1 00:00:00,530 --> 00:00:11,120 Hello and welcome to a new lesson. In the previous lesson, we saw how to write malware that can embed
2 00:00:11,300 --> 00:00:13,820 shellcode in the text section.
3 00:00:14,480 --> 00:00:21,080 And in this lesson, you are going to see how to embed shellcode in the data section.
4 00:00:21,830 --> 00:00:29,000 So going down to this new project here called payload in data section, and you can put it in the same
5 00:00:29,000 --> 00:00:33,560 folder as the previous lesson, 02 embedding payload.
6 00:00:36,110 --> 00:00:43,820 So as usual, we have two files: the compile script and also the source code.
7 00:00:44,600 --> 00:00:52,340 So let us take a look at the source code, payload data section dot cpp.
8 00:00:53,300 --> 00:00:53,570 Right-
9 00:00:53,690 --> 00:00:56,900 click on it and open it in Notepad
10 00:00:56,910 --> 00:00:57,590 Plus Plus.
11 00:00:59,780 --> 00:01:07,910 You will see that it is almost similar to the previous version, where we embedded the shellcode in the text
12 00:01:07,910 --> 00:01:10,790 section in the previous lesson.
13 00:01:11,180 --> 00:01:22,130 The shellcode was inside the main function, and therefore it is found in the text section of the file itself,
14 00:01:22,550 --> 00:01:25,130 which contains the executable code.
15 00:01:26,090 --> 00:01:29,210 Now we put it outside the function.
16 00:01:29,840 --> 00:01:38,180 So when you put any kind of object or variable outside the function, it becomes a global variable or a global
17 00:01:38,210 --> 00:01:38,810 object.
18 00:01:39,440 --> 00:01:42,620 So this code is now in the data section.
19 00:01:43,580 --> 00:01:50,760 The data section is where all the initialized data are stored in the PE file.
20 00:01:51,770 --> 00:01:54,350 And also, when it is loaded in memory,
21 00:01:54,590 --> 00:01:57,920 it is also stored in the data section in memory.
22 00:01:58,220 --> 00:02:05,660 All of those objects in the data section are global variables, global because they are outside any function.
23 00:02:06,530 --> 00:02:13,250 The same thing also applies to this variable here, which is outside the main function.
24 00:02:13,700 --> 00:02:16,070 Therefore, this is also a global variable.
25 00:02:16,820 --> 00:02:23,150 And also, it can be found in the data section. The rest of the code is exactly the same as the
26 00:02:23,150 --> 00:02:23,880 previous one.
27 00:02:24,350 --> 00:02:27,230 We have VirtualAlloc to allocate memory.
28 00:02:27,920 --> 00:02:36,080 And then once we allocate memory, which is set to read and write, we will print out the address for
29 00:02:36,080 --> 00:02:42,590 the shellcode and also the address for the allocated memory, which came from VirtualAlloc.
30 00:02:43,310 --> 00:02:50,780 And then we will copy the shellcode into the allocated memory and then change the protection for it using
31 00:02:50,780 --> 00:02:54,860 VirtualProtect to make it readable and executable.
32 00:02:55,880 --> 00:02:58,430 And then it shows a prompt asking us to press
33 00:02:58,730 --> 00:02:59,440 Enter.
34 00:02:59,900 --> 00:03:02,750 And then it waits for the user to press the Enter key.
35 00:03:03,200 --> 00:03:10,010 And then down here we test whether the return value for VirtualProtect was successful.
36 00:03:10,490 --> 00:03:12,980 If it is successful, it should be non-zero.
37 00:03:13,370 --> 00:03:19,070 And then it enters here and creates a thread out of this allocated memory, which came from Virtual-
38 00:03:19,160 --> 00:03:19,370 Alloc.
39 00:03:21,080 --> 00:03:22,730 Then it will WaitForSingleObject,
40 00:03:22,820 --> 00:03:27,090 meaning that it will wait for the thread to close before the program quits.
41 00:03:27,920 --> 00:03:30,680 So let us now compile this as usual,
42 00:03:31,580 --> 00:03:34,840 with the developer command line for x64.
43 00:03:35,540 --> 00:03:42,830 So go down to the bottom left and type "native" and then select the first one,
44 00:03:43,550 --> 00:03:48,350 x64 Native Tools Command Prompt for VS 2019.
45 00:03:50,140 --> 00:03:54,940 And then we are going to change our directory to this location.
46 00:03:55,360 --> 00:04:00,040 So we go up here, click on this, right click and copy this path.
47 00:04:01,180 --> 00:04:11,110 Come down here, type cd, space, right click to paste, hit Enter to go to that path, type dir
48 00:04:11,360 --> 00:04:15,640 to list the contents of that directory, and confirm
49 00:04:15,640 --> 00:04:17,080 that the compile bat is in it.
50 00:04:17,590 --> 00:04:24,100 So we are now going to run the compile script to compile this source code into an executable.
51 00:04:24,940 --> 00:04:28,720 So we just type the name of the script and Enter.
52 00:04:30,860 --> 00:04:34,040 Now it is in the process of compiling, and it has succeeded.
53 00:04:34,520 --> 00:04:38,720 As you can see, this new file has been created.
54 00:04:40,630 --> 00:04:44,320 Run dir once more to confirm the file is there.
55 00:04:44,780 --> 00:04:53,540 And now we are going to run this file, so we type the executable name and press Enter, and keep pressing
56 00:04:53,540 --> 00:04:58,610 Enter if you get any kind of interference from the security software.
57 00:04:59,250 --> 00:05:05,690 Immediately you will see that it prints the address of the shellcode, as well as the allocated memory.
58 00:05:06,770 --> 00:05:11,060 And this is coming from the printf over here and here.
59 00:05:12,020 --> 00:05:14,430 So now we copy these addresses.
60 00:05:14,480 --> 00:05:17,180 So we just select all of this.
61 00:05:21,330 --> 00:05:22,740 Right click to copy.
62 00:05:24,240 --> 00:05:31,500 Come back to Notepad++, File, New to create a new blank file, and then right click and paste
63 00:05:31,920 --> 00:05:38,180 these two lines in here. Now we are going to examine this memory.
64 00:05:38,190 --> 00:05:44,280 So we are going to attach x64dbg to this running process.
65 00:05:44,850 --> 00:05:47,730 So open x64dbg.
66 00:05:49,770 --> 00:05:55,500 Make sure that you have used the 64-bit version, and then Options, Preferences.
67 00:05:56,190 --> 00:06:03,450 Make sure System Breakpoint is unchecked, TLS Callback is unchecked, leaving only Entry
68 00:06:03,460 --> 00:06:04,290 Breakpoint checked.
69 00:06:04,980 --> 00:06:06,210 And then click on Save.
70 00:06:07,290 --> 00:06:14,200 Now click on File, Attach, and select the running process, which is in memory.
71 00:06:16,200 --> 00:06:17,280 Click on Attach.
72 00:06:19,170 --> 00:06:25,770 It tends to go to the system modules here, so click on the main module here, because it is also known as
73 00:06:25,770 --> 00:06:36,150 the user module, and then go to Debug and press Run to synchronize your debugger with the running
74 00:06:36,150 --> 00:06:36,810 process.
75 00:06:37,560 --> 00:06:40,440 Now we are going to press Enter on the keyboard.
76 00:06:42,810 --> 00:06:51,870 So when you press Enter, your debugger pauses at the breakpoint here containing the interrupt three,
77 00:06:52,470 --> 00:06:53,580 which is the shellcode.
78 00:06:54,630 --> 00:06:56,460 So this is coming from
79 00:06:58,020 --> 00:06:58,200 here.
80 00:06:59,700 --> 00:07:08,250 So when you pressed Enter here just now, the getchar here has captured the Enter key
81 00:07:08,580 --> 00:07:10,740 and then proceeded to create the thread.
82 00:07:11,430 --> 00:07:16,430 So the thread here will go to this allocated memory here and execute.
83 00:07:17,190 --> 00:07:26,400 And once it executes, it executes these four shellcode bytes here, which are nine zero nine zero, C C,
84 00:07:26,400 --> 00:07:27,060 C three.
85 00:07:27,600 --> 00:07:31,290 And then it pauses at this interrupt here.
86 00:07:31,950 --> 00:07:35,700 So this interrupt here causes the debugger to pause.
87 00:07:36,700 --> 00:07:37,950 This is interrupt three.
88 00:07:39,580 --> 00:07:47,650 So now these four bytes here, we can search for them in memory to see where they are found. Click on the Memory Map
89 00:07:47,650 --> 00:07:56,590 tab, right click, and you can click on Find Pattern. Key in the pattern for the shellcode, which is
90 00:07:56,590 --> 00:07:58,270 nine zero nine zero,
91 00:07:58,540 --> 00:08:03,070 C C C three, which is coming from here:
92 00:08:03,400 --> 00:08:04,490 nine zero nine zero,
93 00:08:04,510 --> 00:08:05,350 C C C three.
94 00:08:05,890 --> 00:08:08,770 You can also confirm it in the CPU tab just now.
95 00:08:08,770 --> 00:08:09,040 Maybe.
96 00:08:09,040 --> 00:08:09,400 Sorry.
97 00:08:10,300 --> 00:08:11,530 So now click on OK.
98 00:08:11,530 --> 00:08:12,410 And it searches.
99 00:08:12,820 --> 00:08:14,140 It has found two.
100 00:08:14,810 --> 00:08:17,000 So let us copy this now. Right click,
101 00:08:17,500 --> 00:08:26,050 Copy Address, and go to the blank file and paste it below here.
102 00:08:26,740 --> 00:08:26,960 Right.
103 00:08:27,040 --> 00:08:31,810 We can paste the first address here.
104 00:08:32,260 --> 00:08:40,330 It is referring to the allocated memory address, which was allocated for the process.
105 00:08:41,140 --> 00:08:49,710 And if you look at it in memory in this region here,
106 00:08:50,680 --> 00:08:53,650 you see this here.
107 00:08:55,120 --> 00:09:00,600 It is highlighted because the debugger was paused at this location.
108 00:09:04,140 --> 00:09:07,080 So this is what VirtualAlloc allocated for us.
109 00:09:07,560 --> 00:09:15,030 And in the Memory Map here you can see it is type private, meaning that what VirtualAlloc created is for the
110 00:09:15,030 --> 00:09:16,800 private use of this process.
111 00:09:17,820 --> 00:09:25,320 And here you can see the protection is executable and readable; previously it was readable and
112 00:09:25,320 --> 00:09:25,890 writable.
113 00:09:27,240 --> 00:09:34,800 And if you go back to the program, you can see that originally we called VirtualAlloc and created
114 00:09:35,100 --> 00:09:36,360 this region of memory.
115 00:09:37,020 --> 00:09:39,390 You set it to be readable and writable.
116 00:09:40,080 --> 00:09:44,730 That's why you get RW as the initial protection value.
117 00:09:45,690 --> 00:09:54,920 Then later on, after we call this API to copy the shellcode to the allocated region of memory, we
118 00:09:54,960 --> 00:10:02,970 use VirtualProtect to change the protection from readable, writable to readable, executable.
119 00:10:03,420 --> 00:10:06,520 That's why you see here now it is executable
120 00:10:06,540 --> 00:10:06,930 and readable.
121 00:10:09,810 --> 00:10:15,690 Now the next one is the place in memory where this shellcode is found.
122 00:10:16,470 --> 00:10:18,620 It is at this address, one three
123 00:10:19,550 --> 00:10:21,660 five F E triple zero.
124 00:10:22,230 --> 00:10:28,680 If you look at it in the memory map, it is in the data section here.
125 00:10:30,210 --> 00:10:33,300 One three five F E triple zero.
126 00:10:34,590 --> 00:10:38,910 This is as expected; it is the initialised data section,
127 00:10:40,360 --> 00:10:40,860 .data.
128 00:10:41,410 --> 00:10:51,370 So this shows that the global variable is stored in the global variable section, known as the
129 00:10:51,370 --> 00:10:53,410 .data section in memory.
130 00:10:56,390 --> 00:11:04,970 So this video shows you how to create shellcode and store it in the data section.
131 00:11:05,750 --> 00:11:13,040 So to do that, you just put your shellcode as a global variable, and that means to put it outside
132 00:11:13,040 --> 00:11:13,910 of any function.
133 00:11:14,900 --> 00:11:16,880 That's all for this video lesson.
134 00:11:17,360 --> 00:11:19,220 Thank you for watching.