1 00:00:00,690 --> 00:00:03,960 Welcome back to Advanced Exploit Development, the ROP chaining capstone. 2 00:00:04,950 --> 00:00:09,540 So there's a few things that we need to get straight about assembly language versus your higher level 3 00:00:09,540 --> 00:00:14,280 language such as C, Python, Ruby, to set things straight. 4 00:00:14,640 --> 00:00:21,090 A lot of the terms in assembly do not mean the actual term in a higher level programming language. 5 00:00:21,270 --> 00:00:23,400 We will merely go through this right after the slide. 6 00:00:24,090 --> 00:00:27,210 I highly recommend reading the book Assembly Language Step-by-Step, 7 00:00:27,210 --> 00:00:35,310 Third Edition by Jeff Duntemann. So first, the pop instruction. In higher level languages like Python, the pop 8 00:00:35,310 --> 00:00:41,160 instruction literally pops an element like a string, integer or character out of a list, dictionary or 9 00:00:41,160 --> 00:00:41,610 array. 10 00:00:42,150 --> 00:00:48,900 In assembly, pop EAX, for example, removes the topmost value of the stack and stores it in the EAX 11 00:00:48,900 --> 00:00:49,440 register. 12 00:00:53,140 --> 00:00:54,490 Now to the push instruction. 13 00:00:55,030 --> 00:01:00,340 A push instruction pushes a new element onto an array in a higher level programming language, but an assembly 14 00:01:00,670 --> 00:01:05,080 push instruction pushes the contents of the specified operand onto the top of the stack. 15 00:01:05,830 --> 00:01:12,880 You can construct a simple stack pivot by using a push and a pop, and then a return, which allows 16 00:01:12,880 --> 00:01:19,480 you to, for example, push the EBX register onto the stack and pop it into EAX, which allows you 17 00:01:19,480 --> 00:01:23,590 to save the contents of the EBX register into the EAX register. 18 00:01:23,860 --> 00:01:29,530 This is a convoluted way to get around not having available gadgets such as move or exchange.
19 00:01:32,110 --> 00:01:34,300 The mov instruction is actually a misnomer. 20 00:01:34,690 --> 00:01:39,610 Instead of moving the contents of one operand to another operand, it actually copies the contents of the 21 00:01:39,610 --> 00:01:42,640 second operand to the first operand in assembly. 22 00:01:42,640 --> 00:01:48,220 You can move different objects, not just memory addresses, but also the contents, by specifying, 23 00:01:48,760 --> 00:01:51,760 as you can see here, the square brackets. 24 00:01:54,280 --> 00:01:59,170 The return instruction is self-explanatory; ROP chaining stands for return-oriented programming. 25 00:01:59,530 --> 00:02:04,420 After hijacking execution flow, we merely use a return, 26 00:02:04,450 --> 00:02:07,240 so that way the execution points to our next ROP gadget. 27 00:02:07,810 --> 00:02:09,699 I will show you an example of it. 28 00:02:13,650 --> 00:02:21,240 So as you can see, our ROP gadgets are stored as a list and then we are feeding all of it into a struct. 29 00:02:21,960 --> 00:02:28,260 And then each time that it completes one instruction, it would then go on to the next instruction at 30 00:02:28,260 --> 00:02:30,000 this next memory address. 31 00:02:32,580 --> 00:02:37,290 So stack pivoting is crucial to ROP chaining; in our example that I just showed you, 32 00:02:37,710 --> 00:02:39,630 it actually had multiple stack pivots in it. 33 00:02:40,650 --> 00:02:47,070 So a list of common stack pivots: pop pop return, which means you pop two of the topmost values of 34 00:02:47,070 --> 00:02:49,860 the stack and save them into two different registers. 35 00:02:50,550 --> 00:02:56,700 A push pop return could be a good substitute for the move return or exchange return. 36 00:02:57,420 --> 00:03:03,420 And the exchange instruction basically allows you to exchange the contents of two registers. 37 00:03:04,320 --> 00:03:08,490 XOR, or exclusive or, is useful for zeroing out registers, like zero. 38 00:03:09,210 --> 00:03:09,510 I mean.
39 00:03:10,130 --> 00:03:10,350 Yeah. 40 00:03:10,390 --> 00:03:10,510 Yeah. 41 00:03:10,960 --> 00:03:11,270 Yeah. 42 00:03:12,120 --> 00:03:14,070 It would then just zero out the register. 43 00:03:14,910 --> 00:03:20,130 In a later section of our advanced exploit class, we will make our own stack pivoting code. 44 00:03:22,340 --> 00:03:28,940 So you will learn that the automatically generated ROP chain is intended to set up the registers 45 00:03:28,940 --> 00:03:35,390 in such a manner that by using pushad, which pushes all the general purpose registers, VirtualProtect is 46 00:03:35,390 --> 00:03:38,120 called to shut down Data Execution Prevention. 47 00:03:38,810 --> 00:03:40,130 Now to our video. 48 00:03:43,100 --> 00:03:45,530 Welcome back to Advanced Exploit Development. 49 00:03:46,160 --> 00:03:52,550 In this section, we're going to do a real walkthrough of the ROP chaining process. 50 00:03:52,880 --> 00:03:59,060 I want to demonstrate how ROP chaining works within the debugger as we step through the program. 51 00:04:00,410 --> 00:04:08,000 In the event that you restarted your PC or you re-enabled or disabled DEP on your Windows 7 virtual 52 00:04:08,000 --> 00:04:12,650 machine at any time, you will have to create a new ROP chain, unfortunately. 53 00:04:13,610 --> 00:04:20,540 But if you did, don't worry, just go back through the ROP chain creation process, which was the 54 00:04:20,540 --> 00:04:26,210 mona rop command, and then start back from there. 55 00:04:26,660 --> 00:04:33,650 But if you haven't, go back and then look through your proof of concept code and I want you to put 56 00:04:33,650 --> 00:04:34,550 two breakpoints. 57 00:04:35,000 --> 00:04:40,700 I want you to put a breakpoint at the memory address where your ROP chain begins and then where your 58 00:04:40,700 --> 00:04:41,780 ROP chain ends. 59 00:04:43,940 --> 00:04:44,510 So. 60 00:04:45,450 --> 00:04:45,840 Let's go.
61 00:04:45,840 --> 00:04:46,710 Put our breakpoints. 62 00:04:48,290 --> 00:04:50,960 Our first breakpoint is at, for me, 63 00:04:51,320 --> 00:04:52,550 seven, six, one, 64 00:04:53,970 --> 00:04:55,830 a306. 65 00:04:57,020 --> 00:04:58,820 And double click to put the breakpoint. 66 00:04:59,990 --> 00:05:01,520 Now I want to put another breakpoint 67 00:05:03,150 --> 00:05:04,490 at the end of the ROP chain. 68 00:05:09,170 --> 00:05:09,740 Right here. 69 00:05:13,250 --> 00:05:18,200 Remember, your breakpoints and your locations will depend on 70 00:05:18,200 --> 00:05:20,990 the ROP chain that you constructed using Mona. 71 00:05:22,190 --> 00:05:24,410 Now run the program. 72 00:05:28,940 --> 00:05:30,830 And then fire your proof of concept. 73 00:05:33,700 --> 00:05:35,140 We hit our first breakpoint. 74 00:05:36,500 --> 00:05:37,430 So step through. 75 00:05:39,510 --> 00:05:42,570 Pop, pop EAX, and return. 76 00:05:42,570 --> 00:05:43,830 Let's maximize this. 77 00:05:47,690 --> 00:05:52,400 So we have a pop and a return instruction, so we step through it. 78 00:05:52,430 --> 00:05:55,040 Notice the pointer to VirtualProtect is right here. 79 00:05:58,940 --> 00:06:00,680 Then we have additional instructions 80 00:06:01,750 --> 00:06:05,440 which move a pointer to VirtualProtect to somewhere else and then return. 81 00:06:07,110 --> 00:06:11,160 Pop EBP, the pop extended base pointer, and then return. 82 00:06:13,080 --> 00:06:14,970 Pop EAX register, return. 83 00:06:18,210 --> 00:06:20,280 Negate EAX and a return. 84 00:06:21,470 --> 00:06:25,190 Exchange EAX with another register, return. 85 00:06:26,090 --> 00:06:28,610 Now press play to hit the next breakpoint. 86 00:06:29,890 --> 00:06:34,750 And then not only are we at the bottom of our ROP chain, which we're about to... 87 00:06:36,170 --> 00:06:38,120 Notice what's located 88 00:06:39,240 --> 00:06:39,690 here.
89 00:06:40,610 --> 00:06:47,270 VirtualProtect. We are about to call VirtualProtect to set the entire stack as executable. 90 00:06:50,090 --> 00:06:50,750 So. 91 00:06:52,130 --> 00:06:54,440 We step through and then the return. 92 00:06:56,690 --> 00:06:57,590 Then press play. 93 00:07:02,520 --> 00:07:03,900 And go back to your machine. 94 00:07:04,140 --> 00:07:06,330 You now have another Meterpreter shell open right here. 95 00:07:09,350 --> 00:07:15,020 Now, because the thread, the program, has not finished executing, press play again. 96 00:07:19,260 --> 00:07:21,900 And now your Meterpreter session is fully loaded. 97 00:07:24,390 --> 00:07:28,620 So this is just another, more detailed walkthrough of ROP chaining. 98 00:07:29,160 --> 00:07:34,410 And I think that this will be a better capstone to this chapter. 99 00:07:34,890 --> 00:07:35,760 Thank you for watching.