All right, let's work on our next example. This time it is going to be network based. Our previous example was all local. There will certainly be local exploits if you continue in exploit development; we saw some client side attacks in that section, something like Adobe Reader, a music player, anything like that, but a local exploit is local privilege escalation, for instance. These next few are going to be network based. So, like many of the exploits we used in this class, we will have something listening on a port that's vulnerable, and we will attack it over the network.

For this example we're going to use one of those XP machines and we'll have Kali.

So on XP we actually need to make a small change. If we open up the Services control panel, we currently have FileZilla FTP running, so go ahead and stop that. That frees up port 21 for another FTP server. You can close that up.

Now I want to go to the WarFTP folder. We have our WarFTP program here, so we actually want this yellow thing that looks like part of a star, really. This is ftpd, the WarFTPd daemon. Open that up and then click OK through the opening banner that says who wrote it, and we need to put this online. By default it is offline, as it says down here. So we want to hit this lightning bolt up here. There you go: Online. And sure enough, it's online. It's listening on the IP address of XP on port 21.
So what we want to do now, before we start exploiting it, is, like we did with GDB in the previous example, hook it up to a debugger. There are many different options for debuggers on Windows. Probably the most powerful would be WinDbg, which is a little bit more complicated, I think, than the one we're going to use. We're going to use one that I like to use called Immunity Debugger. It is pretty powerful. It has its limitations: you can't do any kernel debugging with it, so in that case we'd have to use WinDbg. But I like to use Immunity Debugger when I have the option, and I think it's especially nice for beginners.

So let's see, I have Immunity Debugger. It is this red, black and green three leaf clover, and it opens up a graphical window for us.

So we want to attach to WarFTP. We'll go to File, Attach, and I have a list of our processes. We want WarFTP; it's listening on TCP port 21. If we look at the Listening column we can see port 21 here. We click Attach, and we see that it attaches to the process, and it's paused at a debug breakpoint. Basically, it pauses when the debugger attaches. So what we want to do is hit the play button up here to tell it to continue. The program will run so we can attack it. Now it's running, down here at the bottom right.

I'm going to make the CPU window bigger, maximize it. I can make the font bigger. I typically don't make it bigger, because then it starts to run off the screen, but you can make it bigger if you go to Options, Appearance, Fonts. You can make it bigger, not much bigger really, but you can make it bigger. If I'm teaching in front of a class I typically do, but you could make yours bigger so it stays readable on your screen, since this is recorded. You do have that option. If you want to teach this yourself, it's kind of worth knowing that it looks microscopic on a projector.
All right, so this is running and we are hooked up to the debugger. I made the CPU window maximized. I have four panes here. To go to different windows you can go to View, next to File, and we will see some of these other views as we work through these examples. Some of them we won't see; the CPU window is the default here. So we have our CPU here at the top left. Top right, we'll have our registers: EAX, EBX, ECX, EDX and so on. We have our dump here at the bottom left, and bottom right we have our stack.
All right. So, actually, we need some sort of exploit here for WarFTP. We pop over to Kali.

If you look at the materials that are included with the course, I do have some exploit skeletons. We don't have to know much Python for this class; we did, of course, cover a bit of Python previously. But I gave you the exploit skeleton. This is just the WarFTP skeleton, warftpskel.py, and as you can see I copied it onto Kali's desktop, so you can download that file; it is included with the course. This has the basic Python code so we can focus on trying to build our exploit.

I'll change directories to Desktop and cat warftpskel.py.

First we have /usr/bin/python, which tells it to execute with the Python interpreter. Then import socket; that's a Python library that, as the name implies, sets up a network socket. Then the buffer: a variable named buffer equals "A" times 1100. Then s = socket.socket, blah blah blah. That's just how you set up a socket in Python. If you're not familiar with it, you could basically just Google it; structures like this are in different programming languages. It's not really something you need to memorize in your head. You can always look it up. Of course, that's probably what I did when I first wrote this.

Then s.connect. We are going to have to change this IP address to the IP address of your XP machine. So I will look up mine, of course, and yours may be different. And port 21, that is the FTP port. Then we print out a response if we receive one. Then we send the correct syntax for giving the username to an FTP server, which is USER, space, whatever our username is, and then hit Enter, so backslash r backslash n. And our username is buffer. Remember, buffer is "A" times 1100. So we're basically giving it a really long username, probably much longer than the developer expected anyone would want to type in for a username. But that's generally how exploit development goes: we give it unexpected input that the developer never knew was coming and possibly make the program do something strange.

Again, we print a response if we receive one, and then just to finish the login we send PASS, space, and then the password. Obviously there is no user called "A" times 1100, so we just need some password. I just gave it a password; all upper case is the password. And then we close the socket. So we just need to make it take our username and password and try to process it in order to hit the vulnerability.

If you copy this onto the desktop, you may have to do a chmod +x, of course, to make it executable. And we did need to change that IP address. What is my IP address? ipconfig actually told me 192.168.1.76, so change yours to match your environment accordingly. That is the only change we need to make right off the bat. We leave "A" times 1100 as our attack string, as our long username. We'll make changes to that as we work through this example.

Again, we've got our simple source code here, so we don't have to worry about the nitty gritty of the Python code. I encourage you to learn at least one programming language well. Python is used a lot in information security. Ruby is also used a lot. Not so much Perl; I used to write in Perl all the time, but, uh, not many people use it anymore. C is always a good one too. Now, I encourage you to know a bit of lots of languages and at least a lot of one language, but you don't really have to for exploit development. Honestly, just the basics is probably enough.
All right, let's go ahead and run this: ./warftpskel.py. We don't need to give it any arguments; we've hard coded our IP address in. We could instead take that as an argument if we wanted to.

We get printed out to the screen our welcome banner that says, please enter your username, which we do, and it says, username okay, need password. And if you recall, we do send over the password and then close the socket. So everything worked as expected from this side. But of course, what's really interesting is what happened over here.

So here we have our WarFTP in Immunity Debugger where we left it. We left it running. Now, if we look down here at the bottom right, it is paused and says we got an access violation while executing 41414141. Well, do we remember what 41 is in hex? The hex-to-ASCII table will tell us, if we've forgotten: 41 is going to be over here in the second column. 41 is big A, just like in our previous example. So we sent 1100 big A's, and it looks like those big A's, much like in our previous example, overwrote that saved return address. We don't know what our functions are called or anything at this point; we don't have any source code for this, but chances are we overwrote some saved return address, and when the function popped off and tried to load that saved return address, it had been overwritten with some A's. 41414141 is not mapped to the process.

And there's no hard and fast rule that says 41414141 will always make it crash. If you continue in exploit development, no doubt you will find examples where it doesn't crash. But for now it did in this example. So it tried to execute that memory address and crashed. Well, you can see there seem to be a lot of 41s on our stack, and it looks like we've got some 41s in some of our registers too: ESP, EBP and EDI all have some A's in there.
So in our previous example, we could just look at our debugger output. We could count: we needed 98 A's to get to our return address, which is 4 bytes long, so we could do "A" times 98 plus "B" times 4. We don't really have that luxury here. We don't know which A's, out of the 1100 we have, did it to begin with, and we don't necessarily know that what's showing up in memory starts at A number one. It might; it might not. I don't really know how it's being processed. There's some sort of login functionality that's trying to check our username and password, and it crashes at some point here, so we don't really know what's going on. You could do some reverse engineering to try and figure it out, but that's more advanced.

So we need some way to figure out which four A's are overwriting it. Traditionally, what one would do (let me open up Notepad here so I can show it to you), traditionally what one would do would be to break it into, like, "A" times 550 plus "B" times 550. This is 1100: 550 A's, 550 B's. Restart it, send this exploit string, and if it's overwritten with 41414141 we know it's in the first half, and if it's overwritten with 42424242 we know it's in the second half. Say it's in the first half; then we would restart and do "A" times 225 plus "C" times 550, since we know the second part is not where it is. So then we run it again, and if it was A's we know it's in the first half, if it was C's we know it's in the second half, and then say it's in the first half again; we'd split that in half, and slowly but surely, with lots of tedious work, narrow it down to the exact four bytes. Which was tedious and boring, and I can't believe people did that, but first of all, they did. Naturally, we have a better way of doing this. So that's what we will do in the next video: try and solve where exactly our saved return pointer overwrite happens in the attack string, as well as where exactly we have control of these registers, because they will come in handy as well. In our previous example, with Linux, we just jumped to another function. But I mentioned that we're going to use shellcode here that we're going to generate with msfvenom, the more traditional way of doing exploit development. So we'll need somewhere to put it, and it looks like controlling those registers might be a good place to start.
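The "split the long username into halves" search described above, written out as an added example so you can see why it converges and how many round trips it costs. This is not the course's skeleton and it does not talk to WarFTP at all: `make_oracle` is a constructed stand-in for "send the username, read the four bytes EIP held at the access violation", and the offset it hides (485 in the test) is an assumed value, since the whole point of the lecture is that the real one is not yet known. It goes slightly beyond the manual procedure by handling the case where the four bytes straddle the split point, which the by-hand A/B method does not cover.

```python
"""Added example (not the course's code): automating the 'split the buffer into
halves' method of locating which four bytes of a long input land on the saved
return address. The crashing server is replaced by a constructed stand-in."""


def make_oracle(saved_ret_offset, controlled_len=1100):
    """Constructed stand-in for the debugger observation.

    Given the username we 'sent', return the four bytes that would be loaded
    into EIP when the overwritten saved return address is popped, or None when
    the input is too short to reach it (i.e. no crash). The real offset is the
    unknown the lecture is trying to find; here it is simply a parameter."""
    def oracle(username):
        if len(username) < saved_ret_offset + 4:
            return None
        return username[saved_ret_offset:saved_ret_offset + 4]
    return oracle


def split_probe(total, lo, hi, mid):
    """Build one probe string: A everywhere, B over [lo, mid), C over [mid, hi).

    This is the 'A times 550 plus B times 550' idea from the lecture, but the
    B/C window shrinks to whatever range is still under suspicion."""
    buf = bytearray(b"A" * total)
    buf[lo:mid] = b"B" * (mid - lo)
    buf[mid:hi] = b"C" * (hi - mid)
    return bytes(buf)


def find_offset(oracle, total=1100):
    """Bisect the suspect window until it is four bytes wide.

    Returns (offset, probes_sent). Raises ValueError if the overwrite does not
    come from the controlled input at all (no crash, or EIP full of A's)."""
    lo, hi = 0, total
    probes = 0
    while hi - lo > 4:
        mid = (lo + hi) // 2
        eip = oracle(split_probe(total, lo, hi, mid))
        probes += 1
        if eip is None or set(eip) <= set(b"A"):
            raise ValueError("saved return address not inside the controlled window")
        if eip == b"BBBB":            # 42424242: it is in the first half
            hi = mid
        elif eip == b"CCCC":          # 43434343: it is in the second half
            lo = mid
        else:
            # Mixed B's and C's: the four bytes straddle the split. The number of
            # B's that made it into EIP tells us exactly how far before mid it starts.
            return mid - eip.count(b"B"), probes
    return lo, probes


def confirm_offset(oracle, offset, total=1100):
    """Final check, as in the previous example: A's up to the offset, then BBBB.

    True only if EIP reads 42424242, i.e. the offset is exactly right."""
    probe = b"A" * offset + b"B" * 4 + b"C" * (total - offset - 4)
    return oracle(probe) == b"BBBB"


if __name__ == "__main__":
    target = make_oracle(485)                     # 485 is a constructed offset
    offset, sent = find_offset(target)
    print("saved return address overwritten at offset", offset, "after", sent, "probes")
    print("confirmed:", confirm_offset(target, offset))
```

Eight probes replace the dozens of hand-built strings the lecture describes for an 1100 byte input, because each round trip halves the window; the next video's cyclic-pattern approach gets there in one send, but the bisection is worth understanding because it also works when the target only tells you "first half or second half" and nothing else.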