The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
The document discusses post-exploitation techniques on macOS and iOS. It summarizes a technique called "userland-exec" that allows executing binaries on macOS without involving the kernel. It then describes efforts to port this technique to iOS by injecting libraries instead of binaries due to code signing restrictions. The author demonstrates injecting an unsigned library into a process on a factory iPhone by hijacking the dlopen function and loading the library from memory. This technique paves the way for developing advanced payloads like Meterpreter on unmodified iOS devices.
The document discusses Java serialization and common myths surrounding it. It summarizes that Java serialization allows for flexible evolution of classes while maintaining backwards compatibility through the use of serialVersionUID. It debunks common myths that Java serialization is slow, inflexible, or that changing private fields breaks compatibility. The document explains that serialization performance depends more on how streams are used rather than the underlying implementation.
The State of Managed Runtimes 2013, by Attila SzegediZeroTurnaround
There’s JVM, and that’s it, right? Well, not exactly. Even within JVM, there’s an increasing support for running all kinds of non-Java languages: we have invokedynamic, but it’s being improved, and new layers of functionality are emerging on top of it, making JVM a better home for all kinds of programming languages. There’s life outside of JVM too. JavaScript seems to be a new assembler-lever compilation target even for C programs (I’ll show some amusing examples of what exactly you can run these days in a browser) , and there are some independent efforts at managed runtimes in various stages of completion that seem promising – PyPy, Topaz, Rubinius, Parrot VM (it’s alive again!). This talk is admittedly a language-runtime-enthusiast’s walk-through the things he finds interesting happening this year. Recorded at GeekOut 2013.
This document discusses programming techniques for low-latency Java applications. It begins by explaining what low-latency means and when it is needed. It then covers various techniques including: using concurrent flows and minimizing context switches; exchanging data between threads via queues instead of shared memory; preallocating objects to avoid allocations; and directly accessing serialized data instead of object instances. The document also discusses memory issues like garbage collection pauses and cache line contention. It covers alternatives for accessing native code like JNA, JNI, and shared memory. Critical JNI is presented as a faster option than regular JNI.
The document provides an overview of writing idiomatic Objective-C code. It discusses key Objective-C concepts like classes, methods, memory management with ARC, properties, protocols, threading with GCD, blocks, and common design patterns used in Apple's frameworks like MVC, target-action, KVC, and delegation. It emphasizes adopting Apple's conventions for naming, file organization, and other practices to write code that fits with Cocoa frameworks.
This document summarizes the basics of memory management in Python. It discusses key concepts like variables, objects, references, and reference counting. It explains how Python uses reference counting with generational garbage collection to manage memory and clean up unused objects. The document also covers potential issues with reference counting like cyclic references and threads, and how the global interpreter lock impacts multi-threading in Python.
Mastering java bytecode with ASM - GeeCON 2012Anton Arhipov
The document provides an overview of using the ASM bytecode manipulation framework. It discusses constructing a ClassWriter to output bytecode, visiting classes and methods, and generating simple bytecode instructions like loading constants, invoking methods, and control flow instructions like if/goto. The goal is to demonstrate how to generate and modify Java bytecode programmatically using ASM.
The document discusses a market data vendor that processes data from exchange feeds and distributes it to customers. It provides millions of quotes per second using a pure Java solution called QDS Core, which parses, normalizes, and distributes the data. QDS Core uses optimized data structures like arrays and lock-free synchronization to achieve high performance. The vendor also provides an easier to use API called dxFeed on top of QDS Core to enable integration.
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
The document discusses post-exploitation techniques on macOS and iOS. It summarizes a technique called "userland-exec" that allows executing binaries on macOS without involving the kernel. It then describes efforts to port this technique to iOS by injecting libraries instead of binaries due to code signing restrictions. The author demonstrates injecting an unsigned library into a process on a factory iPhone by hijacking the dlopen function and loading the library from memory. This technique paves the way for developing advanced payloads like Meterpreter on unmodified iOS devices.
The document discusses Java serialization and common myths surrounding it. It summarizes that Java serialization allows for flexible evolution of classes while maintaining backwards compatibility through the use of serialVersionUID. It debunks common myths that Java serialization is slow, inflexible, or that changing private fields breaks compatibility. The document explains that serialization performance depends more on how streams are used rather than the underlying implementation.
The State of Managed Runtimes 2013, by Attila SzegediZeroTurnaround
There’s JVM, and that’s it, right? Well, not exactly. Even within JVM, there’s an increasing support for running all kinds of non-Java languages: we have invokedynamic, but it’s being improved, and new layers of functionality are emerging on top of it, making JVM a better home for all kinds of programming languages. There’s life outside of JVM too. JavaScript seems to be a new assembler-lever compilation target even for C programs (I’ll show some amusing examples of what exactly you can run these days in a browser) , and there are some independent efforts at managed runtimes in various stages of completion that seem promising – PyPy, Topaz, Rubinius, Parrot VM (it’s alive again!). This talk is admittedly a language-runtime-enthusiast’s walk-through the things he finds interesting happening this year. Recorded at GeekOut 2013.
This document discusses programming techniques for low-latency Java applications. It begins by explaining what low-latency means and when it is needed. It then covers various techniques including: using concurrent flows and minimizing context switches; exchanging data between threads via queues instead of shared memory; preallocating objects to avoid allocations; and directly accessing serialized data instead of object instances. The document also discusses memory issues like garbage collection pauses and cache line contention. It covers alternatives for accessing native code like JNA, JNI, and shared memory. Critical JNI is presented as a faster option than regular JNI.
The document provides an overview of writing idiomatic Objective-C code. It discusses key Objective-C concepts like classes, methods, memory management with ARC, properties, protocols, threading with GCD, blocks, and common design patterns used in Apple's frameworks like MVC, target-action, KVC, and delegation. It emphasizes adopting Apple's conventions for naming, file organization, and other practices to write code that fits with Cocoa frameworks.
This document summarizes the basics of memory management in Python. It discusses key concepts like variables, objects, references, and reference counting. It explains how Python uses reference counting with generational garbage collection to manage memory and clean up unused objects. The document also covers potential issues with reference counting like cyclic references and threads, and how the global interpreter lock impacts multi-threading in Python.
Mastering java bytecode with ASM - GeeCON 2012Anton Arhipov
The document provides an overview of using the ASM bytecode manipulation framework. It discusses constructing a ClassWriter to output bytecode, visiting classes and methods, and generating simple bytecode instructions like loading constants, invoking methods, and control flow instructions like if/goto. The goal is to demonstrate how to generate and modify Java bytecode programmatically using ASM.
The document discusses a market data vendor that processes data from exchange feeds and distributes it to customers. It provides millions of quotes per second using a pure Java solution called QDS Core, which parses, normalizes, and distributes the data. QDS Core uses optimized data structures like arrays and lock-free synchronization to achieve high performance. The vendor also provides an easier to use API called dxFeed on top of QDS Core to enable integration.
A presentation at Twitter's official developer conference, Chirp, about why we use the Scala programming language and how we build services in it. Provides a tour of a number of libraries and tools, both developed at Twitter and otherwise.
The document discusses Guild, a new concurrency abstraction for Ruby that allows parallel execution across Guilds while avoiding data races. It provides demonstrations of Guild performance on a 40 vCPU system. Guilds allow sharing immutable and specially defined mutable objects between Guilds, while normal mutable objects cannot be shared to avoid data races. Inter-Guild communication uses an actor model with sending/receiving semantics. Non-shareable objects can be sent between Guilds either by copying or moving ownership.
This document discusses the runtime of Node.js and its V8 JavaScript engine. It describes how V8 uses fast property access through hidden classes, dynamic machine code generation to compile JavaScript directly to machine code, and efficient garbage collection. It also provides an example "Hello World" Node.js program.
A status update on JRuby, covering compatibility, Rails, and next-gen performance numbers. JRuby is currently the fastest way to run Rails apps, and we're doing work to make it even faster in the future.
The document discusses differences between Ruby and Scala programming languages. Some key similarities include both being class-based object-oriented languages with functional features. Differences include Scala using explicit types while Ruby is dynamically typed, and Scala having separate concepts of methods and functions while Ruby blurs the distinction. The document also compares features like class definitions, collections, functions as values, and enhancing existing classes.
What's a macro?: Learning by Examples / Scalaのマクロに実用例から触れてみよう!scalaconfjp
Macros allow code to generate code by replacing expressions during compilation. They enable simplifying code and improving efficiency. While macros are powerful, their implementation can be complex, requiring knowledge of compiler internals. The scala.meta library aims to simplify metaprogramming by representing programs as trees without losing information, making macros easier to write without deep compiler expertise.
The document discusses Java memory allocation profiling using the Aprof tool. It explains that Aprof works by instrumenting bytecode to inject calls that count and track object allocations. This allows it to provide insights on where memory is being allocated and identify potential performance bottlenecks related to garbage collection.
The document discusses threads, which allow for multiple paths of execution within an application. All user interface updates must occur on the main thread. While performing background tasks, one can use timers, performSelector methods, or manual NSThreads to ensure the main thread remains responsive for UI updates. JSON provides a simple format for communicating data between client and server applications on iPhone, and the SBJSON framework can be used to parse JSON strings into Objective-C objects.
Down the Rabbit Hole: An Adventure in JVM WonderlandCharles Nutter
The document discusses exploring interesting Java features and how they are compiled and executed by the JVM. It will look at bytecode, compiler logs, and native code generated for simple Java examples. The goal is to understand hidden performance costs, how code design impacts performance, and what the JVM can and cannot optimize. It begins with a "Hello World" example and examines the bytecode, compiler logs showing inlining, and native assembly code generated by the JIT compiler.
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
This document summarizes an overview of parallelism and multithreading on iOS. It covers key topics like parallelism terminology, why parallelization is important, and how it can be achieved through multiple processes, threads, high-level abstractions like Grand Central Dispatch and operation queues, and instruction-level parallelism. It also discusses challenges like race conditions and synchronization issues that must be addressed with techniques like locks and mutexes when working with threads.
Bringing Concurrency to Ruby - RubyConf India 2014Charles Nutter
The document discusses bringing concurrency to Ruby. It begins by defining concurrency and parallelism, noting that both are needed but platforms only enable parallelism if jobs can split into concurrent tasks. It reviews concurrency and parallelism in popular Ruby platforms like MRI, JRuby, and Rubinius. The document outlines four rules for concurrency and discusses techniques like immutable data, locking, atomics, and specialized collections for mutable data. It highlights libraries that provide high-level concurrency abstractions like Celluloid for actors and Sidekiq for background jobs.
Understanding the Dalvik bytecode with the Dedexer toolGabor Paller
This document discusses the Dalvik virtual machine used in Android and how to decompile Dalvik bytecode using the Dedexer tool. It provides background on Android's use of Java and the Dalvik VM. Key points include: Dalvik uses its own bytecode format rather than Java bytecode and executes applications; the Dedexer tool can be used to disassemble DEX files back into Dalvik bytecode; and differences in Dalvik like its register-based rather than stack-based design are explained. Examples of Dalvik bytecode instructions and register usage are also provided.
The document introduces a plan to cover Java and Android basics, Android UI topics, and Android in action over three parts. Part I provides an introduction to Java concepts like the JVM, garbage collection, threads, and an overview of the Android architecture and building blocks. It also demonstrates an NDK example. The document outlines the topics that will be covered in each part of the training.
Type Profiler: An Analysis to guess type signaturesmametter
This document discusses type profiling, which is a technique for extracting type information from Ruby code without requiring type annotations. It proposes three type profilers:
1. Static Analysis 1 (SA1) guesses type signatures for method parameters based on which methods are called on those parameters.
2. Static Analysis 2 (SA2) focuses on guessing types for built-in classes.
3. Dynamic Analysis (DA) enhances the existing RubyTypeInference tool by running test suites and monitoring method calls and returns to aggregate type information.
The document evaluates SA1 on a sample WEBrick codebase and finds some common failures in the guessed types. Overall, type profiling aims to extract type information automatically as an alternative
Scala is a modern programming language created by Martin Odersky that provides static typing and supports both object-oriented and functional programming paradigms. It compiles to Java bytecode and runs on the Java Virtual Machine (JVM), allowing it to interoperate with Java. Many consider Scala to be a better alternative to Java due to its concise and expressive syntax. Scala sees widespread use in production systems and has growing job opportunities for developers with Scala skills.
The document discusses representing instance variables in Pharo as first-class objects called slots. It describes how slots can be composed of a storage slot and decorator slots to combine behaviors. This solves the problem of wanting to combine certain slot types, like making a observable slot that also has a default value, without exploding the number of possible slot combinations. The proposed solution is a composed slot that has one storage slot and any number of decorator slots. Decorators modify behavior before and after reads and writes, while wrappers wrap the underlying slot. Most wrappers can be implemented as decorators instead to simplify composition. Status is work in progress to reimplement all existing slots to work with this composable model.
The document discusses representing instance variables in Pharo as first-class objects called slots. This allows instance variables to be customized by creating subclasses of slots. However, there is a combinatorial explosion problem when trying to combine the behaviors of different slot types. The proposed solution is to allow slots to be composed of one storage slot plus zero or more decorator slots, addressing this problem. Decorators can modify behavior before, after, or around reads and writes to the storage slot. This composition approach allows flexible combination of slot behaviors without exponential growth of subclasses.
This document provides an introduction to .NET and Core C# programming. It discusses the .NET Framework, Common Language Infrastructure (CLI), Common Type System (CTS), Common Language Specification (CLS), and Common Intermediate Language (CIL). It also covers Mono, building and running C# applications on different platforms, and using various IDEs like Visual Studio.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
A presentation at Twitter's official developer conference, Chirp, about why we use the Scala programming language and how we build services in it. Provides a tour of a number of libraries and tools, both developed at Twitter and otherwise.
The document discusses Guild, a new concurrency abstraction for Ruby that allows parallel execution across Guilds while avoiding data races. It provides demonstrations of Guild performance on a 40 vCPU system. Guilds allow sharing immutable and specially defined mutable objects between Guilds, while normal mutable objects cannot be shared to avoid data races. Inter-Guild communication uses an actor model with sending/receiving semantics. Non-shareable objects can be sent between Guilds either by copying or moving ownership.
This document discusses the runtime of Node.js and its V8 JavaScript engine. It describes how V8 uses fast property access through hidden classes, dynamic machine code generation to compile JavaScript directly to machine code, and efficient garbage collection. It also provides an example "Hello World" Node.js program.
A status update on JRuby, covering compatibility, Rails, and next-gen performance numbers. JRuby is currently the fastest way to run Rails apps, and we're doing work to make it even faster in the future.
The document discusses differences between Ruby and Scala programming languages. Some key similarities include both being class-based object-oriented languages with functional features. Differences include Scala using explicit types while Ruby is dynamically typed, and Scala having separate concepts of methods and functions while Ruby blurs the distinction. The document also compares features like class definitions, collections, functions as values, and enhancing existing classes.
What's a macro?: Learning by Examples / Scalaのマクロに実用例から触れてみよう!scalaconfjp
Macros allow code to generate code by replacing expressions during compilation. They enable simplifying code and improving efficiency. While macros are powerful, their implementation can be complex, requiring knowledge of compiler internals. The scala.meta library aims to simplify metaprogramming by representing programs as trees without losing information, making macros easier to write without deep compiler expertise.
The document discusses Java memory allocation profiling using the Aprof tool. It explains that Aprof works by instrumenting bytecode to inject calls that count and track object allocations. This allows it to provide insights on where memory is being allocated and identify potential performance bottlenecks related to garbage collection.
The document discusses threads, which allow for multiple paths of execution within an application. All user interface updates must occur on the main thread. While performing background tasks, one can use timers, performSelector methods, or manual NSThreads to ensure the main thread remains responsive for UI updates. JSON provides a simple format for communicating data between client and server applications on iPhone, and the SBJSON framework can be used to parse JSON strings into Objective-C objects.
Down the Rabbit Hole: An Adventure in JVM WonderlandCharles Nutter
The document discusses exploring interesting Java features and how they are compiled and executed by the JVM. It will look at bytecode, compiler logs, and native code generated for simple Java examples. The goal is to understand hidden performance costs, how code design impacts performance, and what the JVM can and cannot optimize. It begins with a "Hello World" example and examines the bytecode, compiler logs showing inlining, and native assembly code generated by the JIT compiler.
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
This document summarizes an overview of parallelism and multithreading on iOS. It covers key topics like parallelism terminology, why parallelization is important, and how it can be achieved through multiple processes, threads, high-level abstractions like Grand Central Dispatch and operation queues, and instruction-level parallelism. It also discusses challenges like race conditions and synchronization issues that must be addressed with techniques like locks and mutexes when working with threads.
Bringing Concurrency to Ruby - RubyConf India 2014Charles Nutter
The document discusses bringing concurrency to Ruby. It begins by defining concurrency and parallelism, noting that both are needed but platforms only enable parallelism if jobs can split into concurrent tasks. It reviews concurrency and parallelism in popular Ruby platforms like MRI, JRuby, and Rubinius. The document outlines four rules for concurrency and discusses techniques like immutable data, locking, atomics, and specialized collections for mutable data. It highlights libraries that provide high-level concurrency abstractions like Celluloid for actors and Sidekiq for background jobs.
Understanding the Dalvik bytecode with the Dedexer toolGabor Paller
This document discusses the Dalvik virtual machine used in Android and how to decompile Dalvik bytecode using the Dedexer tool. It provides background on Android's use of Java and the Dalvik VM. Key points include: Dalvik uses its own bytecode format rather than Java bytecode and executes applications; the Dedexer tool can be used to disassemble DEX files back into Dalvik bytecode; and differences in Dalvik like its register-based rather than stack-based design are explained. Examples of Dalvik bytecode instructions and register usage are also provided.
The document introduces a plan to cover Java and Android basics, Android UI topics, and Android in action over three parts. Part I provides an introduction to Java concepts like the JVM, garbage collection, threads, and an overview of the Android architecture and building blocks. It also demonstrates an NDK example. The document outlines the topics that will be covered in each part of the training.
Type Profiler: An Analysis to guess type signaturesmametter
This document discusses type profiling, which is a technique for extracting type information from Ruby code without requiring type annotations. It proposes three type profilers:
1. Static Analysis 1 (SA1) guesses type signatures for method parameters based on which methods are called on those parameters.
2. Static Analysis 2 (SA2) focuses on guessing types for built-in classes.
3. Dynamic Analysis (DA) enhances the existing RubyTypeInference tool by running test suites and monitoring method calls and returns to aggregate type information.
The document evaluates SA1 on a sample WEBrick codebase and finds some common failures in the guessed types. Overall, type profiling aims to extract type information automatically as an alternative
Scala is a modern programming language created by Martin Odersky that provides static typing and supports both object-oriented and functional programming paradigms. It compiles to Java bytecode and runs on the Java Virtual Machine (JVM), allowing it to interoperate with Java. Many consider Scala to be a better alternative to Java due to its concise and expressive syntax. Scala sees widespread use in production systems and has growing job opportunities for developers with Scala skills.
The document discusses representing instance variables in Pharo as first-class objects called slots. It describes how slots can be composed of a storage slot and decorator slots to combine behaviors. This solves the problem of wanting to combine certain slot types, like making a observable slot that also has a default value, without exploding the number of possible slot combinations. The proposed solution is a composed slot that has one storage slot and any number of decorator slots. Decorators modify behavior before and after reads and writes, while wrappers wrap the underlying slot. Most wrappers can be implemented as decorators instead to simplify composition. Status is work in progress to reimplement all existing slots to work with this composable model.
The document discusses representing instance variables in Pharo as first-class objects called slots. This allows instance variables to be customized by creating subclasses of slots. However, there is a combinatorial explosion problem when trying to combine the behaviors of different slot types. The proposed solution is to allow slots to be composed of one storage slot plus zero or more decorator slots, addressing this problem. Decorators can modify behavior before, after, or around reads and writes to the storage slot. This composition approach allows flexible combination of slot behaviors without exponential growth of subclasses.
This document provides an introduction to .NET and Core C# programming. It discusses the .NET Framework, Common Language Infrastructure (CLI), Common Type System (CTS), Common Language Specification (CLS), and Common Intermediate Language (CIL). It also covers Mono, building and running C# applications on different platforms, and using various IDEs like Visual Studio.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
When Node.js Goes Wrong: Debugging Node in Production
The event-oriented approach underlying Node.js enables significant concurrency using a deceptively simple programming model, which has been an important factor in Node's growing popularity for building large scale web services. But what happens when these programs go sideways? Even in the best cases, when such issues are fatal, developers have historically been left with just a stack trace. Subtler issues, including latency spikes (which are just as bad as correctness bugs in the real-time domain where Node is especially popular) and other buggy behavior often leave even fewer clues to aid understanding. In this talk, we will discuss the issues we encountered in debugging Node.js in production, focusing upon the seemingly intractable challenge of extracting runtime state from the black hole that is a modern JIT'd VM.
We will describe the tools we've developed for examining this state, which operate on running programs (via DTrace), as well as VM core dumps (via a postmortem debugger). Finally, we will describe several nasty bugs we encountered in our own production environment: we were unable to understand these using existing tools, but we successfully root-caused them using these new found abilities to introspect the JavaScript VM.
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
Blocks is a cool concept and is very much needed for performance improvements and responsiveness. GCD helps run blocks effortlessly by scheduling on a desired queue, priority and lots more.
DEP and ASLR are security mechanisms to prevent code execution from non-executable memory regions and randomize memory locations of processes. DEP can be disabled at runtime by finding functions like NtSetInformationProcess. ASLR weaknesses include incompatible applications and DLLs that are statically positioned. Attackers can also bypass ASLR by partially overwriting memory or leveraging memory information leaks.
Lyon Yang gave a presentation about exploiting IoT and embedded devices. He discussed how he became interested in embedded systems exploitation and contributed to the field. Yang explained common vulnerabilities he finds, such as stack overflows, backdoors, and exposed credentials. He demonstrated attacks like privilege escalation, command injection, and exploiting cache coherency issues. Yang provided tips for writing exploits against various architectures and overcoming challenges like bad characters and auto-restarting services.
Dynamic Languages in Production: Progress and Open Challengesbcantrill
This document discusses dynamic languages in production and open challenges. It summarizes the history and rise of dynamic languages like Lisp, Java, and Node.js. It then describes tools developed at Joyent to debug Node.js applications in production environments, including mdb_v8 for post-mortem debugging using core dumps, and integrating Node.js with DTrace for live tracing and profiling. These tools allow inspecting runtime state, identifying memory leaks, and debugging non-reproducible issues.
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsFelipe Prado
Linux EDRs present challenges for adversaries seeking to evade detection. The document discusses several strategies and techniques for evading Linux EDRs, including:
1) Utilizing existing trusted system binaries as decoys to bypass process pattern matching. Techniques include using ld.so and busybox to launch payloads.
2) Developing "Uber preloaders" that can load modular payloads and provide command line arguments for evasion.
3) Storing payloads in volatile memory using techniques like memfd_create to avoid detection by EDRs scanning files on disk.
4) Coordinating payloads and preloaders through a "Zombie Ant Farm" module that stores
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
Raffaele Rialdi discusses building plugins for Node.js that interface with .NET Core. He covers hosting the CoreCLR from C++, building a C++ V8 addon, and introduces xcore which allows calling .NET from JavaScript/TypeScript by analyzing metadata and optimizing performance. Examples show loading CLR, creating a .NET object, and calling methods from JavaScript using xcore. Potential use cases include Node.js apps, Electron apps, scripting Powershell, and Nativescript mobile apps.
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
Reid Wightman's presentation at AppSec DC 2012. Reid provides background and the lates on Digital Bond's Project Basecamp. New PLC exploit modules include a Stuxnet-type attack on the Modicon Quantum.
Halvar Flake and Sebastian Porst present BinCrowd, a tool for analyzing disassembled binaries. It allows uploading analysis results to a central database for later retrieval and comparison to other binaries. This helps identify code reuse across different programs. The presentation covers techniques for function matching and scoring file similarity. It also discusses how BinCrowd can be accessed using IDA Pro and managing access levels for team collaboration.
Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life. Malware that is OS and architecture independent, as covert as a cutting edge rootkit but at the same time implemented through a series of API\'s and a generous variety of high-level OOP languages simplifying the task
This document discusses techniques for exploiting DLL hijacking vulnerabilities remotely through user interaction. It argues that DLL hijacking is still a viable attack vector despite protections like DEP and ASLR. It proposes manipulating the current directory to execute exploits and hiding DLLs in archives, email attachments, and browser redressing to trigger exploits without appearing suspicious. While not suitable for mass attacks, it concludes DLL hijacking enables rapid targeted attacks by abusing existing vulnerabilities.
The document summarizes upcoming features and enhancements in Java 8, including project Jigsaw for modules, the Nashorn JavaScript engine, JVM convergence between HotSpot and JRockit, lambda expressions, and functional updates to core Java collections. It also discusses design decisions around lambda translation using invokedynamic and the benefits this approach provides.
This document discusses return-oriented programming (ROP) techniques for exploiting systems with non-executable memory pages. It provides an overview of ROP, describes algorithms for automatically finding "gadgets" (snippets of code) within a binary that can be chained together to perform tasks, and introduces a ROP compiler called The Wolf that helps chain gadgets while accounting for side effects. The goal is to execute attacker-controlled code on systems with protections like code signing and sandboxing enabled.
Automated Mobile Malware Classificationzynamics GmbH
This document discusses developing an automated system called VxClass for classifying mobile malware. It summarizes the current state of mobile malware, the problem of variant detection, and proposes using program comparison tools to analyze malware variants at scale. The system would allow users to upload files to check against a malware database, identify variants, and optionally share samples. Pricing models and a roadmap are proposed to adapt the system to emerging mobile platforms and file types.
Applications of the Reverse Engineering Language REILzynamics GmbH
1) REIL is a platform-independent intermediate language designed for reverse engineering. It has a small instruction set and simple operand types to simplify analysis.
2) Applications of REIL include register tracking to follow data flow, index underflow detection to find bugs, automated deobfuscation to make code more readable, and ROP gadget generation to create return-oriented shellcode.
3) Future work includes developing BinAudit with more vulnerability research algorithms and type reconstruction to determine higher-level data types in registers.
VxClass is a malware classification tool that analyzes binary code samples through structural comparison rather than byte-by-byte matching. It automatically unpacks samples using emulation, extracts structural information, compares samples to known malware families, and stores results in a database for correlation and visualization. This allows unknown samples to be categorized even if they were obtained or obfuscated differently, aiding incident response and malware analysis.
The document describes the Reverse Engineering Intermediate Language (REIL), which aims to provide a simple, platform-independent intermediate representation for binary code analysis. REIL uses a small set of instructions that can be easily translated from various processor architectures into a common format. This allows analyses like register tracking to be implemented using the same algorithms regardless of the original platform. REIL is implemented using a technique called MonoREIL that models the program as a graph and solves it using a lattice-based dataflow analysis approach. This enables powerful analyses to be built from the common REIL representation.
Platform-independent static binary code analysis using a meta-assembly languagezynamics GmbH
This document describes a platform-independent static code analysis framework called MonoREIL that uses abstract interpretation. It introduces an intermediate representation called REIL that can be extracted from disassembled binary code. MonoREIL implements abstract interpretation over REIL code to perform analyses like register tracking and detecting negative array indexing without dependence on platform or source code. The framework is intended for offensive security purposes like binary analysis where source is unavailable.
This document outlines a technique for executing arbitrary binaries in memory on a Mac OS X machine by defeating address space layout randomization (ASLR). It discusses:
1. The structure of Mach-O files and how binaries are executed by the kernel and dynamic linker in Mac OS X.
2. A proposed attack that embeds a shellcode and crafted stack in a binary to impersonate the kernel and load a new binary into memory.
3. How ASLR works in Mac OS X Leopard and a method to retrieve the base address of the libSystem library to adjust symbol addresses and defeat ASLR, enhancing the attack.
4. A demonstration of the technique executing Nmap and Safari
Automated static deobfuscation in the context of Reverse Engineeringzynamics GmbH
This document discusses automated static deobfuscation in the context of reverse engineering. It describes challenges with deobfuscation like side effects, code blowup, and address mapping. It summarizes the authors' approach of translating obfuscated assembly to REIL and running algorithms on it. However, it notes limitations like inability to debug and side effects. It considers alternatives like effect comments, formula extraction, and a full compiler to better address problems but notes the significant work required.
2. Who I am
• Student at Politecnico di Milano
• Security Consultant at Secure Network srl
• Reverse Engineer at zynamics GmbH
3. Quick overview
• The old guy:
– Userland-exec on OSX
– Some practical examples
• The new guy:
– Something similar to userland-exec on factory
Iphone
– Proof that it works
– First step toward Meterpreter on factory iPhone
4. Mach-O file
• Header structure: information on the target
architecture and options to interpret the file.
• Load commands: symbol table location,
registers state.
• Segments: define region of the virtual
memory, contain sections with code or data.
7. Let your Mach-O fly!
• Userland-exec
– Execute an application without the kernel
• Technique was presented at BH DC
• The first part of this talk covers technique and
some applications of it to Mac OS X
8. WWW
• Who: an attacker with a remote code
execution in his pocket.
• Where: the attack is two-staged. First run a
shellcode to receive the binary, then run the
auto-loader contained in the binary.
• Why: later in this talk.
9. What kind of binaries?
• Any Mach-O file, from ls to Safari
• In real life, probably stuff like keyboard
sniffers, other not-so-nice programs
10. What normally happens
• You want to run your binary: mybin
• execve system call is called
• Kernel parses the binary, maps code and data,
and creates a stack for the binary
• Dyld resolves dependencies and jumps to the
binary entry point
11. What Mach-O on the Fly does
• Craft a binary which contains a stack identical
to the one created by the kernel and a piece
of code which mimics the kernel
• Send binary to exploited process
• Do some cleanup, jump to the dynamic linker
entry point (as the kernel would do)
15. Auto-loader
• Embedded in binary
• Impersonates the kernel
• Un-maps the old binary
• Maps the new one
16. Auto-loader description
• Parses the binary
• Reads the virtual addresses of the injected
binary segments
• Unloads the attacked binary segments pointed
by the virtual addresses
• Loads the injected binary segments
17. Auto-loader description(2)
• Maps the crafted stack referenced by
__PAGEZERO
• Cleans registers
• Cleans some libSystem variables
• Jumps to dynamic linker entry point
18. We do like pictures, don’t we?
Victim’s process address space
TEXT DATA LINKEDIT SEGMENT
-N
TEXT DATA LINKEDIT SEGMENT-N
19. Infected binary
• We need to find a place to store the auto-
loader and the crafted stack
• __PAGEZERO infection technique
• Cavity infector technique
20. PAGEZERO Infection
• Change __PAGEZERO protection flags with a
custom value
• Store the crafted stack and the auto-loader
code at the end of the binary
• Point __PAGEZERO to the crafted stack
• Overwrite the first bytes of the file with the
auto-loader address
21. Binary layout
MODIFIED HEADER
INFECTED __PAGEZERO
LOAD COMMANDS AND
SEGMENTS
SECTIONS AND BINARY DATA
SHELLCODE
CRAFTED STACK
22. Let’s clean things up
• We need to clean up some variables in order
to make the attack work
• They are stored in libSystem
• They are not exported
• ASLR for libraries makes this non-trivial
• No dlopen/dlsym combo
23. Defeat ASLR using the dynamic
linker
• The dynamic linker has a list of the linked
libraries
• We can access this list by using some of its
function
• Remember that we want to perform
everything in memory
24. Useful dyld functions
• _dyld_image_count() used to retrieve the
number of linked libraries of a process.
• _dyld_get_image_header() used to retrieve
the base address of each library.
• _dyld_get_image_name() used to retrieve the
name of a given library.
25. Find ‘em
• Parse dyld load commands.
• Retrieve __LINKEDIT address.
• Iterate dyld symbol table and search for the
functions name in __LINKEDIT.
26. Back to libSystem
• Non-exported symbols are taken out from the
symbol table when loaded.
• Open libSystem binary, find the variables in
the symbol table.
• Adjust variables to the base address of the in-
memory __DATA segment.
27. Put pieces together
• Iterate the header structure of libSystem in-
memory and find the __DATA base address.
– __DATA base address 0x2000
– Symbol at 0x2054
– In-memory __DATA base address 0x4000
– Symbol in-memory at 0x4054
28. Mach-O Fly payload
• Not much bigger than bind shellcode
• A lot of work is in preparing the binary to send
30. Results
• Execute a binary to an arbitrary machine.
• No traces on the hard-disk.
• No execve(), the kernel doesn’t know about
us.
• It works with every binary.
• It is possible to write payloads in a high level
language.
33. Iphone nightmare - first step
• We (I and Charlie) tried to port my attack to
Iphone and we succeeded on jailbroken ones
• We, as everyone else who tried to write
attacks for this OS, were convinced it would
have worked on factory phones too
34. Iphone nightmare – step two
• It didn’t.
• Code signing and XN bit are a huge problem
on factory iPhones
• You cannot execute a page unless is signed
• You cannot set a page executable if it was
writable
36. A step toward success
• Just two days before our presentation at BH
EU Charlie discovered that it is possible to set
execution flags on a writable page
• But only shared libraries pages
38. But still..
• My attack could not work anyway cause we
cannot touch the executable pages
• So instead of a binary we decided to inject a
library..
• .. It worked!
40. Why so?
• Until now there was no way to execute your
own code on a factory phone
– No advanced payloads
– In most cases no payloads at all
– Just some very hard return-into-libSystem stuff
• With this attack we have:
– Advanced payloads(Meterpreter anyone?)
– No need to play with return-into-something stuff
anymo
41. A few questions
• How Charlie’s trick works?
• How can we map a library?
• Ok you have an injected library, now what?
• How do we play with dyld in order to link our
library?
42. How Charlie’s trick works?
• Three steps:
– Call vm_protect() in order to change page
permissions to readable and writable
– Write whatever you want
– Call vm_protect() again with readable and
executable flags
43. How can we map a library?
• Mapping a library is no different from
mapping an executable
• We need to make sure to map the injected
library upon an already mapped one
• Clearly we cannot just memcpy() stuff
44. Leveraging the trick
• For each segment we need to map we issue a
vm_protect with READ and WRITE flags
• We copy the segment
• We issue another vm_protect with the
protection flags the segment expects
45. Ok you have an injected library,
now what?
• A non-linked library is useless
• The linking process is in charge of resolving
library dependencies and link the executable
to the library
• We need to work on the dynamic linker in
order to understand how to link it
46. Osx dyld vs iPhone dyld
• On Osx you have a bunch of ways for linking a
library stored in memory
• None of them work on iPhone (they have
taken out the code for doing this)
47. So how do you load a library on
Iphone?
• The library must be on the disk
• You need to call dlopen()
• The library must be signed
49. What to do now?
• Dyld has still a way of mapping a binary from
memory (it has to for loading the main binary)
• We should use it
• But it’s simply not enough
50. The idea
• After we mapped the library we call dlopen()
• We hijack dlopen() execution in order to call
the function which loads a binary from
memory
• A few patches are needed
53. So we’re done?
• Not really
• When the library is linked it searches for
symbols in each linked library
• *each linked library* means even the one we
have overwritten
54. One last patch
• Before overwriting the victim library we force
dlclose() to unlink it
• To “force” means to ignore the garbage
collector for libraries
• We need to be careful with this one, some
frameworks will crash if they are forced to be
unloaded
56. Results
• It is possible to load a arbitrary non-signed
library in the address space of an arbitrary
process (despite the code signing stuff)
• It’s the only reliable way to have a working-
payloads on factory phones
• Rooms for improvements
– Meterpreter anyone?