1
00:00:00,380 --> 00:00:06,500
Bad characters are characters that have the potential to disrupt the execution of a shellcode, as they

2
00:00:06,500 --> 00:00:09,140
might be interpreted as something different.

3
00:00:09,170 --> 00:00:14,030
For instance, consider the case of 00 here.

4
00:00:15,300 --> 00:00:17,910
Here, after 32.

5
00:00:17,950 --> 00:00:18,540
Right.

6
00:00:18,540 --> 00:00:21,690
So, which denotes a zero value, right.

7
00:00:21,690 --> 00:00:29,430
So however it gets, it gets interpreted as a null terminator, leading to premature string termination,

8
00:00:29,430 --> 00:00:32,180
as you learned in assembly language training.

9
00:00:32,190 --> 00:00:37,440
So to illustrate this, let's revisit the previous code snippet here.

10
00:00:37,440 --> 00:00:40,050
So now let's go here.

11
00:00:40,200 --> 00:00:48,570
So as you can see here, when we execute our program here, we get the my shellcode length 27.

12
00:00:48,570 --> 00:00:50,870
And after that we got the segmentation fault.

13
00:00:50,880 --> 00:00:58,770
So in this case, we need to be investigating in the shellcode number 27 as the hexadecimal here.

14
00:00:58,770 --> 00:01:06,750
So let's go there actually and count it from zero to number 27.

15
00:01:06,750 --> 00:01:09,150
So each one of these counts as one.

16
00:01:09,150 --> 00:01:09,930
So.

17
00:01:11,770 --> 00:01:14,500
One, two, three, four, five.

18
00:01:14,530 --> 00:01:15,460
Actually, in array mode.

19
00:01:15,490 --> 00:01:17,320
Of course it comes from the zero.

20
00:01:17,320 --> 00:01:18,760
But in this case, we will count from.

21
00:01:19,060 --> 00:01:19,580
Uh.

22
00:01:20,290 --> 00:01:21,130
Yes, let's.

23
00:01:21,250 --> 00:01:22,930
Let's actually count it from zero.

24
00:01:24,020 --> 00:01:24,590
Avon.

25
00:01:26,190 --> 00:01:31,650
0, 1, 2, 3, four, five, six, seven, eight, nine, ten, 11, 12.

26
00:01:31,650 --> 00:01:33,780
13, 14, 15.

27
00:01:35,410 --> 00:01:45,860
16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26 and 27.

28
00:01:45,910 --> 00:01:47,560
And here we go.

29
00:01:48,730 --> 00:01:49,750
It's not.

30
00:01:50,130 --> 00:01:52,630
Yeah, I think you saw it, right?

31
00:01:52,660 --> 00:01:53,460
Yeah.

32
00:01:53,470 --> 00:01:54,310
Here.

33
00:01:55,540 --> 00:02:00,100
And after 32, we have this null string terminator.

34
00:02:00,160 --> 00:02:05,540
Actually, it's not a null string terminator, but our code, like, assumes it is.

35
00:02:05,560 --> 00:02:12,700
So these are, we can also call these the problematic characters in shellcode development.

36
00:02:12,700 --> 00:02:18,640
So there are four main bad characters, or problematic characters, here.

37
00:02:18,670 --> 00:02:26,980
The 00 which we have here is the zero value or null terminator, which, as you can see, this

38
00:02:26,980 --> 00:02:27,730
is zero.

39
00:02:27,880 --> 00:02:31,870
So this represents the zero value or null terminator.

40
00:02:31,870 --> 00:02:35,130
And we also have the line feed.

41
00:02:35,140 --> 00:02:45,610
So 0A. We have the form feed, FF, indicating the form feed, and we also have the one signifying carriage

42
00:02:45,610 --> 00:02:47,710
return, which is zero.

43
00:02:47,950 --> 00:02:53,140
So if we change this 00 here, oops, not here.

44
00:02:53,140 --> 00:02:55,580
Please, just, I don't want to save it.

45
00:02:55,580 --> 00:03:02,930
So if we change this 00 to, from like, let's actually, zero, one, two, three, four and four

46
00:03:02,930 --> 00:03:04,880
here, 00.

47
00:03:05,030 --> 00:03:08,030
Remember it was 36, right?

48
00:03:08,110 --> 00:03:08,690
Yeah.

49
00:03:08,720 --> 00:03:09,740
00.

50
00:03:09,740 --> 00:03:13,730
And let's compile our program again, and you will see something different here.

51
00:03:16,120 --> 00:03:19,420
And as you can see here, we have the my shellcode length.

52
00:03:19,420 --> 00:03:21,820
So we have the segmentation fault.

53
00:03:21,820 --> 00:03:25,510
Again, because of that, we changed this, right?

54
00:03:25,510 --> 00:03:28,420
So I'm not sure if I remember that.

55
00:03:28,420 --> 00:03:31,060
Let's actually copy this again.

56
00:03:31,480 --> 00:03:31,990
Yeah.

57
00:03:31,990 --> 00:03:36,100
It was 64, 62, 36.

58
00:03:36,100 --> 00:03:38,290
62 what?

59
00:03:38,290 --> 00:03:39,670
Yeah, 62.

60
00:03:39,790 --> 00:03:40,870
36.

61
00:03:40,870 --> 00:03:48,190
So now, how can we eliminate these troublesome characters from our shellcode? So we can achieve this

62
00:03:48,190 --> 00:03:51,580
by employing our current knowledge of assembly.

63
00:03:51,610 --> 00:03:53,410
You learned that in previous lectures, remember?

64
00:03:53,410 --> 00:04:01,510
So this involves selecting which part of a register's content we should depend on, based on the data size being moved.

65
00:04:01,510 --> 00:04:09,880
For instance, if we intend to move a small value like 15 to the rax register, we can use mov 15 here,

66
00:04:09,880 --> 00:04:11,380
but now.

67
00:04:12,190 --> 00:04:18,340
We will write our assembly code from zero, so it will be better for us.

68
00:04:19,690 --> 00:04:25,120
So as everyone says, instead of editing a sample, just write it from zero for a small project.

69
00:04:25,120 --> 00:04:25,660
Of course.

70
00:04:25,660 --> 00:04:32,050
So now what we're going to do is we will, uh, let's actually come back to our explorer here.

71
00:04:32,050 --> 00:04:34,150
So we will open the shellcode.

72
00:04:34,150 --> 00:04:35,140
New file.

73
00:04:35,740 --> 00:04:37,330
hello.asm.

74
00:04:37,360 --> 00:04:38,260
That's it.

75
00:04:38,260 --> 00:04:40,060
So what we're going to do is.

76
00:04:41,520 --> 00:04:49,050
And we will, as I said, instead of, for instance, if we intend to move a small value like

77
00:04:49,050 --> 00:04:55,530
15 to the rax register, we can use mov al, 15 here instead of using rax.

78
00:04:55,530 --> 00:05:02,460
So but now what we're going to do is, and alternatively, arithmetic operations can also be utilized,

79
00:05:02,460 --> 00:05:04,500
for example, to achieve the same result.

80
00:05:04,500 --> 00:05:13,440
We can use xor, xor rax, rax here, and we will add rax,

81
00:05:14,400 --> 00:05:15,420
15. Right?

82
00:05:15,420 --> 00:05:22,230
So now let's delve into our machine code, examining one instruction at a time.

83
00:05:22,230 --> 00:05:33,450
But before that here, let's actually write our assembly code and get that machine code again from

84
00:05:33,450 --> 00:05:34,440
our assembly code.

85
00:05:34,440 --> 00:05:40,840
So this will be a better way to understand and learn the way things work.

86
00:05:40,840 --> 00:05:49,420
So what we're going to do is we will firstly global _start here, section .text, oops, global _start.

87
00:05:49,660 --> 00:05:52,960
So, and after that, section .text here.

88
00:05:52,960 --> 00:06:00,640
So mov al, as I said, 1. xor, I actually use tabs.

89
00:06:00,640 --> 00:06:05,960
So xor rdi here, again, rdi.

90
00:06:06,630 --> 00:06:07,510
So tabs.

91
00:06:11,630 --> 00:06:12,070
Here.

92
00:06:13,370 --> 00:06:15,670
Uh, here.

93
00:06:15,680 --> 00:06:17,570
And we will add the.

94
00:06:19,520 --> 00:06:23,360
One. mov rsi.

95
00:06:24,860 --> 00:06:25,780
Here.

96
00:06:26,180 --> 00:06:26,750
Hello.

97
00:06:27,970 --> 00:06:28,240
World.

98
00:06:28,240 --> 00:06:30,760
So actually, let's also define the data section.

99
00:06:30,760 --> 00:06:35,680
Let's actually, in this time, let's actually define the data section after.

100
00:06:35,860 --> 00:06:37,630
So hello world.

101
00:06:40,050 --> 00:06:41,910
section .data.

102
00:06:43,720 --> 00:06:48,460
section .data here, and hello world.

103
00:06:48,670 --> 00:06:49,870
We have.

104
00:06:51,110 --> 00:06:52,160
This is going to be a string.

105
00:06:52,760 --> 00:06:54,920
Hello, world.

106
00:06:54,920 --> 00:07:00,710
And you will see, instead of using zero, we will use 0xA.

107
00:07:01,730 --> 00:07:09,650
Right, and length is going to be equal to dollar sign minus hello world.

108
00:07:10,880 --> 00:07:13,160
Not "worth", just "world".

109
00:07:14,030 --> 00:07:15,140
And here.

110
00:07:16,610 --> 00:07:17,570
So that's it.

111
00:07:17,600 --> 00:07:22,920
Now, we will also move the length to rdx.

112
00:07:26,060 --> 00:07:33,710
Length here, and we will call the syscall, and after that we will exit from the program here.

113
00:07:34,250 --> 00:07:35,270
rax.

114
00:07:36,090 --> 00:07:38,580
60, and mov.

115
00:07:39,630 --> 00:07:45,120
rdi, 1. After that, let's actually call the syscall again.

116
00:07:45,120 --> 00:07:47,190
So that's it with our program.

117
00:07:47,610 --> 00:07:52,140
Now, we can, what is here is this.

118
00:07:52,410 --> 00:07:53,040
Yeah.

119
00:07:53,070 --> 00:07:55,380
Now we can also close this.

120
00:07:55,410 --> 00:07:58,230
Yeah, we have this here.

121
00:07:58,230 --> 00:08:01,290
So let's go back to here.

122
00:08:02,470 --> 00:08:03,760
Let's actually save.

123
00:08:03,910 --> 00:08:05,440
Save our main.cpp.

124
00:08:05,530 --> 00:08:07,840
So we will change the shellcode anyway.

125
00:08:09,040 --> 00:08:09,820
So.

126
00:08:12,360 --> 00:08:16,560
Now we will compile this first, link here.

127
00:08:16,590 --> 00:08:18,900
-f elf64.

128
00:08:19,230 --> 00:08:21,450
hello.asm.

129
00:08:21,570 --> 00:08:22,290
Output is.

130
00:08:22,290 --> 00:08:23,460
hello dot.

131
00:08:23,820 --> 00:08:28,920
helloworld.o here. Now we will, here.

132
00:08:28,950 --> 00:08:32,010
helloworld.o here.

133
00:08:32,490 --> 00:08:36,000
Let's actually get the executable file.

134
00:08:36,840 --> 00:08:37,590
Hello.

135
00:08:38,600 --> 00:08:38,900
World.

136
00:08:40,880 --> 00:08:42,080
Yeah, that's it.

137
00:08:42,380 --> 00:08:43,830
We have this here.

138
00:08:43,850 --> 00:08:44,450
helloworld.

139
00:08:44,450 --> 00:08:45,260
Let's actually run it.

140
00:08:45,290 --> 00:08:45,770
helloworld.

141
00:08:45,770 --> 00:08:48,560
And as you can see, we have printed the Hello world here.

142
00:08:48,560 --> 00:08:49,400
That's basic.

143
00:08:49,400 --> 00:08:55,730
So now what we're going to do is we will objdump -d -M intel.

144
00:08:55,760 --> 00:08:56,540
helloworld.

145
00:08:56,570 --> 00:08:59,330
Oops, not this helloworld.

146
00:08:59,930 --> 00:09:01,820
And that's it.

147
00:09:01,820 --> 00:09:02,660
So.

148
00:09:04,450 --> 00:09:07,210
Now, as you can see here.

149
00:09:11,490 --> 00:09:11,960
Right.

150
00:09:11,970 --> 00:09:17,130
We have the text, data, and we, yeah, we have .text and .data here.

151
00:09:17,550 --> 00:09:25,590
So we managed to remove all the bad characters from our shellcode, which leaves us with how to deal

152
00:09:25,590 --> 00:09:28,650
with addresses when copying strings.

153
00:09:28,650 --> 00:09:29,220
Right?

154
00:09:29,220 --> 00:09:31,710
So now let's actually.

155
00:09:32,910 --> 00:09:33,720
Again.

156
00:09:35,770 --> 00:09:38,320
Get the shellcode of our program here.

157
00:09:38,320 --> 00:09:39,790
So we have this.

158
00:09:39,840 --> 00:09:42,280
Let's actually, instead of writing it from zero.

159
00:09:42,490 --> 00:09:43,780
Let's actually just copy it.

160
00:09:43,810 --> 00:09:44,770
objdump.

161
00:09:44,770 --> 00:09:45,640
hello.

162
00:09:46,120 --> 00:09:47,230
Notice here.

163
00:09:47,440 --> 00:09:48,280
objdump.

164
00:09:48,280 --> 00:09:50,080
helloworld.

165
00:09:52,050 --> 00:09:52,860
What was the.

166
00:09:54,270 --> 00:09:55,080
Executable name.

167
00:09:55,890 --> 00:09:56,700
objdump.

168
00:09:56,730 --> 00:09:58,320
helloworld.

169
00:09:58,410 --> 00:10:01,110
And this is our shellcode.

170
00:10:01,260 --> 00:10:07,080
We also have this 00 here, and you will see why we have this.

171
00:10:08,940 --> 00:10:10,490
That's it, almost.

172
00:10:10,500 --> 00:10:10,980
Yeah.

173
00:10:11,930 --> 00:10:12,530
And also.

174
00:10:13,280 --> 00:10:13,460
Yes.

175
00:10:14,180 --> 00:10:14,840
Yeah.

176
00:10:14,930 --> 00:10:15,980
Now.

177
00:10:19,540 --> 00:10:20,860
Let's run this again.

178
00:10:23,740 --> 00:10:26,740
And that's because we got this without a problem.

179
00:10:26,860 --> 00:10:32,950
And as you can see here, we got the segmentation, the segmentation fault.

180
00:10:32,950 --> 00:10:35,170
And we have the.

181
00:10:37,310 --> 00:10:41,450
Error at shellcode 11, which is here.

182
00:10:41,690 --> 00:10:46,970
And in the next lecture you will learn how to fix that with the relative address technique.

183
00:10:47,000 --> 00:10:48,530
I'm waiting for you in the next lecture.