1
00:00:00,150 --> 00:00:04,540
Hello, everyone, welcome to a new video of our binary exploitation series.

2
00:00:05,400 --> 00:00:11,280
Last time we were able to crash our program by overwriting our stack and causing the strftime

3
00:00:11,280 --> 00:00:13,280
function to stop the execution.

4
00:00:14,160 --> 00:00:19,080
But remember, we're not able to overwrite our main function return address yet.

5
00:00:19,650 --> 00:00:24,210
We first need our strftime function to continue its execution.

6
00:00:25,470 --> 00:00:29,280
Let's take a look at the server.c program.

7
00:00:32,350 --> 00:00:39,160
If you look here, the strftime function is called after the memcpy, and then it will return

8
00:00:39,160 --> 00:00:40,120
to the main function.

9
00:00:41,860 --> 00:00:48,610
Last time we overwrote an address on the stack that belongs to the timebuf variable of the gettime

10
00:00:48,610 --> 00:00:49,390
function.

11
00:00:51,400 --> 00:00:51,910
This one.

12
00:00:55,720 --> 00:01:02,160
Let's see if we can replace this address with any other address, or if it is bound only to the timebuf

13
00:01:02,170 --> 00:01:02,680
address.

14
00:01:06,080 --> 00:01:08,870
Going to start our program in GDB again.

15
00:01:13,420 --> 00:01:14,590
Let me run the program.

16
00:01:21,240 --> 00:01:27,180
First thing, we need to take a look at the message buf variable, since we are actually copying everything

17
00:01:27,180 --> 00:01:27,560
to it.

18
00:01:35,100 --> 00:01:39,710
The address of the message buf is 40 43 30.

19
00:01:39,780 --> 00:01:43,740
So we must not forget we have zero zero in the very beginning.

20
00:01:43,740 --> 00:01:48,110
So 00 40 43 30, right?

21
00:01:49,010 --> 00:01:57,740
What if, instead of overwriting this address with the timebuf address, we give it any other address,

22
00:01:57,740 --> 00:01:59,000
like this address, for instance?

23
00:02:01,280 --> 00:02:04,430
So let's use this address in our

24
00:02:05,750 --> 00:02:06,620
buffer here.

25
00:02:07,910 --> 00:02:14,250
But remember, our Intel processors use something called little endian.

26
00:02:14,420 --> 00:02:16,650
So this will be reversed.

27
00:02:16,670 --> 00:02:21,140
So instead of 40 43 30, it will be 30 43 40 00.

28
00:02:21,620 --> 00:02:29,050
So here the first thing is 30 43 40 00.

29
00:02:29,390 --> 00:02:34,960
And then we need to put the backslash x because this is, um,

30
00:02:38,260 --> 00:02:45,220
just here, backslash x, backslash x in here.

31
00:02:45,490 --> 00:02:55,090
OK, now let's break after the strftime again here and continue.

32
00:02:56,110 --> 00:02:57,640
And then send our buffer.

33
00:02:59,770 --> 00:03:01,580
OK, so far so good.

34
00:03:01,600 --> 00:03:04,600
What if we step in? OK, so far we're done.

35
00:03:04,600 --> 00:03:04,890
Good.

36
00:03:05,140 --> 00:03:10,720
We didn't get any segmentation fault, even though we gave it another memory address.

37
00:03:10,750 --> 00:03:14,000
It is the memory address of the message buf, right?

38
00:03:14,200 --> 00:03:18,730
It's not the memory of the timebuf. Step in.

39
00:03:21,850 --> 00:03:22,870
So far, so good.

40
00:03:23,180 --> 00:03:30,610
Now, we should be returning to the main function right here if we look at the stack.

41
00:03:35,020 --> 00:03:40,750
The top of the stack is pointing to the memory address in the main function that we are returning back

42
00:03:40,750 --> 00:03:41,980
to, right?

43
00:03:43,740 --> 00:03:46,320
It's 00 40 15 b1.

44
00:03:48,820 --> 00:03:50,880
It's the same memory address as this one.

45
00:03:53,240 --> 00:03:59,360
When we called the gettime function, right, and we went to the gettime function, we finished executing

46
00:03:59,360 --> 00:03:59,770
everything.

47
00:03:59,780 --> 00:04:02,420
Now we need to go back to the next instruction.

48
00:04:03,260 --> 00:04:06,920
So that means the address that we need to put there

49
00:04:06,920 --> 00:04:11,220
is not bound to the timebuf, but it can be any other address.

50
00:04:11,870 --> 00:04:12,920
That's very good.

51
00:04:14,030 --> 00:04:16,880
Now, let's take a look at the message buf variable itself.

52
00:04:22,250 --> 00:04:26,690
OK, we were able to copy everything, right, the null byte and then our A's,

53
00:04:27,550 --> 00:04:32,750
all the way to the memory address of the message buf itself, right?

54
00:04:33,340 --> 00:04:33,970
That's fine.

55
00:04:34,720 --> 00:04:36,250
So now what's our next step?

56
00:04:36,650 --> 00:04:42,440
Our next step is to overwrite the memory address of, um, the return address.

57
00:04:42,460 --> 00:04:42,760
Right.

58
00:04:44,260 --> 00:04:44,670
All right.

59
00:04:44,680 --> 00:04:45,270
Let's do that.

60
00:04:48,790 --> 00:04:54,340
What we need to do now is, since our buffer is on the stack, we can overwrite the return address

61
00:04:54,340 --> 00:05:00,270
to point to the top of the stack or to point to the location of our message buf.

62
00:05:04,760 --> 00:05:09,790
Oh, sorry, the message buf at this location.

63
00:05:12,040 --> 00:05:18,370
Then instead of returning to the main function, it will go to this location and then it will execute

64
00:05:18,370 --> 00:05:19,720
our shellcode.

65
00:05:21,010 --> 00:05:25,410
But keep in mind that this variable is an uninitialized global variable.

66
00:05:25,450 --> 00:05:30,250
It's located in the BSS segment, if you remember that from our slides.

67
00:05:30,610 --> 00:05:33,130
And by default, it's not executable.

68
00:05:33,140 --> 00:05:35,140
So we can't just go there and execute it.

69
00:05:35,140 --> 00:05:36,760
Same thing goes for the stack.

70
00:05:37,120 --> 00:05:43,690
By default, we can't just jump to the top of the stack and execute it because it's not executable.

71
00:05:45,040 --> 00:05:51,850
So for the purpose of this video, we will make it executable by recompiling our program with the -z

72
00:05:52,250 --> 00:05:54,130
execstack argument.

73
00:05:58,510 --> 00:05:59,380
Let's do that.

74
00:06:01,570 --> 00:06:05,380
OK, now let's try again.

75
00:06:13,690 --> 00:06:17,110
This is a good time to break here.

76
00:06:24,350 --> 00:06:27,740
OK, let's examine the stack again.

77
00:06:32,910 --> 00:06:39,770
This is the return address, so we need to overwrite it. So far we are here, at this address, right?

78
00:06:39,780 --> 00:06:41,340
This is our message buf address.

79
00:06:41,670 --> 00:06:44,270
It could be any other valid address, right?

80
00:06:44,730 --> 00:06:54,860
So we need another four, eight, and then 12, and then another four, the last four, to overwrite the address.

81
00:06:55,110 --> 00:06:56,010
So let's try that.

82
00:06:57,810 --> 00:06:59,700
We come here and

83
00:07:01,820 --> 00:07:12,560
one, two, three, four, five, six, seven, eight, nine, 10, 11, 12, and then put

84
00:07:12,560 --> 00:07:19,280
the same address again of our message buf here.

85
00:07:20,540 --> 00:07:22,040
All right, let's run it again.

86
00:07:34,280 --> 00:07:42,680
OK, let's break again here after the strftime function.

87
00:07:44,200 --> 00:07:44,820
Continue.

88
00:07:46,820 --> 00:07:47,750
Let's send it.

89
00:07:49,260 --> 00:07:51,420
OK, let's first check our stack.

90
00:07:55,550 --> 00:08:07,370
OK, where is our last 41 41? So this is our first message buf address that we added, and then

91
00:08:08,000 --> 00:08:11,660
A's, A's, A's, and then again the same address.

92
00:08:11,690 --> 00:08:14,270
Well, let's start execution.

93
00:08:16,670 --> 00:08:18,260
OK, now let's check.

94
00:08:18,260 --> 00:08:19,090
What's the

95
00:08:20,260 --> 00:08:24,130
Nice, let's check the top of the stack.

96
00:08:26,570 --> 00:08:32,330
Nice, it points to our message buf, uh, variable, which is.

97
00:08:39,880 --> 00:08:47,170
So it's not working because we haven't compiled our program with the -g option, and that option with

98
00:08:47,180 --> 00:08:54,160
gcc will make the program contain some symbolic information, like the names of our variables, and more

99
00:08:54,160 --> 00:08:55,980
debugging information.

100
00:08:56,650 --> 00:09:00,280
But we can still check our message buf by its memory address.

101
00:09:00,280 --> 00:09:00,610
Right.

102
00:09:01,090 --> 00:09:07,570
We know that we sent the memory address with our code here, so we can check it here.

103
00:09:11,350 --> 00:09:16,840
Let's check the first hexadecimal address and then,

104
00:09:18,660 --> 00:09:20,640
in hex, and then.

105
00:09:22,390 --> 00:09:24,020
Remember, this is little endian.

106
00:09:24,310 --> 00:09:31,800
So instead of 30 43 40 00, it'll be 00 40 43 30.

107
00:09:33,690 --> 00:09:40,390
So this is our message buf variable, where we were able to copy everything here, everything we need.

108
00:09:40,920 --> 00:09:50,280
So this is our null byte in the very beginning and then the rest of our A's up until here; this is

109
00:09:50,280 --> 00:09:52,520
actually the same address of our message buf.

110
00:09:54,510 --> 00:10:01,740
Let me move this a little bit, and then we have another 12 A's.

111
00:10:01,890 --> 00:10:08,250
And then again the same address that we put here, because, you know, the strftime

112
00:10:08,250 --> 00:10:10,190
function needs valid addresses, right?

113
00:10:10,890 --> 00:10:16,740
So if you step in, step one instruction, and then keep going.

114
00:10:18,180 --> 00:10:22,730
Our function is almost ready to return to the main function.

115
00:10:23,100 --> 00:10:23,480
Right.

116
00:10:23,790 --> 00:10:29,700
So if we step in one more, now we haven't executed this ret instruction yet.

117
00:10:30,540 --> 00:10:32,970
So now our program is ready to go.

118
00:10:32,970 --> 00:10:37,470
Where to go? Here, to this message buf address.

119
00:10:37,680 --> 00:10:38,150
Right.

120
00:10:38,490 --> 00:10:41,600
It's at the top of the stack, ESP.

121
00:10:41,820 --> 00:10:44,760
Or check out the top of the stack.

122
00:10:44,760 --> 00:10:46,020
It's ready to go back.

123
00:10:46,030 --> 00:10:54,150
So if we step in one more time, it will go to our message buf and start executing it. Let's see if

124
00:10:54,150 --> 00:10:56,280
we just step in again and see what happens.

125
00:10:59,170 --> 00:11:02,150
Now we are inside our message buf.

126
00:11:02,710 --> 00:11:03,610
Let's continue.

127
00:11:06,670 --> 00:11:09:100
We got a segmentation fault. Why?

128
00:11:09,370 --> 00:11:17,500
Because we have zero zero, the null byte that we have in the very beginning of our buffer.

129
00:11:19,570 --> 00:11:20,680
This is a null byte.

130
00:11:20,950 --> 00:11:23,620
So once it reads the null byte, it will stop.

131
00:11:24,280 --> 00:11:31,510
So what we are going to do later is, instead of pointing it to the very, very beginning of our message

132
00:11:31,510 --> 00:11:41,070
buf at zero, we can make it start from here, from this point, and then we will fill all our message

133
00:11:41,080 --> 00:11:44,730
buf, all this section, with no-operation instructions.

134
00:11:45,370 --> 00:11:47,440
We will do that next in the next video.

135
00:11:48,700 --> 00:11:51,400
Thanks for watching and see you in the next one.