1 00:00:01,300 --> 00:00:01,569 Okay.
2 00:00:02,100 --> 00:00:04,290 So welcome back to Introduction.
3 00:00:05,190 --> 00:00:05,640 I'm sorry.
4 00:00:05,640 --> 00:00:07,590 I was just arguing with my family.
5 00:00:07,710 --> 00:00:10,650 He just did something incredibly stupid.
6 00:00:10,650 --> 00:00:18,630 So in this final part, we're finally going to do the ret2plt attack, which is to return to the
7 00:00:18,630 --> 00:00:20,100 procedure linkage table.
8 00:00:20,610 --> 00:00:25,170 And basically we're going to overwrite the global offset table entry.
9 00:00:25,170 --> 00:00:32,790 So instead of pointing to printf, which is actually in the source code of this function, let's see,
10 00:00:32,790 --> 00:00:34,440 where is my source code?
11 00:00:37,120 --> 00:00:44,110 So instead of calling printf, we're actually going to overwrite the global offset table entry from
12 00:00:44,110 --> 00:00:49,030 the procedure linkage table and then have it point to system instead.
13 00:00:49,720 --> 00:00:53,830 So what we're going to do is actually add a few gadgets of my own.
14 00:00:53,830 --> 00:00:59,380 And here we're going to start a new debugger for vuln-2.
15 00:01:01,730 --> 00:01:02,960 And then we want to run: press
16 00:01:02,960 --> 00:01:06,020 r. And then we press Ctrl-C.
17 00:01:08,560 --> 00:01:19,090 And then we want to type x info x file system, and we want to take note of the memory address.
18 00:01:19,120 --> 00:01:22,180 You could also do exactly this thing, like p system.
19 00:01:22,480 --> 00:01:23,890 You can get the same value.
20 00:01:23,890 --> 00:01:26,470 So whatever way works for you
21 00:01:26,470 --> 00:01:28,180 works just fine.
22 00:01:29,140 --> 00:01:41,800 So we're going to do, let's see, attempt four, and then we're going to do syscall equals this.
23 00:01:42,010 --> 00:01:46,870 Not to mention from pwn import star.
24 00:01:52,270 --> 00:01:53,080 Let me see.
25 00:01:55,330 --> 00:02:01,330 What we want to do now is find the printf function that we want to replace, and we want to calculate
26 00:02:01,330 --> 00:02:02,350 the offset.
27 00:02:03,760 --> 00:02:06,430 So you can either calculate the offset.
28 00:02:06,820 --> 00:02:08,770 Well, here we just do printf right here.
29 00:02:08,800 --> 00:02:12,400 Just save the address, or you can do something like
30 00:02:17,530 --> 00:02:18,030 sorry.
31 00:02:20,990 --> 00:02:29,840 p/x the printf address minus the syscall address, which is fa00.
32 00:02:29,840 --> 00:02:41,510 So you could have just said offset to syscall equals this, or you could have alternately done this.
33 00:02:44,890 --> 00:02:50,920 Offset to syscall equals printf minus syscall.
34 00:03:00,540 --> 00:03:03,300 So for this we will need the following gadgets.
35 00:03:03,300 --> 00:03:04,980 So let's open up ropper.
36 00:03:05,190 --> 00:03:07,520 Let's just use the first one to offset this syscall.
37 00:03:07,530 --> 00:03:09,240 Either way, it would actually work.
38 00:03:11,250 --> 00:03:18,210 I'm just a little bit irritated right now because I told my father I am busy working on these courses,
39 00:03:18,210 --> 00:03:26,460 but he has chosen to disrupt, you know, my instructions or my time to instruct all of you.
40 00:03:28,860 --> 00:03:34,980 So you file vuln, and then we're going to search for the following gadgets.
41 00:03:34,980 --> 00:03:39,180 So one: search for ret, one return.
42 00:03:42,250 --> 00:03:44,650 Return equals this.
43 00:03:46,330 --> 00:03:51,220 We're also going to search for the gadget: search pop rdi ret.
44 00:03:53,860 --> 00:03:56,280 So pop rdi ret.
45 00:03:57,280 --> 00:03:59,110 Remember to remove the last colon.
46 00:04:01,320 --> 00:04:02,010 Search.
47 00:04:02,040 --> 00:04:03,830 Pop rbp,
48 00:04:07,360 --> 00:04:09,450 pop rbp, return.
49 00:04:13,450 --> 00:04:20,589 And then we want to search for sub rdi from the base pointer, because what we're doing is we're actually using
50 00:04:20,589 --> 00:04:29,530 that gadget to calc, to overwrite our global offset table entry for our syscall.
51 00:04:29,530 --> 00:04:37,180 So we turn this printf function into a call, basically.
52 00:04:37,210 --> 00:04:42,070 So what we're going to look for is search sub rdi.
53 00:04:46,110 --> 00:04:47,070 Let me see.
54 00:04:49,150 --> 00:05:00,850 Oh, sub... and the gadget that we're looking for is the one located right here.
55 00:05:07,570 --> 00:05:16,270 So we're going to add another gadget, and we're going to call it sub rdi from return base pointer.
56 00:05:24,040 --> 00:05:28,210 And finally, we're going to look for the sh string within our binary.
57 00:05:28,210 --> 00:05:33,040 So back up here, we're going to do the command vmmap.
58 00:05:35,440 --> 00:05:37,240 Remember, this is our address range.
59 00:05:37,270 --> 00:05:40,660 So set $start equals this.
60 00:05:42,830 --> 00:05:45,140 Set $end equals this.
61 00:05:48,350 --> 00:05:49,630 And then we could run
62 00:05:49,630 --> 00:05:57,190 the command search-pattern sh $start $end.
63 00:06:02,490 --> 00:06:11,490 So we can tell that it's a two-byte string, and we can use this, copy this address, either one would work
64 00:06:11,490 --> 00:06:16,500 actually, but we'll just use the first one, and we're actually going to do this.
65 00:06:16,920 --> 00:06:20,040 sh equals this address.
66 00:06:24,550 --> 00:06:27,790 So, your final source code for your exploit.
67 00:06:28,060 --> 00:06:31,480 That means basically we need 216 bytes.
68 00:06:31,480 --> 00:06:32,050 Right.
69 00:06:32,350 --> 00:06:36,070 To overwrite the instruction pointer.
70 00:06:40,190 --> 00:06:45,320 Offset to overwrite return instruction pointer.
71 00:06:49,210 --> 00:06:52,870 Then we're going to pack another gadget, our return gadget,
72 00:06:58,000 --> 00:07:00,550 p64.
73 00:07:05,350 --> 00:07:06,310 Let me see.
74 00:07:07,420 --> 00:07:08,280 Oh, I missed something.
75 00:07:08,290 --> 00:07:08,980 I'm sorry.
76 00:07:10,360 --> 00:07:13,000 We also need the printf.
77 00:07:13,120 --> 00:07:16,360 So disassemble main.
78 00:07:18,580 --> 00:07:20,680 Disassemble main.
79 00:07:28,460 --> 00:07:33,950 And then we're actually going to disassemble the printf function.
80 00:07:36,840 --> 00:07:43,020 And we're going to notice this section right here for the global offset table entry.
81 00:07:43,620 --> 00:07:45,600 So I forgot to mention that.
82 00:07:45,600 --> 00:07:47,460 So we're going to save two variables.
83 00:07:48,030 --> 00:07:49,410 So save this.
84 00:07:53,190 --> 00:07:55,830 printf at
85 00:07:56,340 --> 00:07:56,790 procedure
86 00:07:56,820 --> 00:07:57,150 linkage
87 00:07:57,210 --> 00:07:58,200 table.
88 00:08:01,090 --> 00:08:05,590 printf global offset table.
89 00:08:06,580 --> 00:08:07,900 We want to save this value.
90 00:08:15,650 --> 00:08:18,650 So, pop rdi return,
91 00:08:22,070 --> 00:08:26,780 de 50 4ff, the global offset table,
92 00:08:30,020 --> 00:08:35,450 pack pop rbp return.
93 00:08:38,140 --> 00:08:47,110 buf plus equals p64 of the offset to syscall, which is, you know, this value.
94 00:08:48,070 --> 00:08:51,700 So if you don't know what I'm doing, what we're basically doing is that we're going to replace the
95 00:08:51,700 --> 00:08:54,970 global offset table entry to point it to a syscall.
96 00:08:54,970 --> 00:09:00,190 Instead, at this section right here, we're actually going to change,
97 00:09:01,820 --> 00:09:07,460 um, this global offset table entry to point to system instead of actually just printing a string.
98 00:09:07,880 --> 00:09:09,500 So basically that's what we're doing.
99 00:09:12,940 --> 00:09:17,910 Plus equals p64 sub rbp.
100 00:09:19,750 --> 00:09:20,260 Oops.
101 00:09:31,780 --> 00:09:32,320 buf
102 00:09:36,550 --> 00:09:41,650 p64 return, buf plus equals p64
103 00:09:43,200 --> 00:09:45,210 pop rdi return.
104 00:09:48,350 --> 00:09:50,690 buf plus equals p64.
105 00:09:54,150 --> 00:09:54,840 So.
106 00:09:57,640 --> 00:09:59,380 buf plus equals
107 00:10:05,290 --> 00:10:18,130 buf plus equals p64 printf at procedure linkage table. sys.stdout.buffer
108 00:10:18,460 --> 00:10:20,160 write buf.
109 00:10:26,910 --> 00:10:27,720 What is this?
110 00:10:28,170 --> 00:10:28,980 Turn this off.
111 00:10:29,640 --> 00:10:30,750 Let me just check the code.
112 00:10:30,780 --> 00:10:31,410 Correct.
113 00:10:31,530 --> 00:10:32,220 Let's see.
114 00:10:32,850 --> 00:10:34,770 We are doing a,
115 00:10:37,230 --> 00:10:40,920 packing a, let's see, the procedure linkage table address.
116 00:10:41,370 --> 00:10:42,930 We're putting the sh string.
117 00:10:43,590 --> 00:10:47,990 We then pop the register, return, as an argument.
118 00:10:48,000 --> 00:10:49,950 We're executing a return.
119 00:10:50,670 --> 00:10:56,340 We are then making a calculation to make printf point to syscall.
120 00:10:56,850 --> 00:11:03,540 This is our offset to the syscall within pop rbp return and the return.
121 00:11:05,760 --> 00:11:12,030 We then pass the address for the global offset table over, effectively overwriting it with our offset.
122 00:11:13,560 --> 00:11:20,010 And then we're going to pop the return, because at this point when we run this gadget, it actually calls
123 00:11:20,010 --> 00:11:22,080 system instead of printf.
124 00:11:22,440 --> 00:11:30,150 So we hijack control and then we pop out the return, which means that it's basically running this.
125 00:11:30,150 --> 00:11:33,750 So it's going to be doing system
126 00:11:36,460 --> 00:11:45,240 sh, and then we add a return, because you always have to end with a return for 64-bit calling
127 00:11:45,240 --> 00:11:49,410 conventions to align the stack, which allows you to execute your shellcode.
128 00:11:53,460 --> 00:11:55,560 So let's see if this works.
129 00:12:05,300 --> 00:12:09,220 nano attempt4.py.
130 00:12:10,190 --> 00:12:11,540 Copy all this.
131 00:12:14,920 --> 00:12:15,880 Python
132 00:12:16,000 --> 00:12:17,680 three, four,
133 00:12:23,790 --> 00:12:24,020 four.
134 00:12:25,720 --> 00:12:32,290 Press enter again, id, and we have our shell. So control, let's see, to zoom.
135 00:12:33,220 --> 00:12:40,060 And then we're going to do cat /root/flag.txt.
136 00:12:41,740 --> 00:12:51,340 So if you don't know what this actually means, this is actually the flag, or the lyrics of a song.
137 00:12:51,340 --> 00:12:51,820 I'm never sure.
138 00:12:51,880 --> 00:12:56,470 I'm not sure how many people are from the United States or if you guys watch G.I. Joe.
139 00:12:56,470 --> 00:13:05,830 But there's a 1987 cartoon G.I. Joe movie, which had, like, a really epic kind of intro.
140 00:13:05,830 --> 00:13:11,100 And this is the hook for the Cobra section for you.
141 00:13:12,340 --> 00:13:21,790 Yeah, but this is going to be your flag for the final quiz for address space layout randomization
142 00:13:21,790 --> 00:13:22,420 bypasses.
143 00:13:22,420 --> 00:13:27,340 So if you really want to walk through this in the debugger, let's go back.
144 00:13:28,960 --> 00:13:35,350 We're going to do python3 attempt4.py, pipe it into payload.
145 00:13:36,850 --> 00:13:44,620 And because we're not running in this anymore, we're going to do, let's see, let's put a Z here.
146 00:13:44,620 --> 00:13:46,570 This is symbol three.
147 00:13:46,570 --> 00:13:47,590 Underscore main.
148 00:13:48,940 --> 00:13:50,680 Let's put a break
149 00:13:58,550 --> 00:13:59,330 here.
150 00:13:59,660 --> 00:14:00,380 Break
151 00:14:01,640 --> 00:14:03,290 main plus 71.
152 00:14:06,280 --> 00:14:08,110 Now I'm going to run < payload
153 00:14:12,010 --> 00:14:15,460 and I want to put another breakpoint at system.
154 00:14:20,230 --> 00:14:22,510 So you can either step through it,
155 00:14:27,670 --> 00:14:29,860 single-step through our ROP chain,
156 00:14:33,170 --> 00:14:35,660 or, if you want, you can delete the first breakpoint.
157 00:14:36,320 --> 00:14:37,370 Press continue.
158 00:14:38,030 --> 00:14:46,610 And as you can see, if you look at this address now, we are calling our printf function, which is now
159 00:14:46,610 --> 00:14:49,130 replaced with a call to sh.
160 00:14:52,330 --> 00:14:53,110 Right here.
161 00:14:55,210 --> 00:14:56,410 So we continue.
162 00:15:00,090 --> 00:15:00,660 Delete
163 00:15:00,660 --> 00:15:02,610 the second breakpoint, continue.
164 00:15:03,360 --> 00:15:06,360 It would segfault because it's actually forking.
165 00:15:14,410 --> 00:15:22,480 It segfaulted because it forked a process, and that's why it doesn't work.
166 00:15:22,520 --> 00:15:25,060 But as you can see, we already have our shell.
167 00:15:25,060 --> 00:15:34,240 So if we ran it without breakpoints for our payload, it should say something like detaching after
168 00:15:34,240 --> 00:15:41,500 vfork from child process 424. What's going on is that it basically spawned a shell session, and because
169 00:15:41,500 --> 00:15:44,980 it had received no commands, it just died.
170 00:15:46,060 --> 00:15:55,330 And that's why we can always do this exploit again and again and again, so we can just do python3
171 00:15:56,200 --> 00:15:59,750 attempt four.
172 00:16:02,740 --> 00:16:03,580 vuln.
173 00:16:07,020 --> 00:16:07,740 Oh, sorry.
174 00:16:08,950 --> 00:16:11,230 python3, id.
175 00:16:14,800 --> 00:16:23,010 -c import pty; pty.spawn /bin/bash.
176 00:16:27,690 --> 00:16:35,710 whoami, cat flag, and this is your flag for the final exercise.
177 00:16:35,710 --> 00:16:42,670 So I hope this is a great thing for you guys to go through at this point.
178 00:16:42,670 --> 00:16:51,250 You already know how to bypass non-executable bits, how to write custom shellcode, how to do 64-bit
179 00:16:51,250 --> 00:16:54,370 exploitation, how to bypass the stack canary.
180 00:16:54,370 --> 00:17:02,740 And you are more than ready to take either Offensive Security's Exploit 301, which would teach you the
181 00:17:02,740 --> 00:17:06,010 Windows exploitation side of modern exploit development.
182 00:17:06,010 --> 00:17:16,569 Or you can go take the one from SANS, which is SEC660, and you are more than ready to take the SEC760
183 00:17:16,569 --> 00:17:21,280 course, which will be focused more on heap and kernel exploitation.
184 00:17:22,329 --> 00:17:24,609 So thank you for your time.