1 00:00:00,270 --> 00:00:05,370 So when we talk about finding the offset, we kind of talked about in the last video we're going to be
2 00:00:05,370 --> 00:00:10,040 looking for where we overwrite the EIP, because that's what we want to control.
3 00:00:10,230 --> 00:00:16,950 Now lucky for us there is a tool already out there that will help us do this, and this tool is provided
4 00:00:16,950 --> 00:00:18,120 by the Metasploit framework.
5 00:00:18,120 --> 00:00:19,820 It's called pattern_create.
6 00:00:19,890 --> 00:00:23,730 So in our Kali machine we're gonna go ahead and just get that set up.
7 00:00:23,850 --> 00:00:34,560 So what we're gonna do is we're going to use /usr/share/metasploit-framework/tools/exploit/pattern_create
8 00:00:36,610 --> 00:00:37,200 OK.
9 00:00:37,260 --> 00:00:41,160 Now we're gonna have to give this a couple switches, actually just one for the first one.
10 00:00:41,370 --> 00:00:46,940 We're gonna give it a switch of -l for length, and the switch value we're gonna say is three thousand. So why
11 00:00:46,950 --> 00:00:48,150 three thousand?
12 00:00:48,150 --> 00:00:52,950 Well, if you remember the last video, what happened was we found somewhere around twenty seven hundred
13 00:00:52,950 --> 00:00:58,600 bytes is where the Vulnserver program crashed, and then I said hey, let's just make it an even three
14 00:00:58,600 --> 00:01:00,540 thousand, it'll be nice.
15 00:01:00,540 --> 00:01:02,280 This is where it comes into play.
16 00:01:02,280 --> 00:01:05,970 So we're going to take three thousand bytes and we're gonna hit enter here.
17 00:01:06,030 --> 00:01:11,040 What's gonna happen is it's going to generate this crazy cyclical code here that we're going to actually
18 00:01:11,040 --> 00:01:14,970 have to send into Immunity and Vulnserver.
19 00:01:15,030 --> 00:01:22,500 So you see all this jumbled stuff; all we're gonna do is just take it and we're gonna copy it, and then
20 00:01:22,500 --> 00:01:28,260 we're going to modify our script that we created earlier just a little bit, and I've gone ahead and done
21 00:01:28,260 --> 00:01:28,940 that.
22 00:01:29,160 --> 00:01:30,590 I'm going to show you what that looks like.
23 00:01:30,600 --> 00:01:31,710 So let's go ahead.
24 00:01:31,710 --> 00:01:39,650 I called it 2.py; if you want to, modify your 1.py and make it easier from the last video, and
25 00:01:39,650 --> 00:01:42,770 then I did a little test here just to make sure it worked.
26 00:01:43,040 --> 00:01:48,950 But what we're gonna do is we're gonna paste this value into here, but first I want to cover this script.
27 00:01:49,460 --> 00:01:52,640 So I removed some things, one being the time, because we don't need it.
28 00:01:52,640 --> 00:01:55,430 We still have the import sys and socket.
29 00:01:55,430 --> 00:01:57,680 We don't need like a while loop anymore.
30 00:01:57,680 --> 00:02:03,080 We can just say try, and we're gonna do the same connection, and just try the connection, make sure
31 00:02:03,080 --> 00:02:06,950 we connect to that address, and then we're gonna send this offset.
32 00:02:06,950 --> 00:02:07,680 Right.
33 00:02:07,730 --> 00:02:10,960 So I'm going to go ahead and paste that value into here.
34 00:02:10,970 --> 00:02:14,450 You can go ahead and work on getting that set up.
35 00:02:14,450 --> 00:02:19,500 What we're gonna do is we're gonna send this value and then we're gonna close the connection.
36 00:02:19,660 --> 00:02:24,580 If for some reason we cannot access it then we'll throw an exception and say error connecting to server,
37 00:02:24,580 --> 00:02:26,350 and then we'll exit out.
38 00:02:26,350 --> 00:02:32,530 So what we're gonna do is when we send this in we're gonna get a value in the EIP, so we're gonna see
39 00:02:32,530 --> 00:02:37,180 that the program crashes and then the value in the EIP is going to come back, and then we're gonna use
40 00:02:37,180 --> 00:02:39,080 a tool, we're going to say hey okay,
41 00:02:39,140 --> 00:02:42,520 Metasploit, I found this value in the EIP.
42 00:02:42,640 --> 00:02:44,390 What is the offset?
43 00:02:44,440 --> 00:02:50,820 So we've got this pattern_create right now, and then we're gonna have pattern_offset here in a second.
44 00:02:50,860 --> 00:02:54,340 So let's go ahead and get this saved up once you're ready.
45 00:02:54,340 --> 00:03:00,090 Go ahead, hit save. Same thing again, what we're going to need to do is we're going to change the mode
46 00:03:00,120 --> 00:03:03,180 like we did last time to execute on 2.py.
47 00:03:04,000 --> 00:03:08,110 And also we're gonna need to get Immunity running and Vulnserver running.
48 00:03:08,110 --> 00:03:11,080 So I'm going to do that really quick here.
49 00:03:11,200 --> 00:03:11,470 OK.
50 00:03:11,470 --> 00:03:14,300 It should look like this, hit play.
51 00:03:14,440 --> 00:03:22,530 Make sure we're running in the bottom, and then go ahead and fire off that script. OK.
52 00:03:22,530 --> 00:03:23,520 Shouldn't be an exception.
53 00:03:23,520 --> 00:03:30,510 Right away, you see now that we have this TRUN command that came through with our values that
54 00:03:30,510 --> 00:03:39,150 we sent right to the server. The value goes to the EAX, it crosses over the EBP, down to the EIP, even comes through
55 00:03:39,150 --> 00:03:40,730 the ESP, right?
56 00:03:40,740 --> 00:03:45,130 So what we're doing here is we have completely overwritten everything.
57 00:03:45,390 --> 00:03:48,930 We've gone too far because we've crossed this ESP.
58 00:03:49,200 --> 00:03:51,750 But really what we're interested in is this EIP.
59 00:03:51,780 --> 00:03:54,100 We want to be able to control this value.
60 00:03:54,300 --> 00:04:01,110 So we see this value in here is 386F4337 right here.
61 00:04:01,110 --> 00:04:03,710 This is what we need and what we're interested in.
62 00:04:03,750 --> 00:04:06,860 So let's see how we can make this value of use.
63 00:04:06,930 --> 00:04:14,970 So if we come back to the screen, let's just tab up a couple and we'll go here and just backspace.
64 00:04:15,080 --> 00:04:20,220 What we're gonna say is instead of pattern_create, all we're gonna say is pattern_offset.
65 00:04:20,220 --> 00:04:25,470 We're gonna give it the same switch of -l and we're gonna say three thousand, but one thing we need to
66 00:04:25,470 --> 00:04:29,900 add in here is a switch of -q, and that's for our finding.
67 00:04:29,910 --> 00:04:40,940 So our finding was 3 8 6 F, as in Foxtrot, 4 3 3 7.
68 00:04:41,270 --> 00:04:48,560 And now if we hit Enter here, and we did it right, we should find a pattern offset, meaning that somewhere
69 00:04:48,560 --> 00:04:54,170 inside of these three thousand bytes it found this pattern and it relayed it back to us.
70 00:04:54,410 --> 00:04:59,960 So if you see here we actually do have an exact offset match at two thousand and three bytes.
71 00:04:59,960 --> 00:05:06,050 This information is critical because that tells us now that at two thousand three bytes we can control
72 00:05:06,050 --> 00:05:11,480 the EIP, and that's exactly what we're going to do in the next video: we're going to look at the EIP and see
73 00:05:11,480 --> 00:05:12,520 if we can control it.
74 00:05:12,530 --> 00:05:17,420 So we're going to try to overwrite it with very specific bytes and see if those bytes show up.
75 00:05:17,420 --> 00:05:19,460 So let's go ahead and move on to that.