1 00:00:00,540 --> 00:00:03,810 Welcome back to Basic Exploit Development. In this section.
2 00:00:03,840 --> 00:00:09,030 This is the egg hunter section of the course, so we might be getting into some.
3 00:00:09,060 --> 00:00:11,370 I expect a lot of people to be asking me questions.
4 00:00:11,370 --> 00:00:19,380 Basically, egg hunters are not really that easy of a concept to understand, but I am putting it in
5 00:00:19,380 --> 00:00:25,800 the Introduction to Exploit Development / Zero Day Discovery class because I am very confident that I
6 00:00:25,800 --> 00:00:27,030 could actually teach you this.
7 00:00:27,330 --> 00:00:31,170 But if you have any questions, please ask on the forum.
8 00:00:32,430 --> 00:00:38,010 So we're going to exploit a service called vulnserver.exe.
9 00:00:38,250 --> 00:00:40,590 It's basically freely available on GitHub.
10 00:00:43,950 --> 00:00:45,480 Made by Stephen Bradshaw.
11 00:00:45,990 --> 00:00:48,840 So all you need to do is download this.
12 00:00:51,540 --> 00:00:53,880 Directly onto your Windows XP machine.
13 00:00:55,220 --> 00:00:58,820 Or Vista or 7 or whatever Windows you chose to use.
14 00:01:00,140 --> 00:01:06,170 And we are going to try to use an egg hunter eventually against it.
15 00:01:06,440 --> 00:01:11,120 But for now, we're going to go right for the standard development process for exploits.
16 00:01:11,990 --> 00:01:13,520 So I want to open Immunity Debugger.
17 00:01:15,080 --> 00:01:16,850 We're going to run vulnserver.
18 00:01:19,020 --> 00:01:20,220 And then we're going to press play.
19 00:01:24,440 --> 00:01:24,710 Back.
20 00:01:24,710 --> 00:01:25,820 In the Kali machine.
21 00:01:27,680 --> 00:01:29,640 ls. Proof of concept.
22 00:01:29,840 --> 00:01:30,230 Hi.
23 00:01:31,160 --> 00:01:38,870 We found out that this vulnerable server initially will crash from approximately 256 letter A's.
24 00:01:39,560 --> 00:01:44,960 And what we need to do is determine whether or not we can exploit this.
25 00:01:46,400 --> 00:01:52,130 A little thing about egg hunters is that egg hunters are very useful with limited buffer space and unpredictable
26 00:01:52,130 --> 00:01:56,150 shellcode landing, God knows where within the buffer.
27 00:01:56,780 --> 00:01:59,840 So an egg hunter is actually a very useful tool in this situation.
28 00:02:01,050 --> 00:02:03,600 For now, let's make sure that the service is running.
29 00:02:05,170 --> 00:02:10,120 So here's a tip: you have to click play until play.
30 00:02:11,800 --> 00:02:13,240 Until it's highlighted.
31 00:02:19,910 --> 00:02:20,810 So: python.
32 00:02:20,900 --> 00:02:21,680 Proof of concept.
33 00:02:23,630 --> 00:02:24,920 We've crashed the program.
34 00:02:25,850 --> 00:02:28,860 We found out EIP, as usual, has been overwritten.
35 00:02:29,510 --> 00:02:31,340 41, 41, 41, 41.
36 00:02:31,340 --> 00:02:33,620 That's four A's in hexadecimal.
37 00:02:34,870 --> 00:02:36,010 So we're going to.
38 00:02:37,830 --> 00:02:38,940 Follow this and.
39 00:02:43,120 --> 00:02:46,690 And we notice we have a very limited buffer right here.
40 00:02:47,650 --> 00:02:48,760 Let me maximize this.
41 00:02:50,120 --> 00:02:52,460 We have a very limited buffer right here.
42 00:02:54,200 --> 00:02:59,690 I know for sure that it's over 32 bytes, which is why we can fit our egg hunter inside of it.
43 00:03:00,560 --> 00:03:04,850 But where else will the shellcode go then, if we can't put it in here, except for an egg hunter?
44 00:03:06,200 --> 00:03:08,690 Well, that's the question.
45 00:03:08,990 --> 00:03:11,660 And we need to first follow the other steps.
46 00:03:11,810 --> 00:03:13,160 Of the exploit development process.
47 00:03:15,320 --> 00:03:17,630 And I will see you in the next section.