[00:00:00] All right, the video you have been waiting for. This is the last and final video in the course, and now we're going to gain shell. So here's what's gonna happen. We're gonna use a tool called msfvenom, and we're gonna use that to generate shellcode. So I'm going to go ahead and copy and paste the command over, and then we'll talk about what this command does. So we're running msfvenom, it's brought to you by Metasploit, and we're gonna set a switch, -p for payload. So we're gonna set the payload for Windows, because we're attacking the Windows machine, and we're gonna do a shell_reverse_tcp. So we didn't declare x64 here, so we're gonna assume x86, but we'll declare that later just in case. So when we have a reverse shell like this, what we're doing is we're having the victim connect back to us. So we need to provide our information. So by our information I mean the Kali machine IP address, which is gonna be our LHOST right here, and we're gonna also have a port we're gonna be listening on. So that's going to be our LPORT, our listening port, and we're gonna declare that as 4444. I'm setting an EXITFUNC equal to thread; all that does is make our exploit a little bit more stable. We have a -f for file type. We're gonna export this in C, a -a for architecture, that's x86, and then a -b for bad characters.

[00:01:21] Here's where finding the bad characters becomes important. So we didn't have any besides the null byte, but it's always good to teach it and explain why it would be important later. So if we had any bad characters, this is where we would put them in. So let's go ahead and just hit enter here, and we'll take just a second to generate this shellcode, and once it does we're going to copy and paste it into our Python script that we've been using. So we're gonna grab this information here. We don't need the semicolon, and it's always good to take note of the payload size. So it's not going to matter too much for us, but if you do go into exploit development, payload size can be everything. It could be that you're working with a very limited space; say you only have two hundred bytes left, and a payload size of three hundred and fifty-one is just not going to work, because you're going to get truncated at two hundred. So it's always good to know the payload size, especially as you dive deeper into other projects, if you do go farther into exploit development. So let's go ahead now and open up our Python script we've been using. So I'm still on that .py, and I'm going to declare a new variable here up at the top.

[00:02:33] We're just going to call this overflow, set it equal to this, and add a parenthesis, hit enter, and then add a closing parenthesis like that. So what we're also going to do is come down here, and we're going to add in overflow. And then we're going to talk about this. So what we've got here is we've got the shellcode, right? So what's going to happen is we're going to submit the shellcode in this variable shellcode here. We're gonna say OK, 2003 bytes. That gets us to the EIP. When we get to the EIP, we're gonna hit this pointer address, right? This pointer address is just the jump address. So we're gonna jump to this set of instructions that we provide; the set of instructions we're providing is this overflow here. So what we need to do before we submit this overflow is actually insert something else, and those are called NOPs. So it's gonna look something like this. So it's called \x90, like this, and we're just going to add 32 in. And so NOPs are padding essentially; they stand for "no operation." If you've ever heard of something called a NOP sled, that's kind of what you're referring to. So when we have something like this, what we're doing is we're just adding a little bit of pad space in between this jump command and this overflow shellcode, right?

[00:03:49] So in an instance, if we didn't have this, it's possible that our overflow wouldn't actually work; we wouldn't get command execution on the computer because something interfered here. So we just like to add a little bit of padding in between these two, and that makes it a little bit more safe. Again, if you have a limited space, say we go back to the two hundred byte example, you might really need a little bit of padding, like eight bytes, sixteen bytes; you have to play around with that and figure it out. So a lot of exploit development is just messing around with the exploit until something works. So we're going to go ahead and just save this. Now, OK. And then on another tab over here, what we're gonna do is I'm going to set up netcat to listen. So it's gonna be nc -nvlp like this, and then I'm going to put the port to all fours. That's what we declared in our shellcode generation, OK. Lastly, what we need to do is we need to run vulnserver as administrator. We don't have to have Immunity this time. All we have to do is just make sure it's running, and then we're going to fire off this guy. So we're going to run that .py, hit enter. Check this over here, and look at that, we've got a shell. So now we are on this computer. We could say whoami. OK.

[00:05:06] It's Heath. Heath is me. That's the administrator. Perfect. We are good to go. So we have gone from fuzzing a program, spiking a program, not knowing anything about the program, finding the vulnerable TRUN command. We used that to fuzz it. We found and controlled the EIP. We found some bad characters, we found the right module, generated some shellcode, and now here we are; we are root. So hopefully this has been easy for you. My recommendation is to go through and make notes again, try to understand the theory behind what's happening, and also try to understand everything that's going on. This is as basic and simple as an overflow can get; of course, with memory protections it's not generally this easy. This is just meant to teach people how buffer overflows work.