Exploit Development (part 5) Python

00:04

all right, so now what we wanna do is actually try and exploit this.

00:10

In our last run, we just gave it for a input and they showed up in memory,

00:16

and they seem to be, well, backwards.

00:19

And here's our return address right here. We recall that is the next instruction in Maine to be executed. So we want to overwrite that return address

00:30

who in this case

00:32

really discount how many bites we need as we'll see

00:36

later exercises. That's not always going to be the case, but we put in forays before your five, the No.

00:44

6789 It looks like we need nine bites of padding

00:50

and then, naturally, four bites to a writer turned address hex. Two digits of the bite.

00:56

So we want

00:57

on by departing and then four bites to overwrite their turn address again. In this case, we can discount.

01:03

So let's run this again. That's run, and then

01:07

we can put in

01:10

nine A's and B's, but eventually we're going to have to use scripting. Anyways, when we start using a return address, it's made of hex instead of just some bees.

01:19

So let's go ahead and do that if we do the dollar sign and then open parentheses, we can run the script here. So could you Python or Pearl or any scripting language that this

01:30

a bunch of system knows?

01:34

So we're gonna use Python for the rest of our exercises. So why don't we use python here? So do Python dash C to tell it to run a command.

01:44

I've been single quotes and I want to scratch

01:47

double quotes a

01:49

times nine

01:52

plus.

01:53

So, of course, around be times for so that's a

01:57

There are 40 one's times nine for patting, and then be which will be the next

02:04

number in hex, which is 42 again, you could look at an ask each art for that. If you

02:08

are not familiar with these

02:10

and for bees is going to be overriding.

02:15

I return address here, so this should make the program cry. Should we want to close up our

02:23

man? So we need a single quote here at the end

02:27

and then closed parenthesis. Who was going to tell it? Execute the script and whatever the output is is going to be

02:36

our argument.

02:37

So in this case, we could have just typed out the A's, But again, we want to turn this into an actual Hexi decimal address. But the only way to do it is using scripting. We just like type and you're a 04844 free. It will take that as a different one, bite characters instead of hex decimal. So

02:57

go ahead and run this. Our break points are still going to be set. We can delete them. Or if we restart HGTV, they'll go away. But otherwise they will stay, and we want them for now.

03:08

Leave them. Go and run it.

03:14

All right, So we hit our first break point again. That is, in Maine. So before we call function

03:20

who we can examine the ex Lodge?

03:23

Let's see.

03:27

I believe it was 12 bytes. Just leave it, say 16 again. We'll just do too many.

03:34

So 16 hicks. A decimal words from ESPN, and that is the top of main stock frame

03:42

notice that we have moved up the stacks. Um, so where our last digits are

03:47

20 here,

03:50

whereas previously in Maine, I believe we were see zero. This is the return address, and this is top of Maine, who have moved up to stack some

04:00

that is to be expected. One of the things that makes a difference about where you end up in the stack

04:05

is going to be feeling to the argument. So since we

04:11

did change the length of the argument, we should expect to move somewhat.

04:16

Shouldn't change our next round, since we've got her

04:20

13 character input, so we should expect to be in the same place next time.

04:27

But there's nothing to worry about.

04:29

What we really care about is our offsets to make sure that our nine A's post for bees will

04:34

overwrite that return address. So as long as our stack rings of the same legs and our data is going in, the same police inside the stack cream, our addresses don't securely matter.

04:46

Okay, so let's examine to make sure that our start for him is the same size was just examined. One hexi decimal word from E V P

04:54

or bottom.

04:56

Here. Now

04:58

this is still main stack frames. They're still rather short 12 bytes.

05:03

All right, let's go ahead and continue

05:06

move us into function where we had our second break point.

05:13

We use Thea Pero to grab previous commands I will again. Look Att dsp?

05:19

Yeah.

05:23

Now we have moved up more

05:26

notice. What hasn't changed here is we're still have the returns dressed. You're a zero for 84 or three.

05:34

We can again do a disassemble.

05:39

I mean to see that. So here is our coal to function.

05:43

When that returns the next address to be executed.

05:46

You're 80 for 8443 such a return address.

05:51

We examine

05:55

E v p. Again. Remember ESPN EVP or now

05:59

inside a function stack frame.

06:02

So Sure enough,

06:03

same size stack for him here.

06:06

Return Address

06:08

the vein

06:09

here.

06:11

All right, so let's continue and hit this drink. Copy? Let that execute

06:15

another great point right after the string. Copy.

06:19

Now we take a look.

06:21

That

06:23

or stack, we have our 41 over here by itself again, all 40 one's. Here is our big days begins here and then where the return address was, we indeed have 42 42 42 42 for upper case Be so our offense Air correct. And we have managed to overwrite that return address. Who is going to happen now is that

06:44

the program will just continue on us

06:46

blindly does it will get rid of stack. Frame here will be wound off the stack,

06:53

and it would just automatically try and load this address so low that address in the I P. And always do info registers. I didn't mention that broken do info registers here and see all of our registers

07:06

again are 42 42 42. 42 will be loaded into the I P. Whatever is at that address, if anything, will be executed next after function returns. If 42 42 42 42 is not that map to an executed herbal portion of memory,

07:27

then we will get a segmentation fault and it will crash.

07:30

Most likely what's going to happen here There. There's no rule that says 42 42 43 42 could not be a valid memory address. You may find cases where it will be who we shouldn't just blindly assume the program's going to crash, but often it will just go ahead and continue.

07:47

This time, we do not get executed. Normally pretty out to the screen, we get a segmentation fault, so it's trying to execute 42 42 42 42. And that's not mapped anywhere. So there's no instruction. They're to be executed. So the program, the stars of its hands and crashes.

08:05

So we called it a mile of service condition. But surely we can do better, right?