1
00:00:00,520 --> 00:00:04,820
So let's talk about anatomy of memory. So we talk about anatomy of memory.

2
00:00:04,820 --> 00:00:08,910
We have the kernel at the top and we've got text at the bottom.

3
00:00:09,320 --> 00:00:14,300
So if you think of your kernel, think of your command line. You can also think about this as a bunch

4
00:00:14,300 --> 00:00:20,180
of ones, and your text you can think about as your read-only code, and you could think about that as a

5
00:00:20,180 --> 00:00:22,100
bunch of zeros.

6
00:00:22,100 --> 00:00:28,910
So this is only for informational purposes, but we can also call this the kernel at the top, the text at the

7
00:00:28,910 --> 00:00:33,980
bottom. Where we're really going to be focused on, though, is gonna be the stack.

8
00:00:33,980 --> 00:00:39,770
So if we dive into this memory here and we dive even deeper and we go into the stack,

9
00:00:39,770 --> 00:00:41,520
it's kind of similar.

10
00:00:41,690 --> 00:00:47,720
So we have these registers here, and I'll provide links down below on how to brush up on some of these

11
00:00:47,720 --> 00:00:49,620
registers if you're not familiar.

12
00:00:49,790 --> 00:00:55,640
But the important thing that we need to know for this lesson is that you have the ESP, you have your

13
00:00:55,640 --> 00:00:59,690
buffer space, your EBP and your EIP.

14
00:00:59,690 --> 00:01:06,810
So we can think about this again as the ESP sitting at the top and the EBP sitting at the bottom.

15
00:01:06,920 --> 00:01:12,070
So what happens is you have this buffer space, and this buffer space fills up with characters.

16
00:01:12,200 --> 00:01:15,230
So the buffer space is going to go downward.

17
00:01:15,230 --> 00:01:21,050
What should happen is, if you're properly sanitizing your buffer space, then if you send a bunch of characters

18
00:01:21,050 --> 00:01:28,550
at it, say a bunch of A's for example like this, you should reach the EBP but stop; the buffer space should

19
00:01:28,550 --> 00:01:31,150
be able to contain the characters that you're sending.

20
00:01:31,520 --> 00:01:38,600
Now, however, if you have a buffer overflow attack, then you actually overflow the buffer space you're

21
00:01:38,600 --> 00:01:44,290
using and reach over the EBP and into something called the EIP.

22
00:01:44,420 --> 00:01:46,430
Now the EIP is where things get interesting.

23
00:01:46,430 --> 00:01:49,880
This is a pointer address or a return address.

24
00:01:49,910 --> 00:01:55,640
So what we can do is we can use this address to point to directions that we instruct.

25
00:01:55,700 --> 00:02:00,250
Now these directions are actually going to be malicious code that gives a server shell.

26
00:02:00,380 --> 00:02:05,210
So we're going to learn that later on in future videos as we go step by step.

27
00:02:05,240 --> 00:02:10,560
So this doesn't have to seem very logical right now.

28
00:02:10,610 --> 00:02:16,880
You just have to, at a very, very base level, understand that what's happening in the stack is that you're overflowing

29
00:02:16,880 --> 00:02:18,170
buffer space.

30
00:02:18,170 --> 00:02:23,750
So if you can write over the buffer space and write down all the way to the EIP, you can control the

31
00:02:23,750 --> 00:02:29,630
stack and you can control the pointer, and eventually you can have a reverse shell, which will lead to

32
00:02:29,630 --> 00:02:30,460
root.

33
00:02:30,470 --> 00:02:34,910
So it's going to make a lot more sense when we dive in hands-on. This is just more of a theoretical

34
00:02:34,910 --> 00:02:43,210
thing. So let's talk about really quick the steps to conduct a buffer overflow. So the first step we are

35
00:02:43,210 --> 00:02:44,920
going to cover is called spiking.

36
00:02:45,040 --> 00:02:51,630
So spiking is going to be a method that we use to find a vulnerable part of a program.

37
00:02:51,760 --> 00:02:56,690
Once we find the vulnerable part of the program, we're going to go to fuzzing, which is kind of similar to spiking.

38
00:02:56,860 --> 00:03:03,320
So fuzzing, we're going to send a bunch of characters at a program and see if we can break it. If we do

39
00:03:03,320 --> 00:03:03,830
break it,

40
00:03:03,830 --> 00:03:07,430
we want to find out at what point we can.

41
00:03:07,430 --> 00:03:08,170
We did break it.

42
00:03:08,180 --> 00:03:08,450
Right.

43
00:03:08,450 --> 00:03:14,400
So we want to find something called the offset, and we use that offset to overwrite the EIP, that pointer

44
00:03:14,400 --> 00:03:19,350
address that we're talking about. Once we have the EIP controlled,

45
00:03:19,350 --> 00:03:23,880
we need to do a few house cleanup things. One is called finding bad characters.

46
00:03:23,880 --> 00:03:26,340
The other is called finding the right module.

47
00:03:26,340 --> 00:03:31,610
This doesn't need to make sense right now, but once we do that and we have this information from 75 to

48
00:03:31,630 --> 00:03:37,030
six, we can generate shellcode, this malicious shellcode that will allow us to get this reverse shell.

49
00:03:37,140 --> 00:03:38,200
So we're gonna use that.

50
00:03:38,280 --> 00:03:44,720
We're going to point that EIP to our malicious shellcode and hopefully we're gonna gain root.

51
00:03:44,730 --> 00:03:50,070
So again, this will all make sense as we dive into the future videos and we get hands-on.

52
00:03:50,070 --> 00:03:53,100
So if you look at these videos, these are the videos that are going to come.

53
00:03:53,100 --> 00:03:55,090
So our next video is going to be on spiking.

54
00:03:55,260 --> 00:03:58,390
The second one is going to be on fuzzing, and so on.

55
00:03:58,410 --> 00:04:03,600
So if you have trouble with one area in particular, you can watch that area specifically and not have

56
00:04:03,600 --> 00:04:07,890
to look through a long video, and hopefully break this down into little nuggets.