1
00:00:00,780 --> 00:00:01,050
All right.

2
00:00:01,050 --> 00:00:02,090
So welcome back.

3
00:00:02,100 --> 00:00:09,270
And since we now finally found our favorite gadgets, we are going to go construct our ROP chain.

4
00:00:09,840 --> 00:00:19,560
So basically, in 64-bit exploitation, you need to type something like struct.pack, single quote,

5
00:00:20,100 --> 00:00:21,660
little-endian, capital

6
00:00:21,660 --> 00:00:24,840
Q, and then your memory address.

7
00:00:26,400 --> 00:00:33,750
And the reason why you're doing that is because less-than, capital Q means double long little-endian,

8
00:00:34,830 --> 00:00:42,030
and that means an eight-byte memory address, which obviously we use only up to 48 bits out of 64 bits.

9
00:00:42,030 --> 00:00:43,380
That's six bytes.

10
00:00:43,590 --> 00:00:47,310
So to construct our ROP chain, it must be fed backwards.

11
00:00:47,310 --> 00:00:48,990
So it must be like this.

12
00:00:49,560 --> 00:00:52,430
So struct.pack.

13
00:00:55,460 --> 00:00:58,640
Less-than, capital Q, return.

14
00:01:03,290 --> 00:01:18,200
struct.pack, less-than, capital Q, pop RDI. struct.pack, less-than, capital Q... I mean less-than sign, capital Q.

15
00:01:20,440 --> 00:01:25,510
So struct.pack, less-than, capital Q.

16
00:01:27,990 --> 00:01:28,800
Sys call.

17
00:01:31,140 --> 00:01:35,110
struct.pack, less-than, capital Q.

18
00:01:37,600 --> 00:01:38,410
Exit call.

19
00:01:44,680 --> 00:01:48,730
So using this, we are going to write our payload again.

20
00:01:49,000 --> 00:01:53,650
So make sure we just copy and paste this back into our exploit box.

21
00:01:55,060 --> 00:02:03,640
And I want to step through the functionality of our program, because I want to explain how this works.

22
00:02:04,690 --> 00:02:06,970
So we're going to go back into our exploit.

23
00:02:07,840 --> 00:02:09,340
We can leave ropper right now

24
00:02:11,980 --> 00:02:13,300
and our exploit.

25
00:02:16,270 --> 00:02:17,530
So we.
26
00:02:21,360 --> 00:02:24,990
And then run Python 3.5 to create our new payload.

27
00:02:25,590 --> 00:02:26,760
Let me see what happened here.

28
00:02:27,420 --> 00:02:28,630
Oh, I forgot to import.

29
00:02:28,650 --> 00:02:29,430
I'm sorry.

30
00:02:31,590 --> 00:02:33,790
import struct.

31
00:02:37,450 --> 00:02:38,470
Success.

32
00:02:44,000 --> 00:02:48,320
Let's do this again, and I'll exploit.

33
00:02:51,630 --> 00:02:56,820
vi exploit.py, and now we have our new payload, so we can hexdump it.

34
00:02:58,680 --> 00:03:05,430
Oh, I don't have hexdump pulled up, but what we want to do is go back and zoom in to our debugging

35
00:03:05,430 --> 00:03:06,150
session.

36
00:03:07,980 --> 00:03:12,900
So we're going to set a breakpoint, or actually we're going to disassemble our main function, which

37
00:03:12,900 --> 00:03:13,530
is greet_me.

38
00:03:13,530 --> 00:03:16,260
disassemble greet_me.

39
00:03:19,750 --> 00:03:26,380
And we want to put a breakpoint at the return, because here is where it gets the string and ingests it.

40
00:03:26,830 --> 00:03:32,680
This is where it prints out our little challenge, which, as you may have known, was just "say Hi,

41
00:03:32,680 --> 00:03:33,280
Bob."

42
00:03:33,730 --> 00:03:36,700
So we're going to put a breakpoint at

43
00:03:39,580 --> 00:03:43,660
greet_me plus 60 bytes, so we can observe our ROP chain.

44
00:03:44,500 --> 00:03:46,330
Finally, we want to run it with our payload.

45
00:03:49,350 --> 00:03:54,150
So we first have our payload, and we hit our first return instruction.

46
00:03:56,230 --> 00:03:57,220
Which is this?

47
00:03:59,290 --> 00:04:00,340
Single step.

48
00:04:08,020 --> 00:04:09,430
Single step again.

49
00:04:09,910 --> 00:04:10,660
Let me see.

50
00:04:17,890 --> 00:04:18,950
I must have done something wrong.

51
00:04:18,970 --> 00:04:20,260
Let me re-record this.

52
00:04:24,660 --> 00:04:25,430
All right, everybody.

53
00:04:25,430 --> 00:04:26,110
Welcome back.
54
00:04:26,120 --> 00:04:32,210
So in my haste, genius, I actually forgot to do something that's completely critical.

55
00:04:33,710 --> 00:04:35,930
So I'm going to show you what I did wrong.

56
00:04:36,080 --> 00:04:43,640
So previously, I actually just did a bunch of lines of struct.pack, struct.pack, but I forgot to add

57
00:04:43,640 --> 00:04:44,510
it to the buffer.

58
00:04:44,540 --> 00:04:47,540
It was just an honest, you know, an honest mistake.

59
00:04:47,540 --> 00:04:51,050
You know, I'm just, like, in a rush, you know?

60
00:04:51,380 --> 00:04:57,830
But what we can do now is we can now copy and paste the payload with our ROP chain.

61
00:04:58,190 --> 00:05:03,380
So what it's going to do is it's going to write into the stack backwards.

62
00:05:03,620 --> 00:05:04,310
All right.

63
00:05:04,310 --> 00:05:12,440
So it writes our exit call, and then our sys call, then our pointer to our shell, and then pop the shell

64
00:05:12,440 --> 00:05:13,010
variable.

65
00:05:13,010 --> 00:05:15,470
It's in the RDI register, according to 64-bit

66
00:05:15,470 --> 00:05:18,560
calling conventions. Executes a return.

67
00:05:18,560 --> 00:05:23,060
So that way the stack is aligned, and then it will then run the payload.

68
00:05:23,120 --> 00:05:28,580
To better explain this, let's copy and paste the exploit code back into our session.

69
00:05:29,540 --> 00:05:34,010
So exploit.py, let's delete all this.

70
00:05:37,130 --> 00:05:47,390
python3 exploit.py, and now we have our payload right here, and we're going to put a breakpoint.

71
00:05:47,630 --> 00:05:58,400
So a new debugger, vuln, dash q, and then we're going to disassemble greet_me.

72
00:05:59,750 --> 00:06:03,350
Now the offset to the return is 60 bytes.

73
00:06:03,470 --> 00:06:12,050
So what we're going to do is we're going to put a breakpoint at greet_me plus 60, and now we're going to ingest

74
00:06:12,050 --> 00:06:12,740
the payload.
75
00:06:14,990 --> 00:06:21,170
So let's Ctrl+V, and let's observe how the ROP chain works.

76
00:06:21,170 --> 00:06:26,870
So we hit our return in the instruction pointer, and we have another return right here, because it's written

77
00:06:26,870 --> 00:06:28,520
to the top of the stack.

78
00:06:28,520 --> 00:06:29,150
Right?

79
00:06:30,320 --> 00:06:32,300
That's si for single step.

80
00:06:33,630 --> 00:06:35,250
The next instruction.

81
00:06:35,520 --> 00:06:40,500
Now our return is within the instruction pointer.

82
00:06:40,890 --> 00:06:44,180
Our next instruction is pop RDI.

83
00:06:44,220 --> 00:06:47,760
What are we popping? The pointer to the shell.

84
00:06:48,090 --> 00:06:49,470
So single step again.

85
00:06:49,530 --> 00:06:56,100
See, the stack pointer now has a variable, /bin/sh.

86
00:06:56,790 --> 00:07:01,200
So we're going to single step again, si.

87
00:07:05,020 --> 00:07:12,070
And now we have the pointer to /bin/sh in the RDI register, which is the first argument, because

88
00:07:12,070 --> 00:07:13,960
we're basically doing this.

89
00:07:14,170 --> 00:07:14,950
Let me show you.

90
00:07:14,980 --> 00:07:22,360
We're basically doing this: system, system("/bin/sh").

91
00:07:23,590 --> 00:07:24,820
That's basically what we're doing.

92
00:07:25,180 --> 00:07:30,550
So press continue, and you see that it actually creates a child process.

93
00:07:31,120 --> 00:07:32,440
So what's going on?

94
00:07:33,820 --> 00:07:35,470
I'm sorry, what's going on?

95
00:07:35,500 --> 00:07:40,610
So basically we created a child process that runs as root.

96
00:07:40,630 --> 00:07:46,000
However, it forked away and we didn't give it a command, so it just immediately died.

97
00:07:46,300 --> 00:07:53,560
So let's run this exploit without relying on that.

98
00:07:54,880 --> 00:08:01,510
The debugger is actually like a headache to actually attach to, or catch, run catch statements in the

99
00:08:01,540 --> 00:08:02,290
debugger.
100
00:08:02,680 --> 00:08:08,830
So what we're going to do is cat payload, semicolon, cat.

101
00:08:08,950 --> 00:08:13,720
We surround this with braces, pipe it into vuln.

102
00:08:20,090 --> 00:08:21,420
You press enter again?

103
00:08:21,470 --> 00:08:26,120
id, whoami. Now,

104
00:08:26,160 --> 00:08:27,720
ls /root.

105
00:08:27,950 --> 00:08:29,150
Got flag

106
00:08:29,150 --> 00:08:30,050
dot txt.

107
00:08:31,140 --> 00:08:34,559
cat /root/flag.txt.

108
00:08:36,450 --> 00:08:39,419
If you're wondering where I'm getting these flags from,

109
00:08:40,289 --> 00:08:46,740
I actually got it from a comic book series called Punisher MAX, authored by Garth Ennis.

110
00:08:47,730 --> 00:08:52,560
It was actually printed in 2007, and it was a villain named Barracuda.

111
00:08:52,560 --> 00:08:55,200
And one of his lines is, "I'm Barracuda."

112
00:08:55,200 --> 00:09:00,280
And therefore, the thing most members find out a little too late before he murdered somebody.

113
00:09:00,300 --> 00:09:04,470
He's actually one of Punisher's greatest and most badass villains.

114
00:09:05,010 --> 00:09:09,260
And, you know, like, he's just not someone that you want to mess around with.

115
00:09:09,270 --> 00:09:17,390
But Punisher actually killed him after cutting off his fingers, taking out his eye, chopping off both

116
00:09:17,400 --> 00:09:18,420
his arms.

117
00:09:18,990 --> 00:09:23,520
Setting him aside in an exploding vehicle in an M60 dueling battle.

118
00:09:24,930 --> 00:09:25,620
It was crazy.

119
00:09:25,620 --> 00:09:29,200
I don't want to ruin the story for you, but I highly recommend reading this.

120
00:09:29,220 --> 00:09:31,820
The print, I don't think it's in print anymore.

121
00:09:31,830 --> 00:09:42,030
But this was the flag when I was making this, the Petting Zoo, DEF CON 702 CTF.

122
00:09:42,840 --> 00:09:47,610
And in the next video, I'm going to show you how to redo this using pwntools.
123
00:09:48,810 --> 00:09:51,840
So make sure to submit your flag in the challenge.