Okay, so now we want to see if we can turn this into some sort of exploit Execute some code that wasn't intended by the developer looking. If we list out our source scared with the list command, remember that we have that third function overflowed that never gets called.
I didn't think of that. It's, um, debugging code that just got left in
as we'll see later when we d'oh our windows Examples. We won't always have this luxury. One. We won't have the source code. And two, there's nothing to say that there's going to be code lying around that we necessarily want to execute.
Well, instead, you some shell code. So, like the medicine payload system where we say we want windows. Interpreter reverse. TCP is our payload.
Then magically with when we run tie in Miss Soto 67 that exploit just magically put the payload in the right place and it executes and we get our interpreter River Shell. So we'll do that manually, will create some shell code and drop it into our exploit in the correct place. And we'll learn all about that in our next exercise. When we move over the windows
But for now again, we'll start with the basics and all I want to do here
is get execution hijacked, printed out to the screen. Not as exciting as a river shell, of course, but it will be technically an exploit. So that's gonna be what we want to do.
where overflowed is. Just because it isn't cold doesn't mean it's not in memory. We just a symbol overflowed.
The first memory just overflowed Here
she you know, our prologue. Here's a push EVP
remember EVP to save the VP from a main or whatever the current function is
pushed onto the stack. So that is the bottom of the new stack frame and then we move
and then subtract in this case eight in hex from SP okay and moves Yes, p up. So basically we have e s p moved up
adding some more space, you know, beyond the scope of what we're doing here. But how a new stack frame is made if you're interested, exploit development. I certainly encourage you to learn some assembly and figure out how these programs work. It is going to vary a little bit from platform to platform again how this is
it pretty much I'll end up doing kind of the same thing. In the end, how they implement it is a little bit different
based on the platform.
All right, so let's go ahead and do what we're gonna do. We want to grab this
address here, and instead of our four bees that just make it crash, we want to put that address
of the first instruction and overflowed into our safe return address.
So instead of going back to Maine, will go instead will be redirected to the beginning of overflowed and will make execution hijacked
All right, so let's do that.
for a little Python script here and we tell it to run.
R B times for we can leave our eight times fine. And remember, that's just padding. To get to the offset of the return address
So we want backslash X to tell If I thought that this is going to be a hexi decimal dress,
backslash x The three backslash x f four and then close Our double closed includes our single clue. So now we have eight times nine plus in Hexi Decimal. The return address is going to be the first address
in overflows. We should be redirected to overflowed. Quit done everything correctly
since the program crashed. It says
already started to do we want to start from beginning We could say yes with a life we get our first break point
we can look at Yes p
again. 12 but long They're changed there.
Go ahead and continue to the second break point
and again, same size here for functions stack frame. We have 08048443 Here.
That's a return address that hopefully string copy will overwrite correctly for us.
We'll continue to the third break point.
All right, so we have our 40 ones are nine A's. This should be a return address.
We should have 0804834
And we look at the command. What we told it. 0804834
But if we actually look at our return address here, it's F for 830408
What has gone wrong here?
it's not exactly backwards. But if you remember that in Hexi Decimal two characters make up a bite. It looks like we're backwards. Bite by bite. So F four is first. Should be at the end.
here are four and then you're eight.
Who again? By my bite It's backwards. If we remember back a couple of videos ago, we had 1 41 off by itself or we still do. It looks like it's the beginning here. And then we have other parts of our staff. Friends have not been over here. Then we have a 41 41 41 41 then we had a no bite
begin at the beginning,
so that was a little bit confusing, right? Why that happened again. Looked like things were backwards. And indeed, seeing this, it looks like there is something that is turning things backwards. But my bite.
So when I first started exploit development, I had no idea what this Wa Sai had not paid enough attention operating systems class, no doubt.
And I was very confused, and I spent lots of time trying to figure out why my exploit wasn't working. So if you learn one thing about actually development, just learned this.
This is something called Indian s. So this comes from
but called Gulliver's Travels. Gulliver on one of his travels, ends up in a place called Layla Put that has
a war going on with one of their neighbors over which side of the egg you should crack. So people who say you should crack that began of the egg are big Indians, people who say you she cracked a little end our little Indians.
So we have kind of the same thing in computer science. So that is Indian. This
spelled like this. So
Indian nous so not like people from India or Native Americans, so with an E. So if you're not familiar with Indian, this encourage you to google it. There are white papers and Wikipedia and such
there are platforms that use big Indian as well. Platforms that use little Indian never really come up with a good answer as to why one is better than the other. Everything I read in the White Papers. Pretty say it makes really no difference in terms of, like speed and things that would
should matter to people who are designing chips. So as far as I can tell, it's really just a preference of the chip developers. But
our until architecture here is little Indian. Chances are most of the chip showing that working with are going to be a little Indian. But it may be big. You'll no doubt if you try every platform, a form you can get your hands on run into something that is big Indian, where you will not have to flip the bites around, but
just is a good rule of thumb. I just remember
chances are a little Indian, so all I need to do to take into account my little Indian. This is just flip our beds around, take the least significant bite and put it first,
and most significant bite will be laughed. So again, just flip it around, bite by bite.
You don't really need to know
the details of how and wise makes a difference to the chip, but again,
if you're interested, I encourage you to look up Indian. This
And if you could come up with a good reason why one is better than the other, that I can stop saying in my videos, that doesn't really make a difference.
All right, so even effect here, let's go back to our
run command and slip these around that we can just say continue on. It does, indeed crash.
So instead of going to 0804834 trust good at 4830408 minutes backwards and that's not mapped, overflowed or in fact, it's not mapped anywhere. So we didn't get our segmentation fault.
So again, let's go up to a run command.
Now we just want to put these bites around. Not too hard to do.
We want four first, at least significant by first
work out nicely for us. Who could run it again? We say yes to restart
and just continue through our 1st 2 break points. We've pretty much got the drift of what's going on there,
but our third great point
look at our memory have our 40 one's again. Same place now. A return address 0804834 Taking into account, Indian nous did indeed fix our problem, which is Try and remember your Indian. This on def Things seem to be backwards.
Oh, I forgot Indian this easy for us to fix.
He wants been lots of time, wondering what's going on like I did just a good rule of thumb.
All right, so now we continue
does pronounce execution hijacked to the screen. One thing to note, though,
after it puts out execution hijacked that we do it. See the segmentation? Well, it does cry.
An ideal way to fix this was would be if we had shell code. Instead of just some function. We would use an exit routine to make the program exit gracefully,
whereas here we don't have any exit routines. After execution, Hijacked is printed out, overflowed, tries to finish and return back
function, which, since we
kind of screwed with things, it's just not going to work. So this is mostly the return address here, so it thinks it's returning back to Maine or to some function, but instead we jump overto overflowed,
so we never save a return address.
So after so that again, this staffer who was going to be gone. This will be gone. That's what we'll load.
So it naturally thinks the program's just designed. Or rather, the platform is designed to think that this will be our return address, since it will be the top of the stack
after Overflowed removes its stack frame. So that should be the same return address. But unfortunately, it's just data from May and Plus
should have a no light at the end here.
But the program just, you know, blindly tries to execute that. It's like, OK, well, you're the top of the stack here, the same return address. So you must be this safe return pointer on Dhe. Sure enough, it's not mapped anywhere, and we get a segmentation fault.
We can kind of fix this in the short term if we want to. We could
take our original return address and put it here. That would redirect us into Maine, but we have destroyed main stack frame, so if you put the original return address here course in little Indian format,
you can see it will also print executed normally to the screen But then again, it will cries. It can't exit properly. So we've pretty much destroyed the program. At this point, we didn't make it
execute commands on our behalf. Get in this case, it just says execution hijacked. Not too exciting. But we will in our subsequent examples you some shell code. Well, enough venom generate it for us
and I will get a nice, more sophisticated working exploit. But again, I learned it this way. This was the first example that really made sense to me. So I do something similar. It was the exact same program. It was similar notion of Well, we
we're supposed to go here, but instead we take control of the CPU and go here instead.
So we get control of where we want to send stuff, and then we send it somewhere else.
in pretty simple example here But I think a necessary building block for beginners to look at the other
exploit development examples will. D'oh. So let's go ahead and do that. Let's switch over the windows and look at a little more sophisticated example