1 00:00:00,360 --> 00:00:06,350 Hello, everyone, welcome to our new video of our binary exploitation series. Today,
2 00:00:06,750 --> 00:00:08,610 let's talk about buffer overflow.
3 00:00:10,360 --> 00:00:16,150 From its name, buffer overflow is when we have a certain size of a variable placed in memory
4 00:00:16,420 --> 00:00:18,820 and we overflow that space.
5 00:00:19,390 --> 00:00:26,110 So, for instance, if I have a C program that asks for a name, this name will be stored on the stack.
6 00:00:28,320 --> 00:00:33,690 But if the string size is more than the size that we allocated for it on the stack, of course
7 00:00:33,690 --> 00:00:41,640 it will overflow and overwrite, uh, other addresses like
8 00:00:41,640 --> 00:00:42,600 the return address.
9 00:00:43,020 --> 00:00:43,390 Right.
10 00:00:44,250 --> 00:00:45,120 If you look here.
11 00:00:47,710 --> 00:00:50,110 This bunch of values that we put in the variable.
12 00:00:51,440 --> 00:00:59,540 If it is more than the stack can hold for the size that we allocated for it, then it will come here and it
13 00:00:59,540 --> 00:01:07,130 will overwrite the return address that the function needs to return back to when it's done executing its
14 00:01:07,130 --> 00:01:07,520 code.
15 00:01:09,040 --> 00:01:16,780 If we can control the return address, that means we control the EIP register, which points to the
16 00:01:16,780 --> 00:01:24,280 next instruction. Let's take a look at the source code of a network program that only does
17 00:01:24,280 --> 00:01:24,960 one thing.
18 00:01:25,510 --> 00:01:28,240 It echoes back everything we send to it.
19 00:01:36,520 --> 00:01:38,230 Let's make sure it's not running first.
20 00:01:42,100 --> 00:01:43,200 Actually, it is.
21 00:01:43,270 --> 00:01:47,200 OK, I'm going to kill it and then we run it.
22 00:01:57,220 --> 00:02:00,790 Now I'm going to use netcat to connect to the server.
23 00:02:04,570 --> 00:02:07,570 It's a UDP socket, so that's fine.
24 00:02:15,920 --> 00:02:18,260 So it echoes back everything we said, right?
25 00:02:18,290 --> 00:02:19,010 Very simple.
26 00:02:19,170 --> 00:02:24,230 OK, now let's take a look at the source code.
27 00:02:32,270 --> 00:02:33,680 Let's go to the main function.
28 00:02:39,200 --> 00:02:40,460 It starts from here.
29 00:02:44,270 --> 00:02:50,180 This main function, it will check for ports, but we don't need to know that for now.
30 00:02:50,720 --> 00:02:53,090 Basically, it will open a socket.
31 00:02:53,120 --> 00:02:55,220 Let's go all the way down here.
32 00:02:55,470 --> 00:02:57,760 It will bind on a port.
33 00:02:57,770 --> 00:03:00,170 It's kind of similar to what we did in Python before.
34 00:03:00,830 --> 00:03:08,090 And then it will use a function which is recvfrom, similar to our UDP socket from Python, remember?
35 00:03:09,200 --> 00:03:18,830 And then after that, it will call the gettime function and it will pass an argument, which is the
36 00:03:18,830 --> 00:03:19,430 message.
37 00:03:19,460 --> 00:03:23,350 But the message buffer is what we receive from the client.
38 00:03:24:140 --> 00:03:25,970 So when we said hello or how are you?
39 00:03:26,000 --> 00:03:29,780 Everything is actually stored in the message buffer variable.
40 00:03:30,710 --> 00:03:31,790 And then we'll pass.
41 00:03:31,960 --> 00:03:39,410 It will be passed to the gettime function along with two other arguments, return string and received.
42 00:03:41,420 --> 00:03:44,810 Then we go all the way up.
43 00:03:45,440 --> 00:03:47,660 Check the gettime function here.
44 00:03:47,690 --> 00:03:53,840 This one here, we receive our message buffer, right.
45 00:03:54,770 --> 00:03:58,760 And then we come here.
46 00:03:58,760 --> 00:04:03,590 We have another variable, time buf, current time.
47 00:04:04,040 --> 00:04:05,630 We don't need to know that for now.
48 00:04:06,200 --> 00:04:10,820 But if you look here, there's an if statement to check the size.
49 00:04:11,570 --> 00:04:20,570 If the string length of the format, which is the message buffer, this one, if it's larger than time
50 00:04:20,570 --> 00:04:23,900 buf size, which is only 128.
51 00:04:23,910 --> 00:04:33,680 So it checks if we're only sending 128 or fewer bytes; if it's greater than that
52 00:04:33,680 --> 00:04:36,440 it will give us an error, process error.
53 00:04:37,560 --> 00:04:44,390 But if it's not, if it's less, then it will use the memcpy function and then it will copy the format
54 00:04:45,050 --> 00:04:45,770 to the memory.
55 00:04:46,250 --> 00:04:47,180 And that's what we need.
56 00:04:47,180 --> 00:04:47,400 Right.
57 00:04:47,420 --> 00:04:48,770 We need to go to the memory.
58 00:04:48,770 --> 00:04:55,100 We need it to be copied to the memory so we can manipulate the memory and overwrite it.
59 00:04:55,820 --> 00:04:58,130 But how do we pass this one?
60 00:04:58,130 --> 00:05:06,500 Because every time we send something larger than the buf size, it will come here and will send us
61 00:05:07,190 --> 00:05:08,000 process error.
62 00:05:08,210 --> 00:05:09,320 And we tried that.
63 00:05:11,450 --> 00:05:12,020 Let's try.
64 00:05:13,700 --> 00:05:21,520 So, for instance, if I connect again and send a lot of characters, what will happen? It echoed
65 00:05:21,530 --> 00:05:22,310 back to me.
66 00:05:23,150 --> 00:05:23,990 I did that.
67 00:05:25,970 --> 00:05:27,510 I think that's enough.
68 00:05:28,020 --> 00:05:36,930 See, I got process error, that means I was able to get to this line where it checks for the size.
69 00:05:37,200 --> 00:05:37,580 Right.
70 00:05:38,010 --> 00:05:42,860 But how do I, you know, like pass or bypass this one?
71 00:05:43,260 --> 00:05:45,780 Let's go back all the way to the bottom here.
72 00:05:45,960 --> 00:05:52,470 There is a vulnerability in, um, in the recvfrom.
73 00:05:56,600 --> 00:06:05,780 So if we send our string from before and put a null byte in it, a null byte, this function will keep receiving
74 00:06:05,780 --> 00:06:09,330 until a null byte is received, or until it reads a null byte.
75 00:06:09,390 --> 00:06:12,910 But what if we put the null byte in the very beginning of our string?
76 00:06:13,430 --> 00:06:14,420 Can we do that?
77 00:06:20,460 --> 00:06:22,410 Let's try again, just copy-paste this.
78 00:06:32,210 --> 00:06:37,610 Well, it gives us the same thing, but really what happens in the memory is completely different.
79 00:06:38,240 --> 00:06:39,260 Let's examine that.
80 00:06:42,150 --> 00:06:47,250 First, let's kill our currently running program.
81 00:06:53,550 --> 00:06:55,440 I'm opening it in GDB now.
82 00:07:00,480 --> 00:07:05,040 Now we need to set our disassembly flavor, the syntax, to be Intel,
83 00:07:08,610 --> 00:07:16,560 and we need to follow each fork to the child,
84 00:07:20,490 --> 00:07:25,920 and also we need to turn off detach on fork.
85 00:07:27,590 --> 00:07:28,030 OK.
86 00:07:28,860 --> 00:07:34,870 So let's break on main and then we need to run our program.
87 00:07:36,150 --> 00:07:40,860 We use run or r and then our argument, one two three four, which is our port.
88 00:07:42,810 --> 00:07:45,330 OK, now we've hit our breakpoint.
89 00:07:47,220 --> 00:07:51,150 So first, let's take a look at the main program, main function.
90 00:07:52,050 --> 00:07:57,660 Disassemble main, and in main
91 00:07:57,670 --> 00:08:07,200 what we need to take a look at is when we call our gettime function right here.
92 00:08:08,690 --> 00:08:13,100 So we also need to take a look at the gettime function.
93 00:08:17,080 --> 00:08:23,590 So the gettime function, after it receives our string, our buffer, it will come here to this line,
94 00:08:23,920 --> 00:08:26,430 this memory address, and then we'll call memcpy.
95 00:08:26,830 --> 00:08:32,940 And when it calls memcpy, it will copy all our string into the memory.
96 00:08:32,950 --> 00:08:33,380 Right.
97 00:08:33,850 --> 00:08:39,130 So we need to set a break after it copies everything
98 00:08:41,830 --> 00:08:43,990 and then we need to do continue.
99 00:08:45,430 --> 00:08:47,770 Now it's waiting for us to send something.
100 00:08:50,170 --> 00:08:51,820 Let's send the same thing again.
101 00:08:56,940 --> 00:08:57,380 OK.
102 00:08:59,880 --> 00:09:03,510 Um, nothing happened.
103 00:09:03,540 --> 00:09:10,740 I think our buffer was truncated, um, because of the cat. It didn't send the \x00, the null byte,
104 00:09:10,750 --> 00:09:12,600 so I'm going to fix this and I'll be right back.
105 00:09:14,640 --> 00:09:15,270 All right.
106 00:09:15,270 --> 00:09:15,760 I'm back.
107 00:09:15,990 --> 00:09:18,390 So the only thing I did here is just echo.
108 00:09:18,660 --> 00:09:26,730 I use echo and then dash e and, uh, backslash x zero zero for the null byte and then a bunch of A's.
109 00:09:27,700 --> 00:09:36,550 And the last of them is four B's, B, B, B, B, and then pipe all of that to netcat and send it to
110 00:09:36,970 --> 00:09:37,610 the server.
111 00:09:37,960 --> 00:09:38,650 Let's do that.
112 00:09:45,480 --> 00:09:52,110 OK, now we hit our breakpoint after the copy, that means it should be copied to the memory, right?
113 00:09:52,650 --> 00:09:53,580 Let's examine the stack.
114 00:09:57,540 --> 00:10:05,940 Let's look at the ESP. Oh, well, nice, so the stack pointer points here and our goal, our buffer,
115 00:10:06,510 --> 00:10:07,280 was copied.
116 00:10:07,290 --> 00:10:11,190 If you see here, this is the very beginning of our buffer, \x00.
117 00:10:11,370 --> 00:10:16,140 It was copied here, 00, and then 41 in hex is A.
118 00:10:16,980 --> 00:10:27,830 So 00 and then A, and then all these A's here, and then the last four B's.
119 00:10:28,680 --> 00:10:29,070 Right.
120 00:10:30,120 --> 00:10:32,100 Let's see what happens if we continue.
121 00:10:33,330 --> 00:10:42,090 Keep in mind the return address of our main function: if we disassemble our main, when
122 00:10:42,090 --> 00:10:48,080 we called our gettime here, we called it at this line.
123 00:10:48,150 --> 00:10:52,510 So when we return, we need to return to our next instruction, remember?
124 00:10:53,220 --> 00:10:55,080 So this is our next instruction.
125 00:10:55,470 --> 00:11:03,660 If we take a look at the stack again, this is the memory address of the next instruction after the
126 00:11:03,660 --> 00:11:11,940 gettime, which is just one zero zero four three fifteen seventy-two, one zero zero four three fifteen
127 00:11:11,940 --> 00:11:12,690 seventy-one.
128 00:11:12,850 --> 00:11:16,950 It was pushed on the stack when we called the gettime function.
129 00:11:19,020 --> 00:11:23,900 And then we have one address, two, three, our arguments, remember?
130 00:11:24,750 --> 00:11:33,720 OK, now we need to be able to overwrite this return address, right.
131 00:11:34,880 --> 00:11:42,440 First, let's continue and see what happens if we just pass this string to the function.
132 00:11:43,740 --> 00:11:45,390 Let's take a look at the gettime
133 00:11:45,390 --> 00:11:46,010 function again.
134 00:11:47,630 --> 00:11:51,710 This function is very long, so we need to pass this one and break here.
135 00:11:56,140 --> 00:11:56,740 Continue.
136 00:11:58,510 --> 00:12:02,080 All right, so we're at this instruction.
137 00:12:03,550 --> 00:12:13,240 Well, the problem is we got a segmentation fault, SIGSEGV, stopped. Why? We were actually still inside our
138 00:12:13,240 --> 00:12:14,560 string format function.
139 00:12:14,560 --> 00:12:23,500 For some reason, it was able to read our 42 42 42 42, which are the last four B's, as an invalid
140 00:12:23,500 --> 00:12:25,590 address, for some reason.
141 00:12:25,690 --> 00:12:26,090 Right.
142 00:12:28,210 --> 00:12:33,460 So let's see what this address was before we overwrote it. Going to start again.
143 00:12:34,750 --> 00:12:38,250 So here on the right side, I'm not going to overwrite this address.
144 00:12:38,260 --> 00:12:40,210 I'm just going to remove the last four B's.
145 00:12:41,450 --> 00:12:47,940 And then disassemble gettime again, and I'm going to stop this time here.
146 00:12:49,240 --> 00:12:52,960 I'm going to break and then continue.
147 00:12:54,980 --> 00:12:59,750 Send our buffer now. Looks like we're good.
148 00:13:01,310 --> 00:13:03,110 Let's check our stack.
149 00:13:07,340 --> 00:13:15,680 OK, so this is the address that we were able to overwrite last time when we got a segmentation
150 00:13:15,680 --> 00:13:16,070 fault.
151 00:13:17,720 --> 00:13:22,610 So let's check this address, see what this address is mapped to.
152 00:13:26,610 --> 00:13:33,600 Actually, it's the time buf variable, so for some reason when we call this string format in our program,
153 00:13:33,900 --> 00:13:37,350 it needs this address to be a valid address.
154 00:13:38,370 --> 00:13:40,150 And if it's not valid, it will crash.
155 00:13:40,530 --> 00:13:41,830 So that's fine, right?
156 00:13:41,850 --> 00:13:46,650 We can give it a valid address, but we will do that next time.
157 00:13:47,130 --> 00:13:52,950 So far, we were able to crash our program and get a segmentation fault, but we need to know how to bypass
158 00:13:52,950 --> 00:13:58,980 the segfault we just got from the string format function and overwrite the return address of the main
159 00:13:58,980 --> 00:13:59,520 function.
160 00:13:59,970 --> 00:14:06,300 Because even if we overwrite the return address of the main function now, it still won't reach it, because
161 00:14:06,300 --> 00:14:10,560 it will crash before it gets to that address.
162 00:14:12,090 --> 00:14:14,310 Thank you for watching and see you in the next one.