1
00:00:01,780 --> 00:00:01,930
Right.

2
00:00:02,130 --> 00:00:03,360
It's recording good.

3
00:00:04,260 --> 00:00:10,140
So right now we have our necessary gadgets.

4
00:00:11,370 --> 00:00:19,780
So we're going to go for our redo and we're going to add a buffer of 200 letter A's.

5
00:00:19,780 --> 00:00:24,810
So B B, couple a times 200.

6
00:00:27,270 --> 00:00:28,080
Let's see.

7
00:00:28,560 --> 00:00:29,580
Let's put this right here.

8
00:00:42,110 --> 00:00:48,230
Because to reach the canary, we needed 200 A's and then we have to repair our canary.

9
00:00:48,470 --> 00:00:57,170
So for our buffer, instead of doing something like struct pack lowercase, I mean capital Q for double

10
00:00:57,170 --> 00:01:06,470
long, the canary pwntools allows you to conveniently run this as buffer plus equals p64 canary,

11
00:01:06,470 --> 00:01:09,290
which packs the 64 bit little endian.

12
00:01:10,940 --> 00:01:22,670
Then you must overwrite and find your path to RIP using eight letter B's to reach RIP.

13
00:01:25,520 --> 00:01:29,210
And then we pack our return instruction,

14
00:01:32,150 --> 00:01:34,920
then pack our pop rdi instructions.

15
00:01:34,940 --> 00:01:37,310
This is basically a repeat of what we did before.

16
00:01:38,970 --> 00:01:52,950
p64 show buff equals plus p64 syscall plus equals 64 exit.

17
00:01:58,280 --> 00:02:02,360
And then with open payload.

18
00:02:02,690 --> 00:02:03,050
Right.

19
00:02:03,050 --> 00:02:03,890
Binary.

20
00:02:05,050 --> 00:02:06,260
That's payload.

21
00:02:08,090 --> 00:02:08,509
Payload.

22
00:02:08,750 --> 00:02:09,380
Right.

23
00:02:11,600 --> 00:02:15,470
Finally, we send the buffer stuff.

24
00:02:17,800 --> 00:02:19,020
And then it started to interact.

25
00:02:22,780 --> 00:02:27,170
So make sure you memorize this format string attack, the format string bug.

26
00:02:27,190 --> 00:02:28,480
These are not two ones.

27
00:02:28,480 --> 00:02:33,040
These are two lowercase l's and x. Also, come back from DEF CON.

28
00:02:33,040 --> 00:02:35,650
I'll go back into deeper detail about what's going on.

29
00:02:36,160 --> 00:02:38,890
But at this point, we're ready to run our exploit.