1
00:00:01,470 --> 00:00:02,280
All right, everybody.

2
00:00:02,280 --> 00:00:05,070
So welcome back to Introduction to Exploit Development.

3
00:00:05,610 --> 00:00:10,700
So we are now going to really walk through our Linux exploitation exercises.

4
00:00:10,710 --> 00:00:17,160
I've been receiving complaints that due to the newest Linux kernels and Linux versions, usually five

5
00:00:17,160 --> 00:00:23,790
and up, basically the previous exploits I've been teaching have not worked, which is why we're

6
00:00:23,790 --> 00:00:25,770
going to re-explore.

7
00:00:25,770 --> 00:00:28,050
I actually have three exercises right now.

8
00:00:28,110 --> 00:00:34,080
You can ignore this one, but what I need you to do is install Docker.

9
00:00:35,190 --> 00:00:36,930
So let's do this.

10
00:00:36,960 --> 00:00:43,710
sudo apt-get update && sudo apt install -y

11
00:00:43,740 --> 00:00:45,090
docker.io

12
00:00:54,100 --> 00:00:59,040
Now I already have the newest version of Docker, and the first thing you want to do to go back through

13
00:00:59,050 --> 00:01:06,040
libhttpd 1.2 is, let me see, for my write-ups.

14
00:01:06,700 --> 00:01:08,290
You want to run the command.

15
00:01:08,440 --> 00:01:11,290
I'm already running this as root, so you don't have to run as sudo.

16
00:01:11,350 --> 00:01:19,360
But first you want to do echo 0, because you want to turn off address space layout randomization.

17
00:01:19,360 --> 00:01:27,280
We're not at the level where we want to bypass ASLR, and on Linux machines we need to disable address

18
00:01:27,280 --> 00:01:28,960
space layout randomization.

19
00:01:30,550 --> 00:01:37,660
Let's see, this: kernel randomize

20
00:01:38,440 --> 00:01:39,610
va space

21
00:01:43,180 --> 00:01:43,990
randomize.

22
00:01:46,470 --> 00:01:51,900
Double-check that it is off, so cat, and it's off.

23
00:01:52,410 --> 00:01:56,010
Now I want you to use docker run.
24
00:01:56,370 --> 00:02:03,900
Remember, I'm running as superuser, but if you're not a superuser, you can just run with sudo.

25
00:02:03,900 --> 00:02:05,850
But I'm just going to do this for formalities.

26
00:02:05,850 --> 00:02:09,960
So sudo docker pull ghcr.io

27
00:02:10,410 --> 00:02:20,160
slash my personal GitHub repo 27 slash intro exploit dev libhttpd, and latest.

28
00:02:25,140 --> 00:02:30,180
Now that we actually have it running, we want to make sure that we get an environment running to make

29
00:02:30,180 --> 00:02:31,310
it work.

30
00:02:31,320 --> 00:02:33,390
So let's open up another terminal.

31
00:02:35,890 --> 00:02:43,590
So you just log on as superuser, and then we're going to run it.

32
00:02:43,590 --> 00:02:48,210
Because remember, this is a 64-bit penetration testing distro.

33
00:02:48,240 --> 00:02:50,880
We're running on Linux kernel 5.18.

34
00:02:50,880 --> 00:02:56,940
We're actually a 64-bit machine, and we're going to run it in Docker emulation mode.

35
00:02:56,940 --> 00:03:09,120
So the command to do this is: sudo docker run --platform=linux/i386

36
00:03:10,770 --> 00:03:14,340
-it for interactive, --privileged,

37
00:03:14,340 --> 00:03:21,930
so it inherits the attributes such as address space layout randomization being disabled by your host

38
00:03:21,930 --> 00:03:39,840
machine, and ghcr.io slash 27 intro exploit dev libhttpd, then latest, and run it with a shell

39
00:03:39,840 --> 00:03:41,880
prompt, bash.

40
00:03:42,060 --> 00:03:48,840
This is going to take a while because platform emulation is not particularly quick, but so far this

41
00:03:48,840 --> 00:03:50,670
is probably the best option I have.

42
00:03:50,910 --> 00:03:56,580
So before we get started on the next exercise, I want to show you where you're vulnerable.
43
00:03:56,790 --> 00:04:04,740
And also I want to show you something about the difference between Python 2 and Python 3, so that

44
00:04:04,740 --> 00:04:08,880
we can make sure that we can teach our students both methods.

45
00:04:09,210 --> 00:04:20,190
So the difference between our original exploit's cat fixed solution is that you don't have a b that you

46
00:04:20,190 --> 00:04:22,710
can see, which stands for bytes.

47
00:04:23,100 --> 00:04:32,250
So in Python 2, our original exploit, which I covered in our previous Python 2.7 methodology, did

48
00:04:32,250 --> 00:04:41,430
not use b, because in Python 2 strings are interpreted both as either bytes or an array of characters

49
00:04:41,430 --> 00:04:42,390
called strings.

50
00:04:42,690 --> 00:04:47,280
So this is going to be part of our reboot, and there will be changes.

51
00:04:47,280 --> 00:04:53,310
So let me show you the Python 3 exploit, which is what I want you to do right now.

52
00:04:55,410 --> 00:05:02,220
The final solution for this actually has the word b, as you can see, prepending the string.

53
00:05:02,220 --> 00:05:06,240
This specifies that not as a string, but as bytes.

54
00:05:06,270 --> 00:05:12,030
Otherwise, let's say that I broke this, by the way, in Python 3.

55
00:05:15,750 --> 00:05:18,450
Let's say that I didn't want to write binary.

56
00:05:19,800 --> 00:05:24,510
Let's say we take out the b. If we ran this solution,

57
00:05:26,070 --> 00:05:27,060
python3.

58
00:05:27,060 --> 00:05:27,690
I'm sorry.

59
00:05:27,690 --> 00:05:31,470
It's an indicator, you can see.

60
00:05:31,470 --> 00:05:31,830
Right?

61
00:05:31,830 --> 00:05:34,470
Argument must be string, not bytes.

62
00:05:35,520 --> 00:05:46,470
So the problem with penetration testing is that you need to learn both Python 2.7 and 3, because

63
00:05:46,470 --> 00:05:49,560
a lot of exploits predate 2019.
64
00:05:49,560 --> 00:05:57,120
And since the time I actually wrote this course, we actually transitioned to Python 3, and almost

65
00:05:57,120 --> 00:05:58,770
everything apart from 2 was deprecated.

66
00:05:58,770 --> 00:06:04,590
Unfortunately, on websites like Exploit Database and SecurityTrails, there are still exploits still

67
00:06:04,590 --> 00:06:06,300
written in Python 2.

68
00:06:06,300 --> 00:06:08,640
So I just want to cover this up.

69
00:06:09,630 --> 00:06:17,130
So I want to just go over this and explain to you that we are now going to learn Python 2.7 and all

70
00:06:17,130 --> 00:06:18,210
variants of 3.

71
00:06:18,990 --> 00:06:29,250
Also notice that we are no longer reversing the bytes as in the Python 2.7 version.

72
00:06:29,340 --> 00:06:37,590
We are actually going to pack it using the Python C structs command, and this is pretty much the main

73
00:06:37,590 --> 00:06:39,930
difference between Python 2 and 3.

74
00:06:39,930 --> 00:06:46,470
And I just want to teach you a new technique, because once we go into 32-bit and 64-bit return oriented

75
00:06:46,470 --> 00:06:50,970
programming ROP chains, this will be a very convenient command.

76
00:06:50,970 --> 00:06:54,030
You don't want to be reversing the bytes of every ROP chain.

77
00:06:54,360 --> 00:06:57,510
So thank you for staying with me.

78
00:06:57,510 --> 00:07:04,590
In this class, I will restart our fuzzing process and our exploit development process for this reboot

79
00:07:04,590 --> 00:07:07,650
of our class in our next session.
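The two Python 3 points made in this session, the b prefix that turns a literal into bytes and struct.pack replacing hand-reversed address bytes, can be checked side by side. The following is an added example written for these notes; it is not the instructor's exploit code and it does not touch the libhttpd container. The address value is constructed for illustration only, and the as_wire_bytes helper is a stand-in for the bytes-only contract that Python 3 socket sends enforce.

```python
import struct

# Constructed sample address for the demonstration (hypothetical, not from any real binary).
SAMPLE_ADDR32 = 0x08049A2C

# Format strings for struct: '<' = little-endian, 'I' = unsigned 32-bit, 'Q' = unsigned 64-bit.
ADDR_FORMATS = {32: "<I", 64: "<Q"}


def pack_addr_manual(addr: int) -> bytes:
    """The Python 2 era habit: pull the four bytes out and write them in reverse order by hand.
    Returns the little-endian encoding of a 32-bit value."""
    big_endian = [(addr >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return bytes(reversed(big_endian))


def pack_addr_struct(addr: int, bits: int = 32) -> bytes:
    """Let struct do the byte ordering. The same call scales to 64-bit values,
    which is what makes it convenient once ROP chains hold many addresses."""
    return struct.pack(ADDR_FORMATS[bits], addr)


def unpack_addr(blob: bytes, bits: int = 32) -> int:
    """Inverse operation: read a little-endian address back out of raw bytes."""
    return struct.unpack(ADDR_FORMATS[bits], blob)[0]


def as_wire_bytes(value) -> bytes:
    """Stand-in for the Python 3 socket.send contract: only bytes are accepted.
    A literal that lost its b prefix is a str and is rejected rather than silently coerced."""
    if isinstance(value, bytes):
        return value
    raise TypeError("a bytes-like object is required, not '%s'" % type(value).__name__)


def build_record(prefix, addr: int) -> bytes:
    """Join a literal prefix with a packed address.
    With b'' everything stays bytes; without it Python 3 refuses the join."""
    return as_wire_bytes(prefix) + pack_addr_struct(addr)


def mixing_str_and_bytes_fails() -> bool:
    """Python 3 itself rejects str + bytes; Python 2 would have accepted it."""
    try:
        _ = "GET " + b"/"  # type: ignore[operator]
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    manual = pack_addr_manual(SAMPLE_ADDR32)
    packed = pack_addr_struct(SAMPLE_ADDR32)
    print("manual reversal :", manual)
    print("struct.pack     :", packed, "(identical:", manual == packed, ")")
    print("64-bit packing  :", pack_addr_struct(0x400ABC, 64))
    print("round trip      :", hex(unpack_addr(packed)))
    print("bytes record    :", build_record(b"AAAA", SAMPLE_ADDR32))
    print("str + bytes raises TypeError:", mixing_str_and_bytes_fails())
    try:
        build_record("AAAA", SAMPLE_ADDR32)
    except TypeError as exc:
        print("str prefix rejected:", exc)
```

Run with python3 and the manual and struct outputs match byte for byte, so the packing is a pure readability win: the address is written once, in the form it appears in a disassembler, and the format character documents the width. The last two lines show the Python 3 error class the session describes, which is what you get when the b prefix is dropped from a literal that is later sent or concatenated.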