1
00:00:01,080 --> 00:00:01,359
All right.

2
00:00:01,410 --> 00:00:08,730
So we are now in the 64 bit ROP chaining section and we have a lot of things to cover to differentiate

3
00:00:08,730 --> 00:00:12,330
between 64 bit and 32 bit ROP chaining.

4
00:00:13,470 --> 00:00:20,980
So previously we covered automated 32 bit ROP chaining on Windows using Immunity Debugger's mona.py module.

5
00:00:21,000 --> 00:00:28,230
It was the moment where, at the very end, the Windows 7 virtual machine froze up because it was

6
00:00:28,230 --> 00:00:32,159
actually trying to recalculate a ROP chain to gain shell access.

7
00:00:32,580 --> 00:00:38,430
In this section, we will introduce you to manual ROP chaining on custom compiled binaries on Linux

8
00:00:38,430 --> 00:00:39,510
64 bit.

9
00:00:39,810 --> 00:00:48,810
But when you're using ROP chains, or actually using 64 bit exploits, you need to pass the less-than,

10
00:00:48,810 --> 00:00:49,380
capital

11
00:00:49,380 --> 00:00:53,490
Q parameter, meaning 64 bit little endian.

12
00:00:53,850 --> 00:00:57,210
As we all know, the less-than sign means little endian.

13
00:00:57,540 --> 00:01:04,140
And it actually stands for a double long integer, or, you know, in documentation it would just say

14
00:01:04,140 --> 00:01:05,370
long long int.

15
00:01:06,090 --> 00:01:11,880
And we will also heavily use offsets from the standard C library file with address space layout randomization

16
00:01:11,880 --> 00:01:13,080
protection enabled.

17
00:01:15,150 --> 00:01:20,700
So there are fundamental differences between 32 bit and 64 bit ROP chaining, which is why I went for

18
00:01:20,700 --> 00:01:27,720
teaching 64 bit ROP chaining first; 32 bit ROP chain write-ups are actually heavily dominant online.

19
00:01:27,720 --> 00:01:31,080
The main difference is that 32 bit ROP chaining,

20
00:01:31,080 --> 00:01:37,380
they rely on what's called a standard call, and usually the gadgets are placed on the stack and they're

21
00:01:37,380 --> 00:01:39,690
incremented by four bytes instead of eight.

22
00:01:40,770 --> 00:01:46,320
The most notable part about 64 bit is the calling convention, where if we use a ROP chain, we must

23
00:01:46,320 --> 00:01:50,550
populate the specific registers before executing our final ROP gadget.

24
00:01:50,820 --> 00:01:57,270
Furthermore, the stack and registers must be aligned with a final RET instruction, return

25
00:01:57,270 --> 00:01:59,490
instruction, or the execution will fail.

26
00:02:01,050 --> 00:02:04,680
And one more thing is canonical addresses.

27
00:02:04,680 --> 00:02:11,039
You can actually Google canonical addresses because in 64 bit computing, we don't actually use all

28
00:02:11,039 --> 00:02:19,380
64 bits of memory address space, we actually use around 48 bits or six bytes.

29
00:02:19,380 --> 00:02:25,830
So we actually have ranges of memory addresses in the stack which are invalid memory addresses.

30
00:02:27,950 --> 00:02:33,470
So this is the 64 bit calling convention, and this is just an example.

31
00:02:33,740 --> 00:02:38,720
So let's say that I want to do shell, right?

32
00:02:38,810 --> 00:02:47,150
So I would first execute a ROP chain to populate the RDI register with the sh variable, and then I would

33
00:02:47,150 --> 00:02:50,570
execute system with RDI as the only argument.

34
00:02:50,840 --> 00:02:56,810
So for Linux 64 bit, it can support six specified registers.

35
00:02:56,810 --> 00:03:00,320
You just simply put them as arguments inside the registers.

36
00:03:00,500 --> 00:03:07,630
And then after the sixth argument, it becomes an offset from the return stack pointer. In Windows,

37
00:03:07,640 --> 00:03:09,950
let's say that you want to set up VirtualProtect.

38
00:03:10,160 --> 00:03:15,350
You would have to populate four registers, and if you still need arguments,

39
00:03:15,630 --> 00:03:22,610
oh, I forgot a little parenthesis here, but if you still need more arguments you would do another

40
00:03:22,640 --> 00:03:24,590
offset from the return stack pointer.