1
00:00:00,540 --> 00:00:06,000
Hello and welcome back to Advanced Development, and in this section, we're going to show you how to

2
00:00:06,000 --> 00:00:08,760
seize control of the structured exception handler.

3
00:00:09,180 --> 00:00:15,900
Now, the structured exception handler is like a last resort for Windows applications, where if we can overwrite

4
00:00:15,900 --> 00:00:22,510
the stack in such a way that it triggers an exception, then the structured exception handler takes over.

5
00:00:23,220 --> 00:00:28,980
Right now we're going to first test our geologic media player application.

6
00:00:30,330 --> 00:00:34,620
So let's go start geologic media player eight and attach the process.

7
00:00:38,100 --> 00:00:40,380
Make sure to run Immunity Debugger as administrator.

8
00:00:44,080 --> 00:00:45,910
Then click File, Attach.

9
00:00:50,230 --> 00:00:52,810
And it's on the bottom, Attach.

10
00:00:56,120 --> 00:00:59,120
Now, make sure you step through the exception with Shift F9.

11
00:01:01,870 --> 00:01:02,830
And then press play.

12
00:01:10,030 --> 00:01:13,780
So we're going to try our first proof of concept, four hundred and four a.

13
00:01:18,450 --> 00:01:22,530
On we try, I call my father, we try to call it anything you want.

14
00:01:25,750 --> 00:01:27,850
And then click on List.

15
00:01:32,370 --> 00:01:33,780
Top 40, Open.

16
00:01:35,110 --> 00:01:36,850
And we have an access violation.

17
00:01:37,340 --> 00:01:41,530
However, we did overwrite... let me maximize this.

18
00:01:43,460 --> 00:01:43,870
Oops.

19
00:01:49,230 --> 00:01:50,070
Let's try this again.

20
00:01:51,900 --> 00:01:53,940
Immunity Debugger, File.

21
00:01:56,350 --> 00:01:57,250
Theologica.

22
00:02:00,720 --> 00:02:01,650
One program.

23
00:02:07,740 --> 00:02:08,310
List.

24
00:02:12,820 --> 00:02:19,570
And let's look at our top 40 and through ufology generated, and notice how we overwrote and it's been

25
00:02:19,570 --> 00:02:20,920
converted into Unicode.

26
00:02:22,360 --> 00:02:28,210
Forty one, forty one zero zero, forty one zero zero, forty one. In Unicode encoded applications such

27
00:02:28,210 --> 00:02:34,870
as this, the Unicode... our string, our malicious string, is always prepended with null bytes.

28
00:02:37,660 --> 00:02:41,380
So let's check our structured exception handler chain.

29
00:02:43,570 --> 00:02:52,810
And we have yet to write anything to it yet, so let's go increase the size of our buffer to five thousand.

30
00:02:57,480 --> 00:02:59,550
And then restart.

31
00:03:06,570 --> 00:03:08,580
It was running, it's loading all the DLLs.

32
00:03:12,210 --> 00:03:13,020
Click on List.

33
00:03:19,580 --> 00:03:23,360
Oh, we have in Python, we try.

34
00:03:32,680 --> 00:03:33,220
Open.

35
00:03:36,100 --> 00:03:40,220
Notice that we have Unicode A's in all of our registers.

36
00:03:41,470 --> 00:03:43,530
So what you want to do is Shift F9.

37
00:03:43,720 --> 00:03:46,360
Well, actually, first check our structured exception handler chain.

38
00:03:48,110 --> 00:03:53,540
We have successfully overwritten the structured exception handler with zero zero forty one zero zero forty

39
00:03:53,540 --> 00:03:56,570
one, that's Unicode for two capital A's.

40
00:03:59,610 --> 00:04:05,610
Basically, what we have done here is overwrite the stack in such a manner that we trigger the structured

41
00:04:05,610 --> 00:04:13,620
exception handler. Now that we can actually find our Unicode strings of two A's in Unicode format, we

42
00:04:13,620 --> 00:04:21,029
have basically found something interesting where, supposedly, we could take control of the structured

43
00:04:21,029 --> 00:04:23,310
exception handler to run our own shellcode.

44
00:04:25,730 --> 00:04:29,330
So let's go back to View, CPU.

45
00:04:33,180 --> 00:04:39,840
And if you were to click on one of these registers like X, right click, Follow, and you see that's

46
00:04:39,840 --> 00:04:46,340
overwritten with multiple, multiple Unicode codas.

47
00:04:48,990 --> 00:04:51,660
So let's pass the exception with Shift F9.

48
00:04:54,790 --> 00:04:57,610
And we can see... let's go back to our SEH chain.

49
00:05:00,030 --> 00:05:03,270
We have successfully overwritten once again

50
00:05:04,770 --> 00:05:07,140
this memory address for our structured exception handler.

51
00:05:07,800 --> 00:05:18,750
Now we need to verify that we can do this, and what we can do is create a cyclic pattern using Metasploit.

52
00:05:27,190 --> 00:05:29,700
So let's create a cyclic pattern.

53
00:05:33,340 --> 00:05:43,300
msf-pattern_create, -l a thousand, to share/pattern.txt.

54
00:05:48,600 --> 00:05:56,490
So we take a look at it, share/pattern.txt, we have our cyclic pattern and we're going to share

55
00:05:56,490 --> 00:05:57,290
it right now.

56
00:05:57,450 --> 00:06:05,340
So we're going to do impacket smbserver share ./share folder.

57
00:06:08,390 --> 00:06:16,430
Then go over to the Windows side, let's see that... use the double backslash, one or two, one eight one

58
00:06:16,430 --> 00:06:19,370
twenty two one ten, backslash share.

59
00:06:20,740 --> 00:06:21,850
It's already in use.

60
00:06:25,120 --> 00:06:35,410
So we have our pattern, so let's do copy Z colon backslash pattern.txt to our current directory,

61
00:06:35,410 --> 00:06:36,470
which is the desktop.

62
00:06:37,450 --> 00:06:38,110
Yes.

63
00:06:40,610 --> 00:06:42,050
And let's replace

64
00:06:43,270 --> 00:06:50,140
these A's with our cyclic pattern, so Control O, open, go to pattern.txt.

65
00:06:51,960 --> 00:06:53,010
Copy all of this.

66
00:06:56,330 --> 00:06:59,030
Evil string equals quote.

67
00:07:05,140 --> 00:07:06,670
And let's regenerate the file.

68
00:07:12,950 --> 00:07:20,300
So let's restart this... the shortcut to restarting the application is Control F2, yes.

69
00:07:22,070 --> 00:07:22,790
Press play.

70
00:07:30,200 --> 00:07:31,400
Then click on List.

71
00:07:33,740 --> 00:07:35,280
I want to load our cyclic pattern.

72
00:07:35,570 --> 00:07:38,690
I want to show you something that's very interesting.

73
00:07:42,590 --> 00:07:49,370
I want to show you something that's very interesting, because when we try to locate CPAC, our reception.

74
00:07:51,330 --> 00:08:02,040
If we try to use this to locate our Chalco buffer from our cyclic pattern, notice how this will not

75
00:08:02,040 --> 00:08:04,200
be viable in Metasploit Framework.

76
00:08:04,230 --> 00:08:07,890
It's Metasploit Framework's pattern_offset.

77
00:08:11,960 --> 00:08:18,290
Thirty nine year old, seventy two, and it's not going to find any patterns because it's encoded in

78
00:08:18,290 --> 00:08:23,710
Unicode, see, no exact match, just looking for a likely candidate.

79
00:08:24,440 --> 00:08:31,310
So we need to use Immunity Debugger now to walk through the stack and see what it can turn up.

80
00:08:32,120 --> 00:08:38,809
So, exclamation point mona findmsp, that's find the Metasploit cyclic pattern.

81
00:08:41,130 --> 00:08:49,410
And your computer is going to slow down or freeze momentarily, and the reason why it does that is because

82
00:08:49,410 --> 00:08:56,320
Immunity Debugger is scanning throughout virtual address space to basically look for the identical pattern.

83
00:08:56,550 --> 00:09:03,840
But if you look right now here, before it froze, it says it found an overwrite with a Unicode cyclic pattern

84
00:09:04,350 --> 00:09:10,050
at address zero four one zero zero thirty six, offset

85
00:09:10,050 --> 00:09:13,860
five hundred and thirty six a.