1
00:00:00,760 --> 00:00:07,000
OK, so now we're gonna try to overwrite the EIP. So in the last video we discovered that the offset was

2
00:00:07,000 --> 00:00:08,940
at two thousand and three bytes.

3
00:00:08,950 --> 00:00:13,550
What that means is there are two thousand and three bytes right before you get to the EIP, and then the

4
00:00:13,550 --> 00:00:16,120
EIP itself is four bytes long.

5
00:00:16,120 --> 00:00:19,910
So what we're going to try to do is overwrite those four specific bytes.

6
00:00:19,990 --> 00:00:25,680
So as always, go ahead and get your Immunity Debugger running with vulnserver attached.

7
00:00:25,990 --> 00:00:29,110
When you have that, let's go ahead and hop right into Kali Linux.

8
00:00:29,110 --> 00:00:35,050
This should be a pretty short video. So what we're gonna do is let's go ahead and gedit the last script

9
00:00:35,050 --> 00:00:42,500
that we wrote, which was 2.py, and we're gonna modify this together. So what we can do here is we can just

10
00:00:42,500 --> 00:00:50,270
delete this offset variable because we don't need that anymore, and instead we can just write shellcode

11
00:00:50,270 --> 00:01:00,020
here, and we'll switch out this offset variable to shellcode, and then let's go ahead and set this equal

12
00:01:00,620 --> 00:01:16,330
to A times 2003 plus B times 4. So let's make sense of this real quick. We're replacing what we sent

13
00:01:16,330 --> 00:01:18,730
before to find the offset with the shellcode.

14
00:01:18,730 --> 00:01:23,410
Now the shellcode is nothing but A's and B's right now, but it's gonna get malicious in a minute.

15
00:01:23,410 --> 00:01:26,910
So what we're doing here is we're sending two thousand three A's.

16
00:01:26,920 --> 00:01:27,300
Why?

17
00:01:27,310 --> 00:01:30,250
Because that's where the EIP starts.

18
00:01:30,250 --> 00:01:37,240
So byte 2004 starts the EIP. So what we're doing is we're sending a bunch of A's, but we want to make sure

19
00:01:37,240 --> 00:01:42,040
that we don't overwrite the EIP with A's and have no idea if we're correct or not.

20
00:01:42,040 --> 00:01:47,340
So remember, A's are 41s; B's is gonna then be 42.

21
00:01:47,380 --> 00:01:54,690
So in theory we should see 42 42 42 42 on the EIP when we overwrite it.

22
00:01:54,730 --> 00:01:57,250
So let's go ahead and just fire this guy off.

23
00:01:57,250 --> 00:02:02,470
I'm going to save this, and you could save it as 3.py if you want; obviously I'm going to keep it 2.py to

24
00:02:02,470 --> 00:02:04,010
make it simple.

25
00:02:04,480 --> 00:02:11,500
And then what we're gonna do is ./2.py. Remember, if you did make it a new file, go ahead and change

26
00:02:11,500 --> 00:02:12,480
the mode.

27
00:02:12,880 --> 00:02:17,530
And since we have vulnserver running and attached to Immunity Debugger, we should be able to fire

28
00:02:17,530 --> 00:02:22,990
this guy off, and it should break the program.

29
00:02:22,990 --> 00:02:26,720
So we have paused down here, access violation. Great.

30
00:02:27,320 --> 00:02:27,720
OK.

31
00:02:27,760 --> 00:02:29,850
So let's talk about what happened here.

32
00:02:29,920 --> 00:02:33,020
So you see the ESP ran through a bunch of A's.

33
00:02:33,010 --> 00:02:38,920
You're seeing that EBP, 41 41 41 41, came through.

34
00:02:39,340 --> 00:02:44,350
But look here, the EIP is 42 42 42 42.

35
00:02:44,350 --> 00:02:49,000
Now, we only sent 4 bytes of B's and they all landed in the EIP.

36
00:02:49,000 --> 00:02:49,560
Guess what?

37
00:02:49,570 --> 00:02:52,480
That means we control this EIP now.

38
00:02:52,600 --> 00:02:54,700
So from here it's pretty smooth sailing.

39
00:02:54,700 --> 00:03:00,820
We've got a couple of housekeeping things we've got to do in terms of finding bad characters and finding

40
00:03:00,820 --> 00:03:03,070
the right module to send this to.

41
00:03:03,160 --> 00:03:08,500
But once we do that, we're gonna generate some shellcode. We're gonna point this EIP here instead to

42
00:03:08,500 --> 00:03:12,960
that return address that's going to be malicious, and then we're gonna gain root.

43
00:03:12,970 --> 00:03:14,790
So hopefully this makes sense.

44
00:03:14,920 --> 00:03:19,960
Again, just to reiterate, we have controlled the EIP and now we're going to start to get malicious.

45
00:03:20,050 --> 00:03:23,370
So in the next video we're going to talk about finding bad characters.