WEBVTT

00:00.670 --> 00:03.640
Chapter six buffer overflow attacks

00:08.220 --> 00:31.010
the unauthorized reproduction in whole or in part of this publication in any form is prohibited.

00:31.070 --> 00:46.690
We will now copy the required files from the enclosed discs to the hard disk.

00:46.710 --> 00:48.790
Here is our first example program.

00:48.810 --> 00:54.340
It shows the content of the I.A. a variable which is visible in the program code.

00:54.390 --> 00:55.320
Let's can pilot

01:03.640 --> 01:10.990
as we can see after transferring the second argument of the call The I.A. a variable has been overwritten

01:11.020 --> 01:19.770
with the value 0 x 41 corresponding to the letter A to discover how the overwriting of the i n t a variable

01:19.810 --> 01:20.740
was possible.

01:20.740 --> 01:24.240
We will now look at the program examples using gdb

01:41.630 --> 01:49.070
as we can see in the case of the car BAAF 10 variable the stack has been increased to 24 bytes 0 x 18

01:49.070 --> 01:50.420
and the hexadecimal system

02:11.770 --> 02:20.130
in the case of the I NTA variable the stack has been increased to 8 bytes by transferring 32 characters

02:20.280 --> 02:28.090
24 plus 8 to our first program we have overwritten the valuable of the i n t a variable.

02:28.210 --> 02:34.390
The next task will be to overwrite The I.A. OK variable which controls access to secure resources

02:51.360 --> 02:53.810
after transferring the long character chain.

02:53.820 --> 02:55.710
It was possible to crack the program

02:59.270 --> 03:00.380
but how can we do this.

03:00.380 --> 03:03.080
If the variable controlling access does not exist

03:20.370 --> 03:50.600
let's test our next example program.

03:50.680 --> 03:53.950
We will now use gdb to find out what happens at the moment.

03:53.980 --> 03:57.580
A program called paramita that is too long is transferred.

04:20.560 --> 04:29.200
As we can see the program wanted to jump to the address 0 x 41 41 41 41 which does not belong to its

04:29.200 --> 04:30.290
memory area.

04:34.080 --> 04:39.600
Let's now try to tell the program to jump to the correct address which will allow it to skip to the

04:39.600 --> 04:44.170
procedure of log in and password verification.

04:44.220 --> 04:49.440
This will be the address 0 x 0 8 0 48 for C-7

04:53.480 --> 04:58.500
the address of the past to be written in reverse order starting from the last byte

05:13.800 --> 05:14.880
as we can see.

05:14.940 --> 05:16.770
Everything went as expected.

05:16.770 --> 05:20.280
We managed to fool the application.

05:20.280 --> 05:24.470
Now we will analyze another example to exploit using the shell code.

05:28.100 --> 05:32.090
In this case a ready address that we can transfer does not exist.

05:32.120 --> 05:36.170
We will need to create our own show code and add it to our program.

06:08.480 --> 06:13.310
Unfortunately a shellcode containing indirect closing function calls is not appropriate.

06:13.310 --> 06:38.850
It is necessary to create a code containing system function calls.

06:38.890 --> 07:15.290
We will obtain a ready made show code from the binary program image using a LBJ dump tool.

07:15.340 --> 07:18.100
The final version of our shell code looks like this.

07:37.830 --> 07:43.080
We will therefore use a ready made exploit that takes advantage of the techniques we learned while reading

07:43.080 --> 07:43.940
this chapter.

07:59.280 --> 08:03.930
As we can see the operation has been successful we gained access to the shell.