DNS Remote Code Execution: Writing the Exploit 💣 (Part 2)
Flashback Team

Published On Aug 16, 2023

Learn tricks and techniques like these, with us, in our amazing training courses!
https://flashback.sh/training

Previously, we showed you how we found a vulnerability in a DNS parser exposed through a router's Wide Area Network (WAN) connection.

Today, we will dive deep into it, and work around its limitations to build a surprisingly complex exploit. So buckle up, and join us on an epic journey to get that sweet remote root shell!

In this video, we will continue our journey into exploiting CVE-2020-10881, which we abused in the Pwn2Own Tokyo 2019 hacking competition to win $20,000 :-)

0:00 - Intro
0:37 - Recap of Last Video
2:41 - Vulnerability Overview
4:24 - Jumping into Ghidra (process_resolved_IP)
7:06 - Writing the Proof-of-Concept (PoC)
9:37 - Testing Our PoC
11:30 - Checking Constraints / ASLR / NX
13:34 - Return Oriented Programming (ROP)
17:08 - Hunting for ROP Gadgets
18:23 - Stack Overview
21:54 - Master Ownage Plan
23:03 - Jumping into Ghidra Again
25:21 - ROP Gadget Walkthrough
30:22 - Exploit Walkthrough
31:42 - Exploit Run
32:30 - Our Training
33:55 - Radek Joins In
34:38 - What is conntrack?
36:34 - Checking conntrack in the Target
37:24 - Final Exploit Walkthrough
38:40 - Attack Setup
39:28 - Final Exploit Run!
40:02 - TXID Ignored?

Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.

~ Flashback Team
https://flashback.sh
@flashbackpwn

Background track: "Hackers" by Karl Casey @WhiteBatAudio
