Binary Exploitation Workshop with Leigh Trinity

Okay, we are live from Willis College for Bides Meetup. The fir the first of the year or the second. >> It's not the first of the year. Oh, yeah. It's the first of the year. >> First of the year. Okay. So, my name is Lee Gilbert. I'm from far east Newf Finland and uh I'm in tonight to teach you about binary exploitation basics. A little about me. I'm instructor at the Cyber Casix School in Ukraine teaching malware analysis and exploit development to Ukrainians to keep their country safe right now. Uh I'm currently just finishing off my exploit development course with Offseek. Um I'm retired military. I was a tank commander and a reconnaissance patrol commander back in

the day and I'm now living on a remote island off of the coast of Newfaland. Um I studied under occupy the web for years and I've been programming assembly, Python and C for about five years. And here's my um LinkedIn if anyone wants it. Okay, so to Bides Meetup, this is normally a three-day course I do. Um within the time constraints we have tonight, I basically broke it down into four different binaries we're going to go over. So the first is going to be a binary game to overwrite variables on a stack. Um that's the start to um exploit development and doing a buffer overflow. If you've ever heard of remote code execution happening uh in exploits, it

all comes back to the buffer overflow. Now there's multiple vulnerabilities within the C program language. Um what we're going to be covering tonight is stir copy. So stir copy function basically it will take user input and copy it into a buffer without doing any bounds checking. So without doing bounds checking we can overwrite things outside of that um buffer and take control of the instruction pointer. Once we take control of the instruction pointer we own the server. We own whatever the program is. So we're going to break it down into four different binaries tonight. Um, I know some people had some trouble with, um, getting MX Linux set up. So, we have two computers. I think

you got yours set up as well. So, um, we'll huddle around. We'll share and we'll get through this. Um, so the way we're going to do it, I'm going to do the demonstration of it, explain it, and then we'll take my computer and your computer and we'll sort of huddle around and we'll go through them. Okay. So, the first thing we're gonna do to binary game to overwrite variables on the stack. Then I'm going to take you into a a vanilla buffer overflow. Um, from there we're going to bypass data execution prevention and then we're going to bypass data execution prevention and ASLR at the same time. Okay. So I'll just get you guys to come

over to your binaries here and open a terminal and let me just bring up the draw IO for game. So the first thing you have to do is compile the binaries. Now everyone should have downloaded the C programs and here we Whoops. Let me just get into my binaries folder. So we'll compile the binaries. Now you can see here when we compile it with GCC we have no stack protector exec stack and then the name of the program and then the output. So what we're going to do is no stack protector gets rid of stack cookies. Exec stack allows us to execute things on the stack because right now in 2026 of course you still

can't do that but I want to teach you how to walk before we run. So as you can see it compiled no trouble. So let me just switch over here. So now we're going to open up GDB which is a binary um editor and viewer. Can you put back your screen again? Did you stop sharing? >> Stop sharing. But now

right now it was uh it was on earlier. Oh, there we go. >> We're good. >> Yes, there we go. >> Okay. Okay. So, first we're going to disassemble the main function. And as you can see, this is assembly language. This is what I program in and and where I where I live. So, what we're going to see is this right here is stir copy. So, this takes the user input. Stir copy copies it into the buffer. Now, the problem with stir copy and there are m a multitude of different uh functions that are vulnerable. The thing with stir copy, it doesn't do bounds checking. So what we will do we'll set a break point at the stir copy

here.

And all this does is stop the program right at the stir copy before it copies anything into the buffer. And next we're just going to run u the program with an input of a bunch of A's. Let me just put this over here to the side. Okay. So the next command is display 60 words of hex from the ESP. So the ESP um if you've done the precourse is the extended stack pointer. It sits on the very top of the stack. So what I'll do now is we'll hit print ESP. and you will see it's at F040. So we come over here to the side and have a look at the stack and we see it's

right here. So this right here is the stack pointer. This shows the where the top of the stack is. So we print our base pointer which is the bottom of the stack and it's at 098. So the thing to remember when you're counting in hex obviously we start at zero. So it's 0 1 2 3 4 5 6 7 8. So this is our base pointer. So here's our stack pointer. Here's our buffer and here's our base pointer. To the right of the base pointer, always in binary exploitation, this is the return address. So when the program crashes, it automatically returns to the return address to exit. If we control this, we control where the

instruction pointer is pointing and then we can take over the whole system. Um, we're not going to do that right yet. We'll do that in the next um in the next binary. But with this game, I want it to uh overwrite a variable on the stack. So as you can see I have a variable zed and it's at 08 C. So C is 12 in hex. So we come over here and right here this is variable Z which is set at zero. So what we want to do we want to overwrite this variable. So let's hit next instruction and then display 60 words from the ESP again.

Now, do anyone see where those A's went on that buffer? >> What does anyone know what an A in hex is >> 41? >> So, so what we have right here, this is the start of writing on the buffer. So now what we want to do, we want to overwrite this variable down here. So as you can see, we have quite a ways to go before we reach there. So we'll continue on the program and it says continuing. You suck. X is still zero. So what we'll do, we'll put in 50 this time.

Now, if this was real exploit development, you would be doing it with Python scripts, and we'll get into a little Python scripting um in two more scripts. So, we already hit our break point. So, let's hit next instruction and display 60 words of hex from the ESP from the stack pointer. So right here, here's our stack pointer right here. Um, let's have a look for our base pointer. Our base pointer is at right here. So this is our stack right here. This is the variable we're trying to overwrite right here. So as you can see, we still haven't overwritten it with uh 50 A's. So as you can see, continuing you still suck x is zero.

So now we sort of know that 52 is going to overwrite it.

And again we'll display 60 words in hex. Now this is right at the stir copy. So as you can see nothing's been copied into our buffer yet. However, when we hit next instruction, stir copy is called and we'll have a look again. And as you can see, all these 41s right here are right down to where our variable Z was. And as you can see, 41s are overwriting the binary. So, if we hit continue here, you can see you have completed this challenge. Z is overwritten with 4141. So now you've just learned how to overwrite something on a buffer. And this is going to be really important in the next lessons as we start taking

control of the instruction pointer and taking control of the servers. So what we'll do now, we'll break into I guess we'll break into groups because we had some trouble with MX Linux and we'll give you guys a chance to run through this yourself. So, uh, if you want to come out with me and you two work together and then the rest of us can sort of split between us and, uh, and we'll do it that way.

[snorts]

Okay. So, let me just

All right. So, if you want to jump in here. >> So, basically, it's just copy and paste, >> okay? >> As you go down through, but just make sure you're clicked on that and not the box itself. Copy it in and then we'll uh and just work your way down through it. Starting uh >> we just did that one. So, the one just below. >> If you guys have any questions, I'm here. Thank you.

Okay. So, it'll be game class um for the uh >> Oh, free um the game class. This one right here. That's the draw.io.

Okay. Okay. So, the first thing you're going to need to uh to do what I do, I just put it half screen and half screen. >> Okay. So, you're going to have to compile your binary. >> I'm pretty much still new, so I still need [laughter] Thank you. >> So, just come here to the first one. You want to copy that? Uh, no. Just double click on the uh the inside. Copy the text. Yep. So, this is just compiling the binary we're going to use. >> Okay. >> Perfect. >> This Yeah. >> So, let's move to the next um next command. And this is just opening up our GDB and just double click in the center.

Yep.

>> Pressure makes it easier. >> Yeah. [laughter] Yeah. >> Well, that's what I wanted to do. I wanted to make it plug and play for everyone so you can actually see what's happening. So, now you're going to disassemble the main function.

>> That is the hardest part. There's a little little work here. Now, you're going to look for stir copy, which is right here, and we're going to copy that address directly across from it. Yep. Now, um, what you're going to do is put a B and a star before that space and then put that address in. And that just sets the break point at your stir copy. Okay.

How we make it out? >> So, copy this. >> Which one is >> Okay, so the return address is right next to your base pointer. So, the base pointer, let's grab uh this command.

So the base pointer is A50 >> and then the return address is to the right >> right to right next to it. [laughter]

[snorts] >> Okay. So your breakpoint's set. >> So now let's go to our next one here. And now we're just going to run the program with some A's. So all this is doing is putting A's into the buffer. There you go. Okay. So just go to the next command and it should um should be an examine display. So this is just going to show you 60 words of hex from the stack pointer. So there it is. >> Okay. So I just um just hold the second one up here. Let me uh do this. Oops. >> Do you want me to minimize it? Okay. >> Do it like this. And then all this terminal. Oops. Like so.

There we go. Okay. [snorts] So, now you've done that one. So, just copy this one in. And this one's going to show print where the ESP is. So, copy that one and then have a look for that address when it comes up. >> So, I found it. It's this one here. And then this must be the return address. This one. >> That's right. Y. >> So, I ran xwx with the return address. >> Okay. Just let me hear one sec. Something is off right there. Okay. So, we'll skip jump down to this one here. >> Okay. >> So, we're going to run it.

>> Okay.

construction.

Okay. So now if you hit print Z right there, P and Z, no symbol in context.

Let's

do the display.

Oops. Got a weird little thing put on it. Okay, there you go.

just different. >> All right. Did you find them? >> We were supposed to find where those are on there or >> Yeah. So, like this one here. Um I can't see your uh What's the last three? >> The 080. >> Okay. So, just find 080 on the side. Your ESP is always I'll show you now. Your ESP is always this one right here. So, you can see this number here matches up >> with that one. So this this is your top left corner is always your ESP >> and then what's that one there? [laughter] >> Can I get in between you guys just for one sec? >> Yeah. Yeah. Yeah. >> Um actually you know say that we could come there

also so that you don't have to walk all the way. So >> I could do with the exercise. I was in bed all last week sick. So I'll do it. Um 0 D8. So here is your right here. So this is your base pointer right here. So we came over to zero D0. That's this one. So 0 1 2 3 is here. >> 456 78 right here. >> Okay. So you understand how I got that? >> No. Could you >> Okay. So right here >> 0 D8. >> So we find 0 D0. Okay. Yeah. >> 0 1 2 3 4 5 6 7 >> 8 by seven. >> That's eight. So here's your base pointer. This is your stack. And here's

your stack pointer right here. So this is how the stack is set up right now. Right there. >> Okay. >> So now once we know this base pointer is right here, this is your return address right here. So always to the right of the base pointer, that's the return address right there. >> Okay. >> So if we do x wx and then copy this address [snorts] >> is >> you see to return to lib C main. >> Okay, >> that's the return address. So now when we get into the buffer overflow, the whole thing is once you overwrite that return address, you gain control of the instruction pointer and then you tell the computer what to do.

>> You have full control. >> Okay. >> So now let's get back to here. >> That's called the base pointer. Is it always right with a zer followed by? >> No. No, not all the time. No, but always to the right of it. That's always the return address. Base pointer. Return address. every every time a stack is created. So now have a look for uh Z and see if you can do that one. >> So because I after you entered [snorts] in this one, I tried entering in this. >> Okay, let's >> didn't work. So >> okay, let's do this first. >> Open terminal here.

It starts at zero. Always starts at zero.

[clears throat] >> It's all It's all included. >> If you guys want pizza, it's right there. When you're dealing with binary, it always binary, you always.

>> So that's how we got that. So she said go on next. [laughter]

>> Okay. >> [snorts]

>> right now.

>> [clears throat] >> disassemble the main function and we look for distur copy which is right here. So, let's put a break point. So, then that way it just stops prior to um getting copied over.

Okay.

So, do you understand where the ESP is yet? No, >> just by looking. Okay, so the ESP is always right here in this top corner. >> Okay, >> so right here. So this would be the address of ESP. And we can confirm that just by doing P >> ESP. Whoops, copied that instead.

As you can see, F040, and that's this address right here. So this is where your stack pointer is. Now every time a stack's created stack pointer and the base pointer go to the same place and then it opens up like this. >> So

and you see 098. So it starts at 0 1 2 3 4 5 6 7 8. So this is your base pointer. This is your stack pointer. So this is our stack right here. >> Okay. So, what we'll do now, I'll take you right down to the bottom here. Says, "You suck. X is still." So, what we'll do, take this one in.

Okay. So, let's display Now let's do P and Z. Now here is our 05 C. So come here to 05. So 0 1 2 3 4 5 6 7 8 9 10 11 12. So that's our C over right here. So this is what we're trying to overwrite here. So let's hit next instruction. Is that a run a >> Yeah, that's what we we put into the buffer. And as you can see now, Z is overwritten right here. So we hit continue and you have completed this challenge. Z is overwritten. >> All right. >> Thank you very much. >> No sweat.

Okay. So, where did we leave off? We found Z right here. >> Yeah. >> Okay. Did you find out where it was? >> Yeah. Yeah. This was the one. >> That's the zero right there. Yeah. So, now we >> you mentioned Yeah. This is the This is the one, you know, which is the base pointer. >> Oh, no. >> The return address. >> The return address. Yeah. >> Yep. Okay. So, um nothing's been copied there yet. So, let's do Oops. Oh, now you see your mouse here. [laughter] You do that one. Just click the next instruction in.

>> Yep. Yeah. >> Okay. And then if we just do now, you can see these 41s are copied in right here. See, this is our A's that just got copied onto the buffer. And as you can tell, we're going to need a lot more, right? [snorts] >> So, what we'll do, we'll just hit C here >> like so. And it says you suck. X is still zero. >> Okay. >> So, you >> So, let's copy that one. >> Okay. >> Let's put that run into um So, now we're just putting 52 A's into the buffer.

Oh, hold on one sec. We got >> it is the space >> space there. So, just

Okay. So, now just copy this one here.

Okay. So, there's our stack and we're right at the stir copy before it copies in. So, nothing's been copied there yet. So, we put in next instruction. Just hit here. I'll just do NI >> and then display. You see all our 41s are filling the buffer. >> Yeah. Yeah. Yeah. >> And we've overwritten the variable >> one. Okay. >> So, if you hit C, you have completed this challenge. Z is overwritten with 4141. >> So that's how you overwrite things on the stack. >> So what we'll get into next now is overwriting that return address with shell code >> and then we start totally hacking the system. All right. [snorts and laughter] [sighs and gasps]

Okay. So that was a bit of fun. We'll uh we'll jump right into our next class here. Okay, so now we're getting into the serious stuff, the buffer overflows. So, anytime you've ever heard remote control execution, um or ran a script on a program from um exploit DB or somewhere like that, this is what they're talking about. Okay, so buffer overflow. Instead of overwriting a random variable on the stack like we just did, we're going to overwrite the return address. And where's the return address? Can anyone tell me? >> Right to the base. >> Right next to the base pointer. Always to the right of the base pointer is is where it at where it's at.

Okay. So, I am not an artist, so don't laugh at me too hard. Um but okay so what you just learned is the top here we see the ESP we have our buffer that we filled out with A's our base pointer and our return address. So what we're going to do is we're going to put X90 which is knops which tells the computer in assembly no operation. So basically when it gets to knops it just keeps going until it gets a valid command. Okay. So this is done basically it's called a knop sled and it provides a place for the instruction pointer to land on and then slide into our shell code. So this is the vanilla buffer overflow. You will

not get away with doing this nowadays but this is part of the process of of learning um how to do it and we'll get into bypassing that stuff soon. So the way it is we set up our kns at the top of the stack. So instead of just putting in A's, we're going to put in knobs. We're going to put shell code right after that. And then we're going to fill up the rest of the buffer with just a couple A's. The return address, we're going to do a jump in assembly, which is going to jump back to here, come through the knopsled, execute the shell code, and take over the system. Okay, so that's the basic idea of a buffer

vanilla buffer overflow. So let's get into it.

Okay.

Okay. Okay. So, the first thing we're going to do, we're going to make sure that ASLR is turned off. Let's open the terminal. And all you do for turning off your ASLR, it's everything's a file in Linux, a folder. Um, so basically, you just echo zero. It is either zero, it's off, or two, it's on. So, we'll echo zero into the file. And you can see cat right here that it's zero. So, ASLR is turned off. That's our first step. Next, we compile our binary. I've already got mine compiled. So, we'll jump into our GDB where we all live as exploit developers. And again, we disassembled a main function here. And thankfully, um, we have this thing

called vulnerable function here. Looks like something we should check out as exploit developers.

And here's our stir copy again. So we know that this is vulnerable to buffer overflow. So we'll just copy this and put a break point at it so it stops just before it copies into our buffer.

And uh what we'll do, we're going to skip over one part here because um when you're doing exploit development, have you ever hear of MSF Venom and all the tools in Cali? You'll use MF MSF pattern create a a small buffer that has repeated uh numbers and letters. you send that into the buffer and then whatever overwrites to EIP basically tells you how big that buffer is. Okay, so we've already done that and we come back that the buffer is 268 bytes. So what we'll do now we'll send a skeleton in and as you can see right here we have 268 a's and then four Bs. So the four B's will be to jump backwards into

the nups. And this this will make sense here in a sec.

So let's examine 132 words from the ESP. Now, and I should point out to a word in 32bit is is just four bytes. Okay. So as you can see, nothing's been copied into the stack yet. So let's hit next instruction. Have a look again. And as you can see, here's all our A's copied in here. And overwriting the return address, we have B's, which is the 42 here. So now we have control of this is a skeleton to basically show that yeah, this works. It all lines up properly. And now we have control of the instruction pointer. So now what we have we have 268 bytes we need to break down um our shell code

here is only 35 bytes because just a bin shell code for example here if we're doing this in real life you need about 300 bytes for a proper um interpreter shell to to get back interpreter shell you can get smaller ones but it will don't have the same functionality as the interpreter so what we'll do we're going to put 200 knobs our shell code and then eight A's and then a jump that's going to jump back into the shell code. So let's continue on here. And as you can see, a segmentation fault. So if you were an exploit developer and you were doing this kind of work at home, you would just constantly barrage the program until you

see that segmentation fault. Once you see that, you're like, "Oh, okay. I can exploit this." And then you start writing your your exploits. So now I'm going to run it. And as you can see, we have 200 knobs right here, which is X90. We have our shell code right here. And then we have 33 A's just to as a buffer because you can't have gaps in the space, right? And then we have these B's set up here that we'll find a jump address to jump back into our show code with. So let's examine our stack. And nothing's been copied in. Let's hit next instruction and examine our stack again. And you can see these nine zeros

right here. These are all our knobs right down to here. Here's our shell code on the stack here. And now we had to fill it up. You can fill up this buffer with everything. Exploit developers always use A's, B's, and C's though. Um, so I filled the rest of the buffer up with A's right here. And then this right here is the return address um that we have overwritten with our B's. Now I'm going to find a jump address. So I'll just open up my notepad. Now we need to jump backwards into those knobs. So you'd never go with the top because things in binary exploitation shift a little bit. So if you go with right at

the top, it might shift a bit and totally mess up your your kn. So what you want to do, you want to come down here to the center and pick one. So I like this one right here.

Okay. And now everything's looking good for this vanilla buffer overflow. So, we'll continue on and exit the program. It crashed again. So, we know that it got to the return address and realized that um yeah, there was no proper instruction there. So, it just crashed. So, now what we need to do, we need to add that jump address. Now what I'll do now is show you a slide. This is probably the hardest part.

So the core concept of little India means the least significant bit bit the little n is stored at the lowest memory address. So 0xb7 dd3920 becomes 2039 ddb7. So it's stored backwards into the stack. So this is probably the most complicated part of the part of this and I'll show you a fun way to do it with Python where you don't have to do any of this stuff but this is the core concept of when you look in memory if you had to store it just B7D3920 you would look at it in assembly and it would be stored backwards. Okay. So, just a little something to keep in mind here. And let's see if I mess it up or

not. We already copied our address down from the from the jump earlier. So, right here,

one two three four.

X90.

E

FF and BF. So, let's put that into the program here. Let's examine our stack again. And nothing's been copied in. Let's hit next instruction and examine the stack again. And as you can see, here's all our knops here. And this is a good time to make sure that your address is perfect. Um, there's our shell code starting here. Here's our 30A right here. And right here on top of the return address, let's double check and confirm. And as you can see, I didn't [ __ ] it up. So, BF FFF90. We're good. So, everything's good. And copathetic. So, if I hit continue now, you can see user bin bash. We now have control of this server. So if this was

on a server somewhere, we have a full interpreter shell and we own it. Okay. So we'll break into our groups again and I'll walk you through all this and uh we'll do our first vanilla vanilla buffer overflow hopefully. All right, if you want to jump up on mine.

Okay. Just have to start at at this one right here.

Just um that one right right there. This one. >> Yeah. >> Actually, here. Let me set you up proper. Here we go. [snorts]

>> Yeah. Before you go any further, I just want to tell you there's uh somebody on stream that just said, "Awesome live stream." So, I'm assuming that somebody really likes what you're teaching right now. [laughter] >> Good. Good. Okay. So, now we got to compile it. We got to Oh, you're already ahead. >> Oh, no. No. >> Oh, is the old one? So, this one is exploit one. >> That one right here. Exploit one class. >> Oh my. Okay. Yeah. >> Yeah. >> [snorts]

[laughter] >> Yeah. So, just get your screen set up and uh and get it compiled.

>> Terminal right here in the corner. That one or down? Right there. Here we go. Okay. So now you're going to disassemble the vulnerable function with this this function here. So just copy copy that right there. There you go.

>> And so it's not this here. [snorts] >> No, no, just uh the name of the name of the function. Okay. So now we're going to look for the stir copy which is right here and B star and take this address right here and set a breakpoint. So we'll do B star and then copy this address right here. [snorts] Perfect.

Okay. [snorts] So, the breakpoint set. So, let me just So, now this is where we would fuzz um but we're not going to get into it because it needs another class. So, basically we came back and found out that the um Oops.

Okay. So now examine it and then hit next instruction and then examine it again and you should see the A's go into the stack.

>> How we doing guys? >> Uh so so like yeah we just set it up. So like we want to open the new terminal for this one, right? >> Yeah. in your binary and um grab this one.

>> So that's compiled. Perfect. Now open up the GDB. [clears throat]

>> Perfect. So now we're going to disassemble the main function. >> So GDB is a tool. >> Yeah. >> A binary exploitation tool. Yeah, >> got some messed up stuff there. >> Okay. And you see vulnerable functions. So, let's just see just assemble the vulnerable function. Uh, nope. Just click um this one right here. This perfect. Now you're looking for your stir copy and you got to set a B star at that address right there.

>> ESP. >> Oh, hold on now. >> Okay, so here's your stack. >> And as you can see, nothing's copied into your stack yet. So, hit next instruction. And how about I just use up arrow like that. >> And as you can see, here's your it's copied in the return address has the 42s on it. And these are your 258. >> So now you know the instruction pointer you have written in your 42s. This is where you're going to put your jump. Your jump's going to jump back up here to the top into the knobs and hit the shell code and take the computer over. >> Okay. So what we'll do now is if we just

come down to this right here. So 268 bytes is our total shell code. We have 200 knobs, 35 for our shell code here. >> 8 to cover up to the 42s. >> And then the 42s is where the jump's going to go. Okay. So >> yeah. So, let's grab this one here. >> Okay. So, now this is our skeleton. Um, here's our shell code. We have 200 kns. Our shell code 33A is just to fill out the gap between the shell code and the jump.

So, I'll get you to examine the stack, hit next instruction, and examine it again and see where it all lines up, and then we'll go from there.

>> You might want to copy that, recopy that with extra spaces. >> Yeah, this one. >> No, that should be good. See? Scroll down. >> I am trying to scroll down, but I don't see here anything with this color. Just let me see.

>> It already went to the next prompt. I don't know. We don't know how that got in there. >> Okay. So, we're hoping that doesn't actually quit it because sometimes it just is >> that the terminal >> just started over. It'll slowly take a sec because this already compiled, right? So, okay, [clears throat] I'm getting that one. Disassemble the main function. Disassemble the vulnerable function. And now breakpoint at stir copy. >> It's hard to see in this font. >> Yeah, I didn't choose that font. Okay, I'll [laughter] be honest. Yeah, I'm trying [clears throat] to change it, but I didn't choose that one. [laughter] >> Here's the breakpoint set. Um,

>> tried to change it, but yeah. >> No. Okay. So, um, this is where you would fuzz it. We're skipping that for this class because, uh, we didn't really have time. This usually like a two, three day course we do. So now, >> yeah. [laughter] Um, so now we just put in 268. That's the size of our buffer. And then we overwrite our return address, uh, with these B's. So what's going to happen? We're going to put the return address is going to where be where the jump backwards goes, jumps back into kns, and then hits shell code and takes over. So actually, I'll let you do that. Copy that one. Have a look at your stack. Hit

next instruction. Have a look at your stack again and see where everything lines up. [clears throat] >> How we doing, guys? >> So, we're trying to figure out which one is the address. >> So, must be what you got to do, you got to come up here to these knobs up here and find something in the middle. You never go for the top here because in binary things can move like 10 bytes >> and it'll fail. So this one right here is good. >> So I would copy that one. >> So any of these basically >> any if you took any of these in the middle into these knobs, it'll work. >> Okay. >> So then um I just open my mouse pad

>> and you paste. Okay. >> Just paste it in here just so we remember. >> Okay. >> Um what happened? >> In reverse. So, what's going to happen? Here's our 42s. This is where that jump address needs to go. >> And then it'll jump up here. >> So, it goes before there or it gets overwritten. >> Um, we're going to overwrite that jump address onto the return address. Okay. >> So, what we'll do, we'll hit continue here and continue. Okay, we got a segmentation fault. That's always really good. >> Okay. >> [laughter] >> Okay. So now here's where we have to put that jump. >> Okay. >> So like this. Now >> it was the seven.

>> Was this? Oh, it was too. Okay. So this is little Indian convention. So we start off with the first two and it goes like nine zero. So we keep them in blocks of two. >> Um so >> the first one just I'll let you uh do it so you remember it. >> So so 9 0. >> Oh x keep the x. Okay.

>> And then >> after Yak. >> There you go. Perfect. >> Perfect. Okay. Let's let's run that. [clears throat] Let's examine >> that. Nothing's copied in yet. >> So, [clears throat] hit next instruction. Examine it again. So here's our knops. >> Here's our shell code. >> And this is what we just opened. >> Here's our four ones. So now is a good time. You can have a look and see BF f90. >> You overwritten it. Perfect. Okay. So now program's going to crash. It's going to hit this address, jump back up to here, go through these knobs, execute the shell code, take over the system. So just hit C. Boom. You just took over to the server.

You own it. That's your [ __ ] [laughter] >> Easy as that. >> Cool. >> Uh, we got a question here from the uh from YouTube >> from the webs. >> Yeah. So, there's a question here that says, "Does it require C language?" Like, do you know to do you need to know C language to be able to actually perform this? >> Not at the basic level, but you need C and assembly to really get the the most out of this. Sounds good. And then the other thing that came up uh is uh that you look like a very intelligent woman. [laughter] So >> looks can be deceiving. Okay. So what we'll get into now is so

we figured out that it was 268 bytes to our return address. So we're going to fill 200 kns. We're going to put our shell code right after that. And then between the shell code and the return address, we have to fill it out with something. So we'll fill it out with A's. 33 A's and then we're going to put the jump to the top of the shell. Okay. So, what that looks like this one right here. >> So, the code which we ran so it ran well but we didn't meet that uh uh the cracking that one. >> No, this one we don't have the jump address put back in yet. So, where these B's are is going to overwrite the return

address. >> We're going to put a jump back to the top of the knobs. >> Okay. It'll go down through the knops, execute the shell code. Okay, so just watch. It'll it'll become clear. Clear as mud. Just give it a sec. Okay. Why isn't that Oh, there we go. Okay. Um, so now let's examine the stack here.

And as you see, nothing's copied in yet. Now it'll become more clear. So as you can see here's the knobs. >> So these just tell the computer no operation move on to the next code. Okay. Once we hit here, this is our stored shell code. This takes over the computer. And then we had to fill the buffer with 41s right up to here. And here's our stack or our return address. This is where we're going to put a jump. So right now we got to look for a jump. So this address right here. >> So you're just choosing a random address. >> It has. What I always recommend is never go with the top address because things

in binary will shift 10 20 bytes. Sometimes if you go with the top one, it it probably won't work. So you want some in the middle. Any of these in the middle will work. So we'll copy that address. Do you have mouse pad on this or a a text editor? Actually, I can just open another terminal. Um, >> I just followed your instructions. So, if the instructions said that text editor, then it would be Yeah. I [clears throat] >> Okay. So, we'll just put

>> Okay. So, that's the address we're going to put onto this jump. So, now this is the hardest part. We have to do the little line stuff. So just hit C here and the programs crashed. That's always good sign when you're doing exploit development. Okay. So here's the jump address right here. So now >> one, two, three, four. So now what we do is we take this, we put four zero

4 Z. >> Um, what's where's the terminal? >> F0. >> Okay. So, like you're reversing. Okay. Got it. Okay. F0. >> F0. Let's have a look. I wish I had a better memory. >> FFBF. >> Okay. So, now we come over here. We do FF >> NBF. MBF. Perfect. >> Okay. So now just examine your stack. So you're examining 136 words from the ESP.

>> No, nothing's copied in yet. So let's do next instruction. Let's have another look. So here's our knops. Our knops are all right here. [clears throat] >> Here's the start of our shell code. Here's our filler that comes down. And here's the overwritten address right here. And we can just double check to make sure it's right.

BF FFF BF FF00404. So let's double check. >> Perfect. And it's perfect. So let's hit continue. And there we go. You own the computer. The computer is toned. >> So that's that's how you take over a server with remote code execution. So anytime you hear like there's a remote code execution out, that's what that's exactly what's happening. Okay. Now, this is the vanilla version that would have worked up till 2004. I'll show you the next steps now.

Okay, so we just owned our first server. Um, what we're going to move on to next, just let me exit out of everything here.

Um, okay. So >> we have another question from the audience okay on YouTube. >> Uh so the question is is there a road map underneath this >> um like that you may have or you know online that you could potentially find. >> The reason I put this is usually a three-day course and the reason I put it together is exploit development is always looked at as some like weird thing off in the distance that only gods do. It's not. It's it's really quite simple. Um, if you go to my YouTube, if you check out my YouTube, I have lessons from the very beginning up to more advanced stuff. And that would be a great place to start.

>> If you want to share with me, I can probably put it on the in the chat for them to be able to check it out. >> Uh, yeah. >> Oh, you have a chart. >> Just some actually, could you Google Lee Trinity? >> Yeah. And put it in the chat. >> Okay. >> Okay. So, let's get some Okay. So what we learned we we all learned where the EVP is the base pointer. We learned where the stack pointer was. Uh we learned the return address is always next to the EVP. We also learned that counting starts at zero in binary and not one. And we learned how things are stored on the buffer. And you did your

first buffer overflow. Next we're going to move into data execution prevention. So of course people start putting shell code onto the stack. Um computer companies had to come up with a way to get rid of that. So they developed data execution prevention. So data execution prevention it was introduced in Windows XP in 2003 to prevent what we just did. Okay. So now we cannot execute shell code on the stack. we can't put a shell code on and execute it because of this um prevention. Um so of course already this came out in 2003. A method to bypass this was actually developed back in 1997. So as you can see the attackers are ahead always and it's called the

return to lib C method. So what we're going to do to now is use the computer's own code to make shell code and take over the system.

Um

so let me get set up here.

Okay. So this is the debt bypass right here. So as you can see um here on the top is the way the buffer is normally laid out. We have the EBP and the buffer the return address and then after we return address we have argument one and argument two. Argument one is basically the name of the program and argument two is its vectors that we won't really get into. Just know that the next two after return address are argument one and argument two. So what we're going to do, we're going to fill the buffer with A's again over to return address. We're going to grab the um the code return oriented programming code for system which is built into the

computer itself. We're going to use the own computer's code against itself. We'll put an exit function next to it and then our favorite bin sh which spawns a shell. So now that we can't put that shell code there, we'll use the computer's own code against it and cause a shell that way. And it'll become more clear once we get into it here. Let me just open up our depth.

Okay, just let me open up my terminal.

>> [snorts] >> Okay, open up our GDB and you can do something called check sec here. I'll show you. And in Linux DEP is called NX. So you can see NX here is enabled. So now if we were to try to do what we just did, it wouldn't work because it would detect an executable shell code on the stack and it wouldn't wouldn't do it. So this is what companies came out to stop people from doing it. [snorts] So let's disassemble our main function again

and disassemble our vulnerable function. And let's look for our stir copy. There's our stir copy. So I'll set a break point there.

Now I'm just going to put in an input of 40 A's into the program.

So I examine 80 words of hex from the stack pointer. Nothing's copied in yet. So let's print the EBP

058. So that's down right here. So 0 1 2 3 4 5 6 7 8. So here's our base pointer. Can anyone tell me where the stack pointer is? >> Right. >> It's always in the top left hand corner right here. Okay. Okay. So there's our stack pointer right here. So we got our base pointer, our stack pointer, and here's our stack right here. So let's hit next instruction and have a look look at our stack again. And as you can see, our A's are copied in here. So that's definitely not going to uh reach. So continue on here.

So, let me undo my mess here. >> The stack pointer is the first at the beginning of the stack and then base pointer break. >> Uh, yep. Your stack pointer is always right up here in the top corner, the first address. So, what happens when a stack is formed? The base the stack pointer gets put onto the stack. The base pointer gets put to the exact same spot and then it subtracts the base pointer from the stack pointer. That's how a stack is is framed. Okay, so we're going to put in 280 this time and see if we can fill up our stack this way.

Okay, so nothing's copied in yet. So, hits next instruction. Now, let's find where our base pointer is. It's at EF68. So, you look for EF60 0123 456 78. So, right there. So, I need to take off 12. This right here is this the base pointer right here. And this is our return address here. This is argument one. And this is argument two. So always to the right of your return address is argument one and argument two. And these are what we're going to overwrite. Um the return address we're going to overwrite with the address of system. The next we're going to provide an exit function. And then we're going to put binsh onto our argument two.

So now we know the size of our buffer. We can continue on. And as you can see a sig sev. So basically what happened was the computer read the return address and seen a bunch of A's and went died. So what we'll do now we we know 268 A should fill it up. So let's examine our stack again. Next instruction. Examine our stack. And as you can see we're filled up pretty good there.

So here's our base pointer. So here's our return address. Here's argument one. Here's argument two. So this is what we're going to overwrite now. So next we'll send in a skeleton script. And this is the same thing we did before. Only this skeleton script, we're going to use B's for our system. C for the exit and D is for our bin SH. [snorts]

And let's open up our stack and have a look. Okay, so now we have all these A's filling up our stack. Our return address is overwritten with four twos. This is where we're going to put our system. Our four threes is overwritten. This is where we're going to put our exit. And this is where we're going to put our bin. So now um it's a little different in other programs finding these but what we'll do we just hit P system and we'll open up a mouse pad here

and we'll copy system. So this is what we're going to place on our return address. Next we provide an exit for the function. So, we need to look inside the computer's code and find the exit function in Linux. And here's the address for that.

Perfect. And now we've need to find the address of BSH within this computer. And it's right here.

Okay. So, we have those. Let's um continue on

and we will quit out of this. Now basically Whoops. What I'm doing now is I'm going to take this input and put it into a binary, a payload binary. And that's done there. And next we're going to run the program with it as an argument.

So let's disassemble the main function again.

disassembled a vulnerable function.

Find our stir copy and we'll set our break point again.

Let's run the program.

examine our stack again. Nothing's on it. So, let's hit next instruction and have another look. As you can see, our A's are all filled up. Our return address is overwritten with system. So, B7 DD3920. Everything went well. Everything's copacetic. Our argument one is overwritten with exit B7 DC2D60. That's perfect. And next B7F3 CFAA. So everything is good. We should get a shell. So now we just bypassed data execution prevention. computer companies stopped us from doing it that way, but hackers already had it figured out 1997 that we can do return oriented programming and take over this computer that way. So, what did we learn? Let me just haul up my slides here.

So, the big takeaway basic return oriented programming um we can't execute shells. So we took pieces of the computer's code and made our own shell. And of course little Indian format still a pain in the butt. So you got a little experience doing that. So we'll break into our groups again and we'll go through this one.

Here

we go. So, now we'll try that on our own.

[laughter] >> Thanks for coming out. >> Yeah. >> So, I did the I did the in things. So, like I I even set the break point. Okay, perfect. >> Yeah. And now >> awesome. >> Like this is the one which I should be running. >> Awesome. >> You're a pro already. >> Oh, thank you. See, [laughter] I do have a good >> You have a good partners too. >> Oh, no. See, the teacher was amazing. So, that's what I'll say. Like, you know, >> great job. >> Okay. So, if I see this one and we'll >> examine our stack. Yep. So what I have understood is that so like we run this code just to test it

and given this info we try to change the code and then we then improve the code. Is that what we're trying to >> Exactly. Exactly. Yeah. >> So here we like we check it and we don't really find anything and that's why >> we kind of investigate or at least to to get the layout and then

>> Okay, just give me one sec. Okay, help me make it out, guys. >> Is it this one or this? >> That's the one. This one right here on this side. Yep. Perfect. Good job.

So here, yeah, this is the one that we ran. So that now we want to check it. Check the >> I just hit this one here actually. Just the next instruction. >> Now what I do is just we already examine our stack. You want to keep looking at your stack. So just hit up. >> And now we can see our A's are copied in, right? So let's grab the EVP. find it where EBP is.

>> It's 098. That's what it says. >> Yep. So, let's find that on the side here. >> Okay. So, it's going to be here. Okay. 0. I see 090. Yeah. Yeah. This is the one. >> 090. That's the one. So 0 1 2 3 4 5 6 7 8. That's it right there. So there's your stack pointer. There's your base pointer. And this is the area we got to fill up. So as you can see, we need a lot more A's. So we'll just hit continue here. >> And let's grab this one and do the same thing.

So the EVP is this first one, right? >> ESP. ESP is here. And then we just hit grab um EVP.

>> Okay. >> So that's 058. So five 0 1 2 3 4 5 6 7 8. So there's your base pointer there. There's your return address. There's argument one. There's argument two. >> Okay. >> So what I would do now, just hit C there. And then come down and grab this one here. So now we're going to put 280 A's onto the stack. So basically put it in uh do the examine.

There we go. And you see nothing's in there. Just hit next instruction. >> Examine again. Perfect. Pro already. >> Okay. So, um, now just hit find out where your EBP is.

>> So, F68. So we can see F60 here. So 0 1 2 3 4 5 6 7 8. So you've already overwritten it here. So just hit C. >> Sorry, how did you know? >> Okay. So um EF68, right? So we come over here. We see EF60. >> Okay. >> So 0123 >> 4567 8. That's your base pointer. >> Okay. >> That's your return address. >> That's your argument one. That's your argument two. So, just hit C and then go down to the next um input, that one right there, and do the same sort of examine. >> I'll be right back.

>> Okay. So, where are we? >> So, yeah. So, here I did run this one and then we are looking into the pointers. >> Okay. Yeah. So like previously our co means like our base pointer was 0908 that's >> I tried it but it is still yeah yeah I believe like this is the thing that I'm changing. Yeah.

And then the other ones that they're still not >> I don't know how to change it on that. >> Yeah. >> Okay. So, so to print EBP it's at >> it is 0908 or did it change? >> I can ef88. So let's tell you what we'll do. Oops.

Okay. So, what we're going to do where that's hard to see, we'll move on to this part here. >> Okay. Okay. So, now let's do >> So, we went here because we tried this one and then it still didn't fulfill our purpose. So, that's why we >> we move on to the next one. >> Yeah. And that's what a lot of exploit development is, is do this, didn't work, do this, didn't work, do this, didn't work. >> Okay, so let's just hit um next instruction here and have another look. >> And as you can see, >> all arrays are filled out >> to here. >> Our return address is overwritten with the 42s. This is where we're going to

put system. >> Okay, >> 43s is overwritten with exit because it needs a place to exit. The function does. Mhm. >> And then our fours is where the bin sh was just shell. It goes. Okay. >> So what we need to do now is hit print system. Um do you have any kind of text editor on this? Um tell you what, we'll just do this. Here we go. We'll just put it in here for now. >> Okay. So now you come over here, you do P system. So now we need to find that system that overwrites the return address. [clears throat] So copy those down. Do the same for exit and bitsh and copy those down into that

um open file I just had open and then we'll go from there. [clears throat]

>> Is it okay if I use this? >> Yeah, that's perfect. Perfect. So, we're copying this, this, and this. Correct. >> Perfect. Awesome job.

>> So, this is

And this is the bin.

>> Perfect. >> Okay. >> So, you can continue on and and exit the program out. >> Yep. Perfect. So, now let's go down to um this one right here. I already have the addresses putting in there. Um, what we need to do, we need to, um, open a new terminal. And this is just putting that into a binary file for the exploit. >> So, you can start running the >> back on the original. >> We can kill this one actually. >> Okay. >> Okay. So, this is the last few before you take over system. So, let's start with that one right there. Okay. [snorts] >> So, we're running the P exit right now, right? >> Okay.

>> Yeah. Yep.

>> Okay. And copy this one.

Um >> yeah. And then we find the fine

and it's right there in green. [clears throat]

[clears throat] >> She's the continue. on. Yep. Just to exit the program. All right. So, let's have a look at the um the file here. They should be the same, I think. So, I already had these put in. >> Okay. >> So, as you can see, we have 268A's. Then we have our system. >> It is the reverse format, right? >> Reverse format. A little lineium format. >> So, we can copy this one now. Okay. Now, what we need to do, um, just exit out of GDB because what happens, we're going to put this into a binary file, which is a little >> normally, uh, like I said, normally I have a couple days to play with people.

>> So, but, uh, okay. So, now that's catted into a binary. So now just run through these and we'll we'll own the system.

Okay. So we got to disassemble the main function again.

Okay. So dis. Oh, that didn't work. Let me let me just try something here. Um, close window. Here is the terminal here. Here we go.

Okay.

What do you mean? >> What do you mean you don't think it's right?

>> Oh, it says okay. >> Just give me one sec, guys. I'll be right there. >> Okay, so payload.bin is made. Did you guys take it over by yourself? It

>> says the fight command >> don't know what

take a look at the script. Oh, maybe that's not [clears throat] um should I tell you? I guess I could tell you. Okay, give me a second. Um, it's a it's Python 3- C. Yeah, Python 3 space C space single quote. >> Yeah. PCY. [clears throat] I don't know why this isn't working on here.

[clears throat] >> Did we have to disable something in that first like like in the check? Did we have to do anything? Check. Check.

>> I'm trying to remember. It's done.

Okay. So it's after this code it's import spacey. >> Okay. The binary files made

arguments. Sorry. Um, it's bracket double quote >> for slash. No, no, I'm sorry. It's a double quote. Apologize. It's the bracket again. >> Program is not running. >> Double quote. Again, close the bracket. And then single quote. I have no idea why yours isn't working. >> So, you just sh

[snorts] So, right now you did the sh. Um, another thing that could have been done there. Another thing that could have been done is to get yourself a remote shelf. Now, so you exploit that thing. You could get yourself different. It's called depth. >> Um, if you think about it, how could you transfer? >> I have no idea why yours isn't working. Oh, file name too long. I ran into this before.

>> Oh, I see. I think maybe. Hold on. >> Let's say I'm Cali, right? I have Cali. I just exploit this and then I see that it's working. How can I get files onto that shell now or onto that computer over there? [snorts] Sending that [clears throat] out. >> So that's good. I mean like that's fine. So but that's the goal of it is to understand the the whole the whole uh the whole thing of how to be able to navigate around. So netap you know. >> No it's coming out with file name too long on yours. I don't know why. >> Okay. I really don't know. >> Wait, did you see that the file name is

long? I couldn't >> file name too long right here, >> which is very strange. >> Let me just double check my command for a sec. [clears throat] >> You can see the NC. Let me steal this for a sec. Actually, I can't. Um

Okay, I think I see the problem. >> I think there was a bit of a typo.

So if you need to do an exploit to be able to >> I think that might have been a problem. So do enormation step would be you name space right be one of those things >> there we go okay there was one little quote wasn't in the right place [laughter] sorry about that guys so we just disassemble the main function um dom vulnerable function.

>> Okay. Stir. Put a break point at stir >> copy.

[sighs and gasps]

>> Okay. Let's hit run. Okay. So, let's examine the stack. >> So, you could try to find out if there's anything you could do if config as well, right? >> RMRFM. [laughter] >> Not on my computer. >> Yes. Yes. >> So, here we go into >> and nothing's in there yet. So, let's hit next instruction

>> and have a look at the stack again. We'll just hit up. >> Okay, so everything's copied in and we can see we can we can check these right now and make sure these are all copacetic with what we had. So, just hit I think it's this file here you have open. So, B7 DDD4920 B7D320. We're good. Let me check this one. >> 293. That is like 3 96 3D 6. And this is 2D60. >> And this is 3D FA. This is 3C FA. >> I think if we hit C, we get shell. [snorts] >> Boom. Took it over. It is now yours. >> Easy as that. [laughter] So now you just bypassed data execution

prevention and now we're going to get into the last lesson of the night which is bypassing data execution prevention and now they came out with ASLR because people start doing this then they came out with ASLR. So we'll bypass ASLR next.

Uh yeah, I have a YouTube where I have all the lessons laid out as well. And then um I have a GitHub with all the commands and everything on it as well. Yep. I I can give that to you after class. >> And then now you have another. >> Great job, guys. Okay, our last lesson of the night, guys. Let's Let's mess it up. Okay. >> Sorry, I took over a little bit. >> It's all good. Nothing's broke on my computer. Everything's great. >> It's only a virtual machine anyway. I break those all the time, but I'll I'll be [laughter] >> Okay, so let me just get organized here for a sec guys.

Okay, the last lesson of tonight. [snorts] So, address space layout randomization. It was first released on Linux as a PAX update uh in 2001, but we never really seen widespread uh and it didn't hit Windows until 2007. So, ASLR randomly rearranges the address space of key areas like the stack. So, now you know how we just went in and grabbed P system P exit and those were all in one spot, right? Now, every time that program loads again, it loads it in a different space. So, now as the attacker, we can't go in and just grab it and put it into the next run because it'll be at a totally different address space. So that's what they came out with

to prevent what we were just doing with that execution prevention. However, 32 systems can be brute forced due to low entropy. So if we put it in a while true loop, we can go through all the possible addresses. I think it's 156 addresses is the max we would have to go through. And it's kind of fun to run it. Sometimes it it runs like two minutes and you're like, did I mess it up? Like why isn't this working? Sometimes it'll hit the address right away. So what we'll do is we'll set up a wall true loop. We'll run through the every possible address and it's such low entropy that we can actually do that. Okay.

So let me just get set up here.

Let's open our terminal.

And if you want to open it up guys is ASLR class is the name of the um so the first thing we have to do is switch to our root

and now we have to turn ASLR back on. So, we echo two into the Oops, sorry guys.

Okay, now I have my root. So, now I'm going to echo two into that folder. And now if I cat that folder, it should be two inside. There we go. Okay. So, I'll change back to my user. Now, what I'm going to do, I'm just going to load up ping address here. And as you can see, the past two times I've loaded this. They're at different addresses. So, this is what they came out with. So, attackers couldn't just guess or uh couldn't go in and pick system and exit like we just did. So now every time this program is loaded, it's going to be loaded at a different address. But if you notice at the very beginning

here, both of these start with 0xb7e. So the only the end of the address is actually changing, which is really low entropy, which allows us to to take over. So I already have mine compiled. So let's open up our pa here. And we have the set disable randomization to off. So again, we're going to disassemble our main function. And again, we're thankful that it says um vulnerable function.

And we'll set a break point at our stir copy.

And I'm going to put a Python input of 20 A's into it. So let's examine our stack. [snorts] So here's our stack. Let's hit next instruction and have a look at the stack again. And we can see our A's there. Let's find our base pointer. So 2 F8. So let's find 2F. Here's 2F0. So 0 1 2 3 4 5 6 7 8. So here's our stack pointer. And here's our return address. Here's argument one. And here's argument two. Perfect. We know where everything is.

Okay. So now I know to overwrite it. I need 20 A's and then we'll put our skeleton in. This is the exact same way. So we're going to bypass depos at the same time now. So we definitely need our system. We need our exit. We need our bin still. But what we're going to do, we're going to put it in a while true loop and just brute force it. So let's have a look.

Nothing's on the stack. Let's have a look at the stack again. Okay, so there's our four ones. Our return address has the four twos. Argument one has the four threes, which will be where we put our exit. And the fours here um is where we're going to put our bin sh. So again we need to find system. So let's copy these down

and exit again.

Here's our exit. >> [clears throat] >> and BSH. Oops.

Okay, we have our three addresses to Whoops. We have our three addresses to bypass a um DEP. So this is called return oriented programming and it's a lot of fun. If you ever really want to get into it, there's a place called RO Emporium and it teaches you all the basics of return oriented programming and it's basically taking little snippets of code from inside the target computer and using it against the target computer. It it's a lot of fun. So um what I'm going to show you now is this is more realistic. um what you're going to be doing if you were getting into exploit development is using Python to send your scripts to the

server, right? So, you set up um a connection, but you basically lay things out the same way and just send it in. So, as you can see right here within Python, we have this beautiful um thing called strruct and pack. And what that does, it takes um the straight address that you find and it puts it into little Indian for you. So you never ever have to go and take it and put it into backwards. You put it in here, you use strruct and it does all the work for you. So no fat fingers are going to mess it up. So what we'll do now, we'll use this script. Um you should have aslr.pigh Pi

download it. We'll use that script. We'll put in our uh system, our exit and our binsh with our 20s at the beginning. And then what we'll do, we will run the program in Python and it outputs it to a text document for us. So what we're going to do now, this is fun. What we're going to do now is we are going to brute force ASLR. We're going to bypass the DEP and take over the system. So, as you can see, I have a little while true do run the program and use ASLR as a argument or the cat ASLR.ext as an argument. And as you can see, it's going through every single possible iteration of system.

It's not find it. It's not find it. As you can see, so low entropy. So, segmentation fault. It's boom. We have system shell. So, now we just bypassed data execution prevention ASLR at the same time. So, that's our last class for this afternoon. Let's um what I'll do, let me just haul up

Okay. So, what we learned, we learned simple Python scripting. We learned that we can use strruct instead of using the fat fingers trying to put it in. We can use strruct.pack to make it little Indian. Um, and we learned that 32bit systems, which you will find in any IoT device out there today, has very low entropy and we can bypass every security mechanism on it. So, we'll break into our groups, the last one for tonight, and let's bypass all security features and that'll be a nice place to uh to finish off the night with.

We got a question from the audience on YouTube. Sure. Uh and earlier was about test. Now it's does understanding assembly language required? >> Crucial. >> Crucial. >> Crucial. >> Yes. And I plan on putting together a 32-bit assembly course um sometime this year when I find some time. um >> only for Intel >> uh Intel or ENTC syntax as well is is just a little little flavor. It's like real French and Quebec French. Um >> she is a truly remarkable woman. >> A >> you got a fan right now. [laughter] >> Thank you. Okay, so let's break into our groups. We'll finish off the night strong.

anything water bottle or something like that? >> No, I'm good. I'm good. Give you one of these. That's my website exploits.ca. >> Thank you. [laughter]

>> I'll give you one of my stickers as well. >> Awesome. You want one of these? >> Yeah. Thank you. [laughter]

>> So, for those that are not here, uh this is basically the sticker that you're missing out on. I don't know if we see it well enough on the screen, but >> So, ASLR is already turned on on this system. So, we can go down to this one. >> I'm already inverting everything. >> Yep. So, we can go to >> this one. Uh that way right there.

>> Awesome. >> Okay. So set disable randomization off. Then it's right into disassemble domain vulnerable function and distur copy again. [gasps]

[snorts] Okay. So, as you can see, let's let's hit that again. Whoops. Yeah, just [sighs] you can see these addresses now. Every time it loads ping, it's loading it at a different address. But if you notice the 0xb7's the same. So, it's only these here as low entropy. There's only so many possibilities that this address is going to be at. So, now as attackers, we're going to go in and we're going to brute force until we find the right one. This is what they tried to do to stop us, but we were ahead of them. [laughter] Okay, so let's let's uh

>> There you go. You got it.

>> [snorts]

>> This one. It says there's no depending symbol found in ASLR. Fine. >> Yep, that's fine.

>> Perfect. So again, we're going to disassemble set up your stir copy again.

>> So where? >> Okay. So EB8. So, EB0. >> Yeah. >> 0 1 2 3 4 5 6 7 8. >> Okay. >> Sometimes you look down. Uhhuh. >> Okay. >> Perfectly normal. >> Mhm.

[snorts]

You guys are getting the hang of this quick. I like it.

[snorts]

>> [clears throat]

>> Okay. >> We don't actually have to copy these down because your thing already absolutely done. Yeah. >> Yeah. Okay. So we just open up ASLR.py and you see this is the cool thing about strruct use from Python. You can just write them in normal with pack and it it does it for you. >> Okay. And so we can keep looking up the terminal. >> Perfect.

>> Yeah. Okay. And then when it says add gadgets, it's adding these right >> these right here. Y >> Yeah. >> And so we then

[snorts] Okay. Oh, sorry. You got to have this one. It's not clear in my notes. Actually, let's try that one again.

>> [snorts] >> Okay. >> Okay, I'm [clears throat] back. So here I ran till then. So here as these are all zeros. So like that's the base pointer. Is that how you figure it out? >> That's the base pointer. Yep. >> Okay. So but in the other ones we had some other numbers, right? So like we were counting it. So like how does it uh I mean how does it vary here? Uh I I have very limited >> it varies constant every every time it changes. >> Okay. >> It's just um there's nothing stored at the base pointer. So it usually comes across as zero, right? So what we'll do, let's skip right to this one here.

So segmentation fault. When you're doing exploit development, usually you're fuzzing the program. So you just sent a bunch of garbble at it and Oh god, no thanks. >> Well, I thought that you were really doing [laughter] that. I was like, oh god. >> Okay, just copy that one. >> Yeah. [laughter] >> Yeah, I'm really that good.

>> I thought that was a That's a pro. No, I was being a pro. I was being a pro. Okay. [snorts] Um, okay. Let's go back to the top for a sec. >> Exit out of this one. >> Okay. Let me have this for a sec.

You can practice again. >> Practice again. >> Yeah, practice to like you see this. What do you do? What's your next step again? >> Okay. So, um let's get to the point where we're

>> as much as possible. You're always trying to >> Oh, why is yours acting weird? basically one and I'm saying

>> okay so let's go over here >> asp

here's um this is nice because you can just put the addresses in lettuce So you don't have to put in 6 like that, right? Just use strruct. >> So now what we'll do >> um I don't know why it's doing that. Oh, stop drawing. There we go. >> Like you have nothing. Maybe you can do sudo uh sudo su sorry could potentially work but you need a password right? So you're not going to be able to do that. So, one of those things. >> Okay. So, now we should have a text file, >> ASLR.ext. Okay. >> So, now we have all those gadgets in there. So, now just run that program in a while true loop.

>> Now, we're just going to brute force it. >> You got it already. See how quickly yours happened? So, it's random, right? So, like sometimes it can be going for like two minutes. sometimes like the first one. Boom. And we got it. So now you have shell. So like is who am I? >> VK. >> So this is yours. You just bypassed every bit of security features that Windows shows up with. >> So but this is >> so it went weak into which one? Sorry. Like you know >> so like if this was a server >> Yeah. Yeah. Yeah. I own the server now. It's not just a program. I own that full server. It's mine.

>> Okay. [laughter] >> So, this is the joy of exploit development. I took over a Chinese company three days ago. True database took everything. Absolutely everything. So, I was sick in bed like lit around like dying and I'd wake up and I'd do some search and go to sleep again. And so, that's it. So that's bypassing that execution prevention ASLR. >> So that's security features that are out there and how we get around it. [laughter]

>> Well, do you see something in there? It could basically lead you to understand what command to be [snorts] used to be able to take over and potentially be read. So if pseudo has access to specific file to run as root, >> uh you could figure it out exactly what that file does and then take advantage of it. >> Okay. >> Um I can show you something else later on if we still have time. I'll let her do her magic, but that's one of those things. >> Yeah, let's finish her off. >> Okay, >> finish her off. Great job, guys. >> Okay, let me just bring up one slide here and you can stop listening to me

talk tonight. Uh uh uh. Okay. So, last but not least, I want to thank you guys all for coming out. I hope you walked away with some new knowledge. Um and I hope that basically what we just learned was simple Python scripting. We know that we don't have to do little Indian anymore. We can use struck and pack and a low entropy of 32bit systems. And as you can see, this one I did took way longer. Your guy got hit his hit right away. Okay, so we bypassed debt, we bypassed ASLR. Um, and we took over the full system. If there's any questions, uh, let me know. Um, I am on LinkedIn, I'm on YouTube, I'm on Twitter too much.

And, um, reach out to me if you ever guys want to jump in. I do bypassing stack cookies and all this sort of stuff as well uh on my YouTube. Um but we just had to compact everything down for tonight's lesson. So I hope you guys enjoyed and thank you so much for coming out. And I'm going to shut up now. Thank you.