1
00:00:00,320 --> 00:00:01,610
Hello, my name is Tayfun.

2
00:00:01,610 --> 00:00:08,330
Now, in this lecture, let's embark on an exciting journey into the world of shellcode creation.

3
00:00:08,330 --> 00:00:14,780
We will utilize our existing knowledge to generate straightforward and fully customized shellcode.

4
00:00:14,810 --> 00:00:21,380
As we delve deeper, we will encounter challenges like problematic characters and learn strategies

5
00:00:21,380 --> 00:00:22,730
to eliminate them.

6
00:00:22,910 --> 00:00:28,730
And continuing our exploration, we will delve into the creation of more advanced shellcodes, and additionally,

7
00:00:28,730 --> 00:00:35,240
we will discover how to generate our own shellcodes automatically using the Metasploit framework.

8
00:00:35,240 --> 00:00:40,850
And in this section we will explore the fundamentals and dealing with troublesome characters.

9
00:00:40,880 --> 00:00:43,580
We will learn the relative addressing technique.

10
00:00:43,610 --> 00:00:48,780
We will also gain an understanding of the execve syscall.

11
00:00:48,800 --> 00:00:50,750
We will create a bind TCP shell.

12
00:00:50,750 --> 00:00:52,700
We will develop a reverse TCP shell.

13
00:00:52,700 --> 00:00:56,830
And lastly, we will generate shellcode through the Metasploit framework.

14
00:00:56,840 --> 00:01:00,960
Now get ready to enhance your understanding of shellcode creation.

15
00:01:00,960 --> 00:01:04,800
So to kick things off, let's grasp the concept of shellcode.

16
00:01:04,830 --> 00:01:10,140
So as we previously explored, shellcode refers to a set of machine instructions.

17
00:01:11,860 --> 00:01:12,120
Here.

18
00:01:12,130 --> 00:01:16,500
Let's actually open our Hello World program that we created in assembly here.

19
00:01:16,510 --> 00:01:22,420
So it serves as a payload often utilized in stack overflow attacks.

20
00:01:22,420 --> 00:01:28,870
So these instructions are derived from assembly language, and our approach is straightforward.
21
00:01:28,870 --> 00:01:34,480
We will write the desired functionality of the shellcode using assembly language, and subsequently a few

22
00:01:34,480 --> 00:01:39,790
adjustments will be made before converting it into machine code.

23
00:01:39,820 --> 00:01:45,760
So let's take a shot at creating a simple Hello World shellcode and then transforming it into executable

24
00:01:45,760 --> 00:01:46,810
machine code.

25
00:01:46,840 --> 00:01:50,470
So for this task we will employ the objdump command.

26
00:01:50,470 --> 00:01:56,590
But first, as you can see here, we already developed this in previous lectures, and you can also just

27
00:01:56,590 --> 00:02:03,670
simply copy this, and I will share this source code in the downloadable sections of our lecture.

28
00:02:04,120 --> 00:02:08,650
And now what we're going to do is we will open our terminal here.

29
00:02:08,650 --> 00:02:09,520
Let's actually.

30
00:02:11,610 --> 00:02:16,380
Open our terminal again, and here what we're going to do is.

31
00:02:16,560 --> 00:02:18,150
We'll go to this directory.

32
00:02:18,180 --> 00:02:25,640
cd our source here, assembly, and hello.asm.

33
00:02:25,680 --> 00:02:26,040
Oops.

34
00:02:26,160 --> 00:02:28,470
hello.asm is a directory of course.

35
00:02:28,470 --> 00:02:29,490
So that's it.

36
00:02:29,490 --> 00:02:32,520
So now in assembly we will go to Hello World.

37
00:02:32,730 --> 00:02:35,100
Now, as you can see here, we have this.

38
00:02:35,100 --> 00:02:35,580
Hello.

39
00:02:35,580 --> 00:02:37,740
So whenever we run this program.

40
00:02:38,610 --> 00:02:39,090
Hello?

41
00:02:39,090 --> 00:02:41,610
And we are printing just Hello World.

42
00:02:41,610 --> 00:02:45,360
And now we will use objdump.

43
00:02:47,570 --> 00:02:54,720
Actually, we can also use make to create this Hello program from zero. ls.

44
00:02:55,130 --> 00:03:00,050
And as you can see here, it is followed from zero.
45
00:03:00,050 --> 00:03:09,800
And now what we're going to do is we will run objdump here, objdump -D -M intel,

46
00:03:09,800 --> 00:03:13,610
and we will use the hello, and that's it.

47
00:03:15,740 --> 00:03:19,280
So you can see here we have several outputs here.

48
00:03:20,600 --> 00:03:25,610
Now here we have the disassembly of section .debug_line.

49
00:03:25,610 --> 00:03:32,810
But what's important to us is the disassembly of section .text and .data for now.

50
00:03:34,300 --> 00:03:36,510
It should be somewhere.

51
00:03:36,520 --> 00:03:40,490
Disassembly of section, as you can see, disassembly of section .interp.

52
00:03:40,690 --> 00:03:44,290
But we need the .data and .text.

53
00:03:46,550 --> 00:03:49,850
And I will show you the interesting thing about this.

54
00:03:54,310 --> 00:03:56,890
.eh_frame, .dynamic.

55
00:04:01,560 --> 00:04:02,870
The SS command.

56
00:04:04,010 --> 00:04:05,120
.debug_info.

57
00:04:06,240 --> 00:04:09,480
And .debug_line, seems like we don't have.

58
00:04:11,950 --> 00:04:12,940
Output here.

59
00:04:22,850 --> 00:04:23,740
.dynamic.

60
00:04:27,120 --> 00:04:28,920
Oh, seems like we have this here.

61
00:04:29,080 --> 00:04:31,740
I just skipped it and didn't see it.

62
00:04:31,740 --> 00:04:34,170
And here we.

63
00:04:34,380 --> 00:04:36,840
You should see this .text section.

64
00:04:38,230 --> 00:04:40,630
After the year.

65
00:04:41,510 --> 00:04:42,980
Section .text.

66
00:04:43,010 --> 00:04:43,940
Where are you?

67
00:04:43,940 --> 00:04:44,390
.text?

68
00:04:44,390 --> 00:04:45,050
Yes.

69
00:04:45,530 --> 00:04:47,960
Yeah, we have the .text section in it.

70
00:04:48,290 --> 00:04:50,210
And section .text.

71
00:04:50,690 --> 00:04:56,780
And as you can see here, there's content displayed in the middle of the.

72
00:04:56,870 --> 00:04:57,750
Our terminal output.

73
00:04:57,770 --> 00:05:04,870
So this content here represents the machine code corresponding to our Hello World example.
74
00:05:04,880 --> 00:05:09,050
However, we aim to convert it into a specific format.

75
00:05:09,050 --> 00:05:11,180
Something like this.

76
00:05:11,390 --> 00:05:13,610
Actually, let's open a new text file.

77
00:05:13,610 --> 00:05:18,320
So we will turn it into something like \x

78
00:05:18,320 --> 00:05:19,820
ff \x

79
00:05:19,820 --> 00:05:20,000
f

80
00:05:20,000 --> 00:05:21,200
f or \x

81
00:05:21,230 --> 00:05:21,960
ab

82
00:05:22,770 --> 00:05:23,600
\x this.

83
00:05:23,610 --> 00:05:25,350
So this is actually a shellcode.

84
00:05:25,380 --> 00:05:34,770
So here, our ff: each two hex characters here signifies an operation code. While it's possible

85
00:05:34,770 --> 00:05:37,020
to perform this conversion manually,

86
00:05:37,260 --> 00:05:45,120
I don't recommend that, nobody does that, and doing so line by line can also become quite

87
00:05:45,120 --> 00:05:45,840
laborious.

88
00:05:45,840 --> 00:05:49,890
So luckily there's a more efficient method available to us.

89
00:05:49,890 --> 00:05:57,390
So if you want to do that manually, it would take like hours or even weeks to complete this, and even

90
00:05:57,390 --> 00:05:58,290
without an error.

91
00:05:58,290 --> 00:06:06,390
So of course, so now what we're going to do is we will use objdump again, objdump

92
00:06:06,930 --> 00:06:12,870
-M intel -D here, and here you will enter your file name.

93
00:06:12,870 --> 00:06:15,150
In this case, it's hello.

94
00:06:16,420 --> 00:06:21,110
And after that you will also use grep this here.

95
00:06:21,130 --> 00:06:23,080
0-9a-f.

96
00:06:26,490 --> 00:06:26,890
Sorry.

97
00:06:27,170 --> 00:06:27,520
Here.

98
00:06:27,530 --> 00:06:27,930
Yeah.

99
00:06:28,340 --> 00:06:29,600
That's actually right.

100
00:06:29,630 --> 00:06:30,770
From zero again.

101
00:06:30,770 --> 00:06:33,820
I accidentally pressed enter here while typing.

102
00:06:33,830 --> 00:06:35,150
So here.
103
00:06:35,420 --> 00:06:37,460
Now we will again use pipe.

104
00:06:37,460 --> 00:06:40,970
We will use grep -v file.

105
00:06:43,950 --> 00:06:44,390
Part.

106
00:06:45,690 --> 00:06:52,650
Since I have a microphone I don't like, the microphone is always interfering with the keyboard, and

107
00:06:52,650 --> 00:06:55,740
that's why I accidentally pressed enter the previous time.

108
00:06:55,980 --> 00:06:59,370
So -f2 -d here, pipe.

109
00:07:00,390 --> 00:07:02,790
Cut -f1.

110
00:07:03,960 --> 00:07:04,410
Zero.

111
00:07:04,440 --> 00:07:06,210
Let's actually check it from zero.

112
00:07:06,780 --> 00:07:12,800
So we objdump -M intel, grep from 0-9 and a-f.

113
00:07:14,340 --> 00:07:20,850
And after that we have again pipe grep -v file, cut -f2.

114
00:07:21,330 --> 00:07:22,950
Yes, that's it.

115
00:07:23,190 --> 00:07:25,050
And here.

116
00:07:55,450 --> 00:07:55,780
Yes.

117
00:07:55,780 --> 00:07:57,460
And also, we need to.

118
00:07:58,580 --> 00:08:02,360
After this, we need to write some more code here.

119
00:08:02,780 --> 00:08:11,330
After cut here, we will, so cut -f2 -d, and after that cut -f1.

120
00:08:12,870 --> 00:08:13,710
-f1.

121
00:08:13,780 --> 00:08:15,480
-d here.

122
00:08:16,980 --> 00:08:18,390
And pipe again.

123
00:08:18,390 --> 00:08:19,210
tr.

124
00:08:19,260 --> 00:08:20,250
-s.

125
00:08:23,000 --> 00:08:23,450
Public on.

126
00:08:25,380 --> 00:08:25,800
T.

127
00:08:31,460 --> 00:08:38,750
I will also share this moment for you, because it's sometimes a struggle to write it from zero.

128
00:08:39,380 --> 00:08:42,230
So the backslash and not much here.

129
00:08:43,130 --> 00:08:44,060
And.

130
00:08:46,970 --> 00:08:48,740
So sed s.

131
00:08:53,160 --> 00:08:53,670
Yeah.

132
00:08:54,030 --> 00:08:55,530
And dollar sign.

133
00:08:56,320 --> 00:08:59,200
I will slash here.

134
00:09:01,660 --> 00:09:03,280
Let's again here.

135
00:09:07,220 --> 00:09:07,760
Six.

136
00:09:10,680 --> 00:09:10,950
Um.
137
00:09:11,570 --> 00:09:13,740
Here we will paste.

138
00:09:15,230 --> 00:09:16,250
Be here.

139
00:09:20,230 --> 00:09:22,780
And let's actually try it again.

140
00:09:23,020 --> 00:09:25,510
So objdump -M intel, grep.

141
00:09:26,600 --> 00:09:29,700
grep -v file, cut -f2 -d.

142
00:09:30,790 --> 00:09:34,140
Cut F17D.

143
00:09:36,020 --> 00:09:37,750
Uh, tr.

144
00:09:38,770 --> 00:09:40,870
Like the quotes here.

145
00:09:40,870 --> 00:09:43,690
But these quotes have spaces in them.

146
00:09:43,720 --> 00:09:47,910
I will share this code with you, as I said.

147
00:09:47,920 --> 00:09:49,540
And here.

148
00:09:50,600 --> 00:09:51,950
R e.

149
00:09:53,610 --> 00:09:55,080
Via three quotes.

150
00:09:56,230 --> 00:09:57,250
And sed.

151
00:10:05,910 --> 00:10:08,160
Yeah, I think it's okay.

152
00:10:08,340 --> 00:10:09,600
Yeah, that's it.

153
00:10:09,600 --> 00:10:12,630
And here, this is our machine language code here.

154
00:10:12,630 --> 00:10:20,790
So next, we can use the C++ code for testing our machine code here.

155
00:10:20,790 --> 00:10:25,590
So in order to do that, we will open the new main.cpp here.

156
00:10:25,830 --> 00:10:27,960
Actually, let's close the previous one.

157
00:10:28,850 --> 00:10:29,420
And.

158
00:10:30,570 --> 00:10:31,680
Delete that too.

159
00:10:33,850 --> 00:10:38,440
Again, a new text file.

160
00:10:40,710 --> 00:10:42,510
So let's save it.

161
00:10:43,050 --> 00:10:45,750
And the source code.

162
00:10:46,170 --> 00:10:47,450
We also have this here.

163
00:10:47,460 --> 00:10:48,930
Yeah, we can save it here.

164
00:10:49,230 --> 00:10:51,010
Replace, and that's it.

165
00:10:51,030 --> 00:10:59,250
And here what we're going to do is we will include the stdio.h, and we will also include the string

166
00:10:59,250 --> 00:10:59,760
here.

167
00:10:59,760 --> 00:11:01,530
string.h.
168
00:11:02,530 --> 00:11:11,650
And we will create the unsigned char code, an unsigned char, and let's name it

169
00:11:11,650 --> 00:11:14,190
code here, just basically code.

170
00:11:14,200 --> 00:11:24,850
And here we will use quotation marks here, and we will get this here from just the last string, last character

171
00:11:24,850 --> 00:11:26,410
and without spaces.

172
00:11:26,410 --> 00:11:30,250
And copy this from the start of this.

173
00:11:30,940 --> 00:11:31,150
What?

174
00:11:31,150 --> 00:11:31,600
Here?

175
00:11:32,110 --> 00:11:35,830
Ctrl+Shift+C, and after that we will put it here.

176
00:11:35,860 --> 00:11:36,670
That's it.

177
00:11:39,400 --> 00:11:44,920
And now what we're going to do is we will create our main function, int main.

178
00:11:45,490 --> 00:11:47,080
And here.

179
00:11:49,380 --> 00:11:50,710
We will printf.

180
00:11:52,150 --> 00:11:52,990
This is.

181
00:11:53,680 --> 00:11:58,090
My shellcode length here.

182
00:11:58,940 --> 00:12:05,810
Now I'll use the decimal to show the shell length, and after that we will use a new line.

183
00:12:06,080 --> 00:12:10,700
And what we're going to do is we will use the comma here.

184
00:12:10,700 --> 00:12:11,810
Integer.

185
00:12:13,730 --> 00:12:23,000
strlen here to show the string length, and we will pass this code variable which we created earlier

186
00:12:23,000 --> 00:12:23,570
here.

187
00:12:25,270 --> 00:12:27,460
Code, unsigned char.

188
00:12:28,280 --> 00:12:29,360
And that's it.

189
00:12:29,360 --> 00:12:30,830
And the code again.

190
00:12:30,830 --> 00:12:33,140
And we will use the integer.

191
00:12:34,390 --> 00:12:36,010
Right here.

192
00:12:39,530 --> 00:12:39,860
Oops.

193
00:12:57,010 --> 00:12:57,550
That's it.

194
00:12:58,270 --> 00:13:01,570
And after that, we will call this right here.

195
00:13:02,880 --> 00:13:04,350
And we are done.
196
00:13:04,350 --> 00:13:09,210
And what we're going to do is now we will open the, oops, sorry here.

197
00:13:09,210 --> 00:13:14,840
So what we're going to do is now we will open the new terminal here, cd to our project.

198
00:13:15,400 --> 00:13:19,110
I think it was in source here, cd the shellcode, ls.

199
00:13:19,140 --> 00:13:26,310
And as you can see here, we have that main.cpp here, and we have the shellcode and main function.

200
00:13:26,310 --> 00:13:27,810
Now we need to compile this, right?

201
00:13:27,810 --> 00:13:38,610
So gcc -fno-stack-protector, -z execstack here, and main.cpp.

202
00:13:39,940 --> 00:13:47,470
And as you can see here, we got some error here related to this invalid conversion from unsigned

203
00:13:47,500 --> 00:13:50,290
char to const char.

204
00:13:51,810 --> 00:14:00,000
So this error actually seems to be related to an incorrect type conversion in our printf statement here.

205
00:14:00,000 --> 00:14:06,360
So the error message is indicating that there is an invalid conversion from unsigned

206
00:14:06,390 --> 00:14:09,120
char to const char.

207
00:14:09,270 --> 00:14:13,380
And when you are trying to calculate the length of your shellcode, so.

208
00:14:14,300 --> 00:14:20,870
And in C++, when working with character arrays or strings, you should use appropriate

209
00:14:20,870 --> 00:14:22,850
data types and functions to handle them.

210
00:14:22,850 --> 00:14:29,930
Since you are dealing with shellcode represented as an unsigned char array, you need to use the

211
00:14:29,930 --> 00:14:33,850
correct format specifier in the parentheses as well.

212
00:14:33,860 --> 00:14:42,530
So what we're going to do is we will actually, instead of using %d here, we will use %zu, and

213
00:14:42,710 --> 00:14:44,330
we will also use this.

214
00:14:44,360 --> 00:14:46,610
So we will delete this integer.
215
00:14:47,920 --> 00:14:52,780
And in strlen, actually it's this, and write it again.

216
00:14:52,900 --> 00:14:56,230
But let's actually add the parentheses here.

217
00:14:56,230 --> 00:14:59,980
So strlen, strlen.

218
00:15:01,390 --> 00:15:02,080
const.

219
00:15:02,770 --> 00:15:03,640
char.

220
00:15:05,120 --> 00:15:06,700
And we will pass the code.

221
00:15:08,410 --> 00:15:10,480
So again, we got some error.

222
00:15:10,490 --> 00:15:12,880
So expected an expression here.

223
00:15:16,360 --> 00:15:23,380
Yes, because we also need to add this string, and let's actually close this.

224
00:15:24,950 --> 00:15:26,000
That's it here.

225
00:15:26,000 --> 00:15:29,230
Let's actually try and run this.

226
00:15:29,240 --> 00:15:36,040
And as you can see here, our program is compiled successfully, and we have that a.out.

227
00:15:36,050 --> 00:15:37,310
So let's run it.

228
00:15:39,390 --> 00:15:40,650
./a.out.

229
00:15:40,980 --> 00:15:44,700
And as you can see here, my shellcode length is 27.

230
00:15:44,700 --> 00:15:50,970
And we also have this segmentation fault, and I will explain what this output means.

231
00:15:50,970 --> 00:15:54,420
But before that, let's actually explain this code.

232
00:15:56,900 --> 00:15:59,090
So you basically know this main function here.

233
00:15:59,090 --> 00:16:03,410
What this main means, this is the main function, the starting point of the program's execution.

234
00:16:03,410 --> 00:16:06,830
And this is where the program begins to run.

235
00:16:06,830 --> 00:16:09,290
And we also have this printf.

236
00:16:09,470 --> 00:16:13,250
printf my shellcode strlen const char code.

237
00:16:13,280 --> 00:16:18,380
So this printf is a function from the C standard library used for formatted output.

238
00:16:18,380 --> 00:16:21,710
So if we delete this cstdio here.

239
00:16:22,650 --> 00:16:26,640
And we will get with this an undefined printf here.

240
00:16:26,640 --> 00:16:27,630
So we need this.
241
00:16:27,660 --> 00:16:35,610
We include this standard input output for the printf command here, and also.

242
00:16:36,460 --> 00:16:41,110
So we have this "This is my shellcode length %zu".

243
00:16:41,110 --> 00:16:46,000
And here, this is a format string to display a message followed by an integer.

244
00:16:46,000 --> 00:16:53,980
And remember, we actually coded it firstly with %d for showing decimal, but now we've

245
00:16:53,980 --> 00:16:54,640
changed it.

246
00:16:54,640 --> 00:17:02,920
So this is a format specifier indicating that an unsigned size value will be inserted in place of the

247
00:17:02,950 --> 00:17:03,880
%zu here.

248
00:17:03,880 --> 00:17:07,540
And we also have the strlen, this expression here.

249
00:17:07,540 --> 00:17:14,380
So the strlen function, as you know, calculates the length of the null-terminated string.

250
00:17:14,380 --> 00:17:24,910
So here code is cast to const char type to match the expected argument type.

251
00:17:24,910 --> 00:17:27,670
And we also have the integer ret.

252
00:17:27,790 --> 00:17:30,220
So this declares.

253
00:17:30,220 --> 00:17:36,260
So here firstly, we are declaring a function pointer named ret.

254
00:17:36,260 --> 00:17:43,670
So this is a pointer to a function that takes no argument and returns an integer.

255
00:17:43,670 --> 00:17:50,900
And here we are assigning the address of the code array to the ret function pointer, and it uses the typecast

256
00:17:50,900 --> 00:17:59,300
integer here, as you can see here, to treat the address of code as a function pointer with a specified

257
00:17:59,300 --> 00:18:00,020
signature.

258
00:18:00,020 --> 00:18:06,740
And this ret we also have here, this is the function pointer declared in the previous line.

259
00:18:06,740 --> 00:18:10,070
So we are calling this with this syntax.

260
00:18:10,070 --> 00:18:13,100
We are calling the function pointed to by ret.
261
00:18:13,100 --> 00:18:19,580
Since ret points to the code here, and ret points to the code array's address.

262
00:18:19,580 --> 00:18:22,940
So this effectively starts executing the shellcode.

263
00:18:23,300 --> 00:18:30,620
So in summary, this code takes advantage of function pointers and the ability to treat data, the code

264
00:18:30,620 --> 00:18:32,990
array in this case, as executable code.

265
00:18:32,990 --> 00:18:40,190
So it prints the length of the code array which represents shellcode, converts the array's address

266
00:18:40,190 --> 00:18:47,900
into a function pointer, and then calls that function pointer, effectively executing the shellcode.

267
00:18:47,900 --> 00:18:57,920
And as you can see here, when we started this here, a.out, you

268
00:18:57,920 --> 00:19:05,210
can see this output here and the segmentation fault because.

269
00:19:06,580 --> 00:19:07,960
Our shellcode didn't work.

270
00:19:07,960 --> 00:19:12,520
So the reason was that there are bad characters in it.

271
00:19:12,520 --> 00:19:17,530
So this takes us to the next lecture, in which you will learn that.

272
00:19:17,530 --> 00:19:23,890
So no matter how many tries you make, you will get a segmentation fault.

273
00:19:23,890 --> 00:19:30,250
And I did that on purpose too, which is the next lecture's

274
00:19:31,160 --> 00:19:32,830
topic here.

275
00:19:32,840 --> 00:19:40,280
You will see how to avoid these bad characters and how not to get the segmentation fault error, because

276
00:19:40,280 --> 00:19:43,400
this means that our shellcode did not execute.

277
00:19:44,140 --> 00:19:45,580
Awaiting you in the next lecture.