1
00:00:00,270 --> 00:00:00,690
All right.

2
00:00:00,690 --> 00:00:03,000
Welcome back to Introductory Exploit Development.

3
00:00:03,390 --> 00:00:11,940
This is a sample section of the class, and now we're going to locate where we actually can reach EIP,

4
00:00:11,940 --> 00:00:15,330
extended instruction pointer, by using a cyclic pattern.

5
00:00:17,550 --> 00:00:27,690
So, pattern_create, now for 2700, because we know it's somewhere around 2600, or 2600 to 2700

6
00:00:27,690 --> 00:00:30,090
something A's to reach there.

7
00:00:31,680 --> 00:00:36,120
So as you can see, the cyclic pattern increments every four characters.

8
00:00:36,810 --> 00:00:43,500
So that way we can always find the location where it was about to overwrite the EIP.

9
00:01:14,420 --> 00:01:20,930
And then let's clear this out, finish this first, and let's restart the process.

10
00:01:22,400 --> 00:01:23,480
On the border while Bashir.

11
00:01:27,730 --> 00:01:28,210
Stop.

12
00:01:30,830 --> 00:01:31,340
Start.

13
00:01:34,390 --> 00:01:36,550
The debugger, run as administrator.

14
00:01:37,270 --> 00:01:37,810
Yes.

15
00:01:39,770 --> 00:01:40,460
Attach.

16
00:01:42,980 --> 00:01:43,430
Name.

17
00:01:45,260 --> 00:01:47,000
So now attach.

18
00:01:49,390 --> 00:01:57,730
Press play, and let's see if we can send our buffer again to see what happens.

19
00:02:06,980 --> 00:02:13,370
So now we have the contents of EIP: 39, 69, 44, 38.

20
00:02:13,730 --> 00:02:22,040
This is the contents of our EIP. As you can see, the cyclic pattern shows up here in ASCII text if we translate it

21
00:02:22,040 --> 00:02:23,000
back to ASCII.

22
00:02:25,010 --> 00:02:26,330
It just shows up right here.

23
00:02:27,680 --> 00:02:28,250
So.

24
00:02:29,270 --> 00:02:29,680
Oops.

25
00:02:30,540 --> 00:02:31,120
Got.

26
00:02:32,080 --> 00:02:32,500
Put on.

27
00:02:32,980 --> 00:02:34,030
Let's run this again.

28
00:02:39,870 --> 00:02:40,440
Stop.

29
00:02:42,160 --> 00:02:42,760
Start.

30
00:02:48,820 --> 00:02:49,480
Attach.

31
00:02:51,090 --> 00:02:51,780
So now.

32
00:02:55,620 --> 00:02:56,190
Play.

33
00:03:05,820 --> 00:03:07,170
Fire the PoC again.

34
00:03:09,320 --> 00:03:13,730
And I take note that it is 39, 69, 44, 38.

35
00:03:23,250 --> 00:03:26,820
So, pattern_offset, just to...

36
00:03:33,640 --> 00:03:37,870
And we found a jackpot: an exact match at 2606.

37
00:03:39,520 --> 00:03:43,960
So what we need to do now is validate that it actually works.

38
00:03:45,670 --> 00:03:52,930
So, commenting out this buffer: buffer equals A times 2606 plus

39
00:03:54,300 --> 00:03:59,310
B times four plus C times

40
00:04:00,890 --> 00:04:02,390
3500 minus

41
00:04:02,390 --> 00:04:04,250
2606 minus four.

42
00:04:14,180 --> 00:04:14,540
All right.

43
00:04:14,540 --> 00:04:16,220
Go back to Windows.

44
00:04:19,769 --> 00:04:20,820
I said this.

45
00:04:21,089 --> 00:04:22,050
Stop this.

46
00:04:23,920 --> 00:04:24,400
Start.

47
00:04:27,910 --> 00:04:32,500
And now we're looking for validation that we correctly predicted the offset.

48
00:04:41,410 --> 00:04:42,310
Press play again.

49
00:04:54,090 --> 00:04:55,370
This to you?

50
00:04:55,370 --> 00:04:55,820
To me?

51
00:04:55,850 --> 00:04:57,950
Just checking to see that this is correct.

52
00:05:00,360 --> 00:05:01,230
Yes, it is.

53
00:05:03,440 --> 00:05:05,030
Pass on to me.

54
00:05:10,130 --> 00:05:11,180
Did I forget to press play?

55
00:05:14,950 --> 00:05:15,370
All right.

56
00:05:15,940 --> 00:05:21,460
So now we have proven that we can overwrite EIP, extended instruction pointer, before.

57
00:05:25,540 --> 00:05:26,710
The letters are right here.

58
00:05:26,740 --> 00:05:29,170
42, 42, 42, 42.

59
00:05:29,800 --> 00:05:32,170
Well, actually, four capital letter B's.

60
00:05:32,890 --> 00:05:39,550
This is a very good sign that we are actually controlling the buffer space.

61
00:05:39,970 --> 00:05:46,360
If you look at the extended stack pointer, ESP, follow in dump, you'll notice that we now have a buffer

62
00:05:46,360 --> 00:05:47,140
of C's.

63
00:05:48,250 --> 00:05:51,280
Here's our four B's, by the way, with a buffer of C's.

64
00:05:52,720 --> 00:05:54,220
Where we can put a shellcode in.