1
00:00:02,070 --> 00:00:02,510
All right.

2
00:00:02,520 --> 00:00:08,880
So welcome to, hopefully, our second to last section of the SLMail module.

3
00:00:10,380 --> 00:00:15,450
At this point, we still have crashed our application and we have verified all of the bad characters

4
00:00:15,450 --> 00:00:16,890
that we eliminated before.

5
00:00:17,520 --> 00:00:25,410
This time we're going to look for, it's basically an ASLR bypass, address space layout randomization,

6
00:00:25,800 --> 00:00:31,050
which is something that Microsoft implemented to prevent attackers like us from successfully exploiting

7
00:00:31,050 --> 00:00:31,710
programs.

8
00:00:32,280 --> 00:00:38,180
So to get around that, there are actually many catches to getting ASLR on.

9
00:00:38,190 --> 00:00:43,470
Everything, including every DLL, must be compiled with the dynamic base option, and a lot of people,

10
00:00:43,800 --> 00:00:46,710
more than we think, actually forget to do that.

11
00:00:46,950 --> 00:00:54,990
Which means one not properly compiled module can make that entire application vulnerable to ASLR

12
00:00:54,990 --> 00:00:55,680
bypass.

13
00:00:57,480 --> 00:01:01,260
So I want you to type exclamation point mona modules.

14
00:01:02,790 --> 00:01:07,110
And this is the column where ASLR is.

15
00:01:08,740 --> 00:01:10,420
What we're looking for is

16
00:01:12,460 --> 00:01:14,920
anything that is not ASLR or DEP,

17
00:01:15,280 --> 00:01:20,890
data execution prevention, structured exception handlers, etc.

18
00:01:22,530 --> 00:01:27,930
And we find it all the way down here: SLMFC.DLL.

19
00:01:30,780 --> 00:01:37,650
So now at this point, we need to query this and look for a jump instruction.

20
00:01:40,260 --> 00:01:43,770
What we can do is use the MSF nasm shell

21
00:01:47,860 --> 00:01:50,020
to hunt down the JMP ESP instruction.

22
00:01:53,410 --> 00:01:56,200
And we figure out it is FF E4.
23
00:01:57,460 --> 00:02:05,430
So now we have to use this command within the specific dynamic link library to look for a JMP ESP

24
00:02:05,440 --> 00:02:09,039
instruction which would allow execution of our shellcode.

25
00:02:13,320 --> 00:02:14,770
Mona find

26
00:02:20,100 --> 00:02:21,270
FF E4

27
00:02:28,580 --> 00:02:31,500
S-L-M-F-C dot D-L-L.

28
00:02:32,900 --> 00:02:33,730
That's right.

29
00:02:46,390 --> 00:02:48,490
So we found numerous pointers.

30
00:02:50,060 --> 00:02:52,700
And we still need to look for things like

31
00:02:55,380 --> 00:02:57,540
anything that does not contain bad characters.

32
00:03:02,600 --> 00:03:07,130
And I think I will take the first one.

33
00:03:28,510 --> 00:03:36,580
Yes, the first one will be adequate because there is no structured exception handler protection, no address

34
00:03:36,580 --> 00:03:40,240
space layout randomization, and most importantly, no bad characters.

35
00:03:40,660 --> 00:03:43,000
So we need to write it in little-endian format.

36
00:03:44,020 --> 00:03:52,630
This is the exact memory address within the SLMFC.DLL file, but we need to reverse it,

37
00:03:52,840 --> 00:04:01,240
5F4A358F, because it's little-endianized and it works by the least significant

38
00:04:01,240 --> 00:04:02,440
byte first.

39
00:04:07,140 --> 00:04:10,830
So at this point, we can change our buffer.

40
00:04:24,600 --> 00:04:31,260
And then from here, C times 3500 minus 2606 minus 4.

41
00:04:36,240 --> 00:04:41,730
And we can also generate a payload because we know that whatever happens there will land in the C's.
47
00:04:42,960 --> 00:04:49,170
So let's try this one more time and see if we can successfully land in the C's with the JMP

48
00:04:49,190 --> 00:04:50,040
ESP instruction.

49
00:05:20,630 --> 00:05:26,510
If you see something weird, like you don't see the rest of the context, go to View, CPU window, and then

50
00:05:26,510 --> 00:05:27,920
maximize it like that.

51
00:05:28,430 --> 00:05:29,840
And now you can see the registers.

52
00:05:30,710 --> 00:05:34,700
The Offensive Security training courses didn't actually mention that, but I just learned

53
00:05:34,700 --> 00:05:35,570
this from experience.

54
00:05:51,890 --> 00:05:52,490
Again.

55
00:05:56,810 --> 00:05:58,190
Find out where we are and

56
00:06:02,690 --> 00:06:03,560
follow ESP.

57
00:06:03,680 --> 00:06:05,540
We landed in the beginning of our buffer.

58
00:06:09,780 --> 00:06:18,750
And what I want you to do now is replace the final shellcode because we're ready to finally open this

59
00:06:18,750 --> 00:06:19,260
box.