process failed, and whenever I actually change that, it fails because msfvenom appends an exit process call to the end of the shellcode we generated, which causes vulnserver, which is, you know, a thread of that application, to crash when closing our shell.
To avoid crashing our thread, and it could be vulnserver or any other application, we can use the EXITFUNC=thread method. For example, remember that we generated it here; we can just go in here and type EXITFUNC=thread. Okay, and the rest stays the same. So let me just generate that again, and copy-paste this new shellcode. Oops, copy. And let me modify our script here. Let me just eliminate all of this and create a new variable, and let me just restart the service, start my listener again, and execute this again.
And I got my reverse shell back, but this has not crashed just yet. If I just exit this, you can see that the application continues running. This means that we increased or improved the stability of our payload. So now the application has not crashed. This gives us a stealthier payload, because at the end, if the program doesn't crash, nobody has to call IT to restart the service or the server. So we're good to go.
Again, we can just start another listener and execute the Python code, and we can get back something like that. And what if we want to... this is kind of a bonus for you guys, but what if we want to go here and see if Remote Desktop is enabled? Oh, it is not enabled. But we can just copy-paste this instruction, since we already hacked the machine. Copy: this instruction has completed successfully, and we can go here and execute this exact same thing, and Remote Desktop is now enabled. I can just go here and type the password. Now, I know the password, but you could just change it with net user or something like that. And we are already inside our victim with a graphical user interface. If you guys are not into the shell as I am, you can just go with that. So this is how dangerous a buffer overflow, a successful buffer overflow via a script, can be.
And that's a problem. Now, remember that we saw the SLMail server being vulnerable to a buffer overflow, and we exploited that with a public exploit, and we also exploited it with the msfconsole exploit. Well, I highly encourage you to create your own exploit with the exact same process. By the way, you may have to change a few things; I mean, maybe the return address will be at a different location. But if you follow the exact same instructions I gave you in this buffer overflow series, you can actually create your own payload, or the exploit itself, to exploit the buffer overflow vulnerability in the SLMail server. So I highly encourage you to do that, because only with practice can you actually master this technique.
What is executed by the msfvenom tool if we pass the -p flag? Well, it will tell msfvenom what specific payload we want to create. And what is executed by the msfvenom tool if we pass the -f flag? Well, it will tell it in what format we want that payload. It could be an executable format, or it could be a Python, Ruby or C format that we can actually include in our own code.
In this video we learned some concepts behind the buffer overflow attack, and we applied some techniques to execute the buffer overflow attack. As complementary materials: The Hacker Playbook 3, an amazing book, and we stick with Capture the Flag 101 for this series.
Looking forward to the next video, we'll see how to escalate privileges. We will start a new series, because we just ended the buffer overflow series, and we'll start the privilege escalation series, so we can see how to do that in both Linux and the Windows environment.
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.