This document discusses the history and evolution of computer exploits from early vulnerabilities like stack overflows to modern techniques like return oriented programming and kernel exploits. It provides examples of major exploits from the Morris Worm in 1988 to recent zero-days. It also outlines numerous bypass techniques for defenses such as ASLR, sandboxes, and KASLR. The document examines the sophisticated Pegasus spyware and its developer, the Israeli cybersecurity firm NSO Group.

1. DÜNDEN BUGÜNE EXPLOIT
DÜNYASI
Onur ALANBEL

2. $id -un
• Bilgisayar Mühendisi (İYTE)
• Kurucu @cricomtr (cri.com.tr)
• Geliştirici @TaintAll (taintall.com)
• Uygulama Güvenliği Araştırmacısı
• Github: github.com/onura
• Twitter: @onuralanbel
• https://packetstormsecurity.com/search/?q=onur+alanbel

3. VULNERABILITYVS POCVS
EXPLOIT
• Vulnerability: istismar edilebilir hata (bug).

4. VULNERABILITYVS POCVS
EXPLOIT
• Vulnerability: istismar edilebilir hata (bug).
• PoC: Zafiyeti tetikleyen kod.

5. VULNERABILITYVS POCVS
EXPLOIT
• Vulnerability: istismar edilebilir hata (bug).
• PoC: Zafiyeti tetikleyen kod.
• Exploit: Program akışını manipüle eden kod ve girdi
birleşimi.

6. NEREDE BULUNURLAR?

7. NEDEN KULLANILIRLAR?
• Yetkisiz Erişim
• YetkiYükseltme

8. SMASHINGTHE STACK
1996-11-08

9. MORRIS WORM
1988-11-02

10. MS08-067
• RPC RCE
• Conficker

12. DÜNVS BUGÜN
• SDLC (no stack overflow?)

13. DÜNVS BUGÜN

14. DÜNVS BUGÜN
➤ Buffer Overrun
➤ Buffer Overflow
➤ Stack overflow
➤ Heap overflow
➤ UAF
➤ Double Free
➤ Memory Corruption
➤ Unbound Memory Read / Write
➤ Arbitrary Memory Read / Write
➤ Type Confusion
➤ Race Condition
➤ Logic Bugs
➤ ….

15. CODE
Program
Instructions
RX
STACK
User
Input
RWX

16. CODE
Program
Instructions
RX
STACK
User
Input
RW
ROP
Return
Oriented
Programming
Non-Executable Memory or
DEP

17. CODE
Program
Instructions
RX
STACK
User
Input
RW
Address Space Layout Randomization
Stack
Heap
DLL Base
Code Base

18. ASLR BYPASS
• Info Leak
• Partial PC Overwrite
• Non-ASLR Components/Libraries
• Heap Spray (Nop Sled)
• PLT Overwrite
• GOT Dereference

19. SANDBOX
Target Process
OS Components
Limited Access
Other Processes

20. Kernel
shellcode
User
Process
Trigger a
NULL
Pointer
Dereference

21. Kernel
shellcode
User
Process
Run/Read

22. Kernel
PAGEZERO
inaccessable
User
Process
:(
Compatibility
Issues

23. ROP
Kernel
Fake Stack
User
Process
SMEP
Supervisor Mode Execution Prevention

24. ROP
Fake Stack
Kernel User
Process
SMEP/
SMAP
Supervisor Mode Access Prevention

25. KASLR BYPASS
• Info Leak
• Partial PC Overwrite
• Side Channel Attacks (UsuallyTime Based)

26. DIĞER KORUMALAR
• Stack Canaries/Cookies
• Memory Protector, Isolated heap
• Different Data/Code Caches
• …

27. PEGASUS OLAYI
• Milyon Dolarlık Exploit Nasıl Gözükür?

28. Kurban bir linke tıklar
UAF (CVE-2016-4657)
Arbitrary Read to
Break ASLR
Arbitrary Write to
Gain Code Execution
Fake NULL Pointer
Dereference
Info Leak (CVE-2016-4655)
Break KASLR
Kernel UAF (CVE-2016-4656) to
Jailbreak

29. ARKASINDA KİMVAR?
• NSO GroupTechnologies 2010 da kurulan İsrail çıkışlı
bir güvenlik firması.
• 200 çalışan, $40 milyon 2013, $150 milyon in 2015
yıllık gelir.
• İş tanımları: NSO Group provides "authorized
governments with technology that helps them
combat terror and crime”.

30. GÜNDEM
• Siber Silah
• Siber Caydırıcılık
• Aktif Siber Savaş