Welcome back to Advanced Exploit Development. In this section we're going to show you how to construct a ROP chain using Immunity Debugger's mona.py module.

Now, from Immunity Debugger, type `!mona rop -m *.dll -cp nonull`. This will take a substantial amount of time and processing power, so I am just going to pause the video until we get to that point.

All right, so we finished creating our rop_chains.txt file. This is why I told you to use the overview lot, by the way. So we go to the main directory of our debugger installation. You have to run Immunity Debugger in administrator mode for it to write files. So let's go into Program Files, Immunity Inc, Immunity Debugger, and here we will have a file called rop_chains.txt. Open it.

If we maximize this, you can tell that we now have our ROP chains set up right here. We have multiple ROP chains, actually, and we have them in different languages. What we're going to do is copy and paste the Python one right here.
There's actually an easy way for us to share files between a Windows machine and a Linux machine, and I will show you that right now. So let's go to the terminal. Here we're going to make a directory for the share (which I already did, so it says the file exists) and then use Impacket's smbserver, with the share name `share` pointing at that share directory.

Now, from your Windows machine, Windows key + R to open up Run. Oops. cmd.exe. Then type `net use Z: \\192.168.122.110\share` (that's my Kali Linux machine). The command completed successfully. Now we're going to navigate to our Immunity Debugger installation directory. Let's see, and there we have our file, rop_chains.txt. So we're going to type `copy rop_chains.txt Z:`. One file copied.

So go back to your Linux box. As you can see, we already authenticated and transferred a file. `ls share`, and we have a text file in there named rop_chains.txt.
So `ls`, rop... oops, this is the old one, by the way. `ls share`, then `less rop_chains.txt`, and go down all the way to Python. Where's Python? Right here. So we're going to copy and paste this into our proof-of-concept file. Let's see. Copy. Oh, server C2. Hi. Hi.

And then, because this is not correct Python whitespace formatting, I want you to decrement each line by two spaces. I'm going to do this manually, so I will pause the video right now and will restart the video once I'm done.

Okay, welcome back to class. To test your new file, type `python` followed by the script name: "NameError: name 'struct' is not defined". So Python caught something. Well, you made a debugger for yourself: we need to import the struct module, and we also need to import this module. Run it again with python: nothing happens. Good, so everything is working just as planned. So at this point, let's see. Hello again.
So now we can modify our attack code using my previous example that I actually tried before. vulnserver... oops... the .py file from our new directory.

We need to make the following changes. For the padding, we need to subtract the four bytes right here, and instead we're going to use the length of the ROP chain, because we are replacing what goes into EIP, which is the four bytes of EIP, with the length of the ROP chain. So what it's doing is that all of these gadgets right here, we're going to shove all of them right where we're going to overwrite EIP. Now, we covered overwriting EIP in my previous class, Introduction to Exploit Development, but here we're going to replace this EIP variable with our ROP chain. Because of that, we need to adjust our four bytes to the actual length of our ROP chain. So minus: subtract `len(rop_chain)` instead of 4. And... we're so skippy. We now replace EIP with the ROP chain, `rop_chain`, right here.

So let's go give this code a test run to make sure that it's all working. Let me see if I missed anything. All right, give this a test run to see if this code is working, and then we will go back.
So restart Immunity Debugger. You can close this; we already shared the file. Um. What is this? Yes, I know that, I didn't enter my license, I get it. Debug, Restart. Play. And we're just going to verify that the stack is executable again.

And lo and behold, the stack's executable. I want you to look at something. If you look in Immunity Debugger, notice how it says kernel32.VirtualProtect. That means that at the ROP chain we finally made a function call into the kernel32.dll VirtualProtect function, which re-enables execution on the non-executable pages. So the non-executable bit has been removed and we have now restored execution, because before, with system-wide DEP enabled like it is now, we stopped at that point. But now we're able to execute these NOPs and then reach this specific memory address, which then calls the VirtualProtect function, which now makes the stack executable again. This is the point that I wanted to make when we were explaining ROP chaining.