Hi everyone, and welcome to this video, also about software exploitation. So in this video we will go over another example. I explained last time, in previous videos, that there are three different ways to exploit a process or an application.

So we talked about exploiting the client using a local exploit, like a multimedia application, excuse me, by crafting a malicious playlist and feeding it to the multimedia application, or a word processor, also by feeding it a malicious, let's say, Word document; when the word processor tries to process it, you exploit a weakness in that application. Same thing applies to a PDF reader or really any other client application. Excuse me.

Then we jumped to exploiting the application remotely, so you have a service or a process which is running and listening for some connections, like an FTP server waiting for a connection to connect to it and then providing it some service, or a web server running remotely, like serving web pages, or really any other network service which you can access over the network. So in this case the threat actor will be sending their malicious, let's say, payload remotely. They don't need to, let's say, wait for the victim or anything else; once they find this service running, they are in direct contact with it.

And what I mean by that, a contact here, is, let's say, there is no filtering, no firewall, et cetera. So they can communicate with the process, then they can craft their malicious payload and send it remotely and exploit that process.

Now, the third one, which I left till the end, and I will use a really good example today and I'll explain why it's a good example in a little bit, is exploiting the client, but this time also remotely. So you might be looking at this and saying, hey, but the client is running on my computer, or it's running at the client's side and it's not running remotely. So how am I going to do that? The idea in this case, or in this scenario, is that the client themselves will visit your, like, evil website. So you, being the threat actor, might craft an evil website. Once the client visits that website, if the application they are using to visit that website, which is probably a web browser, has a weakness, then probably the actor will be able to exploit that weakness. Or a user has an FTP client and they want to connect to another server. So the threat actor will create an evil FTP server, and once the client connects to it, they will be served with an evil payload or with some malicious data to exploit that application.

Same thing applies for any other network service, or any service that you can use a client to connect to remotely. So this time what we are doing actually is the threat actor will be serving the client with an evil service. OK, again, the threat actor is going to be serving the client with an evil service. Now, what type of evil service? It depends on the type of application you want to target. If you are targeting an FTP client, then definitely it's an FTP server. If you are targeting a browser, then you might be interested in creating an evil website, and so on and so forth.

OK, so this is the example which we will be discussing today. Also, in the past couple of examples that we did, we were always looking, for example, for a jmp esp or call esp. This time it's not going to work. So in today's example, OK, the other thing which we will learn out of this, not just exploiting the client remotely, is there is no jmp esp. And I on purpose picked a really good example. There is no jmp esp, or let's say there is no jmp or call to ESP we can use. There is also a null byte. How are we going to deal with that? So there's a null byte.
There are situations similar to the one that we are going to deal with today, that you will see, where we can avoid the null byte and kind of fool the system, where we are going to work around the byte. And also the final thing is why a debugger is important. So why? This is another example which will show why the debugger is important. OK, this is also going to show why the debugger is important, and using a debugger we will be able to see where my data is going in memory and why I would go with this option, not this option. I'm going to do all of that. And yeah, so let's get started.

The example I decided to use for this one, to explain all the ideas, like we want to explain this, this one, and I also want to explain this, in this single example. We won't be doing anything in this video about bad characters, so we'll try to avoid them; I'll just use some bad characters which I already know are bad characters. How to deal with that? We have another video for that. But for now, let's just focus on how to deal with these three cases and work on exploiting a client remotely. OK, so let's start.

So here we are going to be targeting a client, an FTP client. It has a vulnerability in version 6.7, a remote buffer overflow. The exploit author is Sebastian Castro; you can go check his work out. The exploit is found on Exploit-DB, the same for the application, and you can find it under 44596. OK, so that's the exploit that we will be using. OK, so just make sure you install it: go here to this application and start the vulnerable application. I've done this a long time ago, but I think I have never had the chance to... but I prepared the video; I did a video on this yesterday, but unfortunately, due to a mistake, I posted it and forgot to unpause the video. So that's in the past now; I had to record it again. And actually I had to do the session again for my students because there was no recording, so I had to do it live today, and now I'm doing it again. But hopefully that will be good for everyone else.

So just make sure you install it. I think I only have two days left in my trial, so hopefully we'll get to exploit it today and get rid of it and move on to another case scenario. OK, so here is our application. Let's go to our threat actor, download the same file again; this is the one for 44596. Just download that, the code, the exploit. OK, and let's move it to this directory. So it's in Downloads; let's move it over here. I'm going to make a copy of it. By the way, again, I've explained this multiple times why I like to do this. So it's exploit1. OK, and let's do, yeah, let's open this using my mousepad editor. So open, and let's see, these were from my previous example, which I did at the college. So, where is my home? This one. Yeah, this one.

OK, so we're going to leave all the credits for Sebastian. We will just do a couple of modifications. We don't need the buffer for now because we are starting from scratch and moving on. I'm going to delete all of this. OK, a little of that, and then leave all of this. I just need to add one thing here, which is about the reusability; so this exploit, if you stop it and run it again, it will tell you that the port is already bound, port 21. So in order to avoid that, I think I found it; I forgot, I used to use it in the past, but this is the code to do that. Again, I haven't written a lot of Python code in a long time.
Now I'm getting, I think, a little bit rusty maybe. So this is going to enable the reusability; enable, let's just type it here, enable, kind of, reusability. And then port 21 will be freed. OK, so that's what we need here. We are going to delete all of this, by the way. We are going to start from scratch. So I'm going to delete. Though we know the payload size, by the way, is 400, we are going to start from scratch, so let's just put junk. OK, and then the junk here, I'm going to send A's multiplied by 400. I'm going to delete all of this; we don't need them now. At least we will gradually update our payload.

Let me just go quickly over what this is doing. So this is importing socket, and these are Python libraries, and then it will try to run this line of code. So that's why we have the try/except. So it's going to try to run this block of code, OK, which is actually creating a socket and it's binding it to the IP 0.0.0.0, which means it's listening on all interfaces, on port 21. So it's going to be listening on 21. OK, and then we are going to create a queue of five, then just display a message saying, this is the port your, like, FTP server started on, 21; that's what it's going to say. And then if anything fails here, we are going to get this message. So if this block fails, we will be getting this message. So that's part one.

Then we are creating the junk, the payload which we want to send, and then here in the loop we have, it's always true. So as long as there are payloads, or sorry, packets coming in from a client, or clients connecting, we want to use the socket and accept that connection. And from that, take the address and create an object of type socket. So this is a socket object, but this will have the details of the client, so we can use it to connect back to the client. And that's why we are using it here. So then it's clear that the user here, or let's say the owner of this FTP server, we can say welcome to my FTP server, for example. So this is going to be sent immediately to the client who is going to be connecting to our server. The client will send something here; most probably it is going to be a user name. So we are going to respond back with that: your username is OK.
This is the status code for that. Then the client, since the user name is OK, will send the password, then the server is going to respond back that your password is also OK. So these are all crafted, so it appears to the client that they are actually talking with an actual FTP server, while actually they are not. So then later on, the FTP server, this malicious server, will receive the payload from the... yes, it will receive a new, let's say, command from the client, and then what we are going to do is send 220 as a response, and the payload, and then "is current directory". So most probably what the client is going to be sending is the print working directory. Usually FTP clients, once they log in, will ask for the working directory that they got into. And that could also, by the way, be reconfigured in one of the applications. But in this case, this is what's happening. So now we have this going on.

Let's see what we need to do, so we can start python exploit1. OK, let's do that as well. So now listening on port 21, let's go to our client and connect to our server. So the server's IP address is this in my case; just make sure in your case you know what the IP address is, so I will need to just connect to it. So 192.168.8.109. Once I hit Connect, you can see we got this access violation. Let me drink some coffee.

So we got this access violation, and it means that something happened. Let's look at the commands that we received, actually. So let's look here a little bit and see what we have over here. So if you go back, we can see this, which is the "welcome to my FTP server", which the threat actors had in their code. So in their code, if you remember, here we did "welcome to my FTP server". OK, after that, the client sent the USER command, and then the password. So the user, anonymous; we responded back and said yeah, that username is OK. Then the client sent the password, the PASS command with the password itself. And then we also responded: yes, that's also OK. So they then sent print working directory, and the threat actor, or the malicious server, responded with 220 and all of this. So we sent back the 400, the 400 bytes of A's.

As you can see, by the way, the application didn't really crash like that and it's still working; I think we can still use it, but it didn't succeed in doing what we wanted it to do. So let's check it in a debugger and look closer at what happened in this case. So let's close, go to our debugger, Immunity. OK, now go open again. I've already done this, so if you go to the path, it will be installed in C:\Program Files (x86), the FTP client, and then just go to it; because I did this today with my students, and I also actually did it yesterday when my recording failed. So let me just, by the way, modify the appearance a little bit, because I had to change this for my class. Let's do this. I think it should be good. Yeah, this should be fine. Good. The application is paused, so let's start the application and connect to our malicious FTP server over again. Server is still running, right? We are still running, accepting commands, so let's run again, 192.168.8.109, and connect. So it crashed. OK, paused. It did pause, or kind of crashed, because the debugger now captured this. Now, let's look at this. What do we have here?
Do we have any control in the registers? So in the registers, when we look at this, in the past we were focusing mostly on ESP. So ESP now does not point anywhere on my buffer. The buffer, my A's, are here, so it's deep down in the stack. So it's not direct now, like you can see here. So it's not really pointing directly to my A's. So I no longer can, let's say, do a jmp esp. This is not going to work, or call esp; but if we go down a little bit, so it's not going to work. That one also. And currently we don't have... let's see what we have in EBP. So EBP is also not pointing to any of my bytes. But if we look at this, we got the string copied into ESI. So if we follow it, we can see that the string was in ESI. OK, so we control a register, but it's not ESP.

Let's do some modification to our malicious server and run it again, see what's going to happen, since we don't have control over EIP. Let's see what's going to happen; let's modify this, so restart and start that again. And while this is starting, I can drink coffee.

OK, start. Go back to our threat actor's application, the malicious server; I'm going to stop it again, I prefer to do it this way. So what we can do now, we can change, say, this is number two; it's up to you. But this way you have an idea what the changes are that you did. So if we had, like, one thousand, by the way, let's just add a number. So increase the number, see, will this overwrite EIP or not? So let's do that. No, not one, we want to do two. OK, run again, this is running, which is good. Let's bring this a little bit down here. So go back, and we have everything ready: 192.168.8.109 and connect. What happened here? We overwrote what? EIP. So it's interesting to know that the payload which we sent now overwrote EIP. So we are able to overwrite, overwrite onto EIP. So we have control over EIP. But again, the idea why I wanted to use this example is there are many things we will learn out of it. It's not just about sending a payload, overwriting EIP directly and then taking advantage of it, which in this case is not going to work. But let's see why it's not going to work. So EIP is overwritten. That's good, at least for now. We can see it's all overwritten with A's, and we can see it now overwritten, huh? We have two things overwritten.
But what we don't know yet is how many bytes do I need to write in order to overwrite EIP? Right. We need to know the offset. So, again, last time I think, or in the previous videos, we used Mona; this time let's use the MSF pattern_create. So let's restart again. Like you can see, this is a long process, trial and error; we keep doing that until we find at the end our working exploit. So now we need to modify this. So I'm going to create another file called number three. OK. But this time it's going to be a little bit different, and let's create our pattern: msf-pattern_create, the length will be 1000, right, that's what we used. So let's just copy the one thousand bytes and put it into our payload. So now our payload, instead of sending 1000 bytes of A's, we are going to send all this junk, which is a unique cycle. If you remember, we talked about this last time; it's a unique cycle, and it's in the buffer. So let's get this started. So let's run this again. This is number three. Yep. So three, run again. Everything is working properly, fine; let's go here and connect to our malicious FTP server.

Connected. So we have overwritten, and again, we have all of the other, EBP, like we saw, but with these characters, which I'm sure are part of our payload. We've overwritten ESI also with that, and we have overwritten EBP and also EIP. So let's copy that. No, I'm going to write that down, because I can't really copy and paste it into my threat actor machine, because this is running on a remote environment. So I'm going to write them down: six E, four one, four one, three three, six eight. OK, I'm going to write this down to use it and calculate the offset. Again, restart again. That's two; that's restart. Yeah, we do want to restart and then start again. OK. Run. While this is getting ready, let's run it. OK, so again, close this; see, we can close it, by the way, because we had that line which I added into the code, this one, which will allow us to close and run it again. Now, let's create another one, call it number four, and do a slight modification, but based on our calculation. So we need to do msf-pattern_offset this time, right, and we need to do a query.

And the query is, we want to ask for six E and then four two one six four two one three three and then six E again. So let's see. Oh. So the offset is 400 bytes. OK, so the offset is 400 bytes. Let's get this ready, which is number four, not running now until we update this. So this time what we are going to do is, we are going to delete this, put back our A's; this is multiplied by 400, right. Then we have EIP, because we need 400 A's to reach EIP. So let's put the B's in there. OK, we can do that, or we can just say B multiplied by four. And then after that, we need to put the pad, because we sent one thousand bytes. So let's just add that. This time I'm going to use a cool method instead of, like, calculating things manually every time. If you have math problems, like probably myself, we can use this way of doing it. So junk, calculating the junk, actually let me rename it now to offset. Even so, this is going to be offset. So I'm going to calculate the length of offset, OK, then subtract again the length of the EIP. I know it's only just four bytes; we could just say add those to EIP, but let's make our work clean.
349 00:23:46,310 --> 00:23:52,490 So we have offset iPads, though, what we are going to send here is the payload, our payload will 350 00:23:52,490 --> 00:23:53,600 be also offset. 351 00:23:54,380 --> 00:23:55,640 Plus, VIP. 352 00:23:57,120 --> 00:24:03,450 Plus iPad, so that's how our offset will look like, so we're going to subtract from that the length 353 00:24:03,450 --> 00:24:09,800 of the offset, the length of the chip, the rest with what will, let's say, CES. 354 00:24:09,820 --> 00:24:10,740 So let's do that. 355 00:24:10,770 --> 00:24:13,790 Fill it with CES and now let's run number four again. 356 00:24:13,800 --> 00:24:19,890 So if we do this wrong for twenty one and actually before I do that, let me do an update here. 357 00:24:19,900 --> 00:24:24,000 I like to do this usually also debugging purposes. 358 00:24:24,960 --> 00:24:31,740 The payload size is let's do this and then learn of payload. 359 00:24:32,370 --> 00:24:33,180 Let's do that. 360 00:24:33,180 --> 00:24:37,670 In this way we can keep continuously seeing the size of our payload. 361 00:24:37,680 --> 00:24:39,870 So the size is one thousand, which is correct. 362 00:24:39,990 --> 00:24:40,650 What we need. 363 00:24:40,980 --> 00:24:44,550 And let's go back here and connect to our Google server. 364 00:24:45,790 --> 00:24:52,030 So, again, one ninety two point sixty eight eight one or nine connect good. 365 00:24:52,150 --> 00:24:54,940 So we did overwrite what? 366 00:24:55,800 --> 00:25:04,380 Uh, i.p we managed to overwrite what IP and now let's look at this, because this is where this is 367 00:25:04,380 --> 00:25:06,780 one of the reasons why I chose this example, by the way. 368 00:25:07,560 --> 00:25:08,910 So we have. 369 00:25:09,760 --> 00:25:15,130 Overrating IPN, if we look at the stack, we can see the start here and then if we go down, down, 370 00:25:15,130 --> 00:25:21,760 down, more, more, more, we can see this is where our the bees, which got written into ippy. 
371 00:25:21,910 --> 00:25:27,100 And then we can see the C's come immediately after that, which looks good, right? 372 00:25:27,760 --> 00:25:28,960 Everything looks good here. 373 00:25:29,790 --> 00:25:30,160 Now. 374 00:25:31,800 --> 00:25:36,960 What are we going to do next? 375 00:25:36,990 --> 00:25:38,850 Let's just look at this also. 376 00:25:39,240 --> 00:25:43,540 We can see now what ESP actually is pointing at. 377 00:25:43,770 --> 00:25:47,160 So if we do "follow in stack", it is pointing at the C's. 378 00:25:47,210 --> 00:25:51,150 If we do "follow in dump", we can see again it is pointing at the C's. 379 00:25:51,400 --> 00:25:52,680 Please keep this in mind. 380 00:25:53,040 --> 00:26:00,420 Currently, ESP is pointing at the C part, while ESI is pointing to the A part. 381 00:26:01,140 --> 00:26:03,720 So if you remember, if we go back to our payload, 382 00:26:04,550 --> 00:26:17,030 we had here 400 bytes of A's, then the EIP and the C's. So in this example, I draw this, by the 383 00:26:17,030 --> 00:26:17,360 way, 384 00:26:18,850 --> 00:26:26,230 in Paint. I'm not a good designer, but I'll give it a try so we can see what's going on. 385 00:26:26,240 --> 00:26:28,510 So this is our stack, OK? 386 00:26:28,640 --> 00:26:28,960 Right. 387 00:26:29,350 --> 00:26:32,870 And let's maybe do it over here somewhere. 388 00:26:33,800 --> 00:26:36,350 So let's put it over here. 389 00:26:36,390 --> 00:26:43,500 Yeah, and let's put just the name EIP, so E, I, P, just like that, so we know what we are doing. 390 00:26:44,180 --> 00:26:52,910 So this is the EIP, and then what happened is the A's, or four B's, right, four B's. 391 00:26:53,390 --> 00:26:55,970 And then let's just add a filler, OK. 392 00:26:56,000 --> 00:26:57,380 These are all A's also. 393 00:26:57,770 --> 00:26:58,970 OK, these are all A's.
394 00:26:59,330 --> 00:27:07,850 And then what happened here is we got the C's: C's, C's, right, C's, and then we have the C's. 395 00:27:08,180 --> 00:27:11,390 So this is how our stack actually currently looks. 396 00:27:12,140 --> 00:27:21,110 OK, this is how our stack currently looks: we have A's and EIP and the C's, so we have our 397 00:27:22,070 --> 00:27:29,000 ESI actually pointing here, at the beginning, or actually the bottom, because the stack 398 00:27:29,060 --> 00:27:33,910 is the other way around, and we have the C's, which are beyond EIP. 399 00:27:33,920 --> 00:27:35,390 So it's pointing at the other part. 400 00:27:35,620 --> 00:27:38,960 OK, so just keep that in mind, because it's very important. 401 00:27:38,960 --> 00:27:39,310 Why? 402 00:27:39,710 --> 00:27:46,670 Because it means if I am going to want to put my payload in this area, then I need to use which one? 403 00:27:46,970 --> 00:27:49,240 I need to use ESP. 404 00:27:49,370 --> 00:27:52,160 Right, because the payload is in the C part. 405 00:27:52,430 --> 00:28:00,380 If I want to put my payload in the A's, then I will need to use the ESI, because ESI is pointing 406 00:28:00,380 --> 00:28:00,880 to the A's. 407 00:28:01,070 --> 00:28:04,490 So this is really why I chose this example. 408 00:28:04,640 --> 00:28:06,950 And you'll see, we still haven't 409 00:28:08,440 --> 00:28:15,150 dug more into this, but you'll see why, probably, if I use ESP it's not going to be a good decision, 410 00:28:15,610 --> 00:28:18,950 while if I use ESI, sorry, it's going to be a good one. 411 00:28:19,120 --> 00:28:19,510 Why? 412 00:28:19,510 --> 00:28:20,380 I'm not going to tell. 413 00:28:20,410 --> 00:28:24,900 Let's just get into that and see it for ourselves, though. 414 00:28:25,030 --> 00:28:26,710 Let's decide to go. 415 00:28:27,010 --> 00:28:34,290 Because at the end, you explore the ways you will be able to exploit the application.
416 00:28:34,570 --> 00:28:37,300 So let's decide to go the first way. 417 00:28:38,170 --> 00:28:39,810 The first one: use ESP. 418 00:28:40,300 --> 00:28:42,480 So we are deciding to do ESP. 419 00:28:42,490 --> 00:28:48,090 So what we need to search for is a jump or a call ESP, right? 420 00:28:48,100 --> 00:28:49,360 That's what we need to search for. 421 00:28:49,390 --> 00:28:52,810 So if I do find, and that is jump ESP. 422 00:28:54,620 --> 00:28:58,700 So do we have one? We do have one, but it has a null byte. 423 00:28:58,930 --> 00:29:04,250 OK, so let's try to find maybe a call ESP. 424 00:29:06,060 --> 00:29:11,670 Also, by the way, this is in the same application; we are using the application itself. 425 00:29:11,700 --> 00:29:16,170 I'm not going to use anything like we did in previous examples. 426 00:29:16,320 --> 00:29:19,140 This time, I want to explain a different method. 427 00:29:19,150 --> 00:29:21,370 So that's why I'm using the same example here. 428 00:29:21,720 --> 00:29:30,210 So, again, you can go with call ESP or jump ESP, but it really doesn't make a difference, because 429 00:29:30,210 --> 00:29:31,740 they both do the exact same thing. 430 00:29:31,740 --> 00:29:32,170 Kind of. 431 00:29:32,640 --> 00:29:36,440 So let's take this address, which is call ESP. 432 00:29:36,450 --> 00:29:41,610 Let's put a breakpoint on it, and I'm going to just type it, write it down, I mean, on my paper here 433 00:29:42,030 --> 00:29:49,380 so I can copy it: 6E, and then 82, and then 40. 434 00:29:50,430 --> 00:29:51,690 OK, so let's do that. 435 00:29:52,530 --> 00:29:58,990 So we are going to target our ESP by jumping to, or doing a call to, ESP. 436 00:29:59,040 --> 00:30:07,710 OK, so we are going to send this address into EIP, replace this with this, and try and 437 00:30:07,710 --> 00:30:13,590 send it and get to this code, this data over here, which are the C's.
438 00:30:13,860 --> 00:30:14,780 Let's restart. 439 00:30:14,940 --> 00:30:15,750 OK, yes. 440 00:30:18,090 --> 00:30:20,130 And then start the application. 441 00:30:22,960 --> 00:30:23,710 More coffee. 442 00:30:24,720 --> 00:30:25,650 Start. 443 00:30:31,010 --> 00:30:38,390 And now, yep, let's go to our threat actor and modify the code, so let's do five. 444 00:30:39,250 --> 00:30:40,510 So this is now five. 445 00:30:42,700 --> 00:30:47,530 And then what we are going to do: the A's are going to stay the same; we are just going to modify 446 00:30:47,530 --> 00:30:48,070 this part. 447 00:30:48,070 --> 00:30:50,020 So this will be 0x 448 00:30:51,210 --> 00:31:00,300 and it will be 40, 82, 6E, right, zero, zero, zero, right. 449 00:31:00,420 --> 00:31:03,390 That's the number we will be sending there. 450 00:31:03,420 --> 00:31:05,930 OK, so now let's run this again. 451 00:31:06,740 --> 00:31:10,430 But this time number five. 452 00:31:12,030 --> 00:31:18,330 And we have also one thousand bytes; everything, the size of our payload, is correct. Let's get our 453 00:31:18,330 --> 00:31:27,830 application and connect to our evil FTP server, 192.168.8.109, and 13. 454 00:31:28,820 --> 00:31:29,630 Look what happened. 455 00:31:31,690 --> 00:31:38,470 So actually, what happened is we didn't jump to the... we didn't jump 456 00:31:39,240 --> 00:31:41,940 to ESP, the call ESP; we didn't jump there. 457 00:31:41,960 --> 00:31:46,710 We didn't go that way, because as you can see here, we have part of that address, by the way. 458 00:31:46,710 --> 00:31:54,800 We can see the 6E, 82, 40, I mean, but it got stuffed with this 459 00:31:54,820 --> 00:31:56,570 6F from somewhere. 460 00:31:56,580 --> 00:31:57,510 We don't know that. 461 00:31:57,510 --> 00:31:59,010 It got stuffed from somewhere. 462 00:31:59,340 --> 00:32:00,720 But let's look at the stack.
463 00:32:00,720 --> 00:32:02,570 Let's go up the stack and look down here. 464 00:32:02,580 --> 00:32:05,220 So this is where our A's came in. 465 00:32:05,250 --> 00:32:09,240 This is where our A's came in, and let's go down now. 466 00:32:10,170 --> 00:32:12,360 Then look here at what happened. 467 00:32:12,480 --> 00:32:18,480 So what happened is all of our data in our stack got truncated. 468 00:32:18,480 --> 00:32:18,870 Why? 469 00:32:19,080 --> 00:32:20,100 Because of the null byte. 470 00:32:20,930 --> 00:32:23,210 So the null byte actually caused 471 00:32:24,200 --> 00:32:31,700 us to lose the C's. We don't know where the C's are anymore; that's why we use a debugger. 472 00:32:31,880 --> 00:32:39,590 We can wander around, take, explore what's available in the memory of this application, 473 00:32:39,590 --> 00:32:40,910 what's inside its head. 474 00:32:41,180 --> 00:32:43,190 And we can see there are no C's anymore. 475 00:32:43,310 --> 00:32:45,620 We lost those C's. 476 00:32:45,950 --> 00:32:50,180 They are probably somewhere, but we don't know, or maybe they didn't even get to the memory. 477 00:32:50,570 --> 00:32:51,200 We don't know. 478 00:32:51,200 --> 00:32:53,420 We can't see them, at least in the stack. 479 00:32:53,420 --> 00:32:54,200 We can't see them. 480 00:32:54,200 --> 00:32:56,210 We might do some search. 481 00:32:56,600 --> 00:33:01,390 But what happened is that null byte truncated the rest of the code. 482 00:33:02,620 --> 00:33:11,030 OK, that null byte truncated the rest of the code. Let me just turn off my phone, but 483 00:33:11,070 --> 00:33:18,030 it's silent. So that means our call ESP will not be successful. 484 00:33:18,040 --> 00:33:18,370 Why? 485 00:33:18,370 --> 00:33:18,910 Because.
486 00:33:20,040 --> 00:33:28,260 The ESP, or the jump, means if I'm going to put my payload in the C side, or in the C part of 487 00:33:28,260 --> 00:33:31,850 my exploit, I'm going to lose it. 488 00:33:31,860 --> 00:33:32,020 Why? 489 00:33:32,070 --> 00:33:32,780 Because I don't know. 490 00:33:33,000 --> 00:33:35,760 I no longer... it is going to be after the null byte. 491 00:33:36,980 --> 00:33:44,330 Right, it is going to be after the null byte, and I know I don't control the area beyond the null byte. I don't 492 00:33:44,330 --> 00:33:44,900 control it. 493 00:33:44,900 --> 00:33:47,150 I can't see where those C's are. 494 00:33:47,810 --> 00:33:51,810 So we need to go back and check the other way around, which is using ESI. 495 00:33:51,950 --> 00:33:59,930 OK, so we can't do the ESP, because this null byte truncated the code and ESP was pointing to the second part 496 00:33:59,930 --> 00:34:00,850 of my payload. 497 00:34:01,520 --> 00:34:09,050 So let's go back, and this time use a different method, which is to use either a jump ESI or a call ESI. 498 00:34:10,010 --> 00:34:10,790 Uh. 499 00:34:11,770 --> 00:34:13,030 So let's start this again. 500 00:34:14,750 --> 00:34:15,340 OK. 501 00:34:16,900 --> 00:34:17,560 Start. 502 00:34:18,640 --> 00:34:21,430 And let's go to our module. 503 00:34:22,310 --> 00:34:30,070 And just search for... what on earth? I want a call ESI this time, and we have this address. 504 00:34:30,080 --> 00:34:31,540 So let's put a breakpoint here. 505 00:34:32,120 --> 00:34:39,290 Let me just type that down, which is 00, 40, 12, 78. 506 00:34:40,050 --> 00:34:43,110 Now you'll say, hey, but this one also has a null byte. 507 00:34:43,260 --> 00:34:44,440 How are you going to deal with that? 508 00:34:45,090 --> 00:34:50,540 Now, the trick here is, and this is why, again, we need a debugger, and this is why in exploitation 509 00:34:50,550 --> 00:34:53,510 each case should be taken differently, or separately.
510 00:34:53,790 --> 00:34:57,500 I would say not all cases are exactly the same. 511 00:34:57,510 --> 00:35:04,320 Every case has its ups and downs, and it will interact with the data we send differently. 512 00:35:04,770 --> 00:35:11,190 So in this case, we remember that ESI was pointing to our stack, but it was pointing to a part 513 00:35:11,430 --> 00:35:13,890 at the beginning, which we already control. 514 00:35:14,130 --> 00:35:17,400 So what this means, or what I'm trying to say here, 515 00:35:18,760 --> 00:35:28,030 is we could probably add these bytes at the end of my payload, OK, add these bytes at the end of my 516 00:35:28,030 --> 00:35:28,630 payload, 517 00:35:29,460 --> 00:35:40,650 and get that stuffed into EIP, like just pushing it into EIP, OK, but without the second part 518 00:35:40,650 --> 00:35:41,310 of the payload. 519 00:35:42,170 --> 00:35:48,590 Again, what we are going to do here is to offset the number of bytes here. 520 00:35:48,680 --> 00:35:51,590 So we are going to send these bytes, same thing. 521 00:35:52,040 --> 00:36:00,530 But here, instead of sending all of the, let's say... let me just create a copy of this. I will 522 00:36:01,400 --> 00:36:07,370 modify this one, so what we are going to do is send, instead of all of EIP, just 523 00:36:07,370 --> 00:36:10,130 three bytes of it. The null byte 524 00:36:10,130 --> 00:36:11,270 we will not send. 525 00:36:11,450 --> 00:36:17,060 The application will add it itself to terminate the string, and then everything after this, 526 00:36:17,060 --> 00:36:20,120 actually, we will not send anything, because it's not going to matter. 527 00:36:20,570 --> 00:36:23,920 OK, so we're going to send A's and then three bytes here. 528 00:36:24,620 --> 00:36:25,000 Three. 529 00:36:25,160 --> 00:36:25,880 Let me. 530 00:36:25,880 --> 00:36:26,840 You can delete this.
531 00:36:29,840 --> 00:36:35,450 And just write down three bytes of 532 00:36:36,350 --> 00:36:38,060 oh, yes. 533 00:36:38,610 --> 00:36:39,980 OK, three bytes from the 534 00:36:40,430 --> 00:36:41,840 yes, that's what we are going to say. 535 00:36:42,290 --> 00:36:47,390 And again, what will happen is the system will automatically, or the application will, add that null byte 536 00:36:47,390 --> 00:36:51,460 at the end, because it will need to terminate the string. 537 00:36:51,470 --> 00:36:52,580 So we have that here. 538 00:36:52,580 --> 00:36:53,660 We have everything ready. 539 00:36:54,500 --> 00:36:56,060 Let's get started. 540 00:36:56,090 --> 00:36:58,880 So we'll go back to this now. 541 00:36:58,880 --> 00:37:01,790 Do number six, modify the code. 542 00:37:03,960 --> 00:37:05,670 This is going to be number six. 543 00:37:06,690 --> 00:37:13,080 And this time, what I'm going to do is EIP: we are going to remove the null byte, but let's also modify 544 00:37:13,080 --> 00:37:13,770 the whole code. 545 00:37:14,220 --> 00:37:22,810 So this time we have 78, and then we have 12, and then we have 40. 546 00:37:22,830 --> 00:37:25,380 We are not going to send the null byte, OK? 547 00:37:26,370 --> 00:37:32,280 In this case, let me just take this out, and then I'm going to just send payload: offset and EIP. 548 00:37:32,280 --> 00:37:35,430 We no longer need the pad. 549 00:37:35,460 --> 00:37:36,650 We no longer need the pad. 550 00:37:37,080 --> 00:37:38,690 So I'm going to 551 00:37:38,700 --> 00:37:40,110 yeah, I'm going to leave it this way. 552 00:37:40,350 --> 00:37:47,730 OK, we no longer need it, because we have the four hundred and then we have this, which the system will 553 00:37:47,730 --> 00:37:49,730 automatically, actually, kind of add. 554 00:37:50,160 --> 00:37:54,390 You can think of it like this: the system or application 555 00:37:55,710 --> 00:38:02,250 will add zero zero,
556 00:38:03,370 --> 00:38:05,910 which is the null byte. 557 00:38:06,190 --> 00:38:07,310 OK, so let's start. 558 00:38:07,330 --> 00:38:11,860 Let's check this out and see if that's true, or if I'm just making this up. 559 00:38:13,570 --> 00:38:16,490 So now let's go here. 560 00:38:16,900 --> 00:38:18,460 This is number six. 561 00:38:19,480 --> 00:38:24,820 This time the payload is four hundred and three, because four hundred is our offset and the 562 00:38:24,820 --> 00:38:31,810 three is the three bytes of our jump, our call ESI. Before I run it, 563 00:38:31,810 --> 00:38:35,080 I do remember I put a breakpoint on. 564 00:38:36,110 --> 00:38:40,650 So this is the one we are using, call ESI. 565 00:38:40,710 --> 00:38:41,060 Right. 566 00:38:41,780 --> 00:38:42,500 Let's do it. 567 00:38:42,500 --> 00:38:44,000 I'm going to delete this one. 568 00:38:44,000 --> 00:38:44,710 Delete this one. 569 00:38:44,930 --> 00:38:45,970 Keep the 570 00:38:45,980 --> 00:38:48,590 and you can just, like, hit the delete button on your keyboard. 571 00:38:48,890 --> 00:38:50,210 It will delete those. 572 00:38:50,390 --> 00:38:55,540 So I'm just going to leave this breakpoint, which is actually, as you can see, this one. 573 00:38:56,060 --> 00:39:03,800 And let's go back to wherever we were and now connect to our evil server, 192.168. 574 00:39:03,800 --> 00:39:05,480 8.109. 575 00:39:06,380 --> 00:39:08,340 And then what happened here? 576 00:39:09,140 --> 00:39:14,240 So look, what happened here is you can see we got to the ESI, which is great. 577 00:39:14,600 --> 00:39:19,130 If we follow it in the dump, it includes our payload, which is the A's. 578 00:39:19,370 --> 00:39:24,190 And I know we have this construction here, but it's not really going to matter, and we will see that. 579 00:39:24,500 --> 00:39:27,880 And then after that, we have the whole A's; we can see that.
580 00:39:28,340 --> 00:39:31,130 And then here in the stack, until... you can see it even here. 581 00:39:32,590 --> 00:39:39,250 So this is where the A's end, and then we can see the address, which is 78, 12, 40, and then the null byte 582 00:39:39,280 --> 00:39:41,500 got added automatically, same thing here. 583 00:39:41,500 --> 00:39:44,410 If you go down in the stack, go down, down, down, down, down, 584 00:39:44,830 --> 00:39:47,140 and then you can see here the 41, 41. 585 00:39:47,140 --> 00:39:57,070 And then we have the address, which is 00, 40, 12, 78, which got pushed into 586 00:39:57,250 --> 00:39:58,000 EIP. 587 00:39:58,120 --> 00:40:03,760 And that's why now we control EIP with this partial address that we sent. 588 00:40:03,910 --> 00:40:08,650 If we do F7, we will jump to this area which we control. 589 00:40:08,650 --> 00:40:12,550 And now these are all the A's that we sent. 590 00:40:12,790 --> 00:40:16,930 So everything is working exactly properly, as we want. 591 00:40:17,230 --> 00:40:17,650 Right. 592 00:40:18,280 --> 00:40:25,630 But if we added... you can see now why we went with the ESI case; we didn't go with the ESP case, because 593 00:40:25,630 --> 00:40:28,720 ESP was pointing at some area over here. 594 00:40:29,140 --> 00:40:37,510 And once we added that address at the end here, it truncated the code behind the address, behind the 595 00:40:37,510 --> 00:40:37,990 EIP. 596 00:40:38,230 --> 00:40:44,080 We go back to our design: when we added the null byte, it truncated all of that, so I no longer 597 00:40:44,080 --> 00:40:45,870 control it; I don't know what it is. 598 00:40:46,330 --> 00:40:48,550 So that's why we had to use the 599 00:40:48,550 --> 00:40:50,450 ESI instead of ESP. 600 00:40:50,470 --> 00:40:51,610 So that's why. 601 00:40:53,580 --> 00:40:55,040 That is the first one: the jump.
602 00:40:55,860 --> 00:41:02,720 We have a null byte, and why that is important in exploitation: trial and error. I know that it takes time. 603 00:41:02,790 --> 00:41:03,720 I also know that. 604 00:41:03,720 --> 00:41:09,690 But at the end, it's fun once you get everything sorted out and you understand what you are doing. 605 00:41:09,960 --> 00:41:11,220 So let's restart this. 606 00:41:12,890 --> 00:41:20,750 Again, and go modify our code a little bit, so all should be running right. 607 00:41:21,030 --> 00:41:21,440 Good. 608 00:41:22,020 --> 00:41:24,200 Go back here and let's stop. 609 00:41:24,860 --> 00:41:35,210 This time, what I'm going to do is... we can, let's change this with, like, NOPs. So 610 00:41:35,210 --> 00:41:36,560 I'm going to modify the code 611 00:41:37,360 --> 00:41:42,010 and the payload, maybe. So it's time to, probably, payload. 612 00:41:43,510 --> 00:41:44,020 Still. 613 00:41:45,130 --> 00:41:49,680 We can do... let's put this over here, and now we need the pad. 614 00:41:50,440 --> 00:41:51,880 So let's do. 615 00:41:52,800 --> 00:41:55,360 We need to do some calculations and create our payload. 616 00:41:55,950 --> 00:41:58,340 So let's go to a payload. 617 00:41:58,350 --> 00:41:59,430 Let's use this. 618 00:41:59,940 --> 00:42:01,260 How did I get these? 619 00:42:01,890 --> 00:42:04,430 Don't ask me now; you'll know later. 620 00:42:04,680 --> 00:42:12,720 But for now, let's just generate this payload and use it for our testing. 621 00:42:12,900 --> 00:42:14,520 So let's bring this a little bit up. 622 00:42:15,280 --> 00:42:15,660 The. 623 00:42:16,610 --> 00:42:21,470 So let me copy all of this, and then we'll modify them inside our code. 624 00:42:23,110 --> 00:42:30,220 So go here; we are going to modify this code with this. I'm going to delete 625 00:42:31,270 --> 00:42:33,150 this line; I don't need it. 626 00:42:34,060 --> 00:42:35,380 Right, we don't need that.
627 00:42:35,410 --> 00:42:39,340 This is going to be commented out, and we don't need any of this. 628 00:42:39,340 --> 00:42:41,260 We just use this way. 629 00:42:41,650 --> 00:42:43,690 If not, I can remember. 630 00:42:44,820 --> 00:42:46,890 Remember, what is the command that I used? 631 00:42:46,920 --> 00:42:49,610 OK, so in this case, this is our payload. 632 00:42:49,620 --> 00:42:52,570 You can see the size is 220. 633 00:42:53,070 --> 00:42:55,260 Do we have enough space 634 00:42:59,340 --> 00:43:01,680 in this area to push our payload? 635 00:43:02,810 --> 00:43:07,940 Now, if you are in a class with me, I will be asking you that question, but since this is just a 636 00:43:07,940 --> 00:43:10,010 recording, the answer is what? 637 00:43:10,010 --> 00:43:11,080 Let me drink some coffee. 638 00:43:13,870 --> 00:43:15,670 The answer is yes, we do have that. Why? 639 00:43:15,670 --> 00:43:18,820 Because this is 400 bytes, so there's 400, right. 640 00:43:19,030 --> 00:43:22,890 And we only have a payload of 220 bytes, so everything looks good. 641 00:43:23,350 --> 00:43:25,870 So let's go back and modify our payload. 642 00:43:25,870 --> 00:43:26,740 So we have this. 643 00:43:28,300 --> 00:43:31,930 So what I'm going to do now, I'm going to add some NOPs at the beginning. 644 00:43:32,470 --> 00:43:35,900 I'm going to do 16, and on purpose I'm going to do 16. 645 00:43:35,920 --> 00:43:36,870 You'll also see why. 646 00:43:37,300 --> 00:43:45,010 But let's change this to \x90 for the NOP. What do we need now to do? 647 00:43:45,400 --> 00:43:46,450 We need to put the pad. 648 00:43:46,450 --> 00:43:55,960 Right, because our buffer here, if we go back, our buffer is not 16 bytes; it's four 649 00:43:55,960 --> 00:43:56,530 hundred bytes. 650 00:43:56,530 --> 00:43:57,640 So I need to modify this. 651 00:43:58,120 --> 00:43:59,670 So we have the 16 bytes. 652 00:43:59,710 --> 00:44:01,710 Now let's get the pad.
653 00:44:01,840 --> 00:44:03,600 So let's bring it over here. 654 00:44:04,390 --> 00:44:06,990 But this time the pad is actually 400, right. 655 00:44:07,900 --> 00:44:11,440 And then what I'm going to subtract from it is the NOPs. 656 00:44:13,440 --> 00:44:15,060 And also the buffer. 657 00:44:15,990 --> 00:44:24,150 So I'm going to subtract from that the buffer, and I'm going to replace this with also 90, so the buffer 658 00:44:24,150 --> 00:44:26,890 will come in here, but I'm just going to put a placeholder. 659 00:44:27,420 --> 00:44:32,410 So what will happen is we'll put NOPs, buffer, pad, and then EIP! 660 00:44:32,610 --> 00:44:37,050 So if we go back here, just to understand, we'll put the buffer, the NOPs. 661 00:44:37,800 --> 00:44:41,640 We write this down, but let's use a different color. 662 00:44:41,910 --> 00:44:43,630 Black, for example. 663 00:44:44,250 --> 00:44:51,360 So we will have here the NOPs, we will have here then the buffer, which is the payload or the shellcode. 664 00:44:52,290 --> 00:44:56,010 Shell... yeah, let's just put it anyway, you know what I mean? 665 00:44:56,310 --> 00:44:58,980 And then we'll have the pad, right. 666 00:44:59,190 --> 00:45:05,290 So there's a placeholder, NOPs, pad, until we reach this location. 667 00:45:05,310 --> 00:45:05,610 Right. 668 00:45:05,640 --> 00:45:07,120 This is what we are doing right now. 669 00:45:07,620 --> 00:45:08,850 This is exactly what we are doing. 670 00:45:08,880 --> 00:45:10,260 So NOPs, buffer, pad. 671 00:45:10,260 --> 00:45:11,550 Pad, pad, until we see. 672 00:45:12,630 --> 00:45:13,160 All good. 673 00:45:13,290 --> 00:45:13,770 Let's 674 00:45:15,610 --> 00:45:21,670 make sure everything is working. So the NOPs, the buffer, just put as a placeholder here so you can 675 00:45:21,670 --> 00:45:25,020 understand, you can visualize it in your head. 676 00:45:25,940 --> 00:45:26,770 Four hundred.
677 00:45:27,870 --> 00:45:33,690 Remove 16 NOPs from it, remove the buffer size, and then multiply the rest by 90, so we'll fill 678 00:45:33,690 --> 00:45:39,870 the rest of the buffer, or the rest of the payload, the rest of the 400 bytes, with NOPs, OK, and 679 00:45:39,870 --> 00:45:40,920 then our EIP. 680 00:45:41,250 --> 00:45:44,590 So what we need to do here is modify our payload. 681 00:45:45,030 --> 00:45:46,200 So now it's NOPs. 682 00:45:47,710 --> 00:45:52,460 And then buffer, right, and then pad, and then EIP at the end. 683 00:45:52,480 --> 00:45:58,660 So this is how, because, like, I wrote them: NOPs, buffer, pad; NOPs, buffer, pad, then the EIP. 684 00:45:58,930 --> 00:46:01,930 So let's now run this code, which is number 7. 685 00:46:03,380 --> 00:46:03,790 Good. 686 00:46:03,860 --> 00:46:05,150 Everything is working. 687 00:46:05,330 --> 00:46:16,370 So let's do the same thing: go back, 192.168.8.109. 688 00:46:16,670 --> 00:46:21,400 And we called ESI, so we stopped on our breakpoint. 689 00:46:21,410 --> 00:46:22,720 We are now at ESI. 690 00:46:22,790 --> 00:46:23,120 Right. 691 00:46:23,480 --> 00:46:28,050 And you can see, by the way, here in the buffer, these are where our 16 NOPs are. 692 00:46:28,280 --> 00:46:30,000 These are where our 16 NOPs are. 693 00:46:30,200 --> 00:46:33,130 And then this is where we have the shellcode. 694 00:46:33,140 --> 00:46:41,500 And then after the shellcode comes our more buffer of NOPs, more NOPs, NOPs, NOPs. 695 00:46:41,780 --> 00:46:48,960 And then you can see this is where we had our call ESI, which got pushed into EIP. 696 00:46:49,140 --> 00:46:51,620 OK, now if we take that call. 697 00:46:52,970 --> 00:46:55,000 So now we are, 698 00:46:55,220 --> 00:46:55,870 what did I do? 699 00:46:57,390 --> 00:47:00,900 Did I step into it, or did I run it, actually? 700 00:47:02,260 --> 00:47:05,620 No, I don't know what I did exactly.
701 00:47:05,650 --> 00:47:06,960 Let me just repeat this again. 702 00:47:06,970 --> 00:47:07,420 Sorry. 703 00:47:10,660 --> 00:47:17,410 I think I hit F9, but even with F9 it should work, which means we probably have a bad character. 704 00:47:18,540 --> 00:47:21,000 Let me check again here. 705 00:47:22,620 --> 00:47:23,400 Excuse me. 706 00:47:28,260 --> 00:47:30,690 So we have these. 707 00:47:32,520 --> 00:47:33,270 Uh. 708 00:47:36,870 --> 00:47:38,750 Should we just do it like this? 709 00:47:40,030 --> 00:47:47,140 I know it's not going to change the byte itself, but I just cannot do it, because I usually do 710 00:47:47,140 --> 00:47:47,860 it this way. 711 00:47:49,050 --> 00:47:49,910 And. 712 00:47:53,820 --> 00:47:55,540 It's weird why this didn't work. 713 00:47:55,560 --> 00:47:56,560 We will check it out. 714 00:47:56,580 --> 00:47:57,200 No problem. 715 00:47:57,960 --> 00:48:01,770 Oh, now, if I get rid of all of this. 716 00:48:03,400 --> 00:48:07,480 OK, let's put the brackets; I like to do it this way. 717 00:48:08,810 --> 00:48:11,680 Remove these. 718 00:48:11,710 --> 00:48:13,360 So this is our buffer. 719 00:48:14,260 --> 00:48:16,580 And this should really work. 720 00:48:16,600 --> 00:48:18,700 Why is this not working? 721 00:48:19,180 --> 00:48:20,620 Let's check it out. 722 00:48:21,560 --> 00:48:24,670 So we have NOPs, then the buffer, 723 00:48:26,220 --> 00:48:31,410 then this. Yeah, everything should be fine; let's run it again. 724 00:48:32,980 --> 00:48:36,990 And let's do this for three. 725 00:48:37,870 --> 00:48:39,100 Come back here. 726 00:48:40,160 --> 00:48:45,650 Sometimes we won't be able to run it in the debugger, so we can test it. 727 00:48:46,410 --> 00:48:53,250 Like, so call ESI, correct; if we do... oh, great, yeah, I think I pressed something by mistake 728 00:48:53,250 --> 00:48:53,450 then. 729 00:48:54,090 --> 00:48:58,830 So we landed on our... ESI is pointing to.
730 00:48:58,960 --> 00:49:05,700 OK, you can see ESI pointing to this area; if you follow in dump, this is where our shellcode is, 731 00:49:05,940 --> 00:49:11,310 and now we run this; we can continue to just, like, skim through the payload. 732 00:49:12,000 --> 00:49:14,090 Probably this is going to be affected. 733 00:49:14,100 --> 00:49:21,560 So that's why I will test running it, and we will see how to find those bad characters and avoid them. 734 00:49:21,960 --> 00:49:23,520 I'll have a session just for that. 735 00:49:23,520 --> 00:49:29,400 For now, I wanted to introduce those main concepts which I listed over here. 736 00:49:29,880 --> 00:49:33,980 So let's just run F9 again and see if anything's going to happen. 737 00:49:34,770 --> 00:49:34,980 Good. 738 00:49:35,160 --> 00:49:38,970 I don't know what I pressed the last time, so everything is working fine. 739 00:49:39,120 --> 00:49:40,080 All good. 740 00:49:40,590 --> 00:49:46,290 Let's probably replace our payload with a reverse shell, just to make sure 741 00:49:47,040 --> 00:49:47,700 we are good. 742 00:49:49,610 --> 00:49:55,280 And that's probably the fancy thing people like to see, which is a reverse shell, or a shell 743 00:49:55,520 --> 00:49:56,910 on your victim's system. 744 00:49:57,710 --> 00:49:58,940 So let's do that. 745 00:49:59,210 --> 00:49:59,720 Good. 746 00:49:59,720 --> 00:50:00,480 And now. 747 00:50:00,500 --> 00:50:02,320 So this was working great. 748 00:50:02,960 --> 00:50:06,680 Let's create a shellcode of 749 00:50:07,570 --> 00:50:10,360 let's see, do I have it over here, or 750 00:50:11,290 --> 00:50:14,510 no, this is my handler; let's keep the handler ready. 751 00:50:14,560 --> 00:50:15,190 I'm going to 752 00:50:16,150 --> 00:50:22,120 prepare this, and I'm going to create a payload. So these are, by the way, the ASCII:
753 00:50:22,120 --> 00:50:26,800 you can see the 00, the 09, 08 that I removed. 754 00:50:27,220 --> 00:50:30,240 But we'll get back to those later. Here 755 00:50:30,250 --> 00:50:32,170 I will use 756 00:50:33,030 --> 00:50:41,060 windows/shell_reverse_tcp, local host 192.168.8.9, local port 443, exit function, 757 00:50:41,250 --> 00:50:48,330 architecture, platform windows, encoder shikata_ga_nai, -f c, -b the... 758 00:50:48,540 --> 00:50:49,020 Let's go. 759 00:50:50,090 --> 00:50:58,130 So let's get this going, and now I'm going to rename this to a copy again; I prefer to do it this 760 00:50:58,130 --> 00:50:58,460 way. 761 00:50:58,820 --> 00:51:01,040 It's all up to your preference. 762 00:51:01,820 --> 00:51:03,640 This is not nice, but no problem. 763 00:51:05,080 --> 00:51:06,460 Good. 764 00:51:06,480 --> 00:51:10,510 So we have this; let's copy it into our payload. 765 00:51:12,190 --> 00:51:14,920 So from here, all the way to the end, and 766 00:51:16,050 --> 00:51:17,550 well, we can have the whole 767 00:51:18,500 --> 00:51:18,990 thing. 768 00:51:20,360 --> 00:51:21,830 And let's now 769 00:51:23,510 --> 00:51:24,420 modify 770 00:51:25,500 --> 00:51:26,160 this. 771 00:51:27,290 --> 00:51:28,850 So we have. 772 00:51:29,640 --> 00:51:30,820 Let's remove this. 773 00:51:31,140 --> 00:51:33,830 We don't need it; let's remove 774 00:51:35,150 --> 00:51:36,350 this as well. 775 00:51:36,750 --> 00:51:37,240 OK. 776 00:51:38,440 --> 00:51:42,590 But there is one thing here that we need to pay attention to. 777 00:51:43,150 --> 00:51:46,690 So look at the payload size, by the way: 389. 778 00:51:48,400 --> 00:51:50,590 And 389. 779 00:51:52,010 --> 00:52:01,190 And if we add to that, like, the 16 bytes of no-operations,
780 00:52:01,940 --> 00:52:08,240 What this means is we no longer have space for our buffer, so you'll need to modify this, OK?
781 00:52:08,270 --> 00:52:10,150 That's why I did this on purpose last time.
782 00:52:10,490 --> 00:52:12,250 You need to modify this to 10.
783 00:52:12,590 --> 00:52:15,760 And as you can see here, you don't need to modify any of your code.
784 00:52:15,770 --> 00:52:17,210 The buffer is going to stay here.
785 00:52:17,720 --> 00:52:19,330 Just we needed to modify.
786 00:52:19,340 --> 00:52:22,760 And this is just one example of one scenario.
787 00:52:22,760 --> 00:52:30,140 Why sometimes I need to, like, lower the number of buffer, no, sorry, the no-operations, et
788 00:52:30,140 --> 00:52:30,590 cetera.
789 00:52:31,160 --> 00:52:33,090 But you don't need to modify any of this.
790 00:52:33,110 --> 00:52:34,550 Everything is going to stay the same.
791 00:52:35,060 --> 00:52:39,260 So this time what we will be doing is 389.
792 00:52:39,470 --> 00:52:44,780 So we'll add first number ten and then add 389 to that, which means we will have three
793 00:52:45,020 --> 00:52:47,620 hundred and ninety-nine bytes.
794 00:52:47,930 --> 00:52:48,740 So we are going to.
795 00:52:49,740 --> 00:52:56,460 And at the end of that, we'll have just one byte left, so we are going to add the no-operation and then
796 00:52:56,460 --> 00:53:00,810 after that we have our jump or call to ESI.
797 00:53:01,080 --> 00:53:05,580 OK, so let's get this going and let's see.
798 00:53:05,590 --> 00:53:07,160 Everything is good.
799 00:53:08,900 --> 00:53:10,460 And let's go back here.
800 00:53:11,090 --> 00:53:13,250 The payload, the listener is working.
801 00:53:14,330 --> 00:53:19,290 So now we are looking at number nine because we renamed it by mistake for all three.
802 00:53:19,310 --> 00:53:20,260 Everything is good.
803 00:53:21,080 --> 00:53:24,280 Let's now run the application.
804 00:53:25,460 --> 00:53:30,140 And actually, let's run it from outside, let's run it from outside, just.
805 00:53:31,580 --> 00:53:35,040 We tested it inside the debugger, let's test it from here.
806 00:53:35,060 --> 00:53:35,570 Now.
807 00:53:36,530 --> 00:53:38,780 FTP client, and now.
808 00:53:40,560 --> 00:53:49,350 One six eight eight one nine eight, and then something is going on behind the scene and we can see that
809 00:53:49,350 --> 00:53:59,280 we have a connection, we have access to our Windows 10 system, we managed to exploit this
810 00:53:59,790 --> 00:54:08,010 FTP client that we did a remote exploitation against, and a client application.
811 00:54:09,240 --> 00:54:12,210 OK, so that's it for this video.
812 00:54:12,270 --> 00:54:17,010 I hope you understood all the concepts that we went over.
813 00:54:17,010 --> 00:54:18,060 There are many of them.
814 00:54:18,570 --> 00:54:24,870 This is really not just about, let's say, a basic buffer overflow or any of that.
815 00:54:24,870 --> 00:54:34,170 It's more about the method of exploitation that we use, that you shouldn't depend
816 00:54:34,170 --> 00:54:37,030 always on a jump ESP or ESP.
817 00:54:37,060 --> 00:54:38,180 Those might not work.
818 00:54:38,610 --> 00:54:40,710 You need to find other alternatives.
819 00:54:40,710 --> 00:54:43,620 And the more you work with this, you'll get better.
820 00:54:43,770 --> 00:54:46,430 And it's already about a lot of assembly stuff.
821 00:54:47,080 --> 00:54:53,040 We will add more different techniques while we go through the course, the null byte.
822 00:54:53,040 --> 00:54:55,620 We saw how we managed to overcome that.
823 00:54:55,860 --> 00:54:57,420 And the scenario, by the way.
824 00:54:58,500 --> 00:55:01,440 This doesn't mean you will always be able to do this.
825 00:55:02,070 --> 00:55:03,510 We were lucky in this scenario.
826 00:55:03,510 --> 00:55:08,630 I would say that we had another register pointing to some of our payload.
827 00:55:08,880 --> 00:55:17,280 So we managed to, kind of, excuse me, craft the payload which we are sending in a way to avoid the
828 00:55:17,280 --> 00:55:17,880 null byte.
829 00:55:17,880 --> 00:55:25,650 And then we also saw why the debugger was really important, because if we went the way ESP was
830 00:55:25,650 --> 00:55:32,120 pointing to the second part of my buffer, which is this one, and we saw once we add the null byte,
831 00:55:32,280 --> 00:55:35,240 it got truncated and I no longer know where it is.
832 00:55:35,550 --> 00:55:42,810 So we had to go back and go with the ESI way, because it's pointing to another area that I can still control
833 00:55:42,810 --> 00:55:47,670 and have access to, and I can still see in my stack in my debugger.
834 00:55:48,900 --> 00:55:50,610 So that's it for this video.
835 00:55:50,790 --> 00:55:57,810 I hope it was useful to you; if you have any comments or questions, please let me know.
836 00:55:58,330 --> 00:55:59,550 See you in another video.
837 00:55:59,580 --> 00:56:00,780 Thank you and bye bye.