1 00:00:00,230 --> 00:00:01,160 Hello everyone.
2 00:00:01,160 --> 00:00:07,070 My name is Stephen, and in this lecture we are diving into the realm of creating a functional shellcode
3 00:00:07,070 --> 00:00:08,960 using the execve syscall.
4 00:00:09,050 --> 00:00:13,430 But first, let's grasp the concept of the execve syscall.
5 00:00:13,430 --> 00:00:20,030 So the execve syscall plays a key role in executing programs or scripts.
6 00:00:20,030 --> 00:00:24,710 And to understand it better, let's refer to the man page.
7 00:00:25,010 --> 00:00:33,110 Uh, for using this, using this command, man 2 execve, and as you can see here, execve means execute program.
8 00:00:33,110 --> 00:00:36,170 Library, standard C library. Synopsis here is used.
9 00:00:36,260 --> 00:00:44,270 We firstly need to include this header file, and then it executes the program referred to by pathname.
10 00:00:44,270 --> 00:00:50,870 So this causes the program that is currently being run by the calling process to be replaced with a new
11 00:00:50,870 --> 00:00:56,600 program, with a newly initialized stack, heap, and initialized and uninitialized data segments.
12 00:00:56,600 --> 00:00:57,680 And here we have:
13 00:00:57,680 --> 00:01:04,670 The pathname must be either a binary executable or a script starting with a line of the form interpreter.
14 00:01:04,670 --> 00:01:08,990 And, uh, here we also have our argv.
15 00:01:08,990 --> 00:01:15,830 Here is an array of pointers to strings passed to the new program as its command-line arguments.
16 00:01:15,830 --> 00:01:17,900 And we have envp here.
17 00:01:18,050 --> 00:01:23,690 This is an array of pointers to strings, conventionally, uh, of the form key=value, which are
18 00:01:23,690 --> 00:01:26,060 passed as the environment of the new program.
19 00:01:26,060 --> 00:01:29,600 So the envp array must be terminated by a null pointer.
20 00:01:29,600 --> 00:01:31,910 And the first argument here.
21 00:01:33,170 --> 00:01:35,420 Uh, actually, this scroll.
22 00:01:36,020 --> 00:01:40,310 Mouse scroll is pretty broken, and that's why I'm struggling.
23 00:01:41,050 --> 00:01:41,920 Now we're getting this fixed.
24 00:01:41,920 --> 00:01:42,490 Yeah.
25 00:01:42,700 --> 00:01:47,620 And here the first argument is the program we intend to execute.
26 00:01:48,360 --> 00:01:53,340 And the second argument, argv here, is an array of arguments related to the program.
27 00:01:53,340 --> 00:01:57,540 And importantly, it should include the program's name itself.
28 00:01:57,540 --> 00:02:00,240 And we have the envp here.
29 00:02:00,240 --> 00:02:01,890 This is the third argument.
30 00:02:01,980 --> 00:02:05,220 envp allows us to pass arguments to the environment.
31 00:02:05,220 --> 00:02:07,500 In our case, we can set it to NULL.
32 00:02:07,500 --> 00:02:12,180 So now let's go to Visual Studio again and create a new program.
33 00:02:12,180 --> 00:02:16,080 Let's actually delete this one here, and new, new C file.
34 00:02:16,080 --> 00:02:21,030 So let's name it, uh, sysinfo.c.
35 00:02:21,450 --> 00:02:27,840 And now we will include the, uh, unistd.h header file.
36 00:02:27,900 --> 00:02:32,610 Now this, not include, yeah, include here.
37 00:02:32,820 --> 00:02:38,310 And after that, after that, we will, int main.
38 00:02:40,120 --> 00:02:41,500 Uh, char.
39 00:02:42,570 --> 00:02:53,100 const argv here, and first we will pass the cat, and then the
40 00:02:53,130 --> 00:02:53,880 /etc
41 00:02:54,150 --> 00:02:55,020 /issue
42 00:02:56,200 --> 00:02:57,190 and NULL.
43 00:02:58,630 --> 00:02:59,410 Here.
44 00:02:59,410 --> 00:03:01,630 And after that, we will call the exec
45 00:03:02,260 --> 00:03:03,100 ve.
46 00:03:04,770 --> 00:03:07,710 And /bin/cat.
47 00:03:07,710 --> 00:03:10,230 Here, argv.
48 00:03:12,320 --> 00:03:13,010 NULL.
49 00:03:15,000 --> 00:03:16,980 And we will return zero.
50 00:03:17,740 --> 00:03:23,800 And we compile this code and execute it to see the contents of /etc/issue.
51 00:03:25,650 --> 00:03:27,150 Let's do that.
52 00:03:30,450 --> 00:03:31,980 Source, shellcode.
53 00:03:32,010 --> 00:03:32,730 ls.
54 00:03:32,760 --> 00:03:33,450 sysinfo.
55 00:03:33,480 --> 00:03:35,910 Let's compile, gcc sysinfo.
56 00:03:36,780 --> 00:03:38,400 That's it.
57 00:03:38,400 --> 00:03:41,280 And now let's run this executable.
58 00:03:41,280 --> 00:03:45,480 And as you can see here, Kali GNU/Linux Rolling.
59 00:03:45,480 --> 00:03:47,400 So if you run this cat
60 00:03:47,730 --> 00:03:50,910 /etc/issue, we will get the same result.
61 00:03:50,910 --> 00:03:53,610 So we are basically executing this command here.
62 00:03:56,120 --> 00:03:57,140 And, uh.
63 00:03:58,440 --> 00:03:59,370 Here.
64 00:04:00,460 --> 00:04:01,030 That's it.
65 00:04:01,030 --> 00:04:01,360 Right.
66 00:04:01,360 --> 00:04:04,030 So we executed our code successfully.
67 00:04:04,030 --> 00:04:12,640 And now we will delve into the direct and technical approach of utilizing the execve syscall within a C
68 00:04:12,670 --> 00:04:13,270 program.
69 00:04:13,270 --> 00:04:19,960 And our goal is to execute the command without relying on intricate shellcode techniques for now.
70 00:04:19,960 --> 00:04:24,910 So let's, uh, dissect the provided code here.
71 00:04:24,910 --> 00:04:28,630 Uh, actually, let's, uh, change this provided code.
72 00:04:28,900 --> 00:04:32,140 And, uh, for a deeper understanding, you will see.
73 00:04:32,230 --> 00:04:36,340 So we will open a terminal here, and it will be awesome here.
74 00:04:36,340 --> 00:04:39,010 So const, we will not change anything here.
75 00:04:39,010 --> 00:04:41,620 We will just change the /bin
76 00:04:42,890 --> 00:04:44,600 /sh here.
77 00:04:45,780 --> 00:04:47,940 And /bin
78 00:04:49,220 --> 00:04:50,120 /sh.
79 00:04:50,120 --> 00:04:53,120 So that's where the magic comes in.
80 00:04:55,610 --> 00:04:56,570 Clear.
81 00:04:59,400 --> 00:05:00,870 Uh, can you hear my voice?
82 00:05:00,870 --> 00:05:01,260 Yeah.
83 00:05:01,260 --> 00:05:01,920 Perfect.
84 00:05:02,640 --> 00:05:08,010 Now gcc here, and ./a.out. We have unexpected.
85 00:05:08,250 --> 00:05:08,700 Yeah.
86 00:05:08,700 --> 00:05:09,420 Where.
87 00:05:12,700 --> 00:05:12,940 Mm.
88 00:05:19,040 --> 00:05:21,740 const argv
89 00:05:21,770 --> 00:05:22,640 here.
90 00:05:22,940 --> 00:05:23,510 Cat.
91 00:05:23,510 --> 00:05:25,880 No, no, we don't need that cat here.
92 00:05:30,540 --> 00:05:31,320 Perfect.
93 00:05:31,980 --> 00:05:33,480 And that's it.
94 00:05:33,480 --> 00:05:35,430 So we got this shell here.
95 00:05:35,430 --> 00:05:38,460 But now let's, let's explain this code here.
96 00:05:38,460 --> 00:05:43,380 So we begin by including the necessary header file, unistd,
97 00:05:44,940 --> 00:05:53,730 unistd.h here, which contains system call declarations for our execve, and with main
98 00:05:53,730 --> 00:05:58,950 here, our program starts with the main function serving as the entry point for execution, and here
99 00:05:58,950 --> 00:06:01,350 an array named argv,
100 00:06:01,380 --> 00:06:04,350 here arguments, uh, is defined.
101 00:06:04,350 --> 00:06:09,480 It holds two elements, /bin/sh and, uh, NULL here.
102 00:06:09,480 --> 00:06:16,470 So /bin/sh represents the shell binary acting as the command interpreter, and NULL here signifies
103 00:06:16,470 --> 00:06:23,460 the end of the argument array as required by the execve syscall, and so execve syscall, /bin/sh, argv
104 00:06:23,460 --> 00:06:25,380 with argv, NULL.
105 00:06:25,380 --> 00:06:30,480 Here this line invokes the execve syscall directly, and uh.
106 00:06:30,480 --> 00:06:36,240 The first argument, /bin/sh, specifies the program to execute, the shell, and the second argument,
107 00:06:36,240 --> 00:06:45,330 argv, points to our array of arguments, in this case /bin/sh and the, uh, second argument NULL, and
108 00:06:45,330 --> 00:06:47,700 indicates no additional environment arguments.
109 00:06:48,780 --> 00:06:52,290 And here we have the return.
110 00:06:52,290 --> 00:06:55,680 Lastly, the program concludes with the standard return statement.
111 00:06:55,680 --> 00:06:58,230 And that's it.
112 00:06:58,230 --> 00:06:58,710 Yeah.
113 00:06:58,890 --> 00:07:00,750 We basically got this here.
114 00:07:00,750 --> 00:07:03,150 whoami, typhoon.
115 00:07:03,150 --> 00:07:03,750 Yeah.
116 00:07:03,750 --> 00:07:04,440 Clear.
117 00:07:04,440 --> 00:07:04,770 Yeah.
118 00:07:04,770 --> 00:07:07,440 We basically got this shell here.
119 00:07:07,440 --> 00:07:08,910 So what's the significance here?
120 00:07:08,910 --> 00:07:13,440 It is the direct utilization of this execve syscall within a C program.
121 00:07:13,440 --> 00:07:19,530 So this sidesteps the need for complex shellcode, accomplishing command execution through straightforward
122 00:07:19,530 --> 00:07:20,250 means.
123 00:07:20,250 --> 00:07:27,390 So this approach not only simplifies the process but also fosters a solid grasp of core system call
124 00:07:27,390 --> 00:07:28,170 mechanics.
125 00:07:28,170 --> 00:07:32,580 And our journey continues as we delve into assembly programming
126 00:07:32,580 --> 00:07:40,620 in our next example, by examining registers, memory, and RAM instructions, and we will gain a deeper
127 00:07:40,620 --> 00:07:44,010 insight into system interactions and execution.
128 00:07:44,010 --> 00:07:46,260 So in the next lecture, let's start.
129 00:07:46,290 --> 00:07:51,210 Let's delve into the world of low-level programming and further expand our knowledge.
130 00:07:51,210 --> 00:07:52,650 I'm waiting for you in the next lecture.
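As an added example (not the lecturer's code), here is the lecture's execve program wrapped so the two properties the lecture states can actually be observed from a parent process: on success execve never returns because the process image is replaced, so the trailing `return 0` is reachable only on failure, and the argv array must end with NULL while envp may be NULL. The `/nonexistent/placeholder-binary` path is a constructed placeholder; `/bin/sh -c 'exit 7'` is used so the spawned shell exits with a known status instead of waiting for input.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `path` with `argv` via execve in a forked child so the parent survives.
 * Returns the child's exit status, -1 if fork/waitpid fails, or 127 when
 * execve itself fails in the child (the convention shells use).
 * envp is NULL, as in the lecture: the new program gets an empty environment. */
int run_with_execve(const char *path, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: on success execve does not return; this process becomes `path`. */
        execve(path, argv, NULL);
        /* Reached only if execve failed (e.g. ENOENT, EACCES). */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Call execve directly (no fork) on a path that does not exist: it returns -1,
 * sets errno, and the calling process keeps running, which is the only way the
 * lecture's `return 0` after execve is ever executed. */
int execve_failure_errno(void) {
    /* Constructed placeholder path, assumed not to exist on the host. */
    char *const argv[] = { "/nonexistent/placeholder-binary", NULL };
    errno = 0;
    int rc = execve(argv[0], argv, NULL);
    return rc == -1 ? errno : 0;
}

int main(void) {
    /* Same shape as the lecture's argv: program name first, then its arguments,
     * then the NULL terminator execve requires to find the end of the array. */
    char *const argv[] = { "/bin/sh", "-c", "exit 7", NULL };
    int rc = run_with_execve("/bin/sh", argv);
    printf("child exit status: %d\n", rc);
    printf("execve on missing path: errno=%d (ENOENT=%d)\n",
           execve_failure_errno(), ENOENT);
    return 0;
}
```

The pathname and argv seen here are exactly what kernel exec auditing (for example auditd execve records) captures for a process, which is why defenders key detections on them.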