1
00:00:00,840 --> 00:00:03,060
Welcome back to Basic Exploit Development.

2
00:00:03,330 --> 00:00:05,640
And in this section, we're covering egg hunters.

3
00:00:06,300 --> 00:00:13,410
Now, it's important for me to mention that this section and topic is not required for the OSCP

4
00:00:13,410 --> 00:00:13,860
exam.

5
00:00:14,160 --> 00:00:21,480
The OSCP exam only focuses on two topics for buffer overflow attacks, stack smashing and multi-stage

6
00:00:21,480 --> 00:00:28,680
shellcode, and also the Crossfire exploit, which is the multi-stage shellcode exercise that is also

7
00:00:28,680 --> 00:00:29,430
not tested.

8
00:00:29,700 --> 00:00:34,500
If you are concerned about passing the OSCP, you should always stick in reverse.

9
00:00:34,830 --> 00:00:39,060
So now 5.5 is the sample, the 5.5 section of the class.

10
00:00:39,510 --> 00:00:45,600
Now, the only reason why I put out this section is because even though egg hunters are a bit of a complicated

11
00:00:45,600 --> 00:00:54,960
topic, I think, if not completely certain, that you will be able to grasp how to use an egg hunter within

12
00:00:54,960 --> 00:00:58,410
this course as long as you have done what you need to do

13
00:00:58,410 --> 00:01:04,349
on the other three exploitable applications. This brings our total amount of exploitable applications

14
00:01:04,500 --> 00:01:05,190
to four.

15
00:01:06,450 --> 00:01:14,000
So if you guys are already OSCP graduates, there actually is an Offensive Security Certified Expert egg

16
00:01:14,010 --> 00:01:19,440
hunter actually covered in the Offensive Security Certified Expert certification's Cracking the

17
00:01:19,440 --> 00:01:22,350
Perimeter, as well as Advanced Windows

18
00:01:23,320 --> 00:01:28,480
Exploitation, which would give you the certification Offensive Security Exploitation Expert.
19
00:01:30,270 --> 00:01:37,950
So an egg hunter operates when you're only allowed a limited buffer space that you can't fit any shellcode inside

20
00:01:37,950 --> 00:01:38,220
of.

21
00:01:38,490 --> 00:01:40,170
And it refuses to expand.

22
00:01:40,170 --> 00:01:43,560
We try to flow over into a larger buffer space.

23
00:01:44,040 --> 00:01:50,730
As long as we have 32 bytes within that buffer, you can drop an egg hunter inside of that.

24
00:01:51,060 --> 00:01:56,940
And when the egg hunter executes, the CPU will be hijacked and will search for the full shellcode

25
00:01:57,270 --> 00:02:01,110
in whatever section of virtual address space it is located.

26
00:02:02,700 --> 00:02:07,620
So egg hunters work by marking the shellcode with a double egg.

27
00:02:08,220 --> 00:02:13,050
So if my egg was "woot", let's say w00t,

28
00:02:13,590 --> 00:02:17,010
and I put w00tw00t in front of my shellcode,

29
00:02:17,730 --> 00:02:23,220
then the egg hunter will be able to locate it by scanning the string and comparing against this register.

30
00:02:24,360 --> 00:02:28,920
Egg hunters work by scanning virtual address space four bytes at a time; it looks for the condition

31
00:02:28,920 --> 00:02:35,250
of the double egg. As the egg hunter hijacks CPU execution and searches for the egg, it increments a pointer

32
00:02:35,250 --> 00:02:38,370
by one each time while comparing the contents of the register.

33
00:02:38,670 --> 00:02:46,440
It uses the scan string command to compare what is located in the string against the egg that it was programmed

34
00:02:46,440 --> 00:02:46,950
to find.

35
00:02:47,310 --> 00:02:53,430
Once it locates the correct egg marker for the shellcode, it will jump into it and it will skip

36
00:02:53,430 --> 00:02:56,910
the eight bytes, which is the egg, and begin execution of the shellcode.

37
00:02:57,330 --> 00:02:59,460
For more information, go to this link right here.
38
00:03:06,210 --> 00:03:15,630
This website shows a lot of information, including the basic practical functionality of the egg hunter.

39
00:03:16,960 --> 00:03:26,110
So as you can see, what it does is it saves the egg and then it compares it against any strings that

40
00:03:26,110 --> 00:03:35,260
you may find, such as the egg. It uses scan strings to validate whether or not it found the egg,

41
00:03:35,380 --> 00:03:40,900
and if it did find the double egg, it would then jump to the register and jump eight bytes past

42
00:03:40,900 --> 00:03:43,480
the egg to merely execute the shellcode.