1
00:00:00,600 --> 00:00:04,260
Welcome back to Advanced Exploit and Zero-Day Discovery Development.

2
00:00:04,620 --> 00:00:09,360
We are now in the ROP Chaining and Advanced Code Reuse Attack section of the course.

3
00:00:10,740 --> 00:00:16,260
ROP chaining defeats Data Execution Prevention, which was introduced in Windows XP Service Pack 2

4
00:00:16,260 --> 00:00:19,590
as an exploit mitigation measure.

5
00:00:19,590 --> 00:00:24,930
Data Execution Prevention comes in two modes, both hardware-enforced and software-enforced.

6
00:00:25,350 --> 00:00:28,290
We will be covering hardware-enforced Data Execution Prevention

7
00:00:28,290 --> 00:00:35,970
in this course. There are four modes in how DEP works: opt-in mode, where DEP is enabled for system

8
00:00:35,970 --> 00:00:39,360
processes and custom applications designed to use it.

9
00:00:39,690 --> 00:00:41,370
That's actually the normal operation.

10
00:00:42,000 --> 00:00:49,050
Opt-out mode: DEP is enabled for all processes except specifically exempt applications. Always-on mode:

11
00:00:49,320 --> 00:00:53,340
system-wide Data Execution Prevention is enabled. And always-off mode:

12
00:00:53,730 --> 00:00:55,230
DEP is permanently disabled.

13
00:00:55,770 --> 00:01:03,060
ROP, or Return-Oriented Programming, is designed to defeat DEP. ROP chaining works by using gadgets, which are cherry

14
00:01:03,060 --> 00:01:03,270
picked

15
00:01:03,270 --> 00:01:07,230
machine instructions readily available in the vulnerable application's memory regions.

16
00:01:07,560 --> 00:01:10,320
Each gadget ends with a return instruction.

17
00:01:10,680 --> 00:01:12,810
Each return points to another ROP gadget.

18
00:01:13,080 --> 00:01:17,550
Hijacking of execution is not relinquished until VirtualProtect is called to shut down DEP.

19
00:01:18,180 --> 00:01:23,820
ROP bypasses the need to directly inject code by cherry-picking instructions off the vulnerable application's

20
00:01:24,090 --> 00:01:28,410
executable memory regions, which is why it is known as a code reuse attack.

21
00:01:29,270 --> 00:01:31,640
The ROP gadgets readjust the stack frame.

22
00:01:31,940 --> 00:01:35,580
The goal is to reach the Windows API libraries using the right gadgets,

23
00:01:35,600 --> 00:01:37,160
much like navigating a maze.

24
00:01:38,420 --> 00:01:40,850
The purpose of ROP chaining is to call VirtualProtect.

25
00:01:41,420 --> 00:01:48,650
VirtualProtect is basically an on and off switch, which would set the entire stack as executable or

26
00:01:48,650 --> 00:01:49,610
not executable.

27
00:01:54,410 --> 00:02:01,130
This is an example ROP chain generated by mona, the mona module within Immunity Debugger.

28
00:02:01,550 --> 00:02:05,480
Notice how the highlighted section points to VirtualProtect.

29
00:02:06,650 --> 00:02:10,400
Before that, we have a POP EAX and return instruction.

30
00:02:10,699 --> 00:02:16,700
POP means to execute the instructions located in the EAX register, then take it off the stack.

31
00:02:17,120 --> 00:02:22,220
The return instruction immediately points to the next pointer, which points to VirtualProtect.

32
00:02:25,270 --> 00:02:30,160
Thankfully, the creation of ROP gadgets has been simplified, using tools available in Metasploit

33
00:02:30,160 --> 00:02:32,080
and Immunity Debugger's mona module.

34
00:02:32,440 --> 00:02:38,200
Usually a substantial amount of understanding of assembly is required to build ROP chains in such a way

35
00:02:38,200 --> 00:02:40,420
that we can call the Windows API functions.

36
00:02:40,900 --> 00:02:46,360
We will use Immunity Debugger's mona module to construct our ROP chain and exploit Vulnserver with

37
00:02:46,360 --> 00:02:48,460
system-wide hardware-enforced DEP

38
00:02:48,850 --> 00:02:51,820
set permanently on, on a Windows Server machine.