Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers using the python command to create your own exploits. Python is a scripting language that is used to run commands and discover a breakpoint.

Video Transcription

00:04
all right, so now what we wanna do is actually try and exploit this.
00:10
In our last run, we just gave it for a input and they showed up in memory,
00:16
and they seem to be, well, backwards.
00:19
And here's our return address right here. We recall that is the next instruction in Maine to be executed. So we want to overwrite that return address
00:30
who in this case
00:32
really discount how many bites we need as we'll see
00:36
later exercises. That's not always going to be the case, but we put in forays before your five, the No.
00:44
6789 It looks like we need nine bites of padding
00:50
and then, naturally, four bites to a writer turned address hex. Two digits of the bite.
00:56
So we want
00:57
on by departing and then four bites to overwrite their turn address again. In this case, we can discount.
01:03
So let's run this again. That's run, and then
01:07
we can put in
01:10
nine A's and B's, but eventually we're going to have to use scripting. Anyways, when we start using a return address, it's made of hex instead of just some bees.
01:19
So let's go ahead and do that if we do the dollar sign and then open parentheses, we can run the script here. So could you Python or Pearl or any scripting language that this
01:30
a bunch of system knows?
01:34
So we're gonna use Python for the rest of our exercises. So why don't we use python here? So do Python dash C to tell it to run a command.
01:44
I've been single quotes and I want to scratch
01:47
double quotes a
01:49
times nine
01:52
plus.
01:53
So, of course, around be times for so that's a
01:57
There are 40 one's times nine for patting, and then be which will be the next
02:04
number in hex, which is 42 again, you could look at an ask each art for that. If you
02:08
are not familiar with these
02:10
and for bees is going to be overriding.
02:15
I return address here, so this should make the program cry. Should we want to close up our
02:23
man? So we need a single quote here at the end
02:27
and then closed parenthesis. Who was going to tell it? Execute the script and whatever the output is is going to be
02:36
our argument.
02:37
So in this case, we could have just typed out the A's, But again, we want to turn this into an actual Hexi decimal address. But the only way to do it is using scripting. We just like type and you're a 04844 free. It will take that as a different one, bite characters instead of hex decimal. So
02:57
go ahead and run this. Our break points are still going to be set. We can delete them. Or if we restart HGTV, they'll go away. But otherwise they will stay, and we want them for now.
03:08
Leave them. Go and run it.
03:14
All right, So we hit our first break point again. That is, in Maine. So before we call function
03:20
who we can examine the ex Lodge?
03:23
Let's see.
03:27
I believe it was 12 bytes. Just leave it, say 16 again. We'll just do too many.
03:34
So 16 hicks. A decimal words from ESPN, and that is the top of main stock frame
03:42
notice that we have moved up the stacks. Um, so where our last digits are
03:47
20 here,
03:50
whereas previously in Maine, I believe we were see zero. This is the return address, and this is top of Maine, who have moved up to stack some
04:00
that is to be expected. One of the things that makes a difference about where you end up in the stack
04:05
is going to be feeling to the argument. So since we
04:11
did change the length of the argument, we should expect to move somewhat.
04:16
Shouldn't change our next round, since we've got her
04:20
13 character input, so we should expect to be in the same place next time.
04:27
But there's nothing to worry about.
04:29
What we really care about is our offsets to make sure that our nine A's post for bees will
04:34
overwrite that return address. So as long as our stack rings of the same legs and our data is going in, the same police inside the stack cream, our addresses don't securely matter.
04:46
Okay, so let's examine to make sure that our start for him is the same size was just examined. One hexi decimal word from E V P
04:54
or bottom.
04:56
Here. Now
04:58
this is still main stack frames. They're still rather short 12 bytes.
05:03
All right, let's go ahead and continue
05:06
move us into function where we had our second break point.
05:13
We use Thea Pero to grab previous commands I will again. Look Att dsp?
05:19
Yeah.
05:23
Now we have moved up more
05:26
notice. What hasn't changed here is we're still have the returns dressed. You're a zero for 84 or three.
05:34
We can again do a disassemble.
05:39
I mean to see that. So here is our coal to function.
05:43
When that returns the next address to be executed.
05:46
You're 80 for 8443 such a return address.
05:51
We examine
05:55
E v p. Again. Remember ESPN EVP or now
05:59
inside a function stack frame.
06:02
So Sure enough,
06:03
same size stack for him here.
06:06
Return Address
06:08
the vein
06:09
here.
06:11
All right, so let's continue and hit this drink. Copy? Let that execute
06:15
another great point right after the string. Copy.
06:19
Now we take a look.
06:21
That
06:23
or stack, we have our 41 over here by itself again, all 40 one's. Here is our big days begins here and then where the return address was, we indeed have 42 42 42 42 for upper case Be so our offense Air correct. And we have managed to overwrite that return address. Who is going to happen now is that
06:44
the program will just continue on us
06:46
blindly does it will get rid of stack. Frame here will be wound off the stack,
06:53
and it would just automatically try and load this address so low that address in the I P. And always do info registers. I didn't mention that broken do info registers here and see all of our registers
07:06
again are 42 42 42. 42 will be loaded into the I P. Whatever is at that address, if anything, will be executed next after function returns. If 42 42 42 42 is not that map to an executed herbal portion of memory,
07:27
then we will get a segmentation fault and it will crash.
07:30
Most likely what's going to happen here There. There's no rule that says 42 42 43 42 could not be a valid memory address. You may find cases where it will be who we shouldn't just blindly assume the program's going to crash, but often it will just go ahead and continue.
07:47
This time, we do not get executed. Normally pretty out to the screen, we get a segmentation fault, so it's trying to execute 42 42 42 42. And that's not mapped anywhere. So there's no instruction. They're to be executed. So the program, the stars of its hands and crashes.
08:05
So we called it a mile of service condition. But surely we can do better, right?
08:13
So let's see, Indeed, if we can.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor