1 00:00:00,430 --> 00:00:01,240 Hello, students. 2 00:00:01,240 --> 00:00:07,840 My name is Stephan, and in the previous sessions we have been delving into the world of shellcode development 3 00:00:07,840 --> 00:00:13,720 and assembly programming, and we learned about crafting shellcode, addressing bad characters, utilizing 4 00:00:13,720 --> 00:00:18,250 relative addressing and refining our code to ensure efficient execution. 5 00:00:18,610 --> 00:00:22,440 In today's lecture, we are about to embark on an exciting journey. 6 00:00:22,450 --> 00:00:28,870 We will focus on assembling and linking our code, ultimately creating a piece of C malware. 7 00:00:28,870 --> 00:00:30,460 But that's not all. 8 00:00:30,460 --> 00:00:37,990 We are taking things a step further by injecting our carefully crafted shellcode into our application. 9 00:00:37,990 --> 00:00:44,260 This integration promises to be a fascinating intersection of theory and practical implementation. 10 00:00:44,260 --> 00:00:52,060 So fasten your shellcodes, because we are about to explore the process of turning concepts into tangible 11 00:00:52,060 --> 00:00:52,990 executable code. 12 00:00:53,020 --> 00:00:58,540 Now let's dive into the world of assembling, linking and injecting shellcode into our CPP. 13 00:00:58,540 --> 00:01:04,370 So we've reached an important... let's actually close this and open a new tab. 14 00:01:04,760 --> 00:01:05,960 Yeah, we have this here. 15 00:01:05,960 --> 00:01:13,430 So here we have reached an important juncture in our learning journey. 16 00:01:13,430 --> 00:01:20,270 As you recall, we have been carefully constructing a shellcode that encompasses a series of intricate 17 00:01:20,270 --> 00:01:20,960 steps. 18 00:01:20,960 --> 00:01:24,920 One of these steps involves manipulating memory addresses. 19 00:01:24,920 --> 00:01:31,610 So in our current phase, we are dealing with the address of this "malware injected" string. 
20 00:01:31,610 --> 00:01:38,420 So this address is expertly pushed onto the stack, the pivotal area of memory used for temporary 21 00:01:38,450 --> 00:01:39,410 data storage. 22 00:01:39,410 --> 00:01:45,230 Subsequently we perform a pivotal operation, which is the pop rcx here. 23 00:01:45,380 --> 00:01:52,940 So this instruction takes the address we have placed on the stack and seamlessly transfers it into the 24 00:01:52,940 --> 00:01:54,170 rcx register, 25 00:01:54,170 --> 00:01:58,250 a specialized storage location within the CPU. 26 00:01:58,250 --> 00:02:07,120 So by executing the pop rcx here, we facilitate efficient access to the address now stored in the rcx 27 00:02:07,120 --> 00:02:07,720 register. 28 00:02:07,720 --> 00:02:15,040 So this action will prove crucial as we proceed to build on this address in the next step of our shellcode 29 00:02:15,040 --> 00:02:15,970 development. 30 00:02:15,970 --> 00:02:23,020 And remember, each step contributes to the intricate dance of assembly programming, resulting in the culmination 31 00:02:23,050 --> 00:02:25,720 of our meticulously designed shellcode. 32 00:02:25,750 --> 00:02:27,010 Now let's actually... 33 00:02:27,160 --> 00:02:30,040 So we have compiled this assembly code. 34 00:02:30,340 --> 00:02:34,210 We assembled it and linked it in previous lectures. 35 00:02:34,210 --> 00:02:40,600 And as you can see here, when we run this, it prints out in the terminal that the malware is injected. 36 00:02:40,600 --> 00:02:43,780 So this is just the print function here. 37 00:02:43,780 --> 00:02:51,790 Actually, we didn't have any malware in it, but we can manipulate this in a way that we can use here, 38 00:02:51,790 --> 00:02:57,850 like buffer overflows and other privilege escalation attacks. 39 00:02:57,850 --> 00:03:05,270 Now what we're going to do is create the shellcode, since we already have this assembly 40 00:03:05,630 --> 00:03:08,420 program here, runnable here. 
41 00:03:08,420 --> 00:03:20,840 So we will again use this long terminal command here: objdump -M intel -D hello. Here the "hello". 42 00:03:20,840 --> 00:03:24,800 And as we write this, I will explain it line by line. 43 00:03:24,800 --> 00:03:27,170 Let's actually first write it down here. 44 00:03:27,530 --> 00:03:30,050 0-9... 45 00:03:30,090 --> 00:03:30,250 Oops. 46 00:03:30,260 --> 00:03:34,190 Actually, let me fix this microphone here. Can you hear me? 47 00:03:34,190 --> 00:03:35,330 Yeah, perfect. 48 00:03:35,870 --> 00:03:41,240 Now what we're going to do is we will use the [0-9a-f]. 49 00:03:42,510 --> 00:03:47,850 And here, pipe grep -v. So we are... 50 00:03:48,430 --> 00:03:49,330 We will, we will... 51 00:03:49,380 --> 00:03:54,330 We don't want to see any "file" lines here; cut out the header information. 52 00:03:54,330 --> 00:03:58,290 So cut -f2 -d. 53 00:04:01,240 --> 00:04:06,400 Uh, cut -f1-7 -d. 54 00:04:07,190 --> 00:04:08,110 Here. 55 00:04:08,270 --> 00:04:10,210 Here's. 56 00:04:11,210 --> 00:04:11,630 Here. 57 00:04:13,090 --> 00:04:14,520 tr. 58 00:04:17,070 --> 00:04:17,430 Here. 59 00:04:19,760 --> 00:04:22,340 sed 's/' here. 60 00:04:23,330 --> 00:04:25,460 And dollar sign. 61 00:04:26,340 --> 00:04:27,900 Double slash g. 62 00:04:31,980 --> 00:04:32,730 sed. 63 00:04:34,630 --> 00:04:35,320 's/'. 64 00:04:37,620 --> 00:04:38,280 \x. 65 00:04:39,690 --> 00:04:42,150 And lastly, paste. 66 00:04:43,080 --> 00:04:43,710 -d. 67 00:04:44,850 --> 00:04:45,390 -s. 68 00:04:49,210 --> 00:04:50,650 objdump. 69 00:04:51,040 --> 00:04:52,390 Not objdump. 70 00:04:54,090 --> 00:04:54,470 Oops. 71 00:04:54,870 --> 00:04:58,440 And we also need to enter our program here. 72 00:04:58,440 --> 00:05:02,310 So "hacked" here, as you can see. 73 00:05:04,260 --> 00:05:09,300 And we got this: "option requires an argument". 74 00:05:11,370 --> 00:05:13,290 We actually have this here. 75 00:05:14,750 --> 00:05:16,460 So cut. 76 00:05:20,520 --> 00:05:21,150 Here. 
77 00:05:21,150 --> 00:05:21,630 Here. 78 00:05:31,170 --> 00:05:31,920 Yeah, I think... 79 00:05:31,920 --> 00:05:32,160 Yeah. 80 00:05:32,160 --> 00:05:34,080 We need to make a space here. 81 00:05:34,290 --> 00:05:34,440 Right? 82 00:05:35,430 --> 00:05:37,830 We got this error again. 83 00:05:38,250 --> 00:05:38,910 Like this. 84 00:05:40,060 --> 00:05:40,500 Here. 85 00:05:40,510 --> 00:05:41,680 Let's fix that also. 86 00:05:41,680 --> 00:05:45,010 And as you can see here, this is our shellcode. 87 00:05:48,870 --> 00:05:55,260 And as you can see here, we have something wrong in the shellcode, because we need to add spaces between 88 00:05:55,260 --> 00:05:55,920 these 89 00:05:56,740 --> 00:05:57,910 quotes here. 90 00:05:57,910 --> 00:06:03,550 Also, I think we don't need these spaces here. 91 00:06:04,710 --> 00:06:05,460 Let's try it. 92 00:06:05,460 --> 00:06:08,400 And as you can see here, this is a valid shellcode. 93 00:06:08,400 --> 00:06:14,130 So if you are seeing these \x's without any hexadecimal characters after them, then this means there is 94 00:06:14,130 --> 00:06:16,170 something wrong with your shellcode here. 95 00:06:16,170 --> 00:06:18,450 And this is our shellcode here. 96 00:06:18,450 --> 00:06:23,760 Now, I also want to explain this objdump command here. 97 00:06:23,760 --> 00:06:28,290 So objdump -M intel hacked here: 98 00:06:28,290 --> 00:06:36,150 this part runs the objdump command on the file named hacked and disassembles it using Intel syntax. 99 00:06:36,150 --> 00:06:39,690 And it provides a detailed disassembly of the binary. 100 00:06:39,690 --> 00:06:46,620 And we have grep '[0-9a-f]:', this here. 101 00:06:46,620 --> 00:06:53,550 This filters the lines that start with a hexadecimal number followed by a colon, which are indicative 102 00:06:53,550 --> 00:06:56,820 of assembler instructions, and grep -v file here. 
103 00:06:56,820 --> 00:07:03,210 This excludes the lines that contain the word "file", possibly removing some hidden information from 104 00:07:03,210 --> 00:07:04,320 the output. 105 00:07:04,320 --> 00:07:09,900 And we also have this here, cut -f2 -d: . This extracts the second field, 106 00:07:09,900 --> 00:07:14,610 which is the actual assembler code, using the colon as the delimiter. 107 00:07:14,610 --> 00:07:19,230 And we also have cut -f1-7 -d' ' with quotes here. 108 00:07:19,230 --> 00:07:27,000 So this extracts the first seven fields from the output, which are usually the hexadecimal opcodes. 109 00:07:27,210 --> 00:07:32,340 And as you can see, we also have tr -s ' ' with quotes. 110 00:07:32,340 --> 00:07:34,170 So this, this... 111 00:07:34,260 --> 00:07:41,340 This squeezes multiple spaces into a single space, helping to standardize the format. 112 00:07:41,340 --> 00:07:45,030 And we also have this tr, like with double quotes here. 113 00:07:45,800 --> 00:07:47,960 No, single quotes here. 114 00:07:47,960 --> 00:07:51,380 So this replaces tabs with spaces. 115 00:07:52,110 --> 00:07:56,820 And we also have sed 's/ $//g'. 116 00:07:56,850 --> 00:08:01,740 So this removes any trailing spaces at the end of each line. 117 00:08:01,740 --> 00:08:12,060 And we also have sed 's/ /\\x/g', and this replaces each space with \x to format the output in 118 00:08:12,060 --> 00:08:14,520 a way that's often used for shellcode. 119 00:08:14,550 --> 00:08:17,400 This is, as you can see, that's it. 120 00:08:17,520 --> 00:08:26,910 And we also have the paste, lastly paste -d '' -s, so this concatenates 121 00:08:26,940 --> 00:08:32,190 all the lines together to form a continuous string of formatted shellcode. 
122 00:08:32,190 --> 00:08:40,410 So when you run this entire command together, it takes the disassembled machine code output from the objdump 123 00:08:40,410 --> 00:08:48,720 process, processes it through a series of transformations and outputs a string of shellcode 124 00:08:48,720 --> 00:08:50,190 in a specific format. 125 00:08:50,190 --> 00:08:57,340 So this format of shellcode is then ready for use in your C or assembly programming. 126 00:08:57,340 --> 00:08:59,860 Now what we're going to do is create a new... 127 00:09:01,470 --> 00:09:02,820 main.c here. 128 00:09:02,820 --> 00:09:04,080 Or hacked. 129 00:09:06,730 --> 00:09:09,720 hacked2, that. 130 00:09:09,730 --> 00:09:10,360 .c. 131 00:09:11,350 --> 00:09:16,960 And now what we're going to do is include stdio.h. 132 00:09:16,960 --> 00:09:20,530 So stdio.h, include string 133 00:09:22,150 --> 00:09:27,100 .h, and now we will create our main function. 134 00:09:27,780 --> 00:09:30,500 In this main function we will, oops. 135 00:09:30,600 --> 00:09:33,360 Notice here, this main function. 136 00:09:33,360 --> 00:09:39,780 We will firstly create our unsigned char array, which we will name shellcode. 137 00:09:39,780 --> 00:09:46,290 And after that we will enter this output into our array here. 138 00:09:46,290 --> 00:09:56,250 So an unsigned char array called array, or actually let's make it shellcode. Shellcode array here. 139 00:09:56,370 --> 00:10:00,510 And with this we will enter in the codes here. 140 00:10:00,510 --> 00:10:01,710 Let's copy this 141 00:10:02,460 --> 00:10:03,960 from here, 142 00:10:05,920 --> 00:10:09,040 paste here, and semicolon. 143 00:10:09,070 --> 00:10:22,180 Now, here we will also print the length of our shellcode: printf, "shellcode length". 144 00:10:23,790 --> 00:10:25,560 We will use %d here. 145 00:10:26,350 --> 00:10:29,440 And after that, we will actually use a newline 
146 00:10:30,480 --> 00:10:32,400 after printing our shellcode length. 147 00:10:32,400 --> 00:10:35,910 So int, strlen, 148 00:10:36,970 --> 00:10:37,900 and cast. 149 00:10:39,710 --> 00:10:40,370 Shellcode. 150 00:10:42,040 --> 00:10:42,610 Now. 151 00:10:42,610 --> 00:10:43,290 That's it. 152 00:10:43,300 --> 00:10:44,120 Here. 153 00:10:44,670 --> 00:10:46,270 No, not here. 154 00:10:46,270 --> 00:10:46,930 Here. 155 00:10:46,930 --> 00:10:47,800 And now 156 00:10:47,800 --> 00:10:50,520 we will also use the int. 157 00:10:50,770 --> 00:10:53,440 Create a new function here, basically. 158 00:10:54,720 --> 00:10:57,720 And int ret. 159 00:10:59,260 --> 00:11:00,130 Here. 160 00:11:01,400 --> 00:11:05,080 And a cast outside of the... right, shellcode. 161 00:11:06,490 --> 00:11:08,200 And we will call this function. 162 00:11:09,570 --> 00:11:10,050 That's it. 163 00:11:10,800 --> 00:11:18,480 Now, this code is a C program that's designed to execute shellcode, which is represented as a sequence 164 00:11:18,480 --> 00:11:19,890 of hexadecimal values. 165 00:11:19,890 --> 00:11:23,100 Now, let's break it down step by step here. 166 00:11:24,000 --> 00:11:26,430 So here we are using two includes. 167 00:11:26,430 --> 00:11:28,200 We are including two header files. 168 00:11:28,200 --> 00:11:34,740 So these are the preprocessor directives that include the necessary standard libraries for input/output 169 00:11:34,740 --> 00:11:36,750 and string manipulation. 170 00:11:36,750 --> 00:11:41,880 And we also have this, the main function. This is the main function of the program, where 171 00:11:41,880 --> 00:11:42,960 execution starts. 172 00:11:42,960 --> 00:11:50,550 And here, in this unsigned char shellcode line, we initialize an array named shellcode to hold 173 00:11:50,730 --> 00:11:51,780 our shellcode. 
174 00:11:51,780 --> 00:11:59,220 So the shellcode itself is a series of hexadecimal values that represent machine instructions, and 175 00:11:59,220 --> 00:12:05,730 it's stored as an array of unsigned characters, which we can also call bytes. 176 00:12:05,850 --> 00:12:12,780 Now here, this part contains the actual shellcode represented as hexadecimal values, and each pair 177 00:12:12,780 --> 00:12:17,160 of hexadecimal digits represents a byte of machine code. 178 00:12:17,160 --> 00:12:25,600 So the shellcode here performs a specific action, such as executing our syscall and printing the 179 00:12:25,600 --> 00:12:32,800 "malware injected" string on the command line here. And we also have int. 180 00:12:32,800 --> 00:12:34,480 So the printf here. 181 00:12:35,230 --> 00:12:35,910 Uh, yeah. 182 00:12:35,920 --> 00:12:38,970 Before this ret we have printf. 183 00:12:38,980 --> 00:12:41,410 So this line prints the length of the shellcode. 184 00:12:41,410 --> 00:12:48,090 Using this printf function, it calculates the length of the shellcode using the shellcode 185 00:12:48,100 --> 00:12:54,640 array, using this strlen, and prints it as an integer. 186 00:12:54,640 --> 00:12:58,330 And we also have int (*ret)() = (int (*)()) shellcode. 187 00:12:58,360 --> 00:13:01,540 So this line declares a function pointer named ret. 188 00:13:01,540 --> 00:13:07,000 This function pointer is initialized to point to the memory address of the shellcode array. 189 00:13:07,000 --> 00:13:10,630 So this effectively creates a callable function from the shellcode. 190 00:13:10,630 --> 00:13:12,640 And with this, here we are... 191 00:13:12,670 --> 00:13:13,870 This line calls... 192 00:13:13,870 --> 00:13:18,790 With this line here, we are calling the function pointed to by the ret pointer. 193 00:13:18,790 --> 00:13:21,760 In other words, it executes the shellcode. 
194 00:13:21,790 --> 00:13:29,740 So in summary, this C program acts as an executor for the provided shellcode: it calculates and 195 00:13:29,740 --> 00:13:34,780 prints the length of the shellcode, converts the shellcode into a callable function using the function 196 00:13:34,880 --> 00:13:37,490 pointer, and then executes the shellcode. 197 00:13:38,140 --> 00:13:45,640 And this also allows you to test and observe the behavior of your shellcode within a controlled environment. 198 00:13:45,670 --> 00:13:49,570 Now, what we're going to do is, let's actually compile this main here. 199 00:13:50,050 --> 00:13:51,100 Clear. 200 00:13:51,340 --> 00:13:53,110 Now we have this 201 00:13:54,960 --> 00:13:58,100 hacked2.c here. 202 00:13:58,110 --> 00:14:01,470 Now, in order to compile it, there's a simple command. 203 00:14:01,510 --> 00:14:03,930 We will use gcc -f 204 00:14:05,310 --> 00:14:07,920 no-stack-protector 205 00:14:09,140 --> 00:14:16,940 -z execstack here, and here we will put hacked2.c. 206 00:14:18,130 --> 00:14:20,410 Now we have some problem here. 207 00:14:20,440 --> 00:14:26,420 As you can see here: initialization of int from incompatible pointer type. 208 00:14:26,440 --> 00:14:29,410 Let's see it here. 209 00:14:31,880 --> 00:14:38,120 So we got a type conversion error, but we can simply fix that easily here. 210 00:14:38,810 --> 00:14:43,250 Now, as I said, we have some type conversion errors here. 211 00:14:43,250 --> 00:14:51,470 And in this initial code, we were trying to calculate the length of the shellcode array using 212 00:14:51,470 --> 00:14:56,570 strlen, which returns a value of size_t. 213 00:14:56,600 --> 00:15:03,770 However, we were trying to cast it to an integer, which could lead to potential issues, especially 214 00:15:03,770 --> 00:15:07,950 if the length is larger than what an integer can hold. 
215 00:15:07,970 --> 00:15:17,330 So in this corrected code here, what we're going to change is: we will change it to %zu here, and here 216 00:15:17,330 --> 00:15:19,280 we will use, we will actually... 217 00:15:21,110 --> 00:15:31,730 delete that, and we will use strlen here, and a const char pointer cast here, and after that we will enter 218 00:15:31,730 --> 00:15:33,230 shellcode. 219 00:15:35,430 --> 00:15:36,420 And that's it. 220 00:15:36,420 --> 00:15:38,790 Here, our code is fixed. 221 00:15:38,970 --> 00:15:41,580 Now let's try this. 222 00:15:41,580 --> 00:15:42,960 And we got that 223 00:15:43,790 --> 00:15:44,660 error again. 224 00:15:44,660 --> 00:15:47,550 So int from incompatible pointer type. 225 00:15:47,570 --> 00:15:49,460 int pointer here. 226 00:15:53,130 --> 00:15:54,750 Shellcode, char. 227 00:15:54,750 --> 00:16:00,190 And we also have, at line eight here, you... 228 00:16:02,350 --> 00:16:06,400 And we've got the same error here, but we changed this. 229 00:16:06,400 --> 00:16:16,450 So, because our error was actually not raised here, but since we changed it, we 230 00:16:16,450 --> 00:16:23,110 did a good thing here, because if our shellcode was bigger than the size of our integer, then we would 231 00:16:23,110 --> 00:16:26,560 get the error at line seven. 232 00:16:26,560 --> 00:16:33,580 And now what we're going to do is fix that here, so we get some type of problem. 233 00:16:33,580 --> 00:16:35,890 int shellcode here. 234 00:16:36,530 --> 00:16:39,830 So the problem is here. 235 00:16:40,620 --> 00:16:41,940 After that. 236 00:16:43,780 --> 00:16:44,380 Yeah. 237 00:16:48,180 --> 00:16:49,050 And here. 238 00:16:49,840 --> 00:16:52,510 Now the problem will be fixed here. 239 00:16:52,510 --> 00:16:54,760 And as you can see here, our 240 00:16:56,540 --> 00:17:02,240 program is compiled and we can run it: ./a.out. 241 00:17:02,360 --> 00:17:04,730 Now let's run it again on a new line. 
242 00:17:04,730 --> 00:17:12,200 And as you can see here, shellcode length is 55 and "malware is injected". 243 00:17:12,200 --> 00:17:14,540 So, fantastic. 244 00:17:14,570 --> 00:17:14,840 All right. 245 00:17:14,840 --> 00:17:16,640 So you've wrapped a... 246 00:17:18,480 --> 00:17:21,120 Uh, so now we have wrapped up our 247 00:17:21,810 --> 00:17:24,960 lecture beautifully, and in this session 248 00:17:24,960 --> 00:17:32,430 we have covered a wide range of crucial topics, from the shellcode which we used here... 249 00:17:32,850 --> 00:17:34,470 Let's actually go here. 250 00:17:34,650 --> 00:17:43,990 So we used the jmp technique, explored new debugging styles with GDB and utilized tools like Valgrind 251 00:17:44,010 --> 00:17:44,940 in previous lectures. 252 00:17:44,940 --> 00:17:52,650 So these insights are invaluable for anyone interested in shellcode and exploit creation. 253 00:17:52,650 --> 00:17:59,700 So by delving into these techniques and tools, you are equipping yourself with essential skills 254 00:17:59,700 --> 00:18:06,300 for creating efficient and secure code, as well as gaining a deeper understanding of the intricate world 255 00:18:06,300 --> 00:18:07,680 of shellcode development. 256 00:18:07,680 --> 00:18:13,360 So I'm excited to continue this learning journey with you in our next lecture. 257 00:18:13,380 --> 00:18:20,080 Feel free to bring any questions, doubts or ideas you'd like to explore further. 258 00:18:20,100 --> 00:18:26,710 Until then, keep up the great work, and I look forward to our next session.
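Added example (not part of the lecture, and not the lecturer's hacked2.c): a C shellcode loader of the kind the lecture builds, written to show two things the lecture's version glosses over. First, measuring the payload with strlen() only works while the shellcode contains no 0x00 byte; any bad character that slipped through silently shortens the reported length, so the example measures with sizeof() instead and reports both. Second, instead of compiling the whole program with -z execstack, the bytes are copied into a fresh mmap() region that is writable first and executable afterwards, so no page is ever writable and executable at once. Assumptions: x86-64 Linux with GCC or Clang; the six-byte payload (mov eax, 42 ; ret) is constructed for this example and is not the 55-byte payload from the lecture. The function names shellcode_len, shellcode_strlen, host_is_x86_64 and run_shellcode are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/mman.h>

/* Constructed x86-64 payload for this example:  mov eax, 42 ; ret
 * The 32-bit immediate deliberately contains 0x00 bytes so the strlen()
 * pitfall is visible. */
static const unsigned char shellcode[] =
    "\xb8\x2a\x00\x00\x00"   /* mov eax, 0x2a */
    "\xc3";                  /* ret            */

/* Correct length: sizeof() minus the NUL the string literal appends. */
size_t shellcode_len(void)
{
    return sizeof(shellcode) - 1;
}

/* What the lecture's strlen() call reports: it stops at the first 0x00,
 * so a payload containing a null byte is under-counted. */
size_t shellcode_strlen(void)
{
    return strlen((const char *)shellcode);
}

int host_is_x86_64(void)
{
#if defined(__x86_64__)
    return 1;
#else
    return 0;
#endif
}

/* Copy len bytes into a private anonymous mapping, flip it to read+execute,
 * call it as int (*)(void) and return what the payload left in eax.
 * Returns -1 if the mapping or the protection change fails, and -2 when the
 * host is not x86-64 (the bytes above would be garbage on another ISA). */
int run_shellcode(const unsigned char *code, size_t len)
{
    if (!host_is_x86_64())
        return -2;

    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);

    /* W^X: drop write before adding execute, so the page is never RWX. */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }

    /* Copy the address into a function pointer rather than casting directly:
     * ISO C does not define data-pointer to function-pointer conversion. */
    int (*fn)(void);
    memcpy(&fn, &mem, sizeof fn);
    int result = fn();

    munmap(mem, len);
    return result;
}

int main(void)
{
    printf("strlen() length: %zu, sizeof() length: %zu\n",
           shellcode_strlen(), shellcode_len());
    printf("shellcode returned: %d\n",
           run_shellcode(shellcode, shellcode_len()));
    return 0;
}
```

Build it with a plain `gcc loader.c -o loader`; no `-fno-stack-protector` or `-z execstack` is needed because the executable bytes live in the mmap() region, not on the stack or in a static array. On the lecture's 55-byte payload the two reported lengths agree only if the bad-character pass really removed every 0x00; a mismatch between them is a quick check that a null byte survived.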