aka Der Hacker und die 7 Geißlein 27/03/2018 // Exploit Development - PowerPoint PPT Presentation

  1. A look into the witches' kitchen of the exploit developers (original title: "Ein Blick in die Hexenküche der Exploit Entwickler") aka "Der Hacker und die 7 Geißlein"

  2. 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2

  4. #whoami: Florian Bogner, IT Security Expert aka "Professional Hacker", Speaker and Trainer, Bug Bounty Hunter. More than 50 vulnerabilities reported to: (vendor logos on the slide)

  6. Who writes exploits, and why?
     - Nation states / APT: hacking other countries for "self defense" and "peace", e.g. NSA, Russia, ...
     - Money: creating exploits for APT threat actors. Here's the big money: up to 1.5 million USD! e.g. Zerodium
     - Fun / Learning: you have to start somewhere, right? Tutorials are available, from simple buffer overflows to really complex ones.
     - Advanced pentests / red teaming attacks: e.g. to check the security of a self-developed application.

  7. Our (fictional) target: Douche Bags Inc. "We make bags!"

  8. Our Plan: Identify Target -> Information Gathering -> Search for Vulnerabilities -> Weaponize Vulnerability -> Attack -> Win!

  16. What is a Stack Overflow?

      void main() {
          /* Application logic */
      }

      Program stack, drawn from high addresses (100) down to low addresses (10); the stack "grows" from higher to lower addresses:

      Stack frame for Main
          Parameters for Main()
          Return address
          Main's local variables

  17. What is a Stack Overflow? Main now calls a loader:

      void main(const char *the_file) {
          const char *bitmap = load_file(the_file);
          /* More application logic */
      }

      const char *load_file(const char *the_file) {
          char tmp_buffer[10];
          strcpy(tmp_buffer, load_from(the_file));
          /* More application logic */
          return;
      }

      Program stack (high to low):

      Stack frame for Main
          Parameters for Main()
          Return address
          Main's local variables
      Stack frame for Load
          Parameters for Load()
          Return address
          Load's local variables (tmp_buffer)

  18. What is a Stack Overflow? What happens if load_from() returns more than 10 characters?

  19. What is a Stack Overflow? A stack overflow: strcpy() keeps writing past the end of tmp_buffer, up into the rest of Load's frame.

  20. What is a Stack Overflow? The bytes that follow the 10th character land on Load's saved return address. The attacker now controls the execution flow!
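The overwrite on slides 17 to 20, replayed as an added example that is not part of the talk. The frame layout is a constructed model of what the slide draws (32-bit, buffer, saved frame pointer, return address), not the layout of any real binary; the payload, the target address 0xDEADBEEF and the helper names are assumptions made for this example. The vulnerable copy is paired with a bounds-checked replacement.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of load_file()'s stack frame as drawn on the slide:
 * the 10-byte buffer, then the saved frame pointer and the return address.
 * Assumptions: 32-bit x86, 2 bytes of alignment padding after the buffer.
 * The real layout is decided by the compiler; confirm it in a debugger. */
struct load_frame {
    char     tmp_buffer[10];   /* Load's local variable */
    char     pad[2];           /* alignment filler */
    uint32_t saved_ebp;        /* caller's frame pointer */
    uint32_t return_address;   /* where Load's "return" jumps to */
};

/* The slide's strcpy() pattern, replayed into the model frame so the
 * overwrite can be observed without corrupting the real stack.
 * The only difference from strcpy(): it stops at the end of the model. */
void load_vulnerable(struct load_frame *f, const char *data, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, data, len);      /* nothing stops this at tmp_buffer[9] */
}

/* Hardened replacement: refuse input that does not fit, keep the terminator. */
int load_safe(char *dst, size_t dst_len, const char *data, size_t len)
{
    if (dst_len == 0 || len >= dst_len)
        return -1;             /* too long: reject instead of overflowing */
    memcpy(dst, data, len);
    dst[len] = '\0';
    return 0;
}

/* Distance from the first buffer byte to the saved return address: the
 * number of filler bytes an exploit sends before the address it wants used. */
size_t return_address_offset(void)
{
    return offsetof(struct load_frame, return_address)
         - offsetof(struct load_frame, tmp_buffer);
}

/* Constructed payload: 32 bytes of 'A' with an attacker-chosen address
 * placed exactly at the return address offset. Returns the return
 * address that ends up in the frame after the unbounded copy. */
uint32_t overwritten_return_address(void)
{
    struct load_frame f = { .saved_ebp = 0xBFFFF000u,
                            .return_address = 0x00401000u };
    const uint32_t chosen = 0xDEADBEEFu;          /* placeholder target */
    char payload[32];

    memset(payload, 'A', sizeof payload);
    memcpy(payload + return_address_offset(), &chosen, sizeof chosen);
    load_vulnerable(&f, payload, sizeof payload);
    return f.return_address;                       /* now 0xDEADBEEF */
}

/* Helpers for the hardened path: 9 bytes fit in 10, 10 bytes do not. */
int safe_copy_fits(void)
{
    char dst[10];
    return load_safe(dst, sizeof dst, "123456789", 9);      /* 0 */
}

int safe_copy_rejects(void)
{
    char dst[10];
    return load_safe(dst, sizeof dst, "0123456789", 10);    /* -1 */
}

int main(void)
{
    printf("return address sits %zu bytes after tmp_buffer\n",
           return_address_offset());
    printf("after the overflow the return address is 0x%08" PRIx32 "\n",
           overwritten_return_address());
    printf("load_safe: 9 bytes -> %d, 10 bytes -> %d\n",
           safe_copy_fits(), safe_copy_rejects());
    return 0;
}
```

The saved frame pointer is clobbered with 0x41414141 on the way to the return address; in a real target that offset is found with a cyclic pattern and a debugger rather than with offsetof(), because compilers reorder and pad locals.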

  24. Fuzzing. Normal flow: Image File -> IrfanView Processing -> Display. With fuzzing: (mutated) Image File -> IrfanView Processing -> Error / Vulnerability.
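A minimal mutation-fuzzing loop of the kind the slide describes, added here as an example; it is not BFF, not the talk's demo and does not touch IrfanView. The image format, the buggy parser and the seed file are constructed for this example. The parser's overflowing copy is intercepted and reported as a return code so the model stays memory safe; in a real target that is the point where the debugger attached by the fuzzer sees a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy image format (not IrfanView's or any real one):
 *   "BM", u16 width, u16 height (little endian), then width*height pixel bytes. */
#define HEADER_LEN 6
#define PIXEL_BUF  64

enum { PARSE_OK = 0, PARSE_REJECT = 1, PARSE_CRASH = 2 };

/* Target under test. Its bug: it trusts width*height from the header and
 * copies that many bytes into a fixed 64-byte buffer. The overflowing copy is
 * intercepted here and reported as PARSE_CRASH so the model stays memory safe;
 * a real target would fault (or worse) at this point. */
int parse_image(const uint8_t *data, size_t len)
{
    uint8_t pixels[PIXEL_BUF];
    if (len < HEADER_LEN || data[0] != 'B' || data[1] != 'M')
        return PARSE_REJECT;                   /* bad magic: handled cleanly */
    uint32_t width  = data[2] | (uint32_t)data[3] << 8;
    uint32_t height = data[4] | (uint32_t)data[5] << 8;
    size_t needed = (size_t)width * height;
    if (needed > sizeof pixels)
        return PARSE_CRASH;                    /* the missing bounds check */
    if (needed > len - HEADER_LEN)
        return PARSE_REJECT;                   /* truncated file: handled cleanly */
    memcpy(pixels, data + HEADER_LEN, needed);
    return PARSE_OK;
}

/* xorshift32: deterministic, so every campaign is reproducible from its seed. */
static uint32_t rng_next(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* Dumb mutation: copy the seed file, then apply 1..4 random bit flips or
 * byte overwrites. The length is preserved. */
size_t mutate(const uint8_t *seed, size_t len, uint8_t *out, uint32_t *rng)
{
    memcpy(out, seed, len);
    unsigned edits = 1 + rng_next(rng) % 4;
    while (edits--) {
        size_t pos = rng_next(rng) % len;
        if (rng_next(rng) & 1)
            out[pos] ^= (uint8_t)(1u << (rng_next(rng) % 8));
        else
            out[pos] = (uint8_t)rng_next(rng);
    }
    return len;
}

/* Build a 70-byte file with the given dimension bytes and parse it. */
int parse_sample(uint8_t w_lo, uint8_t w_hi, uint8_t h_lo, uint8_t h_hi)
{
    uint8_t file[HEADER_LEN + PIXEL_BUF] = { 'B', 'M', w_lo, w_hi, h_lo, h_hi };
    return parse_image(file, sizeof file);
}

/* The campaign: mutate a valid 8x8 seed `iters` times, feed each mutant to
 * the parser and count the crashes. Returns the crash count. */
unsigned fuzz_campaign(unsigned iters, uint32_t rng_seed)
{
    uint8_t seed[HEADER_LEN + PIXEL_BUF] = { 'B', 'M', 8, 0, 8, 0 };
    uint8_t mutant[sizeof seed];
    uint32_t rng = rng_seed ? rng_seed : 1;   /* xorshift must not start at 0 */
    unsigned crashes = 0;
    for (unsigned i = 0; i < iters; i++) {
        size_t len = mutate(seed, sizeof seed, mutant, &rng);
        if (parse_image(mutant, len) == PARSE_CRASH)
            crashes++;          /* a real fuzzer saves this mutant for triage */
    }
    return crashes;
}

int main(void)
{
    printf("seed parses as %d (0 = ok)\n", parse_sample(8, 0, 8, 0));
    printf("crashing mutants in 1000 runs: %u\n", fuzz_campaign(1000, 12345));
    return 0;
}
```

Most mutants are rejected or parse fine; the interesting ones are those that keep the magic intact and change a dimension byte. A real fuzzer such as BFF keeps every crashing input and the seed that produced it, deduplicates by crash location, and is the starting point for the "Weaponize" step that follows.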

  25. Live Demo: Fuzzing with BFF (the CERT Basic Fuzzing Framework)

  29. What is a Stack Overflow? Weaponizing it. The crafted image file carries: Return address, Image content, Shellcode. Stack (high to low): Parameters for Main(), Return address, Main's local variables, Parameters for Load(), Return address (replaced by the one from the image), Load's local variables (filled with the image content). Execution continues with our shellcode.

  30. Live Demo: Weaponize 1/2!

  32. What is a Stack Overflow? Same picture as before, but the step from the overwritten return address to the shellcode is marked "Magic": the return address has to point at the shellcode somewhere in memory.

  33. What is a Stack Overflow? Pointing the return address straight at the shellcode inside the image doesn't work! The image is a memory-mapped file, so the address where its content (and the shellcode in it) ends up is not one the exploit can hardcode.

  34. What is a Stack Overflow? Instead, the return address in the image is set to 004D0BA9, the address of a POP POP RET gadget. The two POPs discard two values from the stack; the RET then continues on the stack, where the copied image content, and with it the shellcode, is reached.
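How a POP POP RET address like the one on the slide is found, and what the gadget does with the stack, as an added example that is not part of the talk. The module image, its base address 0x10000000 and the gadget offset are constructed for this example; the slide's 004D0BA9 comes from the actual IrfanView build used in the demo and is not recomputed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Single-byte x86 POP r32 opcodes are 0x58 (POP EAX) .. 0x5F (POP EDI). */
static int is_pop_r32(uint8_t b)
{
    return b >= 0x58 && b <= 0x5F;
}

/* Scan a loaded module image for the byte pattern POP r32; POP r32; RET and
 * return the virtual address of the first hit (image_base + offset), 0 if none.
 * Run this over a module that is not rebased or randomized, otherwise the
 * address changes between runs. */
uint32_t find_pop_pop_ret(const uint8_t *image, size_t len, uint32_t image_base)
{
    for (size_t i = 0; i + 2 < len; i++) {
        if (is_pop_r32(image[i]) && is_pop_r32(image[i + 1]) && image[i + 2] == 0xC3)
            return image_base + (uint32_t)i;
    }
    return 0;
}

/* What the gadget does once the overwritten return address sends execution
 * to it: given the three stack slots above the return address, the two POPs
 * consume the first two and RET jumps to the third. Returns that target. */
uint32_t pop_pop_ret_target(const uint32_t *slots_after_ret)
{
    return slots_after_ret[2];
}

/* Constructed "module": 4 KiB of NOP filler with one gadget planted at
 * offset 0x0BA9 and a hypothetical, non-randomized base of 0x10000000. */
uint32_t demo_gadget_address(void)
{
    static uint8_t module[0x1000];
    memset(module, 0x90, sizeof module);
    module[0x0BA9] = 0x5E;   /* POP ESI */
    module[0x0BAA] = 0x5B;   /* POP EBX */
    module[0x0BAB] = 0xC3;   /* RET */
    return find_pop_pop_ret(module, sizeof module, 0x10000000u);  /* 0x10000BA9 */
}

/* Same scan over filler only: no gadget, so 0. */
uint32_t demo_no_gadget(void)
{
    static uint8_t module[0x1000];
    memset(module, 0x90, sizeof module);
    return find_pop_pop_ret(module, sizeof module, 0x10000000u);
}

/* Constructed stack picture after the ret into the gadget: two slots the
 * POPs throw away, then the pointer the exploit wants RET to use. */
uint32_t demo_ret_target(void)
{
    const uint32_t slots[3] = { 0x11111111u, 0x22222222u, 0x33333333u };
    return pop_pop_ret_target(slots);   /* 0x33333333 */
}

int main(void)
{
    printf("POP POP RET found at 0x%08x\n", (unsigned)demo_gadget_address());
    printf("filler-only image: 0x%08x\n", (unsigned)demo_no_gadget());
    printf("after POP POP RET, execution continues at 0x%08x\n",
           (unsigned)demo_ret_target());
    return 0;
}
```

Two practical checks before using such an address: the module must load at the same base every time (no ASLR, no relocation), and the address must survive the copy that triggers the bug. With strcpy(), a null byte terminates the copy, so an address like 004D0BA9 only works because its null is the highest byte, which in little-endian order is written last and doubles as the string terminator. Executing shellcode from the stack additionally requires that DEP is not enforced for the process.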

  35. Live Demo: Weaponize 2/2!

  38. Final Demo: The Victim’s PoV
