1 00:00:01,130 --> 00:00:05,700 Hello, everyone, welcome to a new video of our binary exploitation series.
2 00:00:06,560 --> 00:00:14,510 Last time we were able to execute a reverse shell and we tried a few commands from our netcat connection,
3 00:00:16,130 --> 00:00:17,300 but we had a problem.
4 00:00:17,690 --> 00:00:24,350 The memory address of our message buffer that has our shellcode will change every time when we have
5 00:00:24,350 --> 00:00:28,580 ASLR (address space layout randomization) enabled.
6 00:00:30,260 --> 00:00:32,900 So we need to brute force the memory address.
7 00:00:33,380 --> 00:00:39,590 But before we do that, we also need to find a valid memory address for our string format function.
8 00:00:40,880 --> 00:00:46,190 Because if you remember from before, the string format function, if it doesn't find a valid memory
9 00:00:46,190 --> 00:00:47,580 address, it will crash.
10 00:00:48,950 --> 00:00:50,060 It's easy to do, though.
11 00:00:50,060 --> 00:00:54,220 We can use the system function, whose address is not changing.
12 00:00:54,230 --> 00:01:04,040 So if we open GDB first, let's make sure that our ASLR is turned off.
13 00:01:05,000 --> 00:01:06,320 I mean, turned on, sorry.
14 00:01:15,410 --> 00:01:21,740 OK, now, if this is two, that means it's turned on; if it's zero, that means it's turned off.
15 00:01:23,370 --> 00:01:33,930 So far, so good. Now in GDB, let's make sure ASLR is on, and then we put a break
16 00:01:33,930 --> 00:01:36,530 on main and run our program.
17 00:01:36,930 --> 00:01:39,810 Let's check p system.
18 00:01:41,280 --> 00:01:47,190 So this is an address that we can use, the libc function.
19 00:01:48,780 --> 00:01:54,720 The system function is using this address, so we can use this if we quit and start again.
20 00:01:58,080 --> 00:01:58,680 And then.
21 00:02:02,050 --> 00:02:04,230 I forgot to turn on this, so.
22 00:02:06,980 --> 00:02:10,550 OK, rerun our program.
23 00:02:12,410 --> 00:02:24,140 It's still the same memory address like here, check, it's the same, so we can use this as a valid address.
24 00:02:24,620 --> 00:02:25,130 That's fine.
25 00:02:25,940 --> 00:02:29,990 Now, what we have left to do is to brute force the message buffer.
26 00:02:30,960 --> 00:02:31,490 All right.
27 00:02:34,880 --> 00:02:37,810 I already wrote my program here.
28 00:02:38,570 --> 00:02:40,200 So what I'm doing now.
29 00:02:40,850 --> 00:02:47,000 We are going to generate two bytes, the two bytes in the middle, because we know the byte on the right
30 00:02:47,000 --> 00:02:47,900 and the left.
31 00:02:48,170 --> 00:02:50,120 They are fixed, or not changing.
32 00:02:50,570 --> 00:02:50,960 Right.
33 00:02:51,750 --> 00:02:53,390 They are b0.
34 00:02:55,130 --> 00:03:00,890 And we already said why we are choosing b0: because if we choose e0, we will jump to the very
35 00:03:00,890 --> 00:03:04,030 beginning of our shellcode, which has no NOP bytes.
36 00:03:04,460 --> 00:03:08,330 So we have chosen b0 before because of that.
37 00:03:08,720 --> 00:03:10,570 And the last byte is zero zero.
38 00:03:10,970 --> 00:03:17,750 So we need to generate, or loop through, two hundred fifty-five numbers.
39 00:03:17,900 --> 00:03:20,090 Each will be a hex byte.
40 00:03:21,290 --> 00:03:24,080 So we have our first random byte here.
41 00:03:24,860 --> 00:03:32,660 We're using the format function to turn it into hex, like 0x06, 0x05, 0x06, 0x03
42 00:03:32,660 --> 00:03:33,250 and so on.
43 00:03:33,740 --> 00:03:37,130 And then we go into another loop for our second byte.
44 00:03:37,700 --> 00:03:38,510 Same thing.
45 00:03:38,630 --> 00:03:45,470 We're using the format to change it to a real, to an actual hex, 0x06, 0x05.
46 00:03:45,950 --> 00:03:49,280 And then we're getting only the number.
47 00:03:49,640 --> 00:03:53,570 We don't care about the 0x, so we're getting the second.
48 00:03:54,660 --> 00:03:56,450 We're, we're from the second.
49 00:03:56,450 --> 00:04:04,130 To the... from the third, I mean, to the last, because 0, 1, 2, so it begins from the third to the end.
50 00:04:04,550 --> 00:04:11,250 And then we use the unhexlify function here from binascii, for conversion.
51 00:04:11,250 --> 00:04:17,300 So we're using the unhexlify function to change it into a real byte, right?
52 00:04:17,300 --> 00:04:23,330 So we are able to send it, and then we increment byte one and byte two here, plus equal.
53 00:04:24,200 --> 00:04:31,790 And then we have our temp address, which is the fixed first byte, this one at the top, and then the
54 00:04:31,790 --> 00:04:35,750 two in the middle, byte one, byte two, and then the second fixed.
55 00:04:36,050 --> 00:04:40,430 But then we will have hexlify this time.
56 00:04:41,060 --> 00:04:44,240 This time we need hexlify just for printing it.
57 00:04:44,240 --> 00:04:46,250 That's all, not for sending it.
58 00:04:46,790 --> 00:04:54,860 So we are converting it into hex so we can print it to the screen using the sys.stdout.write function.
59 00:04:55,580 --> 00:05:01,760 And then we use this sys.stdout.flush because we don't want the screen to keep printing over and
60 00:05:01,760 --> 00:05:02,420 over and over.
61 00:05:03,140 --> 00:05:03,390 Right.
62 00:05:03,470 --> 00:05:04,970 We will get a lot of lines.
63 00:05:04,970 --> 00:05:08,180 So we're just using flush to keep it on the same line.
64 00:05:09,540 --> 00:05:11,390 And then finally we have our payload.
65 00:05:11,780 --> 00:05:18,020 But this time we are using this system address, the one that we have here.
66 00:05:20,180 --> 00:05:24,260 This is the address that we got from the function here, from GDB.
67 00:05:25,330 --> 00:05:33,280 And then our junk, everything the same as before, but the last address, which from before
68 00:05:33,280 --> 00:05:36,100 was the message buffer, we're not going to use this anymore.
69 00:05:36,590 --> 00:05:44,740 We're going to use this address, this one, which has a generated brute-force address.
70 00:05:44,740 --> 00:05:50,430 Right after that, we send it using the sendto function.
71 00:05:51,070 --> 00:05:53,970 And here's the thing.
72 00:05:53,980 --> 00:05:55,140 This is the extra part.
73 00:05:55,870 --> 00:06:02,350 So the first thing is, when we send it and we get a reverse shell, how do we know that this byte actually
74 00:06:02,350 --> 00:06:02,830 worked?
75 00:06:02,980 --> 00:06:03,340 Right.
76 00:06:03,340 --> 00:06:05,860 Because there is no way we can know this.
77 00:06:05,860 --> 00:06:07,180 Our program doesn't know.
78 00:06:07,360 --> 00:06:11,710 It will keep trying all the addresses without knowing.
79 00:06:12,790 --> 00:06:16,720 So in order to fix this, I'm going to create
80 00:06:18,700 --> 00:06:19,720 an empty file.
81 00:06:20,230 --> 00:06:23,850 Just touch tcp.out, OK?
82 00:06:24,870 --> 00:06:26,950 After that, I'm going to
83 00:06:29,990 --> 00:06:36,440 open tcpdump listening on the port, just filter on port 1234.
84 00:06:37,170 --> 00:06:48,500 I'm using -A for ASCII, and then, excuse me, and then I will send the output to a file called tcp
85 00:06:48,500 --> 00:06:48,850 .out.
86 00:06:49,340 --> 00:06:58,190 So if I keep this running like this, it has got zero, right.
87 00:06:58,220 --> 00:06:59,180 So if we check.
88 00:06:59,630 --> 00:07:00,560 If we come here.
89 00:07:02,920 --> 00:07:03,430 And.
90 00:07:07,380 --> 00:07:11,610 ls -la, and then tcp.out.
91 00:07:16,170 --> 00:07:26,330 You see, it's one, it's empty now, so if we receive anything, the size will be a bit
92 00:07:26,330 --> 00:07:28,880 larger than one.
93 00:07:30,020 --> 00:07:36,020 So I'm using this function here, os.stat, to see the file tcp.out, kind of checking if it's
94 00:07:36,020 --> 00:07:37,640 larger than one.
95 00:07:37,640 --> 00:07:43,100 If it's larger than one, that means we received something, and then we print
96 00:07:43,100 --> 00:07:45,080 "We got shell" and then exit.
97 00:07:46,230 --> 00:07:46,650 Right.
98 00:07:47,710 --> 00:07:52,140 Oh, this should be here.
99 00:07:53,520 --> 00:07:55,280 Why do we have sleep here?
100 00:07:55,290 --> 00:08:00,330 Because UDP is sending the packets very, very fast, not like TCP.
101 00:08:00,870 --> 00:08:08,070 Please remember this, and we need to sleep at least 0.03 milliseconds before each
102 00:08:08,370 --> 00:08:09,120 attempt.
103 00:08:09,150 --> 00:08:16,410 If you don't do this, you're not going to succeed with your packets.
104 00:08:16,440 --> 00:08:22,050 I really tried this before and it didn't work, but if you do sleep 0.03, at least, it
105 00:08:22,050 --> 00:08:22,800 will work fine.
106 00:08:23,730 --> 00:08:24,330 All right.
107 00:08:25,140 --> 00:08:26,190 Now let's try.
108 00:08:26,880 --> 00:08:30,710 I'm going to quit here and I'm going to run our program.
109 00:08:30,720 --> 00:08:32,790 Let's first check if it's running.
110 00:08:37,170 --> 00:08:43,080 It's not, so OK, one, two, three, and then here I'm going to.
111 00:08:44,630 --> 00:08:48,000 First, we also need to listen on netcat.
112 00:08:53,440 --> 00:08:55,060 One, two, three, four.
113 00:08:55,840 --> 00:09:00,850 Uh, I'm sorry, this should be
114 00:09:04,090 --> 00:09:10,720 our local address, so let's leave it here for now, and then.
115 00:09:12,920 --> 00:09:16,040 We can start our program.
116 00:09:18,520 --> 00:09:24,520 Oops, we got an error, we need to import
117 00:09:27,150 --> 00:09:28,780 the sleep function.
118 00:09:32,500 --> 00:09:39,870 All right, it's going to take some time. If you look here, we have the first byte on the left.
119 00:09:39,870 --> 00:09:40,650 It's b0.
120 00:09:40,650 --> 00:09:41,190 That's fine.
121 00:09:41,200 --> 00:09:45,780 This is a fixed byte, the very last byte, the zero zero.
122 00:09:46,140 --> 00:09:51,840 Because when we reverse this, the zero zero will be on the left, right? Zero zero.
123 00:09:52,260 --> 00:09:56,870 And then the two bytes we are generating, and then finally the shell.
124 00:09:58,410 --> 00:10:05,160 Now I'm going to keep this running and I will pause the video from now and continue once I get something,
125 00:10:05,580 --> 00:10:05,940 right.
126 00:10:06,390 --> 00:10:10,050 I'm also going to get the tcpdump.
127 00:10:12,250 --> 00:10:13,980 Oops, and put it here.
128 00:10:16,140 --> 00:10:23,850 So you can see what exactly I'm getting here, so we will leave it like this and I'll pause
129 00:10:23,850 --> 00:10:25,440 the video and I'll be right back.
130 00:10:27,210 --> 00:10:28,760 All right, I'm back.
131 00:10:28,800 --> 00:10:34,470 We got our shell here. If you see, this address, and then we got a shell.
132 00:10:34,500 --> 00:10:36,150 This is not the exact address.
133 00:10:36,150 --> 00:10:39,120 It should be 00 41.
134 00:10:39,390 --> 00:10:46,320 The 30 is not going to be very accurate because it takes like half a second to try again.
135 00:10:46,770 --> 00:10:52,410 And then we have to wait for our tcpdump to capture one packet, like it did here.
136 00:10:53,100 --> 00:10:53,470 Right.
137 00:10:53,820 --> 00:10:58,560 So in this half second, this 30 will be changed, right.
138 00:10:58,590 --> 00:10:59,490 It's so fast.
139 00:10:59,490 --> 00:11:05,580 It's UDP, unless you want to make it slower, like you want to make it sleep for one or half a second.
140 00:11:06,060 --> 00:11:08,550 But I wouldn't recommend that because it will take a longer time.
141 00:11:09,960 --> 00:11:15,660 It took me, I don't know, around 15 minutes or something to brute force the address, or even
142 00:11:15,660 --> 00:11:16,440 less than that.
143 00:11:17,220 --> 00:11:20,260 So we have a shell here, so we can actually try some commands.
144 00:11:20,640 --> 00:11:21,210 That's good.
145 00:11:22,830 --> 00:11:28,200 Now let's actually attach our GDP, our GDB, and
146 00:11:30,840 --> 00:11:34,410 let's, let's find the process ID.
147 00:11:34,410 --> 00:11:37,740 First of all, our server.
148 00:11:39,420 --> 00:11:40,750 OK, that's it.
149 00:11:42,060 --> 00:11:44,400 And then gdb -q.
150 00:11:46,590 --> 00:11:48,630 And then attach.
151 00:11:49,790 --> 00:11:53,930 OK, now let's find the message buffer.
152 00:12:02,430 --> 00:12:07,410 All right, as you can see here, the 41 is correct here, right?
153 00:12:08,150 --> 00:12:14,780 So the only thing that is not is the 30, because it got 20 and then we got our shell,
154 00:12:14,780 --> 00:12:18,860 but it took half a second for the tcpdump to capture the one packet.
155 00:12:19,190 --> 00:12:22,370 Then it became 30 because it was very fast.
156 00:12:23,770 --> 00:12:29,500 All right, this was the last video of our binary exploitation series. You'll find both the source
157 00:12:29,500 --> 00:12:34,330 code of the C program and the Python script on my GitHub channel here.
158 00:12:35,990 --> 00:12:38,720 Thanks again for watching and see you in the next video.