WEBVTT 00:01.520 --> 00:02.810 Welcome back to another video. 00:03.080 --> 00:09.050 In this video, we are going to talk about how to write reverse this special called while writing this 00:09.050 --> 00:10.500 reverse deception code. 00:10.670 --> 00:14.720 It is essential that we follow a seven step process once again. 00:15.770 --> 00:22.630 First, we need to have a C program that can make a reverse DCP connection, and we will stress this 00:22.760 --> 00:27.600 program to identify the required size calls and their respective arguments. 00:28.220 --> 00:31.950 After that, we will translate that functionality into assembly code. 00:32.210 --> 00:35.300 And finally, we will extract the code as usual. 00:35.450 --> 00:38.390 We will have to make sure that null bytes are avoided. 00:38.990 --> 00:40.280 All right, let's begin. 00:40.460 --> 00:48.310 Let me first switch to my virtual machine and let's create a directly called reverse shell. 00:50.260 --> 00:57.910 And let's navigate to that territory and within this directly, I'm going to create a file called Reverse 00:57.910 --> 01:01.240 Nazi with this content. 01:04.420 --> 01:05.870 So here is my program. 01:06.130 --> 01:08.050 I'm going to explain what it does. 01:08.350 --> 01:11.570 But before that, let's first check if it works. 01:12.160 --> 01:14.800 So what I'll do is I will open up a new tab. 01:16.360 --> 01:26.290 And I will start a listener on PT. four four four four using Basche and LCP using that cat once this 01:26.290 --> 01:26.680 is done. 01:26.890 --> 01:33.850 Let's go back to our previous show and let's compile this reverse Nazi and let's produce the output 01:33.850 --> 01:40.540 file, which is reverse, and let's quickly execute this reverse program and let's render. 01:41.200 --> 01:45.760 And if you go back to the listener, we should receive a connection from this program. 01:46.330 --> 01:52.000 This confirms that our program just works fine and it is giving a revolution. 01:52.480 --> 01:56.730 Now, let's try to understand the code written in this reverse Nazi file. 02:01.660 --> 02:10.900 The first line is to create a socket, and it has three arguments if underscoring it soke underscore 02:10.900 --> 02:12.850 stream and a zero. 02:13.720 --> 02:19.870 As you can see, this is returning some file descriptor which will be kept in the variable SOC. 02:20.790 --> 02:28.470 So we basically created a socket in this line and the return value is an integer, which is saved in 02:28.470 --> 02:29.640 the variable sock. 02:30.300 --> 02:35.160 This is the socket file descriptor which will be used throughout the remaining program. 02:35.490 --> 02:42.010 If you notice, this sock is referred here, here, here and here. 02:42.540 --> 02:45.600 So it is important to take note of this return value. 02:46.350 --> 02:47.310 Now, let's move on. 02:47.760 --> 02:51.690 In the next few lines, we are preparing a structure. 02:52.660 --> 02:55.100 And this structure has three members. 02:55.480 --> 03:02.530 The first one is seen underscore family, the second one is seen underscore port, and the third one 03:02.530 --> 03:04.600 is seen underscore address. 03:05.560 --> 03:14.310 The members in underscore family holds the value, which is defined by an underscore in it and the member 03:14.560 --> 03:19.880 in underscore port holes, the port number, which is four four four four. 03:20.500 --> 03:25.870 Finally, the member underscored address holds the address 127. 03:25.870 --> 03:27.340 Not one, not one. 03:27.340 --> 03:27.830 Not one. 03:28.690 --> 03:31.840 The reason why we chose this address 127. 03:31.840 --> 03:33.070 Not one, not one. 03:33.070 --> 03:39.550 Not one is that when we write this address in assembly, this will not produce any null bytes. 03:40.330 --> 03:46.140 If you choose 127, not zero zero, not one that will produce nonwhites in the code. 03:46.660 --> 03:48.780 So we decided to go for this address. 03:49.210 --> 03:54.040 You can choose any address for Canek back, but make sure that it doesn't have any lights. 03:54.970 --> 03:58.210 Now let's move on to the next line, which is connect. 03:59.050 --> 04:05.050 Now that we have a socket file descriptor and we have a structure defined, now we are making a connection. 04:05.830 --> 04:12.010 If you know the first argument of this connect function call it is the return value of the socket call 04:12.880 --> 04:17.220 the file descriptor retained by the socket call is being used in this connection. 04:17.560 --> 04:18.990 So that's the first argument. 04:19.750 --> 04:23.310 The second argument is an address to the structure. 04:23.680 --> 04:26.970 If you see this, this is an address to the structure. 04:27.340 --> 04:32.590 So basically we will have to provide the address of the structure we prepared earlier as the second 04:32.590 --> 04:33.100 argument. 04:34.220 --> 04:41.720 Next, we have the third argument, which is the size of this structure, we can get some of these values 04:41.720 --> 04:46.900 by running straight against this binary and we can use them directly in our assembly code. 04:46.910 --> 04:48.260 So we will get to that soon. 04:48.740 --> 04:55.010 For instance, this size of the structure, you can get that by running a stress against this binary. 04:55.970 --> 04:58.910 Now, let's move on to the next few lines of the code. 05:00.050 --> 05:06.560 If you notice, we have three W calls with the first argument being the socket file descriptor once 05:06.560 --> 05:06.830 again. 05:06.950 --> 05:09.500 And this is the return value of socket called. 05:10.510 --> 05:19.150 The second argument in all these three calls is an integer value, the first loop to call has the argument 05:19.150 --> 05:22.570 zero and this loop to call is for in. 05:23.080 --> 05:27.610 And the second call has the argument one, and this is for study out. 05:28.000 --> 05:33.270 And the third loop to call has the argument to which is for study error. 05:33.670 --> 05:36.880 Once these calls are done, we are finally calling. 05:36.880 --> 05:37.720 Exactly. 05:38.320 --> 05:45.190 Business is the first argument, which is basically the program to be executed by Xixi and the next 05:45.190 --> 05:47.050 two arguments are null. 05:48.060 --> 05:54.870 So essentially, once a reverse connection is made, exactly, it provides the shell so we can execute 05:54.870 --> 05:56.010 commands remotely. 05:56.760 --> 06:01.890 Now, it is important for us to know what some of these arguments here, because we will need them when 06:01.890 --> 06:05.550 writing the assembly code before we move on to the assembly code. 06:05.850 --> 06:12.120 Let's quickly run this program through stress and observe the schools and their associated arguments. 06:13.440 --> 06:23.220 So I'm just reading the screen and I'm going to start this listener once again and I'll run as trace. 06:26.700 --> 06:30.780 And like we did earlier, we are going to use Dash F and dash E. 06:31.410 --> 06:43.340 This time we are going to use Xixi socket, connect dukedom and let's execute our binary. 06:45.210 --> 06:54.060 If you look at the socket call, it has afine it sock string and IP Proteau underscore IP in the C program. 06:54.090 --> 07:02.070 This value was zero and finally the return value is three in this case and this three is used in connection 07:02.070 --> 07:03.790 as well as the W cards. 07:04.500 --> 07:11.310 Now if you look at the second one, which is connect, the first argument is three, which is the return 07:11.310 --> 07:17.260 value of this socket call, and the second one is the address of the structure. 07:17.610 --> 07:19.800 In this case, you are seeing the structure itself. 07:20.260 --> 07:23.430 And finally, the third argument is the size of the structure. 07:23.880 --> 07:26.060 If you notice the sizes, 16 here. 07:26.520 --> 07:29.210 So we can directly use this in our assembly program. 07:30.080 --> 07:36.590 And after that, we have three dupatta calls, first argument in all the three to two guards is going 07:36.590 --> 07:39.740 to be the return value coming from this socket call. 07:40.040 --> 07:44.650 And the second argument in all due to calls is going to be an integer. 07:45.140 --> 07:47.510 So that's pretty much it for the exact value. 07:47.510 --> 07:50.350 We can use the same code that we have written earlier. 07:50.570 --> 07:58.220 So essentially to complete this reverse shell code, we will have to craft the assembly code with these 07:58.220 --> 07:59.050 six calls. 07:59.420 --> 08:01.130 Let's do that in the next real.