1 00:00:00,240 --> 00:00:00,780 Hello.
2 00:00:01,050 --> 00:00:09,000 In the previous lessons, we have seen how the fourth experiment failed: a 32-bit-to-64-bit payload
3 00:00:09,360 --> 00:00:19,950 cannot be injected into a 64-bit process because of the, well, emulator security features.
4 00:00:20,520 --> 00:00:22,860 So the only way to do that now is to bypass it.
5 00:00:22,860 --> 00:00:33,300 Using this heaven's gate exploit, following Stephen Fewer's ExecuteX64 and X64 function, which is
6 00:00:33,300 --> 00:00:35,070 in the Metasploit Framework.
7 00:00:36,180 --> 00:00:38,700 So let's take a look and see how we can do that.
8 00:00:39,750 --> 00:00:43,190 So we are using this same project, which we downloaded earlier.
9 00:00:43,980 --> 00:00:50,610 And then, yes, also Notes here, which you can download, which contains important links for study.
10 00:00:51,720 --> 00:00:53,850 Now, the experiment.
11 00:00:55,380 --> 00:00:57,000 Now the x64.
12 00:00:58,640 --> 00:01:04,490 Code comes from here, this here, and the X64 function comes from this line here.
13 00:01:05,450 --> 00:01:06,650 So both these things.
14 00:01:08,450 --> 00:01:17,470 Here, as you can see, this one is Stephen Fewer's ExecuteX64, ExecuteX64 code.
15 00:01:20,870 --> 00:01:25,010 And then this one, you see, is the X64 function.
16 00:01:25,580 --> 00:01:26,900 Also by Stephen Fewer.
17 00:01:31,550 --> 00:01:35,390 And then if you take a look at the folder.
18 00:01:37,890 --> 00:01:44,270 Heaven's gate folder, the file here, heaven's gate, Visconti's The.
19 00:01:46,200 --> 00:01:48,280 The shellcode for this.
20 00:01:49,020 --> 00:01:51,570 Hey, this move.
21 00:01:53,600 --> 00:01:56,150 And this comes from this here.
22 00:02:00,590 --> 00:02:01,390 This link.
23 00:02:05,150 --> 00:02:06,590 There are two versions.
24 00:02:06,650 --> 00:02:10,100 There's a new one and the older one; we are using the new one.
25 00:02:10,280 --> 00:02:13,530 So if you go to this link here now, you can get the shellcode.
26 00:02:13,550 --> 00:02:15,890 Go for these images here.
27 00:02:17,600 --> 00:02:19,880 So this one is the Meterpreter.
28 00:02:21,820 --> 00:02:24,250 So Meterpreter, Metasploit payloads.
29 00:02:25,030 --> 00:02:28,060 So this first one is the shellcode, for you.
30 00:02:30,010 --> 00:02:37,090 And the second one is a shellcode called For One Night, which is also known as remote trick, also known as
31 00:02:37,990 --> 00:02:39,460 X64 function.
32 00:02:41,430 --> 00:02:49,800 Which refers to this X64 function. And the ExecuteX64, which can also be seen from this
33 00:02:49,800 --> 00:02:55,290 diagram here as ExecuteX64, is this first one.
34 00:02:56,660 --> 00:02:59,600 And actually, for X64 function, you need the second one.
35 00:03:00,230 --> 00:03:04,880 So these two are used in our heaven's gate injection.
36 00:03:05,780 --> 00:03:07,430 If you now open the
37 00:03:08,390 --> 00:03:14,570 source code for injection, you will find a classic injection, which we were using before.
38 00:03:15,140 --> 00:03:20,540 And there's another one called Heaven's Gate Injection, which we are going to use now in this project.
39 00:03:21,140 --> 00:03:23,760 Heaven's gate injection makes use of the shellcode.
40 00:03:24,440 --> 00:03:28,400 So what we do now is we copy the shellcode.
41 00:03:29,720 --> 00:03:31,100 This shellcode, and this shellcode.
42 00:03:31,700 --> 00:03:36,290 It's coming from this page, which I share with you; this page here.
43 00:03:36,680 --> 00:03:42,650 So I just merely copied this page and put it in here for easy reference.
44 00:03:43,280 --> 00:03:48,770 So what we do is we copy this first one, actually the ExecuteX64 shellcode, and paste it here.
45 00:03:51,460 --> 00:04:00,040 And then copy the second one, which is the X64 function shellcode, and paste here.
46 00:04:05,680 --> 00:04:10,660 Next thing we do is we are going to inject the payload into the target process.
47 00:04:11,470 --> 00:04:15,320 What we do first is to allocate memory in the target process.
48 00:04:15,320 --> 00:04:19,030 So the target process here, first, we use Microsoft Paint.
49 00:04:19,990 --> 00:04:23,050 Here refers to this target process.
50 00:04:24,250 --> 00:04:28,600 So what we do is we allocate memory in the target process.
51 00:04:33,850 --> 00:04:38,470 Here, to get memory in the target process; here, the target process.
52 00:04:39,340 --> 00:04:42,310 And then we copy our shellcode over to it.
53 00:04:43,040 --> 00:04:46,120 So copy the payload over to it, over here.
54 00:04:46,660 --> 00:04:48,550 So that refers to this line here.
55 00:04:49,950 --> 00:04:57,160 Then next, we allocate memory in the local process for this shellcode, which is here.
56 00:04:57,490 --> 00:04:58,650 This is what this line does.
57 00:04:59,710 --> 00:05:04,070 Then you allocate memory for the X64 function, which is this line here.
58 00:05:04,090 --> 00:05:09,310 So these two lines allocate memory in the local process, the Trojan itself.
59 00:05:12,410 --> 00:05:22,250 Next, we copy the shellcode into the allocated memory, so this line here merely copies ExecuteX64
60 00:05:22,280 --> 00:05:29,240 into the allocated region and then changes the permission to become executable here.
61 00:05:29,780 --> 00:05:34,990 So we make this executable by using VirtualProtect instead of VirtualAlloc.
62 00:05:36,260 --> 00:05:39,350 Normally we use VirtualAlloc, where the first parameter would be null.
63 00:05:39,980 --> 00:05:42,020 But over here we're using VirtualProtect.
64 00:05:43,190 --> 00:05:50,240 The first parameter is the allocated region, and what we are doing is merely changing the permission to become
65 00:05:50,450 --> 00:05:51,950 readable and executable.
66 00:05:52,340 --> 00:05:57,860 So after this line is executed, ExecuteX64 becomes executable.
67 00:05:59,270 --> 00:06:03,620 And next, we are going to copy the X64 function to the allocated region.
68 00:06:04,040 --> 00:06:08,390 So we are copying this X64 shellcode into the allocated region.
69 00:06:09,860 --> 00:06:13,190 So the allocated region of memory is this one.
70 00:06:13,530 --> 00:06:14,450 And here is the shellcode.
71 00:06:15,740 --> 00:06:23,090 So what we're doing is copying this shellcode over to the allocated region.
72 00:06:26,990 --> 00:06:31,580 Next, we are going to set up the parameters to run the
73 00:06:32,850 --> 00:06:35,020 ExecuteX64 function.
74 00:06:35,610 --> 00:06:42,540 Now, if you take a look at this over here, this function coming from here, this is where you declare
75 00:06:42,540 --> 00:06:47,220 the function pointers for X64 and ExecuteX64.
76 00:06:48,120 --> 00:06:52,410 And down here is where we use the function pointers, over here.
77 00:06:55,750 --> 00:07:03,340 OK, so the first parameter is the X64 function, and the second parameter contains
78 00:07:03,340 --> 00:07:04,060 all these things.
79 00:07:05,290 --> 00:07:06,290 This is a context.
80 00:07:06,370 --> 00:07:07,930 Context comes from here.
81 00:07:09,470 --> 00:07:13,930 This context, which is actually a structure which we declare here.
82 00:07:14,750 --> 00:07:17,810 This structure comes from Stephen Fewer's GitHub itself.
83 00:07:18,320 --> 00:07:21,380 If you go back to Stephen Fewer's GitHub,
84 00:07:22,340 --> 00:07:26,570 you can see the structure here.
85 00:07:28,610 --> 00:07:34,330 It is used by the X64 function, so we have to replicate it in here.
86 00:07:36,830 --> 00:07:38,180 OK, coming back to this.
87 00:07:39,770 --> 00:07:50,180 So now, after you've already initialized the context with hProcess, which is the handle, I guess, of the process,
88 00:07:50,660 --> 00:07:56,750 and the remote address of the shellcode, which is the message box, and a parameter to the message
89 00:07:56,750 --> 00:07:57,930 box, which is zero.
90 00:07:57,950 --> 00:07:59,310 So we put null, no.
91 00:07:59,450 --> 00:08:00,470 So we put zero here.
92 00:08:01,820 --> 00:08:02,680 Then we execute it.
93 00:08:03,560 --> 00:08:09,350 After that, once executed, it will be in a suspended state.
94 00:08:10,600 --> 00:08:15,370 So we have to resume it in order to execute the shellcode.
95 00:08:16,240 --> 00:08:17,350 So this is how it works.
96 00:08:17,980 --> 00:08:21,460 So let's now try to do this and see it in action.
97 00:08:22,900 --> 00:08:30,730 So we open x86 92 and we go to this directory and compile.
98 00:08:35,200 --> 00:08:44,800 After compiling, run dumpbin to make sure there is indeed a 32-bit application, and we confirm it,
99 00:08:44,980 --> 00:08:45,640 yes, it is.
100 00:08:46,270 --> 00:08:49,390 And we need to inject this
101 00:08:52,140 --> 00:08:57,480 into a 64-bit process, so we need to run the 64-bit Microsoft Paint.
102 00:09:01,930 --> 00:09:04,570 64-bit. Maybe something is wrong.
103 00:09:05,890 --> 00:09:09,280 Now we can run our Trojan.
104 00:09:12,110 --> 00:09:16,450 So mspaint's PID is this.
105 00:09:17,690 --> 00:09:25,360 And this is the memory inside mspaint which we use to inject the payload, which is
106 00:09:25,360 --> 00:09:26,390 the message box payload.
107 00:09:27,170 --> 00:09:32,210 So this pointer, and this is the memory allocated in the Trojan horse.
108 00:09:32,210 --> 00:09:39,400 So for the shellcode, which is referring to these two shellcodes, locally.
109 00:09:40,400 --> 00:09:42,740 This address corresponds to this address here.
110 00:09:43,490 --> 00:09:48,460 And this address here is referring to this address in the local process, the Trojan.
111 00:09:49,130 --> 00:09:50,570 So we enter.
112 00:09:52,880 --> 00:09:59,150 OK, so the thread has started in a suspended state, so we're now in this part of the
113 00:10:00,810 --> 00:10:04,740 So it is about to call ResumeThread, so we enter, it will resume.
114 00:10:05,880 --> 00:10:07,920 And we should get our shellcode.
115 00:10:08,740 --> 00:10:13,590 I can hear the beep sound, and here is the shellcode.
116 00:10:14,670 --> 00:10:16,050 Congratulations.
117 00:10:17,220 --> 00:10:25,640 So let us try to confirm that this message box is indeed coming from Microsoft Paint; we can use Process
118 00:10:25,650 --> 00:10:27,060 Hacker to confirm.
119 00:10:27,690 --> 00:10:32,890 So let's run Process Hacker and then we drag this icon,
120 00:10:32,980 --> 00:10:34:390 Find windows and thread.
121 00:10:35,010 --> 00:10:37,800 Drag it over to our message box and release.
122 00:10:38,730 --> 00:10:43,890 And you can confirm the parent of the message box is the Microsoft Paint.
123 00:10:44,580 --> 00:10:52,140 And then if you go to memory and go to the protection column, filter it to RX, which means
124 00:10:52,140 --> 00:10:54,330 readable, executable.
125 00:10:55,470 --> 00:11:02,520 You will find one region of memory which is RX.
126 00:11:02,760 --> 00:11:06,420 And now, if you double click this, you will find your shellcode.
127 00:11:07,500 --> 00:11:15,180 OK, so this is how we can use heaven's gate to bypass the limitation of the WOW64 emulator.
128 00:11:16,680 --> 00:11:25,230 So with that, we have completed all the four experiments for our project.
129 00:11:26,220 --> 00:11:27,630 So that's all for this video.
130 00:11:28,050 --> 00:11:29,280 Thank you for watching.