1
00:00:01,200 --> 00:00:01,710
All right.

2
00:00:01,710 --> 00:00:07,030
So welcome to Introduction to Exploit and Zero-Day Discovery and Development.

3
00:00:07,050 --> 00:00:13,380
My name is Chang Tan and I am a two-time National Cyber League winner since fall 2021.

4
00:00:13,380 --> 00:00:17,550
And I'm currently a SANS Institute student.

5
00:00:18,120 --> 00:00:25,500
I'm actually taking the McDs, so I'm studying how to basically escape malware that's commonly found

6
00:00:25,500 --> 00:00:30,210
in the wild, using some very advanced techniques using IDA and Ghidra.

7
00:00:31,860 --> 00:00:41,460
So I added new content, as this is now the summer 2022 release or the remastering, and there's a lot of

8
00:00:41,460 --> 00:00:42,710
things that have changed.

9
00:00:42,720 --> 00:00:48,090
So I did add 64-bit binary exploitation for Linux.

10
00:00:48,300 --> 00:00:52,100
I am teaching manual ROP chaining using ret2libc.

11
00:00:52,110 --> 00:00:59,280
I can teach you how to bypass a stack canary, which is known as GCC StackGuard.

12
00:00:59,970 --> 00:01:05,610
I can also bypass non-executable, which is the Linux version of Data Execution Prevention.

13
00:01:06,210 --> 00:01:12,630
And we also are going to bypass address space layout randomization, and we have a few things.

14
00:01:12,630 --> 00:01:18,090
I didn't actually make a video for this, but I do have the write-ups for custom shellcoding for

15
00:01:18,090 --> 00:01:21,240
both 32-bit and 64-bit binaries.

16
00:01:21,570 --> 00:01:32,430
And we are now going to be switching from GDB PEDA to GDB GEF because GDB GEF is still supported

17
00:01:32,430 --> 00:01:35,880
in 2022, and we're going to show you the pwntools framework.

18
00:01:37,290 --> 00:01:42,000
So here's a demonstration of one of our ASLR bypass sections.

19
00:01:42,540 --> 00:01:50,220
We are actually writing the letters 's' and 'h' to spell out "sh" within the .data section.

20
00:01:50,460 --> 00:01:55,650
And from now on we have flags for the Linux exploits.

21
00:01:55,650 --> 00:02:01,620
So those are like your pop quizzes that I want you to answer once you get root access within the containers.

22
00:02:03,480 --> 00:02:10,910
This is another example of a very simplified version of an address space layout randomization bypass called the

23
00:02:10,949 --> 00:02:14,580
Return to Procedure Linkage Table.

24
00:02:15,390 --> 00:02:22,170
The Return to Procedure Linkage Table is an attack that's used to bypass ASLR by modifying the Global

25
00:02:22,170 --> 00:02:24,660
Offset Table's entries.

26
00:02:27,060 --> 00:02:35,400
So the reason why I decided to remaster the course is that as of 2022, by default, the GNU Compiler

27
00:02:35,400 --> 00:02:41,700
Collection as well as C++, they enable these protections by default.

28
00:02:41,700 --> 00:02:48,690
So the odds of you finding like an unprotected shared object file, which is like the Linux version

29
00:02:48,690 --> 00:02:56,400
of a dynamic link library, without address space layout randomization enabled is very rare.

30
00:02:57,240 --> 00:03:03,630
And also, while Windows does support backwards compatibility for 32-bit shellcode because you have

31
00:03:03,630 --> 00:03:11,010
a special directory in Windows called WoW64, Linux requires a custom toolchain to be able to run 32-bit

32
00:03:11,010 --> 00:03:12,390
assembly.

33
00:03:13,710 --> 00:03:21,060
I am going to be teaching both Python 2 and 3, so I am leaving my old modules that I left in

34
00:03:21,060 --> 00:03:26,420
2019, 2020 in the class to show you Python 2.

35
00:03:26,430 --> 00:03:34,530
And the reason why is because a lot of public exploits actually still use Python 2, but the new content

36
00:03:34,530 --> 00:03:38,160
is written in Python 3 whenever possible.

37
00:03:38,160 --> 00:03:38,610
Always.

38
00:03:38,610 --> 00:03:38,820
Right.

39
00:03:38,820 --> 00:03:43,410
And explain Python 3 because you still have support from the libraries.

40
00:03:43,710 --> 00:03:49,650
Meanwhile, PyPI for Python 2, a lot of the required libraries often require workaround hacks.

41
00:03:50,580 --> 00:03:57,090
Let me know if there's actually an issue with any of the methods I was using in the Python 2 sections.

42
00:03:57,210 --> 00:03:58,710
As far as I know they still work.

43
00:04:00,030 --> 00:04:09,540
So after remastering the course for summer 2022, I'm going to remaster again after December 2022,

44
00:04:09,540 --> 00:04:12,480
after I finish my fall college classes.

45
00:04:12,720 --> 00:04:23,820
I am trying to get my students ready for EXP-301, EXP-401, SEC660 and SEC760.

46
00:04:25,140 --> 00:04:31,110
So basically this class covers the introductory levels of user-mode exploit development.

47
00:04:31,110 --> 00:04:38,700
That means we're not doing anything like on the kernel side, which is a very, very arcane subject.

48
00:04:39,540 --> 00:04:47,430
I am trying to research JOP chaining, not ROP chaining but JOP chaining, or jump-oriented programming,

49
00:04:47,430 --> 00:04:51,390
which can bypass all stack mitigations except for Control Flow Guard.

50
00:04:52,650 --> 00:04:58,920
But by the time you complete this class, you should be on a running start for

51
00:04:58,920 --> 00:05:00,330
the mentioned classes.

52
00:05:01,230 --> 00:05:10,680
Now normally these classes, like EXP-401 and SANS Institute SEC660, without like some sort of

53
00:05:10,680 --> 00:05:13,350
corporate discount or, for SANS,

54
00:05:13,350 --> 00:05:16,650
they have like a, like a work-study program.

55
00:05:17,190 --> 00:05:26,070
They range between 5 to 9000 and up, and they're actually taught only in person.

56
00:05:26,370 --> 00:05:33,150
So hopefully, you know, what I teach you in my course will let you basically get yourself ready for

57
00:05:33,180 --> 00:05:33,660
that.

58
00:05:33,900 --> 00:05:38,580
There's a lot of options to be able to get a discount for these higher-level classes.

59
00:05:38,850 --> 00:05:47,220
And I would say a lot of jobs, they actually pay for these classes for you, as well as student work-

60
00:05:47,220 --> 00:05:53,490
study programs where you volunteer for SANS, working at their booths, being their proctors for their

61
00:05:53,490 --> 00:05:55,410
exams, that kind of stuff.

62
00:05:56,670 --> 00:06:05,730
So the requirements of my class are, at this point, all of the Linux challenges and exploitable binaries

63
00:06:05,730 --> 00:06:11,970
are loaded into Docker containers, and we're now using platform emulation to be able to run the binaries,

64
00:06:13,080 --> 00:06:18,750
so you can use any penetration testing distribution as a Linux virtual machine.

65
00:06:18,750 --> 00:06:29,820
So there are a few old videos I put up on how to install it on VMware for Windows and on Kernel-based

66
00:06:29,820 --> 00:06:31,440
Virtual Machine for Linux.

67
00:06:31,440 --> 00:06:32,700
So it's up to you.

68
00:06:32,850 --> 00:06:39,630
But the Linux challenges are now taken care of by me compartmentalizing or containerizing them

69
00:06:39,630 --> 00:06:40,350
in Docker.

70
00:06:40,560 --> 00:06:49,820
Now you do need a Windows virtual machine, Windows XP, Vista or 7 32-bit, but if you are running like

71
00:06:49,830 --> 00:06:55,290
a newer version of Windows, you can right-click on the binary and then run it in compatibility mode,

72
00:06:55,290 --> 00:06:58,320
which will allow you to run it as a 32-bit process.

73
00:06:58,320 --> 00:07:04,500
Also, this class is English only, so good luck.

74
00:07:04,530 --> 00:07:06,850
Have fun learning.

75
00:07:06,870 --> 00:07:08,670
Don't forget to ask me some questions.

76
00:07:09,600 --> 00:07:14,370
I am trying to figure out how to containerize Windows instances.

77
00:07:14,940 --> 00:07:18,510
There are some workaround hacks, but they're not really feasible.

78
00:07:18,510 --> 00:07:25,740
But once we can containerize Windows instances, I might be able to make

79
00:07:25,810 --> 00:07:28,960
this class more portable for Windows exploitation.