Hello, everybody. In this module, we are going to break the ice when it comes to exploit development. I understand that creating exploits while looking at assembly code in a debugger might be a very intimidating or daunting task, something that might be outside of your comfort zone.

So we're going to cover some very, very basic concepts, such as shellcode. Basically, shellcode, at least within the realm of binary exploitation, is assembly language opcodes and operands intended to hijack CPU execution and perform malicious acts such as connecting back over a reverse shell, spawning a listening bind shell on the host or application, or just simply crashing the program.

Shellcode exists in many forms, but within this class we are only going to talk about what shellcode is in binary exploitation. A bind shell is spawned against a target host by exploiting a target application that is listening. After launching the exploit, the victim would have a new listening port and you can simply netcat to it to connect to its command shell. This will be covered in the Crossfire exploit section of the class.

A reverse shell connects back from the target to the attacker, to a specific listening port or service on the attacker's machine opened before the exploitation attempt just to catch the shell. This is useful for exploiting machines behind a firewall or router, and it can usually bypass the firewall by having the target machine solicit the connection. We catch the reverse shell with the command netcat -nlvp <listening port>. We will cover a reverse shell in the SLMail 5.5 section of the class.

But there is also something that's commonly mentioned. It's called Meterpreter. Meterpreter is nothing special outside of a Rapid7 proprietary remote access Trojan. Remote access Trojans function like bind and reverse shells, but they have additional modules and functionality convenient to an attacker, such as keyloggers, persistence modules, exfiltration modules and privilege escalation modules, because you cannot always gain SYSTEM simply by exploiting a vulnerable application. Sometimes you need a second exploit to raise your privileges to SYSTEM. Without the convenience of Meterpreter or another remote access Trojan, the penetration tester must perform the post-exploitation process manually using commands on the command line.

Fuzzing is sending or transmitting junk strings to the vulnerable application with the intent of crashing it and possibly locating an exploitation opportunity. This process is assisted by the availability of open source and commercially available fuzzers. You have different kinds of fuzzers. You could have network or file format fuzzers. Some could be mutating fuzzers. We will build our own fuzzer within the SLMail 5.5 exploit.

Debuggers are critical to the exploit development process. We attach the debugger to a specified process that is already running to analyze the results of the crash. We will use three debuggers in this course: Immunity Debugger for Windows, and the GNU Debugger (GDB) and Evan's Debugger (EDB), both for Linux systems.

Technical requirements. We need to have virtualization enabled on your laptop or your PC. We will walk you through those steps in the next module. A copy of Windows 7, Vista or XP running as a virtual machine is required, and Kali Linux running as a virtual machine as the attacking guest. All exploitable applications will be made available for download from the course materials section.