Getting a Shell

00:00

getting a shell

00:02

are learning objective is to understand how to create shell code to ultimately get a shell on the box or buffer overflow box.

00:11

So at this point shutdown immunity. D bugger if you want to you can go back and use it again and attach the program. But if you want to live life dangerously,

00:21

just leave the program up here. You know, start to stack buffer overflow good

00:27

and just let it run

00:29

so I'll go back to my Cali box.

00:37

And what I'll do now is I want to create my shell code.

00:43

So I'm using MSF venom again and I'm using my payload Windows Shell, reverse TCP, you can change this, you can make it uh Shell, you can do interpreter, reverse TCP.

00:55

I like shel reverse TCP because I can use Net Cat. I don't have to set up,

01:00

You know, I don't have to set up medicine played again. So you'll see that my local host is my Cali box by port is 4444.

01:07

Exit function threat is to prevent the program from crashing If I get out of my neck. Cat shell,

01:14

Our format is in Python and we're using an encoding of X 86 Shikata Ghana.

01:19

No, I I should help them saying that right. Shikata ga nai.

01:23

And here's our here are bad characters. So we went through all that whole process of finding bad characters. Right? Don't forget this step because if you forget this or if you don't include the bad characters in here, your shell is not going to work and you're gonna be wondering why? I would say a lot of the problems. I ran into a lot of the reasons why my shells did not work was because I didn't find all the bad characters. So that's why I keep

01:44

saying is important to find the bad characters

01:48

and I'm going to call it shell when I put it into my python script.

01:55

So you see here here's the final size of the Python file. This is 1008 and seven bites. Why is it? That becomes important when

02:02

you only have a certain buffer size and if you make your shell code too big,

02:09

it won't execute, it won't work. But I know in my trying this out that this size is fine and it does work but just

02:19

be cognizant depending on what the program is, the more bites you have, um you know, the more you're writing to the program and the more chance you have of it crashing and not working. So I like to keep my shell code as small as possible

02:32

so I'll take this,

02:35

I'm going to add it to our

02:38

script Now.

02:40

You can see if I've already done this before, but here's my comment. I like to know what I did because I can't remember what port

02:47

I need to have for Net Cat.

02:51

Mhm.

02:53

He did it.

02:55

So of course

02:59

What I'm changing here is I have a nop sled or not slide, which is this X 90.

03:05

I have it at 10. Some people use three, some people use eight, I'm going to use 10 and then I'm adding my shell code to it.

03:13

If you read through the guide,

03:15

the author does not like not sleds. He actually hates them.

03:20

Um but I'm going off of what I learned from the P. W. K. Material again. Try both ways, try the way the author wrote and try this way and see which one you like. His code is beautiful. Like I said, mine is probably a lot more messy, but this is the way I learned it. So this is the way that I write it

03:38

and hopefully it works.

03:42

So I will save this

03:44

and I will set up my Net cat listener.

03:50

And what I'll do now

03:55

is I'm going to launch our shell script and hope that I see

04:00

a nice Windows command prompt pop up in the right window

04:05

and there we go.

04:06

We can see we have the connection received from our Windows box and we can see we're on the desktop.

04:15

So now here is where you can ultimately find your proof file or local file and uh you've successfully done the buffer overflow a lot of work. Um, but ultimately, you know, when I see that command prompt pop up,

04:31

that's one of the best things I can see after all that work.

04:34

So again, if you're not seeing this,

04:38

go back through the bad characters and see if there are more

04:43

um, and just go through the steps before. I I've done it before, where I start from square one,

04:50

and I would say most of the time, the reason I don't get a shell is because of bad characters, so keep that in mind.