Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson focuses on verifying offsets. Participants receive step-by-step instructions on which commands to use to verify offsets. The lesson also discusses how to set a breakpoint using the bp command.

Video Transcription

00:04
All right, so now let's verify those offsets.
00:08
So let's go ahead and restart WarFTP over here.
00:20
We get that error. So you must remember to get rid of that
00:26
FtpDaemon.dat. Delete that.
00:31
And if it doesn't, if you don't get that error, you don't need to do that. So let's restart again.
00:37
This time. Always remember to do that. Play,
00:43
lightning bolt. We're running. All right, so let's come over to
00:47
Kali again and open up our WarFTP script again. Let's comment out buffer equals our pattern and recreate buffer, so it's equal to A times
01:00
485. Remember that that is our offset to EIP, plus B
01:08
times four, so that's four bytes for EIP. Remember, there were four extra bytes for the calling convention for
01:15
the arguments.
01:18
They will be popped off when
01:19
it returns. So C times
01:23
four for the argument. And then, I'm not very good at arithmetic, so typically what I do is do buffer plus equals; that's going to append to the buffer. So I want D
01:36
times
01:38
1100 minus length. So len
01:42
of buffer.
01:46
So buffer's gonna be 485 plus four plus four. So we want the total string length to be 1100.
01:53
And I don't necessarily have to have it be exactly that long. Generally, once I find something that does work, I stick to it. Why,
02:00
you know, add more possibilities of things changing? So I found 1100 works. So you might have a question: how did we know 1100 characters works? And that is absolutely a good question. We will, in the next one,
02:17
Our next
02:19
example, we will look at something called fuzzing that will allow us to find crashes in the first place. For this one, kind of like when we did our MS08-067, we first learned Metasploit and said, just believe me that this vulnerability is there. And sure enough, we found it using vulnerability scanners and check functions,
02:38
other methods that we used for vulnerability discovery. It was indeed there. Same thing here; I'm telling you 1100 characters does it. We'll stick with that, and we will do fuzzing next and see finding a crash in the first place.
02:55
All right, so we still get the length 1100, so it is padding it out with D's. What we expect to see is
03:04
B times four, so 42 42 42 42 in EIP. And then we should see
03:09
four bytes of padding and then
03:13
in ESP we should see the beginning of our D's. And again, that's where we've chosen to put our shellcode. We have 607 characters to work with.
03:21
So some of this
03:23
1100 characters is
03:25
not showing up
03:29
Maybe it is.
03:30
Maybe that's what's left, 607.
03:32
See, I'm not very good at arithmetic. Yeah, that looks about right. Yeah, because there's seven. Looks like, yeah. Okay.
03:40
This is why I just let it do the arithmetic for me; my arithmetic is not that great. So the only change we need to make there: make sure we do plus equals here in the second line, that is going to append. If we just do equals, all you'll get is some D's and it probably won't crash at all.
04:00
All right, go ahead and run it
04:03
again. This is just verifying our offsets. Hop over to XP. And sure enough, we get access violation when executing 42424242.
04:14
If we look at our registers, we see it
04:16
and we should automatically be following ESP in the stack. But we can right click on a register and say Follow in Stack.
04:26
And that should be the beginning of our D's. If we go up one, sure enough, here's our C's, here's our B's. So ESP is pointing at the beginning of our D's, so if we put our shellcode there,
04:39
it will.
04:41
If we can get to ESP, of course it will send us to the beginning of those D's, our shellcode, and we can execute from there. We don't have
04:49
data execution prevention on. We can execute off the stack just fine.
04:55
So of course, our next question is how do we get to ESP? I got a little bit ahead of myself there. Okay, just go to ESP. But how do we get to ESP?
05:03
Well, we could just hard code the address in.
05:06
Really? That's a pretty bad idea.
05:10
It may move around, particularly between platforms. It's not always gonna be in the same place. So anything that we hard code like that, that may possibly move,
05:19
will make our exploit more unstable. We'd like it to be as universal and as stable as possible. So it's generally a bad idea, but with this one we have another problem.
05:31
Looks like ESP, that 00AFF
05:36
right here, 00 is the null byte. And it turns out that in many cases the null byte is a bad character. It does
05:46
represent the termination of a string. So if what you're working with is being
05:51
used as a string by the program, so it's calculating that via a string; if it sees a null byte, it will say, okay, that's the end of the string, and everything that comes after here will just be dropped off.
06:02
So since our
06:04
yeah, if our overwrite is 485 bytes in, that null byte would be at the end when we turn it into little-endian.
06:12
So everything after EIP would disappear. So all of our nice D's that we were using for shellcode wouldn't be there anymore. So we actually don't have the option to hard code this in anyway.
06:25
Again, rather than taking my word for it that the null byte is a bad character: it isn't always a bad character, not necessarily. You're not always gonna have a string.
06:34
In this case, since it's the username, chances are it's gonna be a string.
06:39
But it's certainly possible that you'll run into exploits where it's not a string and
06:44
the null byte will be just fine. Or you may find some instances where you are forced to use a null byte,
06:49
and then you just lose everything after it, and hopefully you're still able to exploit it. You'll see lots of things as you continue in exploit development. But
07:00
it is a bad character here. There are actually a couple more bad characters.
07:03
The bad characters for this one are null,
07:09
0A and 0D, which are part of our enters, our
07:14
\r and \n. And then finally, there is 40. I was a bit confused when I first saw this one.
07:20
40 in hex is the at symbol. If you look at man ascii, you can see that. But why the at symbol? As it turns out, since this is a username
07:30
and, um,
07:32
in FTP, the actual specification for it is username@server.
07:38
So if I have,
07:40
um,
07:41
that symbol
07:43
in my username,
07:46
it gets a little confused, because it's like, okay, this is a server, then there's an at in there. So it's just part of the specification. I mean, that's really the key to bad characters: you have to follow the specification for whatever protocol you're using
07:59
and however it's being interpreted by the underlying program.
08:03
Your bad characters are mainly gonna vary based on what it expects to see, what it's capable of
08:09
processing. So in this case, 40 is also a bad character, since it's an FTP username.
08:16
So I mean, 00 and 0A, 0D will be common. The 40, now, you'll see that a bit less; usually the at symbol is fine,
08:26
but in this case, it's not.
08:30
All right, so
08:31
we can't just hard code in our ESP address. So what do we do?
08:37
How are we going to get there? Well, I guess I kind of gave it away. We can jump there. So
08:43
if you don't know much assembly, you may not be
08:46
aware of it. But there is an instruction called JMP, short for jump.
08:52
Now, call
08:54
pretty much does the same thing,
08:58
at least for our purposes.
09:00
But Mona makes it pretty simple. We can just do !mona.
09:03
We'll do !mona jmp. That will find all the jumps and the equivalents as well, so call. You could also do, like,
09:13
um, we could do push ESP, push ESP onto the stack, and then return. Return will grab whatever the top of the stack is and then return to it, or send execution to it.
09:26
So we're going to do !mona jmp -r for the register, and in our case we want to get to ESP.
09:33
We can also tell it to automatically delete any bad characters, but you can also do this manually.
09:41
But I mostly just go ahead and tell it to take the bad characters out. So it'll automatically throw out any pointers that have
09:48
that character in them. So
09:52
not that. It's
09:52
-cpb, rather.
09:58
I always get that wrong. I don't know why I always want to say cbp,
10:01
but it's cpb. So bad is last.
10:05
Tell it to get rid of the bad characters. !mona jmp, -r for the register, ESP in our case, and -cpb
10:15
and then our bad characters we want to avoid.
10:20
So we put those down here at the bottom.
10:22
Let that execute again. It's going to take a minute, because it is
10:28
searching through all of our loaded modules for jmp esp's and equivalents. That was pretty fast.
10:33
So come over here to C:\logs\war-ftpd.
10:39
Now we have jmp.txt.
10:41
Here are our modules up here at the top again.
10:45
Well, here are all of our pointers. So we have jmp esp's, call esp's, push esp's and then return.
10:52
So it finds the equivalents as well. And it did automatically take out all of our bad characters. So technically, we can use anything on this list.
11:01
Now, I like to, for portability, see if I can
11:05
use the WarFTP module itself or some of its
11:11
DLLs. It only has one DLL, this
11:15
MFC42.dll. I never use anything in WarFTP itself, because it is
11:22
loaded at an address with a null byte, so every pointer in there is going to have a null byte in it, which we want to avoid. So everything got thrown out there. Let's look at our MFC.
11:33
It doesn't seem like they're in there anywhere. It doesn't look like there's a jmp esp equivalent in there, at least not one that doesn't have a bad character.
11:45
I didn't have another way.
11:46
Maybe it does. Doesn't look like it.
11:52
For whatever reason, they're not in there. So what we can do is use another one. Again, in this case, you can use anything on this list.
12:00
I like to use the msvcrt.
12:03
Here's msvcrt.dll right here. So let's grab this one with the push esp and then a return. So it's an equivalent to jmp esp
12:13
that Mona found.
12:13
So again, you could use anything on this list as long as you automatically filter out the bad characters. You don't necessarily have to do the same one that I do.
12:24
So copy this and put it in my notepad.
12:30
All right, so let's go ahead and restart. It's still crashed.
12:35
Come over to Immunity.
12:37
Well, let's get rid of that FtpDaemon.dat there.
12:46
And then I go to Debug and Restart. It
12:50
should open up. So now,
12:54
sure enough, it does.
12:58
Lightning bolt
13:00
and we come over to
13:05
our Kali.
13:09
Now what I want to do, instead of B times four here,
13:13
is going to put my
13:16
jmp esp equivalent. Just paste it in there for reference. I need to put it in little-endian format, and a hex byte on that. It's hex, so 59 first. Again, byte by byte, turn it around. 59 first,
13:31
then 54.
13:35
Then
13:37
C3
13:39
and then 77. If yours is different, just make sure it's in little-endian format. We flip it around, byte by byte,
13:46
and put that in the place of our EIP overwrite. So in the place of our 42, our B times four.
13:54
That's the only change we need to make right now.
13:56
So let's go ahead and save this. And one more thing before we run it: I want to, like we did in the Linux example, actually set a breakpoint.
14:05
So what we can do for that is just bp for breakpoint
14:09
and then paste. And
14:13
it didn't want to, huh?
14:15
Paste in that address,
14:22
bp and
14:30
hey.
14:31
All right, it's still not working. One more time. Did it copy?
14:41
Really?
14:43
Okay.
14:46
All right. So I'll just write it in, because for whatever reason Immunity doesn't want to take it from me.
14:50
All right, so let's make this bigger so I can see it.
14:56
77C3
14:58
5459
15:03
77C35459. All right, there. And set a breakpoint there
15:09
and hit enter.
15:11
And we can see our breakpoint if we go to View and Breakpoints.
15:16
So there's the address, the module is msvcrt, always active. And it's push esp; remember, this one is the push esp and then return, actually two instructions to do the equivalent of jmp esp.
15:31
All right, so let's go ahead and run it.
15:37
So everything is as expected over here on Kali. We hop back over to XP. We are paused, but we don't have a crash.
15:46
So look at EIP. It is pointing to our 77C35459, in my case, so in msvcrt. So we are at a breakpoint. If we look at the CPU, you see our push esp followed by a return. So we could let it play, or what we can do
16:03
is we can hit F7. If you're on a Mac, you may have to hit Function F7,
16:08
and that will just execute one instruction at a time. So if I do F7, it does push esp.
16:15
So take a look at our stack:
16:18
we now have ESP pushed onto the stack, and then we return. So it's gonna take that address and then try and execute what's there.
16:27
So we do that return.
16:30
So again, let's do Function F7 if you're on a Mac, just F7 on Windows,
16:36
and that indeed does redirect us to the beginning of our D's. If we go up a bit, there's our C's;
16:44
it grabbed that null in front of it. Now it thinks that that's another
16:48
instruction. But so it takes us to ESP, which is the beginning of our D's. So now of course we need to replace our D's with something useful. Looks like 44 hex is INC ESP.
17:00
So a long list of INC ESP is not going to be particularly useful in terms of shellcode. So certainly we can use msfvenom and take advantage of Metasploit's payload system and create some shellcode that'll be more useful for us.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor