aka der hacker und die 7 gei lein 27 03 2018 exploit
play

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development - PowerPoint PPT Presentation

Dec 28, 2022 •123 likes •613 views

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

  1. Ein Blick in die Hexenküche der Exploit Entwickler aka “Der Hacker und die 7 Geißlein ”

  2. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2

  3. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 3

  4. #whoami Florian Bogner IT Security Expert aka “Professional Hacker” Speaker and Trainer Bug Bounty Hunter More than 50 vulnerabilities reported to: 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 4

  5. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 5

  6. Who? Nation states / APT Money Fun / Learning Advanced Pentests / Hacking other Creating exploits for You have to start Red Teaming Attacks countries for “self APT Threat Actors somewhere, right? defense” and “peace” e.g. to check the Here’s the big money: From simply buffer security of a self- e.g. NSA, Russia, … Up to 1.5 million USD! overflows to really developed application. complex tutorials e.g. Zerodium available 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 6

  7. Douche Bags We make bags! Inc 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 7

  8. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 8

  9. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 9

  10. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 10

  11. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 11

  12. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 12

  13. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 13

  14. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 14

  15. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 15

  16. What is a Stack Overflow? Program Stack 100 Stack frame for Main void main() { Parameters for Main() /* Application logic */ } Return address Stack “grows” from higher to lower addresses Main’s local variables 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 16

  17. What is a Stack Overflow? Program Stack 100 Stack frame for Main void main( const char *the_file) { Parameters for Main() const char *bitmap = load_file(the_file); /* More application logic */ } Return address Stack “grows” from higher to lower addresses Main’s local variables const char * load_file( const char *the_file) { Stack frame for Load Parameters for Load() char tmp_buffer[10]; strcpy(tmp_buffer, load_from(the_file)); /* More application logic */ Return address return; } Load’s local variables 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 17

  18. What is a Stack Overflow? Program Stack 100 Stack frame for Main void main( const char *the_file) { Parameters for Main() const char *bitmap = load_file(the_file); /* More application logic */ } Return address Stack “grows” from higher to lower addresses Main’s local variables const char * load_file( const char *the_file) { Stack frame for Load Parameters for Load() char tmp_buffer[10]; strcpy(tmp_buffer, load_from(the_file)); /* More application logic */ Return address return; } Load’s local variables What happens if load_from() returns more than 10 characters? 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 18

  19. What is a Stack Overflow? Program Stack 100 Stack frame for Main void main( const char *the_file) { Parameters for Main() const char *bitmap = load_file(the_file); /* More application logic */ } Return address Stack “grows” from higher to lower addresses Main’s local variables const char * load_file( const char *the_file) { Stack frame for Load Parameters for Load() char tmp_buffer[10]; strcpy(tmp_buffer, load_from(the_file)); /* More application logic */ Return address A stack overflow return; } Load’s local variables What happens if load_from() returns more than 10 characters? 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 19

  20. What is a Stack Overflow? Program Stack 100 Stack frame for Main void main( const char *the_file) { Parameters for Main() const char *bitmap = load_file(the_file); /* More application logic */ } Return address Stack “grows” from higher to lower addresses Main’s local variables const char * load_file( const char *the_file) { Stack frame for Load Parameters for Load() char tmp_buffer[10]; strcpy(tmp_buffer, load_from(the_file)); Return address /* More application logic */ Return address return; } Load’s local variables The attacker now controls the execution flow! 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 20

  21. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 21

  22. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Seite 22

  23. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Seite 23

  24. Fuzzing Normal flow Display Image File Irfan View Processing With Fuzzing Error / Vulnerability Image File Irfan View Processing 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 24

  25. Live Demo: Fuzzing with BFF

  26. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Seite 26

  27. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 27

  28. What is a Stack Overflow? Program Stack 100 void main( const char *the_file) { Parameters for Main() const char *bitmap = load_file(the_file); /* More application logic */ } Return address Stack “grows” from higher to lower addresses Main’s local variables const char * load_file( const char *the_file) { Parameters for Load() char tmp_buffer[10]; strcpy(tmp_buffer, load_from(the_file)); Return address /* More application logic */ Return address return; } Load’s local variables The attacker now controls the execution flow! 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 28

  29. What is a Stack Overflow? Stack 100 Parameters for Main() Image Return address Stack “grows” from higher to lower addresses Main’s local variables Image content Parameters for Load() Return address Return address Shellcode Continue execution Load’s local variables with our Shellcode 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 29

  30. Live Demo: Weaponize 1/2!

  31. What is a Stack Overflow? Stack 100 Parameters for Main() Image Return address Stack “grows” from higher to lower addresses Main’s local variables Image content Parameters for Load() Return address Return address Shellcode Continue execution Load’s local variables with our Shellcode 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 31

  32. What is a Stack Overflow? Stack 100 Parameters for Main() Image Return address Stack “grows” from higher to lower addresses Main’s local variables Image content Parameters for Load() Magic Return address Return address Shellcode Continue execution Load’s local variables with our Shellcode 10 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 32

  33. What is a Stack Overflow? Image Return address Doesn’t work! Image is a memory mapped file Image content Shellcode 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 33

  34. What is a Stack Overflow? Image Return address 004D0BA9 POP POP RET Image content Stack Shellcode 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 34

  35. Live Demo: Weaponize 2/2!

  36. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Seite 36

  37. Our Plan Win! Weaponize Information Gathering Vulnerability Identify Target Search for Attack Vulnerabilities 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 37

  38. Final Demo: The Victim’s PoV

Recommend

CAN WE FIX IT? SEBASTIUS, HACKER HOTEL 2016 About me Sebastian Oort Teacher by day Self taught

CAN WE FIX IT? SEBASTIUS, HACKER HOTEL 2016 About me Sebastian Oort Teacher by day Self taught

CAN WE FIX IT? SEBASTIUS, HACKER HOTEL 2016 About me Sebastian Oort Teacher by day Self taught hacker/fixer Love retro-hardware CAN WE FIX IT? PROJECT 4 PRACTICAL REPAIRS FOR EVERYONE APRIL 2, 2016 HACKER HOTEL DATUM KLANT REFLOW BAKE

447 views • 23 slides
Deborah Lein VP and COO, Greater Public dlein@greaterpublic.org How different are we? Same:

Deborah Lein VP and COO, Greater Public dlein@greaterpublic.org How different are we? Same:

Deborah Lein VP and COO, Greater Public dlein@greaterpublic.org How different are we? Same: fundraising sources engagement strategies data access concerns Different: On-air fundraising The promise of CRM Better public

528 views • 24 slides
From Zero to Zero-day How I became a hacker and why you should Carl Svensson @ Detectify 5/12

From Zero to Zero-day How I became a hacker and why you should Carl Svensson @ Detectify 5/12

From Zero to Zero-day How I became a hacker and why you should Carl Svensson @ Detectify 5/12 2018 1 / 14 Background Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com

313 views • 14 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
Think Like a Hacker Assaf Harel, Chief Scientist and Co-Founder What Does it Mean? 2 |

Think Like a Hacker Assaf Harel, Chief Scientist and Co-Founder What Does it Mean? 2 |

Think Like a Hacker Assaf Harel, Chief Scientist and Co-Founder What Does it Mean? 2 | Confidential Provided for Workshop use only Why Would a Hacker Want to Hack a Car? Cryptocurrency Personal Information Ransomware Mining

517 views • 17 slides
P ARALLEL P ROGRAMS U SING A D OMAIN -S PECIFIC L ANGUAGE T OBIAS K LEIN T OOL F OR D EVELOPMENT

P ARALLEL P ROGRAMS U SING A D OMAIN -S PECIFIC L ANGUAGE T OBIAS K LEIN T OOL F OR D EVELOPMENT

T OWARDS I NTERACTIVE V ISUAL E XPLORATION OF M ASSIVELY P ARALLEL P ROGRAMS U SING A D OMAIN -S PECIFIC L ANGUAGE T OBIAS K LEIN T OOL F OR D EVELOPMENT AND A NALYSIS OF O PEN CL K ERNELS W HY V ISUALIZE P ARALLEL P ROGRAMS ? I NSPIRED BY A

610 views • 16 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
PRELIMINARY BUDGET PRESENTATION 2018-2019 DR. NANCY M. HACKER, SUPERINTENDENT MR. KENNETH KING,

PRELIMINARY BUDGET PRESENTATION 2018-2019 DR. NANCY M. HACKER, SUPERINTENDENT MR. KENNETH KING,

PRELIMINARY BUDGET PRESENTATION 2018-2019 DR. NANCY M. HACKER, SUPERINTENDENT MR. KENNETH KING, BUSINESS MANAGER OUR MISSION STATEMENT The Mission of the School District of Springfield Township is to educate and develop all students as

257 views • 13 slides
Concepts Drive Change AUSA v7, 4 OCT 2018 Compete Penetrate Dis-Integrate Exploit Re-Compete

Concepts Drive Change AUSA v7, 4 OCT 2018 Compete Penetrate Dis-Integrate Exploit Re-Compete

Concepts Drive Change AUSA v7, 4 OCT 2018 Compete Penetrate Dis-Integrate Exploit Re-Compete 1 Threats Layer Stand - off Combined Arms Armies employ organic long-, mid-, and short-range systems to create operational and tactical

372 views • 9 slides
How to exploit CI as a means of deployment? Breakout session 26-27th Feb 2018 58th CREST Open

How to exploit CI as a means of deployment? Breakout session 26-27th Feb 2018 58th CREST Open

How to exploit CI as a means of deployment? Breakout session 26-27th Feb 2018 58th CREST Open Workshop About me - Software Engineer - Interests: code quality, testing, performance, AI/ML, NN, etc... - Strengthening teams and helping them go

366 views • 26 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides
Software Engineering Through the eyes of a hacker, academic, employee, and CEO Chad Spensky

Software Engineering Through the eyes of a hacker, academic, employee, and CEO Chad Spensky

Software Engineering Through the eyes of a hacker, academic, employee, and CEO Chad Spensky chad@allthenticate.net Founder and CEO of Allthenticate My Journey 1990s: Internet pirate, hacker, and master tinkerer 2004-2008: College student at

809 views • 53 slides
Reproducible Research The Hacker Within Monday 15 th October 2018 Simon Branford Advertising

Reproducible Research The Hacker Within Monday 15 th October 2018 Simon Branford Advertising

Reproducible Research The Hacker Within Monday 15 th October 2018 Simon Branford Advertising vs. Scholarship Jon Claerbout: An article about computational results is advertising, not scholarship. The actual scholarship is the full

399 views • 21 slides
EPP: powerful vehicle to exploit the Polish retail growth story Investor update NOVEMBER 2018

EPP: powerful vehicle to exploit the Polish retail growth story Investor update NOVEMBER 2018

EPP: powerful vehicle to exploit the Polish retail growth story Investor update NOVEMBER 2018 Disclaimer This document has been prepared and issued by and is the sole responsibility of the management of EPP N.V. (the Company or EPP)

769 views • 43 slides
CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure

929 views • 64 slides
Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction Programs have become increasingly difficult to exploit larger, changing surface area mitigations more bytes to siphon through 10/22/2015

652 views • 46 slides
Bringing Riak to the Mobile Platform Kresten Krab Thorup Hacker @drkrab Bringing Riak to the

Bringing Riak to the Mobile Platform Kresten Krab Thorup Hacker @drkrab Bringing Riak to the

Bringing Riak to the Mobile Platform Kresten Krab Thorup Hacker @drkrab Bringing Riak to the Mobile Platform Client Kresten Krab Thorup Hacker @drkrab About the Speaker Language Geek Emacs/TeX Hacker, Objective C, NeXT, GNU Compiled

963 views • 41 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
STANDUP POKER KALPESH SHAH CULTURE HACKER & ENTERPRISE AGILE COACH A few things about me.

STANDUP POKER KALPESH SHAH CULTURE HACKER & ENTERPRISE AGILE COACH A few things about me.

STANDUP POKER KALPESH SHAH CULTURE HACKER & ENTERPRISE AGILE COACH A few things about me. CULTURE HACKER AGILE & LEAN Trainer SPEAKER Scrum & Agile User Groups Global Agile Conferences Guest Lecturer at

475 views • 19 slides
RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure We have

1.04k views • 52 slides
<3 Thursday, July 23, 2009 Artur Bergman artur@crucially.net perl hacker

<3 Thursday, July 23, 2009 Artur Bergman artur@crucially.net perl hacker

<3 Thursday, July 23, 2009 Artur Bergman artur@crucially.net perl hacker varnish hacker Operations & Engineering at Wikia Thursday, July 23, 2009 Wikia Hosts wiki communities www.wowwiki.com (second largest)

1.16k views • 103 slides
TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit isapieceofsoftware,achunkof data,orsequenceofcommandsthattake

398 views • 24 slides
A Day In The Life of a Hacker Things we get up to when nobody is looking, and that keep me awake

A Day In The Life of a Hacker Things we get up to when nobody is looking, and that keep me awake

A Day In The Life of a Hacker Things we get up to when nobody is looking, and that keep me awake at night... Adam Laurie adam@thebunker.net http://www.thebunker.net FIRST Geek Zone Seville, 2007 Contents InfraRed RFID ATMs /

1.34k views • 92 slides
Visualizing the Sonic Topology of a Poem Nina McCurdy, Julie Lein, Katharine Coles, Mirah Meyer

Visualizing the Sonic Topology of a Poem Nina McCurdy, Julie Lein, Katharine Coles, Mirah Meyer

Poemage: Visualizing the Sonic Topology of a Poem Nina McCurdy, Julie Lein, Katharine Coles, Mirah Meyer Domain Data Abstraction Visualization System Design Process Domain Data Abstraction Visualization System Design Process Distant

543 views • 25 slides

More recommend