1
00:00:00,450 --> 00:00:03,390
All right, everybody, welcome back to exploit development class.

2
00:00:03,750 --> 00:00:07,430
And in our first section, we're going to be exploring libhttpd

3
00:00:07,540 --> 00:00:15,060
daemon 1.2. And I want to show you something where we now created a proof of concept called firsttry.

4
00:00:15,390 --> 00:00:17,580
We're not going to be using bash commands anymore.

5
00:00:18,120 --> 00:00:19,290
This would be too cumbersome.

6
00:00:19,620 --> 00:00:26,640
So what we're doing is we're writing our own payload into our local directory, payload.txt.

7
00:00:27,030 --> 00:00:28,350
We're going to append to it.

8
00:00:28,860 --> 00:00:39,040
We're going to send in 1048 A's, 4 B's, and 1000 minus... 1400 - 1048 - 4 C's.

9
00:00:39,820 --> 00:00:40,380
We're

10
00:00:40,380 --> 00:00:46,260
then going to send the payload into our listening service, and let's see that it actually works.

11
00:00:46,950 --> 00:01:01,140
So gdb, run -p 80, python firsttry, control... it crashes.

12
00:01:01,970 --> 00:01:02,970
Analyze the crash.

13
00:01:03,000 --> 00:01:05,010
We are controlling EIP.

14
00:01:05,430 --> 00:01:05,970
Perfect.

15
00:01:06,720 --> 00:01:07,290
All right.

16
00:01:07,560 --> 00:01:17,220
So now we're going to try to find a jmp esp instruction, because note that the ESP... let's close the

17
00:01:17,220 --> 00:01:25,770
bottom one. Took note that the ESP, extended stack pointer, is showing a pattern of C's 200

18
00:01:25,770 --> 00:01:26,370
times.

19
00:01:27,450 --> 00:01:30,000
As well as overflowing in these sections right here.

20
00:01:30,960 --> 00:01:37,380
So it is possible that we can actually send in a reverse shell, which actually are longer than bind shells,

21
00:01:37,770 --> 00:01:39,330
and see if we can have that run.

22
00:01:39,720 --> 00:01:44,010
So this is a remastering of my class, basically, to make a better quality class.

23
00:01:44,700 --> 00:01:47,250
And we're going to... let's see.

24
00:01:48,590 --> 00:01:51,260
First we need to find a jmp esp instruction.

25
00:01:51,260 --> 00:01:52,250
So jump, call.

26
00:01:54,710 --> 00:01:57,260
And our first jmp esp instruction is right here.

27
00:01:58,190 --> 00:01:58,970
Control-Shift-

28
00:01:58,970 --> 00:01:59,870
C to copy that.

29
00:02:04,550 --> 00:02:07,970
Q to quit. nano firsttry.py.

30
00:02:13,170 --> 00:02:20,760
jmp esp instruction, and we're going to overwrite this with the little-endian version of it.

31
00:02:20,790 --> 00:02:22,650
What's the little-endian version of it?

32
00:02:23,160 --> 00:02:35,100
Well, we're reversing every two bytes, so \x6f \xcc \x04, and note how

33
00:02:35,100 --> 00:02:36,300
it's only seven digits.

34
00:02:36,540 --> 00:02:39,870
So you need to add a 0 to the 8: \x08.

35
00:02:44,150 --> 00:02:46,820
So let's see that we can actually hijack execution.

36
00:02:48,140 --> 00:02:50,060
Let's actually make this cleaner, you guys.

37
00:02:50,990 --> 00:02:51,500
Let's see.

38
00:02:51,860 --> 00:02:52,760
Jump up.

39
00:02:54,470 --> 00:02:55,010
Jump on.

40
00:02:55,610 --> 00:02:56,150
I'm sorry.

41
00:03:00,320 --> 00:03:07,070
\x6f\xcc\x04\x08.

42
00:03:11,500 --> 00:03:13,330
It's always important to write clean code.

43
00:03:20,470 --> 00:03:26,440
So if we can hijack execution, then EIP lands in this jmp esp.

44
00:03:27,370 --> 00:03:32,470
It's going to hit our C's, and that means it won't be able to access our C's, because all it contains

45
00:03:32,470 --> 00:03:33,130
is gibberish.

46
00:03:36,130 --> 00:03:37,390
So let's see.

47
00:03:37,870 --> 00:03:51,670
EDB cheat, gdb libhttpd daemon, run -p 8080, Ctrl-B Shift-" to split into horizontal panes,

48
00:03:53,290 --> 00:03:57,280
python firsttry.py, it crashes.

49
00:04:02,690 --> 00:04:04,580
And we have an illegal instruction.

50
00:04:06,670 --> 00:04:09,700
And our ESP stack pointer is pointing at our C's.

51
00:04:10,150 --> 00:04:13,570
So this is where we're actually going to toss in our reverse shell.

52
00:04:14,920 --> 00:04:16,360
And we're going to see.

53
00:04:17,620 --> 00:04:18,970
Wow, that's huge.