1
00:00:00,510 --> 00:00:04,740
Welcome back to Basic Exploit Development, the exploit development process.

2
00:00:05,310 --> 00:00:09,240
Now, there really is not a de facto standard in how exploits are developed.

3
00:00:09,540 --> 00:00:15,300
But we generally agree on a few key steps: one, fuzzing; two, proof of concept creation.

4
00:00:15,540 --> 00:00:19,500
Three, hijack the execution; four, bad character analysis.

5
00:00:19,740 --> 00:00:21,750
And five, successful exploitation.

6
00:00:24,480 --> 00:00:29,970
Fuzzing is a process of hurling random data and strings at a listening, vulnerable service to trigger

7
00:00:29,970 --> 00:00:30,540
a crash.

8
00:00:31,050 --> 00:00:34,590
Now we have many open source and commercial fuzzers.

9
00:00:35,610 --> 00:00:36,660
These are just a few of them.

10
00:00:36,660 --> 00:00:39,570
File fires, pitch that name.

11
00:00:40,200 --> 00:00:45,380
But the objective is to crash the process and analyze the results of the crash for

12
00:00:45,420 --> 00:00:47,700
an opportunity to create and to craft an exploit.

13
00:00:52,480 --> 00:00:59,950
So there are three indicators, when crashing an application, of an opportunity to develop an exploit.

14
00:01:00,910 --> 00:01:07,270
You can overwrite the EIP register, the extended instruction pointer; you can overwrite the structured exception

15
00:01:07,270 --> 00:01:14,320
handler, also known as an SEH overwrite; or detect access violations at invalid memory addresses.

16
00:01:17,520 --> 00:01:22,350
When you can correctly determine that you can crash an application and also be able to reliably

17
00:01:22,350 --> 00:01:27,960
perform any of the three events above, you are now in possession of a proof of concept for possible code

18
00:01:27,960 --> 00:01:28,620
execution.

19
00:01:31,650 --> 00:01:36,990
Let's assume that we actually overwrite, through our proof of concept, the memory address where the extended instruction

20
00:01:36,990 --> 00:01:39,840
pointer is located with four hexadecimal A's.

21
00:01:41,100 --> 00:01:46,260
The extended instruction pointer basically points to what is next in program execution.

22
00:01:46,590 --> 00:01:53,460
It accepts little endian, that is, reversed memory addresses. By overwriting that valid EIP with four hexadecimal

23
00:01:53,460 --> 00:01:53,880
B's,

24
00:01:54,210 --> 00:02:00,630
we validate that we can clearly hijack execution by first sending a known buffer of A's and then clearly

25
00:02:00,630 --> 00:02:04,410
overwriting the EIP register with four hexadecimal B's.

26
00:02:06,580 --> 00:02:12,480
At this point, you can use the debugger to look for usable assembly instructions such as jumps

27
00:02:12,790 --> 00:02:18,340
within the debugged application itself and then replace the EIP with a valid memory address in little

28
00:02:18,340 --> 00:02:19,090
endian format.

29
00:02:22,860 --> 00:02:25,380
So bad characters, bad characters.

30
00:02:25,380 --> 00:02:31,740
In the simplest form, these are basically assembly opcodes, in hexadecimal, that do not properly

31
00:02:31,740 --> 00:02:33,960
render in memory in the debugged application.

32
00:02:35,900 --> 00:02:42,380
They can basically cause unpredictable execution of commands that will either redirect the exploitation

33
00:02:42,380 --> 00:02:48,380
attempt away from our desired goal or crash and lose your one and only successful exploitation attempt.

34
00:02:49,460 --> 00:02:55,640
So you will invest a significant amount of your time in locating and eliminating these bad characters.

35
00:02:59,520 --> 00:03:00,120
I'm sorry.

36
00:03:00,570 --> 00:03:01,380
My mouth is dry.

37
00:03:02,430 --> 00:03:08,880
So once we successfully hijack execution, eliminate bad characters, and are ready to insert valid

38
00:03:08,880 --> 00:03:13,080
shellcode into the application, we are about to perform a successful exploit.

39
00:03:13,590 --> 00:03:22,350
This could result in spawning a command shell, interpreter or Trojan session, as well as gaining a

40
00:03:22,350 --> 00:03:27,450
foothold into the target organization's internal network through the initially compromised system.