1
00:00:00,570 --> 00:00:05,520
So in this video we'll be testing the Metasploit payloads with our loader.

2
00:00:05,520 --> 00:00:13,470
So I have created a function that is called InjectPE64 and it will take these in the byte format,

3
00:00:14,760 --> 00:00:16,710
the exe in the binary format.

4
00:00:16,710 --> 00:00:18,960
So how are we going to get this?

5
00:00:25,360 --> 00:00:28,450
So we are going to send it via the sockets.

6
00:00:28,450 --> 00:00:35,350
So we'll be receiving directly into this payload and we'll be passing that to a new thread.

7
00:00:36,640 --> 00:00:40,780
So this way our exe file never touches the disk.

8
00:00:41,050 --> 00:00:45,070
So in this function I'm creating a new process.

9
00:00:45,070 --> 00:00:47,800
So I will tell you why we are creating the new process.

10
00:00:48,870 --> 00:00:49,170
Huh?

11
00:00:49,860 --> 00:00:57,600
Here we can see size of headers, size of image, etc. and I am allocating a space in my,

12
00:00:57,780 --> 00:01:08,520
in this process virtual space and then also creating the memory region in the remote process.

13
00:01:08,520 --> 00:01:11,400
So that is in this process.

14
00:01:11,400 --> 00:01:16,590
So this process runs cmd.exe in the background, hidden.

15
00:01:16,590 --> 00:01:20,220
So it will not pop up on the user desktop.

16
00:01:22,510 --> 00:01:30,210
So we'll be parsing the headers and we'll be mapping the sections into remote memory.

17
00:01:30,220 --> 00:01:32,950
So we'll be mapping into our own memory.

18
00:01:32,950 --> 00:01:38,650
And then we just use this WriteProcessMemory to write into the remote process memory.

19
00:01:38,650 --> 00:01:45,070
So it will be the same as what we have done previously, but we'll be using WriteProcessMemory instead

20
00:01:45,070 --> 00:01:50,510
of Marshal.Copy and then we will be fixing the IAT.

21
00:01:50,770 --> 00:01:55,000
So instead of the base address, we will have the remote base address.

22
00:01:57,760 --> 00:01:58,920
And Marshal.Copy.

23
00:01:59,140 --> 00:02:02,610
So instead of Marshal.Copy.

24
00:02:02,620 --> 00:02:03,130
All right.

25
00:02:03,130 --> 00:02:14,740
We have this WriteProcessMemory with the process handle, the address at which we want to write,

26
00:02:14,740 --> 00:02:16,180
the byte array and the length.

27
00:02:16,180 --> 00:02:20,170
And this is the output, number of bytes written.

28
00:02:20,170 --> 00:02:27,070
So instead of just Marshal.Copy, all right, we'll be using WriteProcessMemory to write into the process

29
00:02:27,070 --> 00:02:34,390
memory, so you can inject into the same process.

30
00:02:34,390 --> 00:02:42,130
But the meterpreter payloads, when you type exit in the meterpreter session, that is in msfconsole,

31
00:02:42,160 --> 00:02:45,460
then this whole process gets terminated.

32
00:02:48,730 --> 00:02:56,680
So there is this function LoadPE64, that is the exact function that we have written in the previous

33
00:02:56,680 --> 00:02:57,280
videos.

34
00:02:57,280 --> 00:03:06,840
So what this does is it will load this PE into itself and start the thread from that entry point.

35
00:03:06,850 --> 00:03:11,290
So the problem is you need to compile the Metasploit payloads,

36
00:03:11,320 --> 00:03:18,880
the msfvenom payloads, using the exit function equal to thread, otherwise it will exit the whole process.

37
00:03:19,780 --> 00:03:20,560
Instead of that,

38
00:03:20,560 --> 00:03:26,480
what we're going to do is we are going to create a new process and this dummy process will load

39
00:03:26,500 --> 00:03:28,360
our exe into this one.

40
00:03:28,570 --> 00:03:33,490
So even though it exits, our main process will continue.

41
00:03:36,280 --> 00:03:43,300
So it's almost the same as our previous code here.

42
00:03:43,300 --> 00:03:46,120
We'll be using CreateRemoteThread instead of CreateThread.

43
00:03:49,720 --> 00:03:50,980
So how so?

44
00:03:50,980 --> 00:03:53,810
Let's go and generate the payloads.

45
00:03:53,830 --> 00:03:55,930
I have already generated the payloads.

46
00:04:00,140 --> 00:04:01,940
So one is the calc.exe.

47
00:04:01,940 --> 00:04:11,290
This is the normal calc, and this one is the normal reverse shell and this one is the meterpreter reverse shell.

48
00:04:11,300 --> 00:04:13,100
So let's go and test this out.

49
00:04:13,550 --> 00:04:17,120
So my, our C2 server is running.

50
00:04:18,320 --> 00:04:21,050
Let's go and start the agent.

51
00:04:23,140 --> 00:04:24,340
Now go to the loader.

52
00:04:24,910 --> 00:04:31,420
So I have written some HTML code to choose the file, so you can click on file and there should be an

53
00:04:31,420 --> 00:04:32,620
output folder.

54
00:04:33,220 --> 00:04:37,330
Currently the program accepts only from the output folder.

55
00:04:38,230 --> 00:04:40,930
We can also customize it to take the full path as well.

56
00:04:41,170 --> 00:04:43,870
So choose the calc.exe.

57
00:04:43,900 --> 00:04:45,130
Now click on load.

58
00:04:45,340 --> 00:04:47,320
Now you can see the pop up.

59
00:04:55,060 --> 00:04:58,600
Now what we're going to do is we are going to test the normal reverse shell.

60
00:05:00,850 --> 00:05:03,130
So I have generated it to connect to the port

61
00:05:03,130 --> 00:05:04,210
1234.

62
00:05:04,840 --> 00:05:07,780
So let's go and choose that one, normal reverse shell.

63
00:05:07,870 --> 00:05:11,800
So if you click on load, you can see the connection.

64
00:05:14,690 --> 00:05:21,590
And one thing you need to observe is whether you can still execute commands or not.

65
00:05:21,590 --> 00:05:28,760
Yes, you can still execute commands, because we are creating a new process and that process will be

66
00:05:28,760 --> 00:05:33,740
loading our already loaded Metasploit payload, so we can type

67
00:05:33,740 --> 00:05:34,610
whoami.

68
00:05:37,180 --> 00:05:38,110
We got the username.

69
00:05:41,770 --> 00:05:47,710
Now, having this connection on, we can load the calculator again.

70
00:05:50,970 --> 00:05:51,450
It's.

71
00:05:54,060 --> 00:05:55,920
So let's go and exit this.

72
00:05:58,670 --> 00:06:00,830
And we have exited here.

73
00:06:02,090 --> 00:06:06,980
Let's try to execute calc.exe and still we get this.

74
00:06:07,700 --> 00:06:18,940
If you don't create a new process here, your main program can get exited or it will stay in the infinite

75
00:06:18,950 --> 00:06:22,400
state until the reverse connection is exited.

76
00:06:22,850 --> 00:06:25,430
So that's why I have created a new process.

77
00:06:26,180 --> 00:06:29,570
Now let's test the meterpreter

78
00:06:29,570 --> 00:06:39,140
one. So I have already set the exploit for reverse TCP, so I can run the listener.

79
00:06:42,960 --> 00:06:43,230
Well.

80
00:06:45,910 --> 00:06:48,100
Now we can see session one open.

81
00:06:53,730 --> 00:07:00,990
Let's interact with the first session and let's type sysinfo and we get the information.

82
00:07:01,350 --> 00:07:05,490
At this point I should be able to execute commands.

83
00:07:05,940 --> 00:07:10,590
So let's type net user and we got all the users.

84
00:07:11,820 --> 00:07:19,980
And the important thing is if you exit this meterpreter, our main process should not execute, should

85
00:07:19,980 --> 00:07:20,830
not exit.

86
00:07:20,850 --> 00:07:22,650
So let's exit this one.

87
00:07:25,620 --> 00:07:28,350
Now let's go and load the calc.exe.

88
00:07:29,220 --> 00:07:31,350
And here you can see the calc.

89
00:07:36,850 --> 00:07:40,170
So I highly suggest you create a process in C#.

90
00:07:40,180 --> 00:07:40,960
It's very easy.

91
00:07:40,960 --> 00:07:47,740
It's just a few lines of code. In Windows, where you need to use the CreateProcess function,

92
00:07:47,740 --> 00:07:49,540
it's also very easy.

93
00:07:51,160 --> 00:07:52,270
So that's it for this video.

94
00:07:52,270 --> 00:07:57,670
We have successfully executed the Metasploit payloads with our loader.