WEBVTT

00:00.990 --> 00:03.630
Welcome back to another video. In this video,

00:03.660 --> 00:06.270
let's begin with writing the exit shellcode.

00:07.470 --> 00:12.450
As mentioned earlier, this is the process that we are going to follow in almost all the cases.

00:12.930 --> 00:21.320
But when writing the exit code, we are going to skip the first two steps because the exit code is straightforward.

00:22.050 --> 00:28.500
We know that the exit syscall is going to be used, so we can see the man page of the exit syscall right away,

00:28.830 --> 00:30.700
and then we can write the assembly code.

00:31.260 --> 00:37.680
So let's switch to our virtual machine and let's first create a directory called shellcode.

00:37.830 --> 00:42.000
Inside this x86_64 directory,

00:45.270 --> 00:49.670
and let's navigate there before starting to write the code.

00:49.920 --> 00:53.360
Let's check the man page of the exit syscall.

00:58.560 --> 01:01.860
If you notice, the command I'm using is man, space,

01:01.860 --> 01:12.390
2, space, exit. Man pages of syscalls can be read using man 2, by typing man 2 space exit, because exit.

01:12.420 --> 01:14.030
This is what we are interested in.

01:14.910 --> 01:15.800
Let's hit enter.

01:17.610 --> 01:24.450
If you read the description, it says the function exit terminates the calling process immediately.

01:25.500 --> 01:33.350
And if you see this here, the value status is returned to the parent process as the process's exit status.

01:34.260 --> 01:36.810
This is all you need to write the code.

01:37.200 --> 01:38.960
We have two important things here.

01:39.540 --> 01:47.160
One, we are going to use this exit function, and it requires one argument, which is going to be returned

01:47.160 --> 01:48.810
as the exit status.

01:49.500 --> 01:56.760
So what's our approach in writing the shellcode? When writing shellcode, the syscall number goes to the

01:56.760 --> 02:06.540
register rax, and any argument that the syscall may have will go to the registers rdi, rsi, rdx,

02:06.540 --> 02:10.920
r10, r8 or r9 respectively.

02:11.520 --> 02:14.130
In this case we only have one argument.

02:14.340 --> 02:21.870
So this argument goes into rdi and the syscall number of this exit goes into rax.

02:22.500 --> 02:29.940
Now let's find out the syscall number of exit. I'm exiting from this man page output.

02:33.150 --> 02:40.140
And let's find out the syscall number of exit. Syscall numbers for the 64-bit architecture can be found in the

02:40.140 --> 02:44.980
file unistd_64.h.

02:45.450 --> 02:47.070
So let's search for this file.

02:51.210 --> 03:00.570
This is the file we are interested in, so let's copy this and let's use cat and let's use grep and let's

03:00.570 --> 03:01.650
grep for exit.

03:03.330 --> 03:07.980
There it is, 60 is the syscall number for the exit syscall.

03:08.400 --> 03:14.940
So rax should contain 60 and rdi should contain the argument for this syscall.

03:15.180 --> 03:15.660
That's it.

03:15.990 --> 03:20.930
So let's begin writing our shellcode, using the information that we have gathered so far.

03:21.590 --> 03:24.510
Let's create a file called exit.nasm.

03:29.340 --> 03:38.850
Let's begin with section .text and let's write a global directive which says _start, and let's write

03:38.850 --> 03:46.290
our entry point here and let's move the value of 60 into register rax.

03:47.850 --> 03:52.560
We are moving the value 60 to rax because rax should contain

03:52.560 --> 03:55.600
the syscall number of exit, which is 60.

03:56.700 --> 03:59.200
We have also discussed that the exit

03:59.200 --> 04:03.050
syscall takes one argument, which is the exit status.

04:03.540 --> 04:06.810
So let's move some value into the rdi register.

04:07.440 --> 04:11.640
This can be any value and I am choosing this value to be two in this case.

04:12.060 --> 04:15.840
So let's write mov rdi, 2.

04:17.090 --> 04:19.440
Finally, let's make the syscall.

04:21.740 --> 04:22.540
This is syscall.

04:23.660 --> 04:30.770
So this will invoke the syscall using the number that's placed in the rax register; essentially we are

04:30.770 --> 04:34.450
going to invoke the exit syscall with 2 as the argument.

04:34.970 --> 04:48.560
Now, let's save this file and let's assemble it using nasm exit.nasm -o exit.o -f

04:48.560 --> 04:48.890
elf64.

04:50.960 --> 04:58.800
Let's hit enter and let's link it using ld exit.o -o exit.

04:59.720 --> 05:04.450
Now if you execute this file, it just exits.

05:04.940 --> 05:06.530
But let's check the status.

05:12.400 --> 05:16.490
As you can see, the return code 2 is getting printed in the status.

05:16.840 --> 05:19.420
That means our assembly program worked.

05:19.900 --> 05:23.420
Now let's try to dump the machine code from this ELF binary.

05:23.920 --> 05:26.710
This can be done using objdump

05:32.290 --> 05:34.740
-d exit.

05:36.310 --> 05:39.640
And if you see, the instructions are in AT&T syntax.

05:40.150 --> 05:42.370
My preference is Intel syntax.

05:42.700 --> 05:49.090
So let's use objdump -d exit -M intel.

05:50.710 --> 05:56.770
If you see, the instructions are now being shown in Intel syntax. It's just my preference, and there

05:56.770 --> 06:01.150
is no need to use Intel syntax if you are comfortable with AT&T syntax.

06:01.690 --> 06:06.610
Now, this is fine as far as the functionality of the exit program is considered.

06:07.120 --> 06:14.710
But if you want to use this as shellcode in your exploits, it may break because it has multiple NUL bytes

06:14.710 --> 06:15.780
in its machine code.

06:16.750 --> 06:19.760
You can see them here. In the next video,

06:19.910 --> 06:23.140
Let's try to fix our code to avoid these null bytes.
