1
00:00:00,000 --> 00:00:05,040
Now I know what you're thinking. We haven't had any demonstrations yet and there's been a lot

2
00:00:05,040 --> 00:00:10,000
of discussion about memory exploits. Well I'm glad you asked because here we are.

3
00:00:10,800 --> 00:00:15,040
Inside of our lab I want to show you a couple things real quick as we start off.

4
00:00:15,040 --> 00:00:21,360
I am in the Windows 10 BWAP system and this is going to be our targeted practice here.

5
00:00:21,360 --> 00:00:26,480
But I also want to point out that I am logged in as I send the Alt-Control-Delete command here.

6
00:00:27,440 --> 00:00:33,279
Oh don't see it in there. I'm logged in as Eric and the password for Eric is password.

7
00:00:33,279 --> 00:00:39,279
The reason that I've done this is because quite simply I wanted a regular user on the system

8
00:00:39,279 --> 00:00:44,480
and not an administrator for us to pick with. Because I want to get as far as we can using

9
00:00:44,480 --> 00:00:49,919
that regular user and making sure that we can exploit memory corruption in the stack or the

10
00:00:49,919 --> 00:00:56,560
heap and basically kind of keep this as a real world example. Now I want you to see right off

11
00:00:56,560 --> 00:01:02,720
the bat that we already have dummy.exe going and I put it on the desktop here. Now that should

12
00:01:02,720 --> 00:01:07,360
already tell us a couple of things. First of all dummy doesn't require to be in it. You don't have

13
00:01:07,360 --> 00:01:14,080
to be an administrator to run dummy and that's why when we create packages using msfvenom using

14
00:01:14,080 --> 00:01:19,360
the specified file types they can be a little bit dangerous when you start sending them around to

15
00:01:19,360 --> 00:01:25,760
organizations that aren't prepared for this. So like a pentest and that's why there is always

16
00:01:25,760 --> 00:01:30,400
things like cybersecurity training, cybersecurity awareness, CompTIA Security+ here on CBT

17
00:01:30,400 --> 00:01:38,080
Nuggets. But this allows us to be able to connect to the actual system itself because I have created

18
00:01:38,080 --> 00:01:43,760
another connection over here. Let me get rid of that for a second and show you that I am in the

19
00:01:43,760 --> 00:01:51,919
session for Eric and I am right there. Session two. Now you may have seen already that I had a

20
00:01:51,919 --> 00:01:57,040
couple of things pulled up but we're going to start by doing a quick search. Now I will be

21
00:01:57,040 --> 00:02:02,000
jumping through this because there's a lot of waiting for something like this to happen

22
00:02:02,959 --> 00:02:08,720
and what we're going to be using here and all the codes below this video is doing an exploit search

23
00:02:08,720 --> 00:02:14,639
on the actual system itself. Now I know as I've mentioned already in the text above this video

24
00:02:14,639 --> 00:02:20,880
that we've already completed vulnerability scans as part of our recon process and always going back

25
00:02:20,880 --> 00:02:26,720
to that as we go through the pentesting lifecycle. But this is no exception because once we have an

26
00:02:26,720 --> 00:02:32,639
open reverse shell to the system in this case through Meterpreter that we're going to do a

27
00:02:32,639 --> 00:02:37,919
little bit more recon and see if there's any exploits that are shown through Metasploit

28
00:02:38,479 --> 00:02:43,199
and that may be because let's say the vulnerability assessment tools that we're using

29
00:02:43,199 --> 00:02:49,679
don't necessarily show this as an actual vulnerability on the system. In fact I went

30
00:02:49,679 --> 00:02:54,559
back in some of the previous skills in between the last set of videos and this one and did a little

31
00:02:54,559 --> 00:03:00,720
bit of digging inside of OpenVAS scans and I didn't see this in the reported scan against the actual

32
00:03:00,720 --> 00:03:06,240
BWAP system. So this is something to keep in kind of your hip pocket because once you have an

33
00:03:06,240 --> 00:03:13,759
established session you can actually run this. And in order to do it again codes below we're

34
00:03:13,759 --> 00:03:19,039
going to be using the post/multi/recon/local_exploit_suggester and when you hit that you're

35
00:03:19,039 --> 00:03:24,000
going to go into the sub menu for it. Now you could go through and set all the different options

36
00:03:24,000 --> 00:03:28,800
by hitting show options but I'm going to jump straight to the point here and just go to set

37
00:03:28,800 --> 00:03:36,399
session two and that will basically throw everything to session two in order to be able

38
00:03:36,399 --> 00:03:41,199
to say hey what are we scanning session two is what we're scanning. Now just in case you're curious

39
00:03:42,479 --> 00:03:47,199
show options let's go ahead and go in there and see that and see that there aren't many in here.

40
00:03:47,199 --> 00:03:51,119
Now the exploit that we will be running does require us to have an option set up

41
00:03:51,919 --> 00:03:59,440
uh here momentarily but once you already set the session id or in this case two you just simply

42
00:03:59,440 --> 00:04:05,759
hit run. Now this is going to go through a known database inside of Metasploit so this is why we

43
00:04:05,759 --> 00:04:12,559
always try to keep our pen testing systems up to date. And right now as of this recording there are

44
00:04:12,559 --> 00:04:19,920
2,570 different individual vulnerabilities that Metasploit knows about in order to be able to

45
00:04:19,920 --> 00:04:25,920
search for. You can kind of disregard some of the traffic that you're seeing here on the actual

46
00:04:25,920 --> 00:04:32,320
system itself even though it does say that you have a couple that appear to be vulnerable to

47
00:04:32,320 --> 00:04:39,119
that system. You're going to get a printout here momentarily right there to let you know what is

48
00:04:39,119 --> 00:04:45,440
and what isn't popping up as a good vulnerability. Scroll up to the top and skip all the ones that

49
00:04:45,440 --> 00:04:52,959
you don't see. Basically all the ones here numbers one through five and I'll zoom in for you here

50
00:04:52,959 --> 00:04:58,000
real quick are the ones that we're taking a look at. But the one in particular that we really want

51
00:04:58,000 --> 00:05:07,920
to focus in on is number four and that is CVE-2024-35250, the ks driver. Now why am I picking on

52
00:05:07,920 --> 00:05:15,519
this one in particular? Well wouldn't you know that this CVE is actually a high one very critical

53
00:05:15,519 --> 00:05:22,079
inside the Windows world and as you can see in our BWAP system before that's a Windows 10

54
00:05:22,079 --> 00:05:29,359
workstation. So this is actually predominantly found in workstations of the Windows variety

55
00:05:29,359 --> 00:05:36,000
specifically in Windows 10. And there are known patches for it but if you remember like we were

56
00:05:36,000 --> 00:05:40,320
talking about with the vulnerability assessments this never really came up. Now I haven't gone

57
00:05:40,320 --> 00:05:46,559
through and patched Windows 10 inside of our lab environment. You may find on your own system if

58
00:05:46,559 --> 00:05:53,200
you run Windows 10 that this vulnerability does not exist. Now that being said what's going on

59
00:05:53,200 --> 00:06:01,839
here? Well when this module is run on a targeted system like what we're doing here especially a

60
00:06:01,839 --> 00:06:08,720
compromised Windows system that has this vulnerability we're taking a low-level user

61
00:06:08,720 --> 00:06:17,519
account like Eric and we're trying to exploit Windows through a driver that we make have

62
00:06:17,519 --> 00:06:23,600
access to system on the actual operating system. So trying to make it the highest admin possible.

63
00:06:24,239 --> 00:06:30,480
Now this does not use any kind of buffer overflow or tag in case you're doing memory analysis but it

64
00:06:30,480 --> 00:06:38,559
uses a very weird technique called arbitrary write. And this is usually because it has an

65
00:06:38,559 --> 00:06:50,000
untrusted pointer dereference. And so what does all that mean? Well this is actually a memory

66
00:06:50,000 --> 00:06:57,679
attack for the heap itself. And it's using excess memory that's not being properly allocated

67
00:06:57,679 --> 00:07:05,519
or properly assigned statically for programs being run and for that we would normally use

68
00:07:05,519 --> 00:07:11,760
for buffer overflow attacks. Now with that being said now that we're on this targeted system over

69
00:07:11,760 --> 00:07:19,760
here we're going to go ahead and use that particular exploit on the system. And that's

70
00:07:19,760 --> 00:07:25,279
as simple as going to use exploit and I'm just scrolling up because I had to make sure that this

71
00:07:25,279 --> 00:07:31,679
vulnerability did exist on the target system. And again codes below you'll see use exploit windows

72
00:07:31,679 --> 00:07:37,519
local cve yada yada. Now when you do this you will need to check your show options on this one

73
00:07:38,079 --> 00:07:48,079
because even though we do have the ability to tie to a session this will need a local host in order

74
00:07:48,079 --> 00:07:54,239
to reach back to i.e. us. So the only thing that you'll need to do here is first set session

75
00:07:55,760 --> 00:08:06,640
uh excuse me singular not plural two and then set local host to 192.168.0.53 i.e. the

76
00:08:06,640 --> 00:08:12,959
Kali box that we're using in this demonstration. And then once that's done I want to show you so

77
00:08:12,959 --> 00:08:18,239
that way you know what's actually going on. In particular I want to make sure that we are

78
00:08:18,239 --> 00:08:25,839
focused on right here uh learn my alphabet a little bit better down at the end area.

79
00:08:26,480 --> 00:08:33,119
So the reason is is because the last time I ran this it opened up notepad and it should still

80
00:08:33,119 --> 00:08:41,679
open up notepad but it should do it at a different level. And so we see nis serve serve.exe as being

81
00:08:41,679 --> 00:08:49,760
our only in for the alphabet. Let's go ahead and go in here to Kali and say run.

82
00:08:52,479 --> 00:09:03,520
Now we've injected you can see here that we've done a DLL injection and notepad was run at PID 9208.

83
00:09:05,280 --> 00:09:10,799
All right well let's go over to our Windows system here real quick. Yep there it is.

84
00:09:10,799 --> 00:09:18,239
Now it is run as me but does this give us admin privileges or can we do anything else?
