1
00:00:00,570 --> 00:00:06,600
Welcome back to Advanced Exploit Development and we are about to begin our ROP chaining exercise.

2
00:00:07,110 --> 00:00:10,290
First, let's take a look at our initial starter file.

3
00:00:10,320 --> 00:00:11,100
Bone Server.

4
00:00:11,100 --> 00:00:11,850
Rob Change.

5
00:00:11,850 --> 00:00:12,810
Size Start.

6
00:00:15,620 --> 00:00:19,910
So this is basically a standard stack-based buffer overflow attack.

7
00:00:20,510 --> 00:00:26,000
And as you can see, we have a single memory address, overwrite EIP to hijack execution.

8
00:00:26,540 --> 00:00:33,200
And we're just going to demonstrate the difference between how this works in a non-DEP-enabled application

9
00:00:33,500 --> 00:00:35,210
versus one that's enabled by DEP.

10
00:00:36,800 --> 00:00:38,480
So go back to Immunity Debugger.

11
00:00:39,380 --> 00:00:40,070
Right click.

12
00:00:40,640 --> 00:00:41,630
Run as administrator.

13
00:00:42,770 --> 00:00:43,310
Yes.

14
00:00:45,460 --> 00:00:48,040
File well server.

15
00:00:49,170 --> 00:00:49,980
Press play.

16
00:00:55,650 --> 00:01:00,000
Harrison Barnes Thurber press play again to.

17
00:01:01,370 --> 00:01:03,800
And execution is hijacked as normal.

18
00:01:05,120 --> 00:01:12,290
We inserted a key, a break, to stop execution from continuing, but execution is definitely hijacked.

19
00:01:12,710 --> 00:01:15,650
Now let's enable system-wide DEP.

20
00:01:16,400 --> 00:01:17,840
So closing the debugger.

21
00:01:19,240 --> 00:01:23,110
Click on Start, right click on Computer, Properties.

22
00:01:24,290 --> 00:01:25,520
Advanced system settings.

23
00:01:26,690 --> 00:01:33,320
From the Advanced tab, Settings, Data Execution Prevention, and turn on DEP for all programs and services

24
00:01:33,340 --> 00:01:34,700
except those I select.

25
00:01:35,800 --> 00:01:38,500
Apply and restart your computer.

26
00:01:56,020 --> 00:01:56,830
Welcome back.

27
00:01:56,860 --> 00:01:58,630
After finishing restarting the computer.

28
00:02:00,520 --> 00:02:01,480
Log back in.

29
00:02:03,430 --> 00:02:04,570
Ask me later on that.

30
00:02:05,840 --> 00:02:07,010
Come on, keep going.

31
00:02:11,260 --> 00:02:16,330
In case you're wondering, I didn't enter the license key for this install of Windows 7 on my KVM

32
00:02:16,330 --> 00:02:18,640
installation, so that's why I see you.

33
00:02:18,640 --> 00:02:19,160
Give me that.

34
00:02:19,420 --> 00:02:20,500
So back to Immunity

35
00:02:20,500 --> 00:02:22,090
Debugger, run as administrator.

36
00:02:24,420 --> 00:02:24,890
Yes.

37
00:02:25,890 --> 00:02:33,180
File, ball server, not execute, press play, now run the attack again.

38
00:02:36,530 --> 00:02:37,670
Press play to continue.

39
00:02:39,490 --> 00:02:45,610
And notice how it's an access violation while executing this memory address containing our NOP.

40
00:02:46,730 --> 00:02:57,050
So as you can tell, what's going on is you cannot even execute NOP instructions as DEP's

41
00:02:57,050 --> 00:02:57,620
enabled.

42
00:02:58,280 --> 00:03:01,810
So this concludes the first section of ROP chaining.

43
00:03:02,420 --> 00:03:05,480
In the next section, we're going to show you how to figure out.

44
00:03:06,870 --> 00:03:08,790
How to bypass DEP.