1
00:00:01,450 --> 00:00:08,600
Code execution vulnerabilities. These types of vulnerabilities allow us to execute operating system code

2
00:00:08,840 --> 00:00:13,970
on the target server. So if the target server uses Windows we'll be able to execute Windows commands,

3
00:00:14,230 --> 00:00:18,500
if it uses Linux then we'll be able to use Linux commands.

4
00:00:18,520 --> 00:00:24,600
Clearly this is a really critical problem that will allow us to do anything we want with the target.

5
00:00:24,610 --> 00:00:31,840
Really, we can upload a PHP shell using the wget command, or upload a payload or virus or anything

6
00:00:31,840 --> 00:00:35,610
we want using any Linux command, it doesn't really matter which.

7
00:00:35,770 --> 00:00:40,360
You just need to make sure that you're uploading it to a file or to a directory which you're allowed

8
00:00:40,360 --> 00:00:42,300
to write stuff to.

9
00:00:42,430 --> 00:00:49,360
Another way of exploiting this vulnerability is to just run OS commands and get a reverse shell based

10
00:00:49,360 --> 00:00:50,350
on these commands.

11
00:00:50,350 --> 00:00:55,420
So because we can run operating system commands we can use the programming languages supported by

12
00:00:55,420 --> 00:01:01,180
that operating system to try and get a reverse connection to our computer.

13
00:01:02,570 --> 00:01:10,280
So first of all let's just assume that we're browsing here, we're going around, and then

14
00:01:10,280 --> 00:01:17,010
we got to a tab on the website where it allows you to, for example, do a thing.

15
00:01:17,030 --> 00:01:23,780
Now what you should do is you should always try to experiment with any input box you see, try to see

16
00:01:23,810 --> 00:01:30,390
what the input box does and what you can inject into it, what you can do to get stuff running.

17
00:01:30,530 --> 00:01:33,760
So for example this input box is telling you it's going to do a ping.

18
00:01:34,130 --> 00:01:39,780
And if you put an IP, for example I'm going to put 10.20.14.203 which is my own IP,

19
00:01:40,000 --> 00:01:45,290
just to see it, to use it as a normal person, I'm going to hit Submit and it's going to go

20
00:01:45,290 --> 00:01:48,590
ahead and ping it for me and give me the ping results.

21
00:01:48,890 --> 00:01:55,530
So what it looks like here, it's actually executing the ping command on Linux systems.

22
00:01:55,540 --> 00:01:59,810
Now let's see if we can exploit that if it's actually executing the ping

23
00:01:59,810 --> 00:02:00,150
command.

24
00:02:00,150 --> 00:02:04,800
So what it's doing is it's going on and it's doing...

25
00:02:04,840 --> 00:02:13,570
So we're sending 10.20.14.203 as the ping and then going to the web server, and the web server

26
00:02:13,600 --> 00:02:19,850
is doing ping 10.20.14.203.

27
00:02:19,860 --> 00:02:23,200
So let's see if we can exploit this, how we'd exploit it.

28
00:02:23,220 --> 00:02:32,820
If it's taking what we put in right here and then it's doing ping on that, now in Linux and Unix

29
00:02:32,820 --> 00:02:40,710
based commands you can use the semicolon to execute multiple commands on one line.

30
00:02:40,710 --> 00:02:44,730
So if you do this for example in your own terminal.

31
00:02:44,730 --> 00:02:49,950
So I'm just going to go to my terminal here and I'm just going to do ls, which is the list command, and

32
00:02:49,950 --> 00:02:54,290
then pwd, which lists, which shows your working directory.

33
00:02:54,300 --> 00:03:01,250
So if I do an ls followed by a semicolon and then do pwd, it will execute both commands.

34
00:03:01,290 --> 00:03:05,960
So it will do this and then it will show where the working directory is.

35
00:03:06,040 --> 00:03:09,870
So we can do the same thing with this and see if it works for us.

36
00:03:09,910 --> 00:03:18,340
So we've got an IP, right, the IP, and then I'm just going to do pwd and see if it'll execute the pwd for me. If

37
00:03:18,340 --> 00:03:21,380
it does then this is a code execution vulnerability

38
00:03:21,550 --> 00:03:24,790
and I can execute anything I want on the server.

39
00:03:24,820 --> 00:03:26,120
So let's see what's going to happen.

40
00:03:26,120 --> 00:03:34,040
I'll paste this and I'm going to hit Submit. Now as you can see we got the results for the ping.

41
00:03:34,040 --> 00:03:35,830
We got our current working directory.

42
00:03:35,840 --> 00:03:46,640
So it was /var/www/dvwa/vulnerabilities/exec, so it executed the pwd that I inserted.

43
00:03:46,640 --> 00:03:55,160
And that means I can insert any commands I want in there and they'll be executed. So I've inserted a resources

44
00:03:55,160 --> 00:04:01,670
file that you can use to get a reverse connection from the target computer.

45
00:04:01,670 --> 00:04:05,940
Now there's a number of ways, a number of commands that will give you a reverse connection.

46
00:04:05,960 --> 00:04:11,230
All of these commands depend on the programming language, so for example we have commands in PHP, we

47
00:04:11,240 --> 00:04:11,810
have commands in

48
00:04:11,800 --> 00:04:20,180
Ruby, you have Perl commands and we have the one for bash. Bash is the Linux shell command language.

49
00:04:20,270 --> 00:04:25,240
So all Unix operating systems will be able to execute bash commands.

50
00:04:25,280 --> 00:04:29,290
So that's a very good way of doing that.

51
00:04:29,780 --> 00:04:35,780
So most Unix systems, this command should work on most Unix-based systems.

52
00:04:35,780 --> 00:04:38,330
So this would be a really good way of doing it.

53
00:04:38,510 --> 00:04:44,350
Again, most of them would have Python, so Python would be a good way. Netcat, most of them do have netcat

54
00:04:44,390 --> 00:04:47,080
as well, so netcat is a good way of doing that.

55
00:04:47,210 --> 00:04:49,890
And we're actually going to use netcat in this video.

56
00:04:50,300 --> 00:04:54,890
So what I'm going to do is first I'm going to listen for connections, just like we used to do with Metasploit

57
00:04:54,890 --> 00:04:57,620
to exploit, when we used to do what we have learned.

58
00:04:57,620 --> 00:05:01,350
You can actually use a multi/handler for this and listen for connections.

59
00:05:01,350 --> 00:05:06,710
Well, I'm just going to keep it simpler and show you a new way, and I'm going to use netcat. So netcat

60
00:05:11,830 --> 00:05:16,170
is just a tool that allows you to listen and connect computers together.

61
00:05:16,970 --> 00:05:18,810
So I'm going to listen on port 8080.

62
00:05:18,840 --> 00:05:24,920
So nc is the program, -vv is just for verbose output so we can see a lot, so if anything goes wrong

63
00:05:24,920 --> 00:05:25,920
we can see it.

64
00:05:26,090 --> 00:05:30,410
And we're telling it to listen using the -l option on port 8080.

65
00:05:31,250 --> 00:05:36,290
So I'm going to hit enter and that's saying it's just listening on port 8080, that's all it's going

66
00:05:36,290 --> 00:05:36,960
to do.

67
00:05:37,730 --> 00:05:43,730
The next command we're going to do is we're going to try to connect from the web server back to my

68
00:05:43,730 --> 00:05:45,890
computer using netcat as well.

69
00:05:46,040 --> 00:05:48,380
So we're assuming the web server has netcat.

70
00:05:48,410 --> 00:05:50,690
We're gonna try it and see if that works.

71
00:05:50,690 --> 00:05:57,430
So the command is very simple, it's netcat and we're telling it to use /bin/bash, and we'll give

72
00:05:57,490 --> 00:06:03,320
it the IP of my device, my attacker device, which is 10.20.14

73
00:06:06,350 --> 00:06:11,570
and then the port, which is 8080, which is what we're listening on right here.

74
00:06:12,600 --> 00:06:20,770
So I'm going to copy that and I'm just going to execute it the same way we used to execute pwd. pwd did

75
00:06:20,780 --> 00:06:25,930
come up, so the last thing we did was 10.20.

76
00:06:28,810 --> 00:06:34,500
14.203 and then we did pwd.

77
00:06:34,500 --> 00:06:40,110
So what I'm going to do now, I'm going to remove the pwd and paste the code that we just created, which

78
00:06:40,110 --> 00:06:46,000
will try to connect from the web server back to the Kali machine, to the attack machine.

79
00:06:46,460 --> 00:06:47,550
I'm going to come here.

80
00:06:48,670 --> 00:06:55,500
And as you can see we've got a connection back to us from 10.20.14.204.

81
00:06:55,540 --> 00:06:57,720
So that's the target computer.

82
00:06:58,120 --> 00:07:06,330
And if we do a pwd you'll see that we have a reverse shell. If we do an ls, if we do an id you'll see that

83
00:07:06,350 --> 00:07:14,370
we're www-data, and if we do a uname just to confirm that I'm in Metasploitable, you

84
00:07:14,370 --> 00:07:20,220
can see that I'm in Metasploitable and I'm able to run any command that I want on the target computer.

85
00:07:20,220 --> 00:07:23,610
So basically I have full access to the target computer.