Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:01
Hello, everybody, and welcome to episode number 33 of the Buffer Overflow series: Creating a Payload.
00:08
My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:12
The learning objectives are to understand the concepts behind the buffer overflow attack and apply the techniques to implement a buffer overflow attack. So let's get down to business, shall we?
00:24
Just clear this out,
00:26
and we can use our well-known... you already saw a couple of videos about this: the msfvenom utility from the Metasploit framework, to automatically
00:38
create our payloads. We can just use the following command. Just write it right now: msfvenom, and we tell it what payload we want, which is the Windows reverse shell. Basically,
00:52
uh, windows/shell
00:54
reverse
00:59
tcp, and we tell it which will be the listening host,
01:03
in this case our Kali machine,
01:07
the listening port,
01:10
in this case, you know, 1234.
01:12
Ah, the format will be C, since at the end we'll want to write our shellcode so we can send it in our payload. --platform
01:25
is windows.
01:26
Then -b for bad chars; remember that we found that the null character is the only one affecting the execution flow. And the encoding will be x86.
01:42
We execute the line
01:48
and we hit Enter
01:49
and now wait for this to generate our code. And we just copy all of this
01:57
and we go to our famous proof of concept
02:02
and we enter something called, like, shellcode
02:08
equals
02:10
Now I just paste this inside
02:13
and I add our shellcode. As you can imagine, we'll send it.
02:19
Where do you think we can send that? It's worth... Let me just
02:23
close this out and we'll continue with this.
02:27
It's worth noting that this is, ah, the length of the payload, which is, you know, 251 characters long, because we need to maintain our payload stable in numbers when we are reading, oh, you know, the one thing we're sending. So,
02:47
uh, now that we know that it is 251 bytes,
02:51
we can modify our payload to actually reflect that. Now, remember that we put an encoding, which was shikata_ga_nai. We cannot just copy-paste this into the buffer, since it has a decoding procedure prepended
03:07
to the beginning of the buffer. This indicates that, when it's executed, the shellcode first decodes in memory before getting executed.
03:17
Since our ESP register points to the beginning of the payload, you know, the code which is generated, which again has the decoding procedure prepended to the beginning, we need to provide some space so the decoding process can take place.
03:36
So first, we use no-operation, or NOP, instructions,
03:40
um, which are represented by the hex \x90, at the beginning, so we can leave some space for the decoding process. So basically, we need to send it the data so we can reach the EIP.
03:58
Then we tell it to go to, ah, this location, which is the JMP ESP; then we tell it to actually decode itself. Note that, well, I mean, in this first part, we're leaving the stack of the server, where vulnserver is located,
04:15
because we're telling it, with JMP ESP, to go to another location. Remember what location that is?
04:19
Well, it was the essfunc.dll. And now that we're in the stack, or in the memory space of the essfunc.dll, we can actually start decoding the payload. So the NOP operations, uh, maybe
04:39
that's, you know,
04:41
Then we send our shellcode. Remember that we named the shellcode variable.
04:48
Uh,
04:50
so now we can actually,
04:54
now that we send our shellcode, we can just leave that and our buffer with that. Now, remember that we need to maintain stability in there. So
05:04
351, which was the length of the payload, or shell, or of the shellcode, and the NOP operations. We need to maintain again the stability in this, so shellcode, NOP operations, and that's it.
05:21
And we will be good to go. Let's save it.
05:26
And let's see if we can... let me just open here. What was the command we used to create that? ... 1234. Okay, that's the listener,
05:39
and we can just execute our command right now.
05:46
Oh, I forgot to actually, uh,
06:08
So now that we have that in here, we can just execute it, ah,
06:15
and see what happens,
06:16
and we have our command shell back. Let's see.
06:21
As you can see, this is especially dangerous, because... let's see if it works in here. Okay? Yeah, this is especially dangerous because, if we don't sanitize the variables correctly, we can be exposed to this kind of attack. Now, if I actually,
06:39
the application has not failed, as you can see,
06:42
but if I just close this shell,
06:46
the application fails
06:47
and says the process was terminated. Now, because of
06:54
we're not... let me just give you, here.
06:57
Okay? Uh,
07:00
the process failed, or, you know, whenever I actually
07:05
change that, you are actually, um,
07:10
it fails because msfvenom appends an ExitProcess call by default to the end of the shellcode we generated, which causes vulnserver, which is, you know, a thread in that application, to crash when closing our shell.
07:26
To avoid crashing our thread, it, you know, could be vulnserver or any other application,
07:33
we can use the exit thread method. For example, remember that we generated, ah, here.
07:41
Ah, we can just go in here and type EXITFUNC=thread.
07:50
Okay. And the rest stays the same. So let me just generate that again,
07:58
okay? And copy-paste this new command... this new shellcode, I'm sorry.
08:03
Oops. Copy. And let me modify
08:07
our script here. Let me just eliminate all of this
08:13
and create a new variable
08:16
shellcode
08:18
equals
08:20
and just paste that
08:24
and save it
08:26
and let me just restart the service,
08:31
attach it again.
08:37
So I just attach it,
08:43
right,
08:45
and let me start my listener again
08:50
and let me execute this again.
08:52
And I got my reverse shell back to us, and, you know, but
08:58
this has not crashed just yet. If I just exit this,
09:05
you can see that the application continues running
09:09
right here.
09:09
It continues running. Um,
09:13
this means that, you know, we
09:16
increased or improved the stability of our payload. So now the application has not crashed. This will give us some kind of, you know... we created a stealthier program or payload, because at the end, if the program doesn't crash, you know, nobody has to call IT
09:35
to restart the service or the server. So we're good to go. I mean, maybe we can go unnoticed
09:41
again, so we can just again start another,
09:46
another listener and just execute the Python code. And we can get back something like that. And what if we want to... I don't know if this is kind of a bonus for you guys, but what if we want to actually go to here?
10:01
See if Remote Desktop is enabled.
10:05
Oh, it is not enabled. But, you know, we can just copy... copy-paste this instruction, as we already hacked the machine.
10:15
Copy. This instruction has completed successfully, and we can go here and execute this exact same thing. And, you know, Remote Desktop is enabled. I can just go here
10:26
and type the password. Now, I know the password, but you can just change it with, you know, that user or something like that, the password. And, you know, we already are inside our victim with, uh, you know,
10:41
a graphical user interface. If you guys are not into the shell as I am, you can just go with that. So these are the dangers of buffer overflow. Ah, a successful buffer overflow... by a script could be, uh, and you know,
10:58
that's a problem. Now, remember that we saw
11:01
the SLMail server being vulnerable to buffer overflow, and we exploited that with, ah, a public exploit. And, well, we also exploited that with the msfconsole exploit.
11:18
Well, I highly encourage you to go create your own exploit
11:22
with the exact same process. By the way, you will have to change... I mean, maybe the return address and the bad chars will be at different locations. But, you know, if you follow the exact same instructions I gave you in this buffer overflow series, you can actually create your own payload or your exploit itself
11:43
to, ah, exploit the vulnerability, that buffer overflow vulnerability in the SLMail server.
11:48
So I highly encourage you to do that, because only with practice can you actually master this technique.
11:58
What is executed by the msfvenom tool when we pass the -p flag? Well, it will tell msfvenom what specific payload we want to create. And what is executed by the msfvenom tool when we pass the -f flag?
12:13
Well, it will tell it in what format we want that payload. It could be
12:18
in an executable format; it could be, uh, a C format we can actually include in our code.
12:28
In this video, we learned some concepts behind the buffer overflow attack, and we implemented some techniques to execute the buffer overflow attack. Regarding the complementary materials: The Hacker Playbook 3, an amazing book, and we stick with the Capture the Flag 101 guides for this series,
12:46
and looking forward: in the next video, we'll see how to escalate privileges. We will start our new series, because we just ended the buffer overflow series, and we'll start the privilege escalation series, uh, so we can see how to do that in both Linux and the Windows environment.
13:05
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director