1
00:00:00,240 --> 00:00:05,200
To better explain where we actually go in terms of attack and memory exploits,

2
00:00:05,200 --> 00:00:11,760
we have to understand that there's two primary areas of the actual running memory that we look

3
00:00:11,760 --> 00:00:19,040
at in terms of viable for attack and also viable to the operating system for those that are doing

4
00:00:19,040 --> 00:00:27,600
programming and other coding adventures. First, we want to address that this is broken down into

5
00:00:27,600 --> 00:00:33,279
either the stack or the heap. Now, you may be wondering those are some goofy names and yes,

6
00:00:33,279 --> 00:00:37,119
they really are but they've been around for quite some time and I'm going to break them down pretty

7
00:00:37,119 --> 00:00:45,840
easily. The stack is the organized area of the actual RAM itself. This is where local variables

8
00:00:45,840 --> 00:00:53,360
and function calls go. It's basically referred to as the last in and first out. So, this is where

9
00:00:53,360 --> 00:00:58,480
stack-based stuff like buffer overflows get to happen at. So, whenever we send a buffer overflow

10
00:00:58,480 --> 00:01:07,360
attack, it will happen in the stack of the actual memory itself. It's the easiest place to start

11
00:01:07,360 --> 00:01:14,879
because of the data that we put in for actual controls and it sits right next to each other.

12
00:01:14,879 --> 00:01:20,320
So, basically, we send a NOP sled in and it's going to start pushing things in front of it out

13
00:01:20,320 --> 00:01:27,120
the other end of the buffer itself causing that overflow. And then you have the heap which is

14
00:01:27,120 --> 00:01:34,559
known as the chaotic area. It's almost like they were thinking of me. But inside the heap, we have

15
00:01:34,559 --> 00:01:42,400
dynamic memory. Now, this is memory allocated to things on the fly and it's way less structured.

16
00:01:42,400 --> 00:01:48,959
So, you'll see parts, bits, pieces of fragmented memory all throughout the area and it's not

17
00:01:48,959 --> 00:01:53,680
necessarily because something got closed and we still have pieces left, but that is a part of it.

18
00:01:54,239 --> 00:01:58,879
And that's where we can do some information and data carving out of things later on, especially

19
00:01:58,879 --> 00:02:04,639
in those digital forensics courses here on CBT Nuggets using programs like Volatility and etc.

20
00:02:05,360 --> 00:02:15,520
But this is where heap overflows happen. And this is use-after-free exploits. So, basically,

21
00:02:15,520 --> 00:02:20,720
we're sending in exploits, not buffer overflow, but we're sending in things into the memory,

22
00:02:20,720 --> 00:02:27,919
specifically the heap area for us to call upon again later if it gets called back up or if we're

23
00:02:27,919 --> 00:02:36,080
wanting to go through and do some very detailed data carving. And the reason I'm stressing this

24
00:02:36,080 --> 00:02:41,679
part right here is because this is where the hardest level of attacks happen at when we look

25
00:02:41,679 --> 00:02:48,240
at terms of attacking the actual memory itself. Now, I just wanted to give a real quick synopsis

26
00:02:48,240 --> 00:02:51,520
of it because I really want to go into more detailed explanation here.


