SlideShare a Scribd company logo

Exploit generation automation with WinDBG (Hacktivity 2017)

C
Csaba Fitzl

Hacktivity 2017 presentation

Technology
1 of 12
Download to read offline
Exploit generation automation with WinDBG Csaba Fitzl
whoami blue teamer security researcher, blogger husband, father hiker
Exploit writing challenges Time consuming Heavily manual intensive process Discovering memory layout Finding bad characters While (exploit doesn’t work == True): Start process, attach debugger, crash, Modify exploit
Exploit writing methodology - BoF Find EIP overwrite location Examine memory layout, registries Somehow jump to shellcode Generate shellcode Put all together
The task A tool which can automate the entire exploit writing process From crash PoC to working Exploit If possible n0 manual interaction
The tool Written in Python Uses the “pykd” library to interact with WinDBG
What can it do? Currently works for classic BoFs Can bypass ASLR Works for network and file based exploits Will create a successful exploit from a simple crash Automates the entire process (even finding bad characters!) No need to manually start the process / WinDBG
The logic Find EIP overwrite location / offset Find registers pointing to the buffers Find bad characters Find a way to jump to the shellcode (JMP, CALL, etc…) Generate shellcode Put it all together
demo time
How to use it? Some pre-work needs to be done Exploit is a Class Has to be populated with initial info (crash)
What has to be changed? def exploit(self): """ This function runs the actual exploit """ sleep(1) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1',80)) message = "GET " + ''.join(self.buffer) + " HTTP/ 1.1rnrn" sock.send(message) sock.close()
? twitter: @theevilbit tool: https://github.com/theevilbit/exploit_generator

Recommended

Browser controller testing for webapps (in Windows environment)
Browser controller testing for webapps (in Windows environment)Browser controller testing for webapps (in Windows environment)
Browser controller testing for webapps (in Windows environment)Adrian Spinei
 
Look beyond PHP
Look beyond PHPLook beyond PHP
Look beyond PHPFabien Potencier
 
De was doen. gr 1 2.pptx
De was doen. gr 1 2.pptxDe was doen. gr 1 2.pptx
De was doen. gr 1 2.pptx
Marjolein de Groot
 
Developer Efficiency
Developer EfficiencyDeveloper Efficiency
Developer EfficiencyDmitri Nesteruk
 
Developer Fundamentals - Logging
Developer Fundamentals - LoggingDeveloper Fundamentals - Logging
Developer Fundamentals - LoggingAxel Irriger
 
How secure is your code?
How secure is your code?How secure is your code?
How secure is your code?
Mikee Franklin
 
LVPHP.org
LVPHP.orgLVPHP.org
LVPHP.org
Joshua Copeland
 
Beginning development in go
Beginning development in goBeginning development in go
Beginning development in go
Equaleyes Solutions Ltd.
 

Recommended

Browser controller testing for webapps (in Windows environment)
Browser controller testing for webapps (in Windows environment)Browser controller testing for webapps (in Windows environment)
Browser controller testing for webapps (in Windows environment)Adrian Spinei
 
Look beyond PHP
Look beyond PHPLook beyond PHP
Look beyond PHPFabien Potencier
 
De was doen. gr 1 2.pptx
De was doen. gr 1 2.pptxDe was doen. gr 1 2.pptx
De was doen. gr 1 2.pptx
Marjolein de Groot
 
Developer Efficiency
Developer EfficiencyDeveloper Efficiency
Developer EfficiencyDmitri Nesteruk
 
Developer Fundamentals - Logging
Developer Fundamentals - LoggingDeveloper Fundamentals - Logging
Developer Fundamentals - LoggingAxel Irriger
 
How secure is your code?
How secure is your code?How secure is your code?
How secure is your code?
Mikee Franklin
 
LVPHP.org
LVPHP.orgLVPHP.org
LVPHP.org
Joshua Copeland
 
Beginning development in go
Beginning development in goBeginning development in go
Beginning development in go
Equaleyes Solutions Ltd.
 
Debugging with visual studio beyond 'F5'
Debugging with visual studio beyond 'F5'Debugging with visual studio beyond 'F5'
Debugging with visual studio beyond 'F5'
Dror Helper
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
David Glick
 
Php rules
Php rulesPhp rules
Php ruleschristopher mabunda
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
jduart
 
Introduction to Programming in Go
Introduction to Programming in GoIntroduction to Programming in Go
Introduction to Programming in Go
Amr Hassan
 
Node.js exception handling
Node.js exception handlingNode.js exception handling
Node.js exception handling
Minh Hoang
 
Php rules
Php rulesPhp rules
Php rules
christopher mabunda
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
kosborn
 
Improve your workflow
Improve your workflowImprove your workflow
Improve your workflow
Adam Štipák
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
Daniel Garcia (a.k.a cr0hn)
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
Vlatko Kosturjak
 
Continuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchhContinuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchh
Dirk Hoerig
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
Vincent Ohprecio
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
Cory Foy
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A Hacker
Paul Tarjan
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Mihai Brehar - Xdebug
Mihai Brehar - XdebugMihai Brehar - Xdebug
Mihai Brehar - Xdebug
Mihai Brehar
 
Logging with Monolog
Logging with MonologLogging with Monolog
Logging with Monolog
Tudor Barbu
 
Troubleshooting Plone
Troubleshooting PloneTroubleshooting Plone
Troubleshooting PloneRicado Alves
 
Bug Hunting Safari
Bug Hunting SafariBug Hunting Safari
Bug Hunting Safari
Janie Clayton
 
Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
Csaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 

More Related Content

Similar to Exploit generation automation with WinDBG (Hacktivity 2017)

Debugging with visual studio beyond 'F5'
Debugging with visual studio beyond 'F5'Debugging with visual studio beyond 'F5'
Debugging with visual studio beyond 'F5'
Dror Helper
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
David Glick
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
jduart
 
Introduction to Programming in Go
Introduction to Programming in GoIntroduction to Programming in Go
Introduction to Programming in Go
Amr Hassan
 
Node.js exception handling
Node.js exception handlingNode.js exception handling
Node.js exception handling
Minh Hoang
 
Php rules
Php rulesPhp rules
Php rules
christopher mabunda
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
kosborn
 
Improve your workflow
Improve your workflowImprove your workflow
Improve your workflow
Adam Štipák
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
Daniel Garcia (a.k.a cr0hn)
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
Vlatko Kosturjak
 
Continuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchhContinuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchh
Dirk Hoerig
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
Vincent Ohprecio
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
Cory Foy
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A Hacker
Paul Tarjan
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Mihai Brehar - Xdebug
Mihai Brehar - XdebugMihai Brehar - Xdebug
Mihai Brehar - Xdebug
Mihai Brehar
 
Logging with Monolog
Logging with MonologLogging with Monolog
Logging with Monolog
Tudor Barbu
 
Troubleshooting Plone
Troubleshooting PloneTroubleshooting Plone
Troubleshooting PloneRicado Alves
 
Bug Hunting Safari
Bug Hunting SafariBug Hunting Safari
Bug Hunting Safari
Janie Clayton
 

Similar to Exploit generation automation with WinDBG (Hacktivity 2017) (20)

Debugging with visual studio beyond 'F5'
Debugging with visual studio beyond 'F5'Debugging with visual studio beyond 'F5'
Debugging with visual studio beyond 'F5'
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
 
Php rules
Php rulesPhp rules
Php rules
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
 
Introduction to Programming in Go
Introduction to Programming in GoIntroduction to Programming in Go
Introduction to Programming in Go
 
Node.js exception handling
Node.js exception handlingNode.js exception handling
Node.js exception handling
 
Php rules
Php rulesPhp rules
Php rules
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
 
Improve your workflow
Improve your workflowImprove your workflow
Improve your workflow
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 
Continuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchhContinuous Deployment - Developers Conference Hamburg #dchh
Continuous Deployment - Developers Conference Hamburg #dchh
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A Hacker
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Mihai Brehar - Xdebug
Mihai Brehar - XdebugMihai Brehar - Xdebug
Mihai Brehar - Xdebug
 
Logging with Monolog
Logging with MonologLogging with Monolog
Logging with Monolog
 
Troubleshooting Plone
Troubleshooting PloneTroubleshooting Plone
Troubleshooting Plone
 
Bug Hunting Safari
Bug Hunting SafariBug Hunting Safari
Bug Hunting Safari
 

More from Csaba Fitzl

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
Csaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
Csaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
Csaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
Csaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
Csaba Fitzl
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
Csaba Fitzl
 

More from Csaba Fitzl (13)

Launch and Environment Constraints Overview
Launch and Environment Constraints OverviewLaunch and Environment Constraints Overview
Launch and Environment Constraints Overview
 
macOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
 
SecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdfSecurityFest-22-Fitzl-beyond.pdf
SecurityFest-22-Fitzl-beyond.pdf
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Exploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG luExploit generation and javascript analysis automation with WinDBG lu
Exploit generation and javascript analysis automation with WinDBG lu
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 

Exploit generation automation with WinDBG (Hacktivity 2017)

  • 2. whoami blue teamer security researcher, blogger husband, father hiker
  • 3. Exploit writing challenges Time consuming Heavily manual intensive process Discovering memory layout Finding bad characters While (exploit doesn’t work == True): Start process, attach debugger, crash, Modify exploit
  • 4. Exploit writing methodology - BoF Find EIP overwrite location Examine memory layout, registries Somehow jump to shellcode Generate shellcode Put all together
  • 5. The task A tool which can automate the entire exploit writing process From crash PoC to working Exploit If possible n0 manual interaction
  • 6. The tool Written in Python Uses the “pykd” library to interact with WinDBG
  • 7. What can it do? Currently works for classic BoFs Can bypass ASLR Works for network and file based exploits Will create a successful exploit from a simple crash Automates the entire process (even finding bad characters!) No need to manually start the process / WinDBG
  • 8. The logic Find EIP overwrite location / offset Find registers pointing to the buffers Find bad characters Find a way to jump to the shellcode (JMP, CALL, etc…) Generate shellcode Put it all together
  • 10. How to use it? Some pre-work needs to be done Exploit is a Class Has to be populated with initial info (crash)
  • 11. What has to be changed? def exploit(self): """ This function runs the actual exploit """ sleep(1) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1',80)) message = "GET " + ''.join(self.buffer) + " HTTP/ 1.1rnrn" sock.send(message) sock.close()