All right. It's done. So after a couple of rewrites, we're going to redo our ROP chain and our canary. And is this. That's not the way.

So what we're going to do, since we're able to leak the canary, as we've seen before, is we're going to copy and paste that code. Right here. And now begin adding our ROP chain.

So what we want to do is we need to bugger Bowen to our control, see the map. Now we have our base address. So set libc base equals this address and we're going to add the variable. Let's see, base address equals this.

Now we need to look for our gadgets. So let's look for our shell gadget. So find, find /bin/sh, that's your absolute value. So what we're going to do is print hex this value minus base and that is our offset. If you're really curious, you can actually print it in decimal; you'll find out that it's this many bytes away from the base address of the C standard library. So we're going to save this just like we did in our first ROP chain exercise. So bin sh equals, let's see, base address plus this offset.

We're also going to look for system, p system. So then print hex absolute address minus base, and we have this offset. Equals libc base address plus this. Want to look for our exit function? Hex minus the base address. Exit equals libc base address plus this.

And we need to look for two more gadgets. So let's go look, eavesdropper. So let's exit this and please Teamdogs. So let's see. Right here. Right here. Ropper, file. Let's see. Standard library. We're just doing the same exact ROP chain that we're using in our original ret2libc attack in the previous module.

Man. This takes a while.

All right, so I want to do search, def one of, return. This one will be fine. That equals, remember, remove the colon. And let's see, base address plus its offset. And then we need our pop rdi instruction. So search, step one, pop rdi. So it will be pop rdi. Let's see, this address plus this offset.

So at this point, what we're going to do is construct our ROP chain. Well, actually, right now we have all of our necessary gadgets and we can leak the base, the stack canary. We can now put this in a new module.