WEBVTT

00:03.030 --> 00:10.590
Now, let's move on to execve shellcode. The goal of this code is to give us /bin/sh when it is run.

00:11.340 --> 00:14.610
For this, we are going to use the execve system call.

00:15.480 --> 00:21.750
So according to our seven step process, the first thing that we are going to do is to write a very

00:21.750 --> 00:24.870
simple C program, which gives us a shell.

00:25.380 --> 00:28.700
So let's switch to our virtual machine and do that.

00:29.670 --> 00:31.740
So I'm inside the shellcode directory.

00:32.490 --> 00:34.500
Let's create a new directory called

00:35.100 --> 00:35.910
execve.

00:36.750 --> 00:39.300
And let's navigate to the execve directory.

00:40.230 --> 00:45.450
And here let's create a new file and let's call it shell.c.

00:48.060 --> 00:52.140
Hash include stdio.h.

00:54.490 --> 01:04.510
Let's type in main and let's simply write a system function call with /bin/sh as its argument.

01:10.570 --> 01:11.320
There it is.

01:11.450 --> 01:24.660
Now, let's compile this program using gcc, so I'm just using gcc shell.c -o shell.

01:27.280 --> 01:30.380
Now let's execute this output file, which is shell.

01:31.060 --> 01:31.960
And there it is.

01:32.260 --> 01:34.110
As you can notice, we got a shell.

01:34.510 --> 01:37.750
So this program is good enough to get us a shell.

01:38.230 --> 01:42.610
Now, let's strace this file and understand the underlying syscalls.

01:43.030 --> 01:46.650
If you remember our seven step process, that's the next step.

01:47.820 --> 01:48.490
There it is.

01:48.930 --> 01:56.760
We want to use strace against the compiled program so we can understand what syscalls are used in

01:56.760 --> 01:57.390
this program.

01:58.980 --> 02:07.710
Let's exit from the shell and let's type strace -h to see the help options.

02:10.050 --> 02:14.460
Filtering and tracing are the two options that we are interested in.

02:15.270 --> 02:21.720
If you see the filtering section, we have a flag, which is -e, to actually specify an expression;

02:22.380 --> 02:27.450
similarly, in tracing we have -f, using which we can follow forks.

02:27.990 --> 02:32.700
So -f and -e are the options that we are going to use here.

02:33.480 --> 02:43.130
So let me clear the screen and run strace with -f to follow the forks and -e to specify an expression.

02:43.140 --> 02:49.690
In this case, I want to specify execve, because those are the syscalls that we want to track, and then

02:49.710 --> 02:53.580
./shell. As you can notice in the output,

02:53.620 --> 02:56.510
there is an execve function being invoked.

02:57.110 --> 03:02.790
What we are interested in is the first one, which is the full path of the binary that we want to execute.

03:03.300 --> 03:06.780
Now let's take a look at the man page of execve.

03:07.620 --> 03:13.320
I'm typing exit and let's type man execve.

03:14.340 --> 03:18.180
If you look at this, as we have seen earlier, there are three arguments.

03:18.640 --> 03:26.320
The first one is filename, the second one is an array and the third one is also an array.

03:27.030 --> 03:33.680
The last two values can be made null to start with, and we can just pass a pointer to the string /bin/sh

03:33.810 --> 03:35.190
into the first argument.

03:35.850 --> 03:43.200
Essentially, in our assembly program we are going to place the syscall number of execve in the RAX register

03:43.620 --> 03:48.780
and a pointer to the full path of /bin/sh, which goes into the RDI register.

03:49.680 --> 03:55.040
And then we will place null in RSI and we will place another null in the RDX register.

03:55.560 --> 04:02.160
One important thing that we need to remember here is that this is a filename and it should end with a null

04:02.160 --> 04:06.470
terminator, so our /bin/sh should terminate with a null terminator.

04:06.900 --> 04:08.520
So let's keep that in mind.

04:09.030 --> 04:13.770
With that, let's begin to write this execve code first.

04:13.770 --> 04:24.810
Let's quit this and let's copy our exit-normal.nasm into the current directory and let's

04:24.810 --> 04:26.210
use that as a template.

04:26.910 --> 04:35.640
So I'm just moving this file exit-normal.nasm to execve.nasm.

04:41.430 --> 04:45.840
Let's clear all these instructions so we can write from scratch.

04:46.840 --> 04:47.390
All right.

04:47.460 --> 04:49.890
So I'm just not going to delete anything else.

04:50.400 --> 04:56.670
Let's quickly save this file and let's find out the syscall number for the execve syscall.

04:57.840 --> 05:04.770
So I'm just typing cat /usr/include/

05:07.620 --> 05:22.440
x86_64-linux-gnu/asm/unistd_64

05:22.440 --> 05:23.130
.h.

05:23.850 --> 05:26.430
And let's grep for execve.

05:28.920 --> 05:29.580
There it is.

05:29.880 --> 05:32.370
Now, if you notice, the syscall number for

05:32.370 --> 05:34.200
execve is fifty nine.

05:34.740 --> 05:40.890
Now that we have got the syscall number, let's go to our plan of how we want to write this shell

05:40.920 --> 05:41.250
code.

05:42.360 --> 05:43.020
Here it is.

05:43.410 --> 05:50.160
Obviously the syscall number goes into the register RAX, so we will have to place the value fifty nine

05:50.160 --> 05:54.780
into RAX, which is actually 0x3b in hex.

05:55.590 --> 06:02.070
Next, we will have to place a pointer to the null-terminated string into the register

06:02.100 --> 06:11.850
RDI. This can be done by pushing this string onto the stack and placing the value of RSP into RDI,

06:12.240 --> 06:17.850
because RSP is actually pointing to this /bin/sh string, which is null terminated.

06:18.270 --> 06:25.230
So RSP holds a pointer to the /bin/sh string, so we can simply copy this RSP into RDI.

06:25.560 --> 06:28.020
And that sets up our first argument.

06:28.830 --> 06:33.750
As I mentioned earlier, the second and third arguments are going to be null values.

06:34.200 --> 06:39.780
So we are going to place a null in the RSI register as well as the RDX register.

06:40.290 --> 06:44.700
Just to reiterate, /bin/sh should be followed by a null terminator.

06:44.970 --> 06:47.220
So the approach we are going to use here is to push

06:47.750 --> 06:55.250
null onto the stack first, as you can see here, and after that we are going to push the /bin/sh string

06:55.250 --> 06:57.240
onto the stack in reverse order.

06:57.740 --> 07:05.120
If you see: h, s, slash, n, i, b, slash, slash. So that's the order we will have to push.

07:05.390 --> 07:11.760
So it will become slash, slash, bin, slash, sh (//bin/sh) after the push is complete.

07:12.500 --> 07:19.370
Once that is done, we will move RSP into the RDI register so that we will have a pointer to /bin/sh

07:19.570 --> 07:23.060
with a null terminator in our RDI. To do this,

07:23.060 --> 07:27.520
we are going to convert all of these characters into their hex equivalents.

07:28.220 --> 07:31.400
One way to do that is to use an online service.

07:31.850 --> 07:35.920
So I'm going to use an online ASCII to hex converter.

07:36.770 --> 07:37.460
Here is one.

07:37.670 --> 07:45.080
We can use this ASCII to hex converter and, as I mentioned earlier, we will have to place the string

07:45.080 --> 07:46.210
in reverse order.

07:46.790 --> 07:49.930
So: h, s, slash, n, i, b, slash, slash.

07:50.480 --> 07:58.910
If you notice, we used two slashes after this /bin string; that is to avoid stack alignment issues

07:58.910 --> 07:59.350
later.

08:00.020 --> 08:12.590
So let's convert this, copy it and paste it in notepad, and let's also note down our syscall number.

08:15.080 --> 08:25.250
And let's write our shellcode. Let's once again open our execve.nasm. Let's begin by clearing the

08:25.260 --> 08:27.580
RAX register, using an xor instruction.

08:27.950 --> 08:42.020
So I'm just typing xor rax, rax, and let's use mov rdx, rax and mov rsi,

08:42.050 --> 08:42.770
rdx.

08:43.400 --> 08:49.850
What these two instructions are going to do is: the first instruction, which is mov rdx, rax,

08:50.150 --> 08:54.200
is going to set up a null value for our argument three.

08:54.770 --> 09:03.170
So we are using null for argument three here, using this mov rdx, rax, because RAX becomes zero

09:03.170 --> 09:07.100
here and we are just moving that zero into the RDX register.

09:07.490 --> 09:16.160
If you remember, RDI holds the first argument, RSI holds the second argument and RDX holds the

09:16.160 --> 09:16.960
third argument.

09:17.510 --> 09:21.490
So we are using this instruction to place this null value in RDX.

09:21.860 --> 09:28.190
Now that RDX contains the value of zero, we are just copying that into the RSI register as well.

09:28.490 --> 09:32.030
So it will set up our argument two.

09:34.850 --> 09:39.860
So out of three arguments for execve, we have already set up two arguments.

09:40.010 --> 09:45.470
So we are only left with the first argument, which is a pointer to the /bin/sh string.

09:46.100 --> 09:50.010
So let's set it up now.

09:50.030 --> 09:53.410
Let's use push rax.

09:53.450 --> 09:59.800
This is because we will have to end our /bin/sh string with the null terminator, and currently RAX

09:59.810 --> 10:09.800
contains a null value, so we are just pushing it onto the stack. And then let's use mov into some register

10:09.800 --> 10:13.940
to hold our string, which is here.

10:14.540 --> 10:16.620
So I'm just going to use 68

10:17.330 --> 10:25.400
73 2f 6e 69 62 2f 2f.

10:25.970 --> 10:29.960
So let's just use 0x and this value.

10:31.580 --> 10:35.360
So this is going to contain the /bin/sh string in reverse order.

10:36.980 --> 10:40.270
Now what we want to do is we just want to push this value.

10:40.340 --> 10:46.520
So let's use push rbx, so it is going to be pushed onto the stack. Once this is done,

10:47.000 --> 10:50.660
RSP contains a pointer to this string.

10:50.930 --> 10:55.240
So all we have to do is put that into the RDI register.

10:55.640 --> 10:59.750
So let's use mov rdi, rsp.

11:00.230 --> 11:00.770
That's it.

11:01.160 --> 11:03.740
Once that is done, we can just type syscall.

11:05.570 --> 11:11.570
But if you remember, when we execute this instruction syscall, it is going to execute the syscall

11:11.720 --> 11:15.710
which is specified in the RAX register. In this case,

11:15.710 --> 11:19.430
currently RAX contains zero, so let's move

11:19.430 --> 11:30.440
our execve syscall number into RAX. So I'm just using mov rax, 59, so this

11:30.440 --> 11:31.220
should do it.

11:31.400 --> 11:40.310
Let's save the file, and let's assemble and link it using nasm and ld respectively.

11:40.730 --> 11:50.600
So nasm execve.nasm -o execve.o -f elf64.

11:51.740 --> 11:54.810
Now let's use ld to link it:

11:54.820 --> 11:58.910
ld execve.o -o execve. Hit enter.

11:59.630 --> 12:03.560
Now let's quickly verify if it has any null bytes in the machine code.

12:04.070 --> 12:08.600
So I'm going to use objdump -d

12:09.650 --> 12:14.000
execve -M intel, for Intel syntax.

12:15.440 --> 12:19.190
If you notice, in this machine code we have three null bytes here.

12:19.640 --> 12:25.700
If you remember, I have discussed some techniques to avoid null bytes, so we can just use one of them

12:25.700 --> 12:30.950
to avoid these null bytes. Instead of using our mov instruction we can use

12:30.950 --> 12:41.520
add. Let's save it once again, assemble it, link it, and let's quickly check if we still have any null

12:41.540 --> 12:41.990
bytes.

12:43.610 --> 12:44.240
Look at that.

12:44.420 --> 12:46.370
All our null bytes are now cleared.

12:46.910 --> 12:50.000
Now, the next step is to check if the binary is working.

12:50.390 --> 12:52.700
So let's use ./execve.

12:53.150 --> 12:56.610
If everything goes well, we should get a shell there.

12:57.290 --> 13:04.700
Good. Now, to be able to use this shellcode in our exploits, we will have to extract the shellcode from

13:04.700 --> 13:05.330
this binary.

13:05.720 --> 13:09.530
So one way to do that is to copy all these bytes one by one.

13:09.800 --> 13:13.280
But as I mentioned earlier, we can use some Linux kung fu.

13:13.510 --> 13:15.490
to extract the usable shellcode.

13:17.130 --> 13:25.500
So let's use this first link once again, like we did earlier, and let's just copy this.

13:27.370 --> 13:37.310
And let's come back here, exit from this shell, let's paste it and let's just replace this program with

13:37.310 --> 13:38.960
our execve.

13:43.720 --> 13:50.770
There it is. Now, if you notice, this is going to be our final shellcode, so from here onwards we can use

13:50.890 --> 13:53.230
this shellcode in all our exploits.

13:53.840 --> 13:59.680
Let's quickly check if this shellcode is working or not using one of our previously written exploits.

14:00.070 --> 14:03.850
I'm going to use the jump exploit that we have written earlier.

14:04.360 --> 14:06.100
So let's open up a new tab.

14:07.680 --> 14:11.310
And let's first make sure that ASLR is disabled.

14:16.520 --> 14:20.530
So, disable_aslr.sh.

14:21.650 --> 14:22.970
Now, let's quickly check.

14:25.160 --> 14:27.440
There it is, ASLR is now disabled.

14:28.130 --> 14:31.370
Now let's go back to our shellcode directory.

14:31.790 --> 14:35.150
Let's go to the execve directory and let's copy

14:40.290 --> 14:44.640
the exploit from the jump directory into the current directory,

14:48.240 --> 14:52.700
so exploit-final.py is what we had written earlier.

14:54.510 --> 14:59.540
This is the exploit, and this was the shellcode that we had taken from the Internet.

15:00.060 --> 15:04.190
So we are going to replace this shellcode with the shellcode that we have just written.

15:04.860 --> 15:12.840
So let's use vim exploit-final.py, and let's cut this out

15:18.750 --> 15:20.070
and let's use this one.

15:30.680 --> 15:37.730
There it is. If everything goes fine, this exploit should work, even with this shellcode. So let's

15:37.730 --> 15:43.700
type ./exploit-final.py.

15:50.510 --> 15:52.160
Dargavel.

15:55.700 --> 16:00.020
Looks like there is a segmentation fault. I have already tested this.

16:00.070 --> 16:03.580
The reason for this segmentation fault is the shellcode.

16:04.330 --> 16:11.290
What happened was, when we used this one-liner, it missed one byte from our actual shellcode that was

16:11.290 --> 16:12.680
supposed to be extracted.

16:13.270 --> 16:16.140
So let's quickly use objdump once again.

16:16.570 --> 16:22.120
And if you compare the shellcode and the bytes that you see here, there is one byte missing in the

16:22.120 --> 16:22.720
shellcode.

16:23.320 --> 16:25.100
That is, after 62

16:25.120 --> 16:28.220
we have 69, 6e, 2f, 73, 68.

16:28.720 --> 16:37.200
But if you closely examine the shellcode, after 62 we have 69 and 2f, and this 6e is missing.

16:37.660 --> 16:43.330
So to be able to identify these kinds of issues, we will have to always do some double checking, and

16:43.330 --> 16:45.870
we have to do a bit of debugging in GDB.

16:46.360 --> 16:47.830
So how do we fix this?

16:48.340 --> 16:52.490
One way is to simply copy this and add it here after 69.

16:52.930 --> 16:58.230
Another way, if you don't want to do that, is to use another command.

16:59.020 --> 17:04.530
So I have just found another one which appears to be working fine.

17:05.050 --> 17:06.640
So I'm just copying this here.

17:07.660 --> 17:16.620
And let's go back to this once again and let's replace this binary with our execve.

17:16.660 --> 17:18.670
Let's hit enter.

17:20.290 --> 17:25.890
And this time, if you notice, after 69 we have 6e.

17:26.530 --> 17:29.650
That means our shell code is properly extracted.

17:30.070 --> 17:38.350
So let's copy this and let's go back to our exploit and let's edit it once again.

17:48.610 --> 17:51.000
And let's paste our shellcode,

17:56.410 --> 18:00.750
and if everything goes fine this time, this exploit should work.

18:01.610 --> 18:03.160
So let's quickly check that.

18:07.820 --> 18:10.400
Look at that, that exploit finally worked.

18:11.180 --> 18:16.970
This is how we can create our own shellcode, and we can use that in the exploit that we are writing.

18:17.660 --> 18:24.440
This completes a full cycle of writing a simple stack-based buffer overflow exploit, even by writing

18:24.440 --> 18:25.390
your own shell code.

18:25.820 --> 18:27.170
So that's the end of this video.

18:27.470 --> 18:28.580
See you in the next one.
