Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers executing unintended code. Participants receive step by step instructions to create shell code to insert into an exploit. This lesson focuses on the endianness command which is used to store multiple data bytes.

Video Transcription

00:04
Okay, so now we want to see if we can turn this into some sort of exploit Execute some code that wasn't intended by the developer looking. If we list out our source scared with the list command, remember that we have that third function overflowed that never gets called.
00:23
I didn't think of that. It's, um, debugging code that just got left in
00:27
as we'll see later when we d'oh our windows Examples. We won't always have this luxury. One. We won't have the source code. And two, there's nothing to say that there's going to be code lying around that we necessarily want to execute.
00:39
Well, instead, you some shell code. So, like the medicine payload system where we say we want windows. Interpreter reverse. TCP is our payload.
00:47
Then magically with when we run tie in Miss Soto 67 that exploit just magically put the payload in the right place and it executes and we get our interpreter River Shell. So we'll do that manually, will create some shell code and drop it into our exploit in the correct place. And we'll learn all about that in our next exercise. When we move over the windows
01:07
But for now again, we'll start with the basics and all I want to do here
01:10
is get execution hijacked, printed out to the screen. Not as exciting as a river shell, of course, but it will be technically an exploit. So that's gonna be what we want to do.
01:22
So I need to know
01:25
where overflowed is. Just because it isn't cold doesn't mean it's not in memory. We just a symbol overflowed.
01:33
The first memory just overflowed Here
01:37
she you know, our prologue. Here's a push EVP
01:41
remember EVP to save the VP from a main or whatever the current function is
01:48
pushed onto the stack. So that is the bottom of the new stack frame and then we move
01:53
Yes, PG and e v p
01:59
and then subtract in this case eight in hex from SP okay and moves Yes, p up. So basically we have e s p moved up
02:12
and
02:14
and we have the SP
02:16
adding some more space, you know, beyond the scope of what we're doing here. But how a new stack frame is made if you're interested, exploit development. I certainly encourage you to learn some assembly and figure out how these programs work. It is going to vary a little bit from platform to platform again how this is
02:36
implemented. But
02:37
it pretty much I'll end up doing kind of the same thing. In the end, how they implement it is a little bit different
02:44
based on the platform.
02:46
All right, so let's go ahead and do what we're gonna do. We want to grab this
02:52
address here, and instead of our four bees that just make it crash, we want to put that address
02:58
of the first instruction and overflowed into our safe return address.
03:02
So instead of going back to Maine, will go instead will be redirected to the beginning of overflowed and will make execution hijacked
03:10
Execute.
03:12
All right, so let's do that.
03:14
Then we can go up
03:16
for a little Python script here and we tell it to run.
03:20
We want to take out
03:22
R B times for we can leave our eight times fine. And remember, that's just padding. To get to the offset of the return address
03:30
have be times four.
03:32
So we want backslash X to tell If I thought that this is going to be a hexi decimal dress,
03:39
we want 08
03:42
backslash X
03:44
You're a four
03:47
backslash x The three backslash x f four and then close Our double closed includes our single clue. So now we have eight times nine plus in Hexi Decimal. The return address is going to be the first address
04:03
in overflows. We should be redirected to overflowed. Quit done everything correctly
04:13
since the program crashed. It says
04:15
already started to do we want to start from beginning We could say yes with a life we get our first break point
04:25
skin cousin man
04:27
we can look at Yes p
04:32
on you baby
04:36
again. 12 but long They're changed there.
04:43
Go ahead and continue to the second break point
04:51
and again, same size here for functions stack frame. We have 08048443 Here.
05:02
That's a return address that hopefully string copy will overwrite correctly for us.
05:09
We'll continue to the third break point.
05:15
All right, so we have our 40 ones are nine A's. This should be a return address.
05:21
We disassemble
05:25
overflowed.
05:30
We should have 0804834
05:35
And we look at the command. What we told it. 0804834
05:43
But if we actually look at our return address here, it's F for 830408
05:49
What has gone wrong here?
05:53
Well,
05:55
it's not exactly backwards. But if you remember that in Hexi Decimal two characters make up a bite. It looks like we're backwards. Bite by bite. So F four is first. Should be at the end.
06:09
A three second
06:11
here are four and then you're eight.
06:15
Who again? By my bite It's backwards. If we remember back a couple of videos ago, we had 1 41 off by itself or we still do. It looks like it's the beginning here. And then we have other parts of our staff. Friends have not been over here. Then we have a 41 41 41 41 then we had a no bite
06:33
begin at the beginning,
06:36
so that was a little bit confusing, right? Why that happened again. Looked like things were backwards. And indeed, seeing this, it looks like there is something that is turning things backwards. But my bite.
06:49
So when I first started exploit development, I had no idea what this Wa Sai had not paid enough attention operating systems class, no doubt.
06:58
And I was very confused, and I spent lots of time trying to figure out why my exploit wasn't working. So if you learn one thing about actually development, just learned this.
07:08
This is something called Indian s. So this comes from
07:11
but called Gulliver's Travels. Gulliver on one of his travels, ends up in a place called Layla Put that has
07:17
a war going on with one of their neighbors over which side of the egg you should crack. So people who say you should crack that began of the egg are big Indians, people who say you she cracked a little end our little Indians.
07:31
So we have kind of the same thing in computer science. So that is Indian. This
07:38
spelled like this. So
07:41
Indian nous so not like people from India or Native Americans, so with an E. So if you're not familiar with Indian, this encourage you to google it. There are white papers and Wikipedia and such
07:53
there are platforms that use big Indian as well. Platforms that use little Indian never really come up with a good answer as to why one is better than the other. Everything I read in the White Papers. Pretty say it makes really no difference in terms of, like speed and things that would
08:09
should matter to people who are designing chips. So as far as I can tell, it's really just a preference of the chip developers. But
08:16
our until architecture here is little Indian. Chances are most of the chip showing that working with are going to be a little Indian. But it may be big. You'll no doubt if you try every platform, a form you can get your hands on run into something that is big Indian, where you will not have to flip the bites around, but
08:33
just is a good rule of thumb. I just remember
08:35
chances are a little Indian, so all I need to do to take into account my little Indian. This is just flip our beds around, take the least significant bite and put it first,
08:46
and most significant bite will be laughed. So again, just flip it around, bite by bite.
08:52
You don't really need to know
08:54
the details of how and wise makes a difference to the chip, but again,
08:58
if you're interested, I encourage you to look up Indian. This
09:03
And if you could come up with a good reason why one is better than the other, that I can stop saying in my videos, that doesn't really make a difference.
09:11
All right, so even effect here, let's go back to our
09:18
run command and slip these around that we can just say continue on. It does, indeed crash.
09:24
So instead of going to 0804834 trust good at 4830408 minutes backwards and that's not mapped, overflowed or in fact, it's not mapped anywhere. So we didn't get our segmentation fault.
09:41
So again, let's go up to a run command.
09:45
Now we just want to put these bites around. Not too hard to do.
09:52
We want four first, at least significant by first
09:56
a three
10:00
0408
10:03
So this should
10:05
work out nicely for us. Who could run it again? We say yes to restart
10:11
and just continue through our 1st 2 break points. We've pretty much got the drift of what's going on there,
10:18
but our third great point
10:22
look at our memory have our 40 one's again. Same place now. A return address 0804834 Taking into account, Indian nous did indeed fix our problem, which is Try and remember your Indian. This on def Things seem to be backwards.
10:39
Oh, I forgot Indian this easy for us to fix.
10:41
He wants been lots of time, wondering what's going on like I did just a good rule of thumb.
10:48
All right, so now we continue
10:52
does pronounce execution hijacked to the screen. One thing to note, though,
10:56
after it puts out execution hijacked that we do it. See the segmentation? Well, it does cry.
11:03
An ideal way to fix this was would be if we had shell code. Instead of just some function. We would use an exit routine to make the program exit gracefully,
11:15
whereas here we don't have any exit routines. After execution, Hijacked is printed out, overflowed, tries to finish and return back
11:24
to the previous
11:28
function, which, since we
11:31
kind of screwed with things, it's just not going to work. So this is mostly the return address here, so it thinks it's returning back to Maine or to some function, but instead we jump overto overflowed,
11:43
so we never save a return address.
11:46
So after so that again, this staffer who was going to be gone. This will be gone. That's what we'll load.
11:52
So it naturally thinks the program's just designed. Or rather, the platform is designed to think that this will be our return address, since it will be the top of the stack
12:05
after Overflowed removes its stack frame. So that should be the same return address. But unfortunately, it's just data from May and Plus
12:15
should have a no light at the end here.
12:18
So it's like, OK,
12:20
whatever.
12:22
But the program just, you know, blindly tries to execute that. It's like, OK, well, you're the top of the stack here, the same return address. So you must be this safe return pointer on Dhe. Sure enough, it's not mapped anywhere, and we get a segmentation fault.
12:37
We can kind of fix this in the short term if we want to. We could
12:41
take our original return address and put it here. That would redirect us into Maine, but we have destroyed main stack frame, so if you put the original return address here course in little Indian format,
12:54
then
12:54
you can see it will also print executed normally to the screen But then again, it will cries. It can't exit properly. So we've pretty much destroyed the program. At this point, we didn't make it
13:05
execute commands on our behalf. Get in this case, it just says execution hijacked. Not too exciting. But we will in our subsequent examples you some shell code. Well, enough venom generate it for us
13:18
and I will get a nice, more sophisticated working exploit. But again, I learned it this way. This was the first example that really made sense to me. So I do something similar. It was the exact same program. It was similar notion of Well, we
13:37
we're supposed to go here, but instead we take control of the CPU and go here instead.
13:41
So we get control of where we want to send stuff, and then we send it somewhere else.
13:46
So
13:48
in pretty simple example here But I think a necessary building block for beginners to look at the other
13:56
exploit development examples will. D'oh. So let's go ahead and do that. Let's switch over the windows and look at a little more sophisticated example

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor