1
00:00:00,330 --> 00:00:00,690
All right.

2
00:00:00,690 --> 00:00:02,730
Welcome back to Base Exploit Development.

3
00:00:02,730 --> 00:00:07,020
And before we generate our payload, I was a bit too overexcited.

4
00:00:07,500 --> 00:00:15,720
We need to identify our bad characters, or else execution may crash, truncate or break in general,

5
00:00:15,720 --> 00:00:16,980
and the shellcode won't work.

6
00:00:17,460 --> 00:00:26,130
So what I'm going to do is rerun this again, and then let's see.

7
00:00:26,610 --> 00:00:28,170
cat badchars.py.

8
00:00:28,170 --> 00:00:31,320
I want to copy the string.

9
00:00:32,009 --> 00:00:39,000
This is all of the hexadecimal bytes from 00 to ff, but we're excluding 00,

10
00:00:39,000 --> 00:00:43,020
as that is known as the universal null byte, which means it will always be a bad character.

11
00:00:44,160 --> 00:00:45,540
So we're going to copy this.

12
00:00:47,190 --> 00:00:47,880
Copy.

13
00:00:49,780 --> 00:00:52,750
Then nano first_try.py.

14
00:00:57,210 --> 00:00:59,910
And then we're going to load it right here.

15
00:01:00,660 --> 00:01:04,200
And instead of our Cs, we're going to put in our

16
00:01:09,210 --> 00:01:17,130
1048 A's plus B's plus bad characters.

17
00:01:20,430 --> 00:01:25,320
And then we're going to analyze that within the stack to see if we can find those bad characters.

18
00:01:28,560 --> 00:01:30,540
So python first_try.py.

19
00:01:33,140 --> 00:01:40,850
Control-C to exit, and then we're going to type x/200xb $esp.

20
00:01:42,420 --> 00:01:46,320
So just use the bottom as a reference.

21
00:01:46,960 --> 00:01:52,260
cat badchars.py, and see how it goes from 01 02 03 04 05 06 07 08.

22
00:01:52,380 --> 00:01:55,890
But then, bam, look, another byte form right here.

23
00:01:56,220 --> 00:02:00,660
And everything behind it is just truncated; it's mangled, it doesn't look right.

24
00:02:00,960 --> 00:02:03,990
So we know that the first bad character is 09.

25
00:02:06,980 --> 00:02:09,380
So let's make a note of that.

26
00:02:22,290 --> 00:02:25,230
And then we remove that from our bad character string.

27
00:02:30,110 --> 00:02:30,590
Control-Q

28
00:02:30,600 --> 00:02:36,060
to quit out of that again, and then fire

29
00:02:36,200 --> 00:02:37,880
our proof of concept again.

30
00:02:41,150 --> 00:02:41,780
Next up.

31
00:02:43,350 --> 00:02:44,460
x/200xb $esp.

32
00:02:52,940 --> 00:02:54,050
What else do we have?

33
00:02:54,200 --> 00:02:58,310
So, repeating the bad character elimination process,

34
00:02:58,520 --> 00:03:02,190
we actually found out that there were several bad characters.

35
00:03:02,210 --> 00:03:03,710
Let's go through them.

36
00:03:07,910 --> 00:03:18,200
So the bad characters are 09, 0a, 0d, 0x20, 0x2f, 0x3.

37
00:03:18,560 --> 00:03:27,230
I say zero because that's how hexadecimal is usually represented here, by 0x; it just means backslash

38
00:03:27,230 --> 00:03:30,980
x inside of our bad characters code.

39
00:03:31,550 --> 00:03:38,420
So what we do is we run this again, x/80xb $esp,

40
00:03:42,200 --> 00:03:49,310
and then also don't forget to delete the bad characters from our actual bad character set.

41
00:03:49,610 --> 00:03:51,260
See, we don't have a 09.

42
00:03:51,500 --> 00:03:56,720
We don't have a 0a, we don't have a 0d within these bad characters.

43
00:03:58,900 --> 00:04:00,580
So python first_try.py.

44
00:04:03:710 --> 00:04:05,600
And then let's see, x.

45
00:04:06,560 --> 00:04:08,900
x/256xb $esp.

46
00:04:11,450 --> 00:04:19,850
So let's first try and look at how our bad characters, I mean our actual character set, is matching up

47
00:04:20,810 --> 00:04:22,070
to the rest of

48
00:04:23,330 --> 00:04:23,990
these

49
00:04:25,090 --> 00:04:27,340
hexadecimal digits in hex.

50
00:04:27,340 --> 00:04:29,420
You see how?

51
00:04:29,490 --> 00:04:30,880
Just no more truncation.

52
00:04:31,240 --> 00:04:35,800
Truncating means that whatever appears after the bad character gets mangled.

53
00:04:36,790 --> 00:04:40,360
And basically there's two things that can happen.

54
00:04:40,540 --> 00:04:46,180
Either it gets truncated, it may go missing after it, or it just represents itself in a different

55
00:04:46,180 --> 00:04:46,570
way.

56
00:04:47,080 --> 00:04:53,230
If that happens, that's an unpredictable assembly instruction, and that means that your execution will

57
00:04:53,230 --> 00:04:54,250
likely crash.

58
00:05:00,940 --> 00:05:01,240
Sorry.

59
00:05:01,250 --> 00:05:03,910
I'm just looking through and just seeing that everything's counting right.

60
00:05:05,170 --> 00:05:06,490
It looks like it's right.

61
00:05:08,310 --> 00:05:14,100
So right now we can generate our payload, which will be our next section.