OK. Now on to finding the right module. So when we talk about finding the right module, what we're saying is we're looking for a DLL or something similar inside of a program that has no memory protections, meaning no DEP, no ASLR, no SafeSEH, etc.

Now there's a tool out there called mona modules that we can use with Immunity Debugger to achieve this. So if you go out to Google and you search mona modules, you should be able to find a GitHub page for it. You're going to need to download this mona.py file and put it in this specific folder here. So the specific folder is This PC > Program Files (x86) > Immunity Inc > Immunity Debugger > PyCommands, and you're going to paste it right into here. So go ahead and do that.

And then once you're ready, let's go back to Immunity Debugger. Now, I already have the program attached to vulnserver here. And what we're going to do is we're going to actually type in this little bar down here. So what you can type in is !mona modules, and hit enter, so that'll pop this guy up here. And if you look, what we can see is these protection settings right here. Look, we've got false, false, false, false, false across the board for some of these protection settings, and that's what is ideal for us, right? We've got trues on some of these other things.
But really what we're looking for is we're looking for something attached to vulnserver itself, which you can see, this vulnserver right here, and we're looking for all falses. So a prime candidate immediately, right away, is this essfunc.dll. So we're going to go ahead and just keep that in the back of our minds, because we actually need to do one other thing. Now, if we know this by memory we can go ahead and type it out right here, but I want to show you the process for actually finding what we're about to do. What we're about to do is find the opcode equivalent of a jump. So let's go ahead and look at how to do that.

To do that we're going to go into Kali Linux and we're going to locate something called nasm_shell. So we'll type locate nasm_shell, and go ahead and just copy this Ruby file right here and then paste it in like this and hit enter. So when we say we're looking for the opcode equivalent, we're trying to convert assembly language into hex code. So what I'm doing is I'm going to type in this assembly language, just JMP ESP. This is a jump command. So what we're going to do is we're going to use this as a pointer. So the pointer is going to jump to our malicious shellcode, and that'll make more sense here in just a little bit. So the hex code equivalent of JMP ESP is FFE4. OK.
So now what we're going to do is we're going to take this information, this FFE4, and we're going to go back into Immunity and we're going to type this instead. So let's delete the modules part. We're going to keep mona and we're going to say mona find, and we'll do a dash s, and we're going to say \xff\xe4, and then we're going to say -m for module, and we're going to use this essfunc.dll. So that makes sense: we've got our opcode equivalent here, the FFE4, and then we've got the module of essfunc.dll, which is right here. Again, we chose this because it goes with the vulnserver program and it has no memory protections. So this is a good candidate for what we want to do.

So let's go ahead and just hit enter on this guy. OK. And I think I forgot a slash here. Let's check this out. OK. So that is better. So what we're looking for here is we're looking for these return addresses. So if you look at this 625011AF, that is going to be a return address. So let's go ahead and just write this one down. We're going to go right down the list and find what works. So I would like to start at the top. And you can see here that it found this essfunc.dll and it's got all the memory protections here listed as false.
So now, with this information, what we're going to do is we're going to go into Kali. We're going to just type exit here on this nasm_shell, and we need to edit our Python script. So whatever Python script you're at; I'm still on 2.py. Go ahead and open that guy up. Let's delete out the bad characters, because we did already find those, and now what we're going to do is we're going to delete out this B*4. So let's write in real quick what our return address was. Remember, it was 625011AF. So now, instead of having four B's in place of the EIP, we're going to put this pointer there. So we're going to have the EIP be a jump code, and then the jump code is going to go to malicious code. So we're going to enter that in here.

Now we're going to enter it in a little special. So what we're going to do is we're actually going to enter it in like this: we're going to say \xaf\x11\x50\x62. If you notice, this is actually in reverse. So you see AF 11 50 62. We're doing this in reverse for a special reason. So when we're talking about x86 architecture, we're doing something called little-endian format. So x86 architecture actually stores the low-order byte at the lowest address and the high-order byte at the highest address.
So we actually have to put this in reverse order. So what this should do now is this should throw the same error as before, but it's going to hit a jump point. So we can do something special in Immunity to actually catch this. Let's go ahead and hit save on this script and let's open up Immunity again. So let's go ahead and minimize this and let's maximize this guy again.

OK, so we're going to do something special here. So first what we're going to do is we're going to need to click on this little arrow here. It's kind of bluish black, and we're going to enter in this expression to follow: 625011AF. So remember, that's going to be our jump code. So if we hit OK, we should find this FFE4, this JMP ESP, right? And this is perfect; this is exactly what we want right here. So what we're going to do is we're going to hit F2. So F2 will turn it blue, and what we have just done is we've set a breakpoint. So we have the breakpoint running. What this means is we're going to overflow the buffer, but if we hit this specific spot, this jump code, it's not going to jump to a further instruction. It's actually going to break the program and pause right here for further instruction from us, and that's all we want. We don't have anywhere to jump to right now, so it's not important.
We just need to know that we are hitting this. We're overwriting the EIP in the exact spot we need to, and then we're going to be able to jump forward. So let's go ahead and hit play here, and then what we're going to do is we're going to go back into Kali. We're going to execute our script, so let's go ahead and do that. We'll run 2.py here. You know what, I do apologize here. I never deleted the original code here. So if you caught that, good job. OK, let's go ahead and try that now.

OK, so we ran it, and what happened? You see "Breakpoint at essfunc.625011AF" happened. The program is now paused. We have hit our breakpoint. That means we control the EIP. Look at this: 625011AF. We control the EIP. Now all we have to do is generate some shellcode, point directly to that shellcode, and we are home free with root. So we're going to go ahead and do that in the next video. I'll catch you over there.