SlideShare a Scribd company logo

Let Your Mach-O Fly, Black Hat DC 2009

Download as PPTX, PDF
V
Vincenzo Iozzo

Slides from Black Hat DC 2009 given by Vincenzo Iozzo

Technology
1 of 42
Letyour Mach-O fly Vincenzo Iozzo snagg@sikurezza.org
Whoam I? Student at Politecnico di Milano. Security Consultant at Secure Network srl. ReverseEngineer at ZynamicsGmbH. 2/18/09 2
Goal of the talk 2/18/09 3 In-memory execution of arbitrary binaries on a Mac OS X machine.
Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 4
Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 5
Mach-O file Header structure: information on the target architecture and options to interpret the file. Load commands: symbol table location, registers state. Segments: define region of the virtual memory, contain sections with code or data. 2/18/09 6
Segment and Sections 2/18/09 7
Important segments __PAGEZERO, if a piece of codeaccessesNULL it lands here. no protection flags. __TEXT, holds code and read-only data. RX protection. __DATA, holds data. RW protection. __LINKEDIT, holds information for the dynamic linker including symbol and string tables. RW protection. 2/18/09 8
Mach-O representation 2/18/09 9
Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 10
Binary execution Conducted by the kernel and the dynamic linker. The kernel, when finishes his part, jumps to the dynamic linker entry point. The dynamic linker is not randomized. 2/18/09 11
Execution steps Kernel Maps the dynamic linker in the process address space. Parses the header structure and loads all segments. Creates a new stack. Dynamic linker Retrieves base address of the binary. Resolves symbols. Resolves library dependencies. Jumps to the binary entry point. 2/18/09 12
Stack Mach-O file base address. Command line arguments. Environment variables. Execution path. All padded. 2/18/09 13
Stack representation 2/18/09 14
Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 15
Proposed attack Userland-exec attack. Encapsulate a shellcode, aka auto-loader, and a crafted stack in the injected binary. Execute the auto-loader in the address space of the attacked process. 2/18/09 16
WWW Who: an attacker with a remote code execution in his pocket. Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary. Why: later in this talk. 2/18/09 17
What kind of binaries? AnyMach-O file, fromlstoSafari 2/18/09 18
A nice picture 2/18/09 19
Infected binary We need to find a place to store the auto-loader and the crafted stack. __PAGEZERO infection technique. Cavity infector technique. 2/18/09 20
__PAGEZERO INFECTION Change __PAGEZERO protection flags with a custom value. Store the crafted stack and the auto-loader code at the end of the binary. Point __PAGEZERO to the crafted stack. Overwrite the first bytes of the file with the auto-loader address. 2/18/09 21
Binary layout 2/18/09 22
Auto-loader Impersonates the kernel. Un-maps the old binary. Maps the new one. 2/18/09 23
Auto-loader description Parses the binary. Reads the virtual addresses of the injected binary segments. Unloads the attacked binary segments pointed by the virtual addresses. Loads the injected binary segments. 2/18/09 24
Auto-loader description(2) Maps the crafted stackreferenced by __PAGEZERO. Cleans registers. Cleans some libSystem variables. Jumps to dynamic linker entry point. 2/18/09 25
We do like pictures, don’t we? 2/18/09 26 Victim’s process address space TEXT DATA LINKEDIT SEGMENT -N TEXT DATA LINKEDIT SEGMENT-N
libSystem variables _malloc_def_zone_state _NXArgv_pointer _malloc_num_zones __keymgr_global 2/18/09 27
Why are those variables important? They are used in the initialization of malloc. Two of them are used for command line arguments parsing. Not cleaning them will result in a crash. 2/18/09 28
Hunts the variables Mac OS X Leopard has ASLR for libraries. Those variables are not exported. Cannot use dlopen()/dlsym() combo. 2/18/09 29
Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 30
Defeat ASLR Retrieve libSystem in-memory base address. Read symbols from the libSystem binary. Adjust symbols to the new address. 2/18/09 31
How ASLR works in Leopard Only libraries are randomized. The randomization is performed whenever the system or the libraries are updated. Library segments addresses are saved in dyld_shared_cache_arch.map. 2/18/09 32
Retrieve libSystem address Parse dyld_shared_cache_i386.map and search for libSystem entry. Adopt functions exported by the dynamic linker and perform the whole task in-memory. 2/18/09 33
Dyld functions _dyld_image_count() used to retrieve the number of linked libraries of a process. _dyld_get_image_header() used to retrieve the base address of each library. _dyld_get_image_name() used to retrieve the name of a given library. 2/18/09 34
Find ‘em Parse dyld load commands. Retrieve __LINKEDIT address. Iterate dyld symbol table and search for the functions name in __LINKEDIT. 2/18/09 35
Back to libSystem Non-exported symbols are taken out from the symbol table when loaded. Open libSystem binary, find the variables in the symbol table. Adjust variables to the base address of the in-memory __DATA segment. 2/18/09 36
Put pieces together Iterate the header structure of libSystem in-memory and find the __DATA base address. __DATA base address 0x2000 Symbol at 0x2054 In-memory __DATA base address 0x4000 Symbol in-memory at 0x4054 2/18/09 37
Results Run a binary into an arbitrary machine. No traces on the hard-disk. No execve(), the kernel doesn’t know about us. It works with every binary. It is possible to write payloads in a high level language. 2/18/09 38
Demo description Run a simple piece of code which acts like a shellcode and retrieve the binary. Execute the attack with nmap and Safari. Show network dump. Show memory layout before and after the attack. 2/18/09 39
DEMO 2/18/09 40
Future developments Employ encryption to avoid NIDS detection. Using cavity infector technique. Port the code to iPhone to evade code signing protection ( Catch you at BH Europe). 2/18/09 41
Thanks, questions? 2/18/09 42

Recommended

Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Dashti Abdullah
 
The real and another
The real and anotherThe real and another
The real and anotherIshika Biswas
 
Clientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyClientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyJulia Yu-Chin Cheng
 
Honeywall roo 2
Honeywall roo 2Honeywall roo 2
Honeywall roo 2Julia Yu-Chin Cheng
 
Cyber Security Visualization
Cyber Security VisualizationCyber Security Visualization
Cyber Security VisualizationDoug Cogswell
 

Recommended

Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Dashti Abdullah
 
The real and another
The real and anotherThe real and another
The real and anotherIshika Biswas
 
Clientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyClientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyJulia Yu-Chin Cheng
 
Honeywall roo 2
Honeywall roo 2Honeywall roo 2
Honeywall roo 2Julia Yu-Chin Cheng
 
Cyber Security Visualization
Cyber Security VisualizationCyber Security Visualization
Cyber Security VisualizationDoug Cogswell
 
Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suitevasuballa
 
The Beginning Of World War Ii
The Beginning Of World War IiThe Beginning Of World War Ii
The Beginning Of World War Iikathomas
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Ldap injection
Ldap injectionLdap injection
Ldap injectionSujay Gankidi
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart ThemIBM Security
 
How to Audit Firewall, what are the standard Practices for Firewall Audit
How to Audit Firewall, what are the standard Practices for Firewall AuditHow to Audit Firewall, what are the standard Practices for Firewall Audit
How to Audit Firewall, what are the standard Practices for Firewall Auditkeyuradmin
 
Client Side Honeypots
Client Side HoneypotsClient Side Honeypots
Client Side Honeypotsamiable_indian
 
Veil Evasion and Client Side Attacks
Veil Evasion and Client Side AttacksVeil Evasion and Client Side Attacks
Veil Evasion and Client Side Attacksn|u - The Open Security Community
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Firewall Penetration Testing
Firewall Penetration TestingFirewall Penetration Testing
Firewall Penetration TestingChirag Jain
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
DTS Solution - Outsourcing Outlook Dubai 2015
DTS Solution - Outsourcing Outlook Dubai 2015DTS Solution - Outsourcing Outlook Dubai 2015
DTS Solution - Outsourcing Outlook Dubai 2015Shah Sheikh
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...Shah Sheikh
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...OWASP Delhi
 
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 

More Related Content

Viewers also liked

Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suitevasuballa
 
The Beginning Of World War Ii
The Beginning Of World War IiThe Beginning Of World War Ii
The Beginning Of World War Iikathomas
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart ThemIBM Security
 
How to Audit Firewall, what are the standard Practices for Firewall Audit
How to Audit Firewall, what are the standard Practices for Firewall AuditHow to Audit Firewall, what are the standard Practices for Firewall Audit
How to Audit Firewall, what are the standard Practices for Firewall Auditkeyuradmin
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Firewall Penetration Testing
Firewall Penetration TestingFirewall Penetration Testing
Firewall Penetration TestingChirag Jain
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
DTS Solution - Outsourcing Outlook Dubai 2015
DTS Solution - Outsourcing Outlook Dubai 2015DTS Solution - Outsourcing Outlook Dubai 2015
DTS Solution - Outsourcing Outlook Dubai 2015Shah Sheikh
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...Shah Sheikh
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...OWASP Delhi
 

Viewers also liked (20)

Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suite
 
The Beginning Of World War Ii
The Beginning Of World War IiThe Beginning Of World War Ii
The Beginning Of World War Ii
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Ldap injection
Ldap injectionLdap injection
Ldap injection
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them
 
How to Audit Firewall, what are the standard Practices for Firewall Audit
How to Audit Firewall, what are the standard Practices for Firewall AuditHow to Audit Firewall, what are the standard Practices for Firewall Audit
How to Audit Firewall, what are the standard Practices for Firewall Audit
 
Client Side Honeypots
Client Side HoneypotsClient Side Honeypots
Client Side Honeypots
 
Veil Evasion and Client Side Attacks
Veil Evasion and Client Side AttacksVeil Evasion and Client Side Attacks
Veil Evasion and Client Side Attacks
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Firewall Penetration Testing
Firewall Penetration TestingFirewall Penetration Testing
Firewall Penetration Testing
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
DTS Solution - Outsourcing Outlook Dubai 2015
DTS Solution - Outsourcing Outlook Dubai 2015DTS Solution - Outsourcing Outlook Dubai 2015
DTS Solution - Outsourcing Outlook Dubai 2015
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
 

Similar to Let Your Mach-O Fly, Black Hat DC 2009

Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)Alexandre Borges
 
Miasm: Reverse Engineering Framework
Miasm: Reverse Engineering FrameworkMiasm: Reverse Engineering Framework
Miasm: Reverse Engineering FrameworkPriyanka Aash
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
From gcc to the autotools
From gcc to the autotoolsFrom gcc to the autotools
From gcc to the autotoolsThierry Gayet
 
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMMODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMAlexandre Borges
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 
Running native code on Android #OSDCfr 2012
Running native code on Android #OSDCfr 2012Running native code on Android #OSDCfr 2012
Running native code on Android #OSDCfr 2012Cédric Deltheil
 
Practical real-time operating system security for the masses
Practical real-time operating system security for the massesPractical real-time operating system security for the masses
Practical real-time operating system security for the massesMilosch Meriac
 
ECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docxECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docxtidwellveronique
 
ECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docxECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docxtidwellveronique
 
ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata EvonCanales257
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Toursamrat das
 

Similar to Let Your Mach-O Fly, Black Hat DC 2009 (20)

Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
 
Strange security mitigations
Strange security mitigationsStrange security mitigations
Strange security mitigations
 
Miasm: Reverse Engineering Framework
Miasm: Reverse Engineering FrameworkMiasm: Reverse Engineering Framework
Miasm: Reverse Engineering Framework
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
From gcc to the autotools
From gcc to the autotoolsFrom gcc to the autotools
From gcc to the autotools
 
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAMMODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
 
9-roslyn-guidelines
9-roslyn-guidelines9-roslyn-guidelines
9-roslyn-guidelines
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
 
Running native code on Android #OSDCfr 2012
Running native code on Android #OSDCfr 2012Running native code on Android #OSDCfr 2012
Running native code on Android #OSDCfr 2012
 
Practical real-time operating system security for the masses
Practical real-time operating system security for the massesPractical real-time operating system security for the masses
Practical real-time operating system security for the masses
 
ECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docxECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docx
 
ECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docxECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docx
 
Lecture 11 compiler ii
Lecture 11 compiler iiLecture 11 compiler ii
Lecture 11 compiler ii
 
EKON27_Pas2JS_sign.pdf
EKON27_Pas2JS_sign.pdfEKON27_Pas2JS_sign.pdf
EKON27_Pas2JS_sign.pdf
 
ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata
 
Linux Kernel Tour
Linux Kernel TourLinux Kernel Tour
Linux Kernel Tour
 
Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & Free
 

More from Vincenzo Iozzo

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threatsVincenzo Iozzo
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new blackVincenzo Iozzo
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paperVincenzo Iozzo
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperVincenzo Iozzo
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperVincenzo Iozzo
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Vincenzo Iozzo
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 

More from Vincenzo Iozzo (9)

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new black
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 

Let Your Mach-O Fly, Black Hat DC 2009

  • 1. Letyour Mach-O fly Vincenzo Iozzo snagg@sikurezza.org
  • 2. Whoam I? Student at Politecnico di Milano. Security Consultant at Secure Network srl. ReverseEngineer at ZynamicsGmbH. 2/18/09 2
  • 3. Goal of the talk 2/18/09 3 In-memory execution of arbitrary binaries on a Mac OS X machine.
  • 4. Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 4
  • 5. Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 5
  • 6. Mach-O file Header structure: information on the target architecture and options to interpret the file. Load commands: symbol table location, registers state. Segments: define region of the virtual memory, contain sections with code or data. 2/18/09 6
  • 8. Important segments __PAGEZERO, if a piece of codeaccessesNULL it lands here. no protection flags. __TEXT, holds code and read-only data. RX protection. __DATA, holds data. RW protection. __LINKEDIT, holds information for the dynamic linker including symbol and string tables. RW protection. 2/18/09 8
  • 10. Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 10
  • 11. Binary execution Conducted by the kernel and the dynamic linker. The kernel, when finishes his part, jumps to the dynamic linker entry point. The dynamic linker is not randomized. 2/18/09 11
  • 12. Execution steps Kernel Maps the dynamic linker in the process address space. Parses the header structure and loads all segments. Creates a new stack. Dynamic linker Retrieves base address of the binary. Resolves symbols. Resolves library dependencies. Jumps to the binary entry point. 2/18/09 12
  • 13. Stack Mach-O file base address. Command line arguments. Environment variables. Execution path. All padded. 2/18/09 13
  • 15. Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 15
  • 16. Proposed attack Userland-exec attack. Encapsulate a shellcode, aka auto-loader, and a crafted stack in the injected binary. Execute the auto-loader in the address space of the attacked process. 2/18/09 16
  • 17. WWW Who: an attacker with a remote code execution in his pocket. Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary. Why: later in this talk. 2/18/09 17
  • 18. What kind of binaries? AnyMach-O file, fromlstoSafari 2/18/09 18
  • 19. A nice picture 2/18/09 19
  • 20. Infected binary We need to find a place to store the auto-loader and the crafted stack. __PAGEZERO infection technique. Cavity infector technique. 2/18/09 20
  • 21. __PAGEZERO INFECTION Change __PAGEZERO protection flags with a custom value. Store the crafted stack and the auto-loader code at the end of the binary. Point __PAGEZERO to the crafted stack. Overwrite the first bytes of the file with the auto-loader address. 2/18/09 21
  • 23. Auto-loader Impersonates the kernel. Un-maps the old binary. Maps the new one. 2/18/09 23
  • 24. Auto-loader description Parses the binary. Reads the virtual addresses of the injected binary segments. Unloads the attacked binary segments pointed by the virtual addresses. Loads the injected binary segments. 2/18/09 24
  • 25. Auto-loader description(2) Maps the crafted stackreferenced by __PAGEZERO. Cleans registers. Cleans some libSystem variables. Jumps to dynamic linker entry point. 2/18/09 25
  • 26. We do like pictures, don’t we? 2/18/09 26 Victim’s process address space TEXT DATA LINKEDIT SEGMENT -N TEXT DATA LINKEDIT SEGMENT-N
  • 27. libSystem variables _malloc_def_zone_state _NXArgv_pointer _malloc_num_zones __keymgr_global 2/18/09 27
  • 28. Why are those variables important? They are used in the initialization of malloc. Two of them are used for command line arguments parsing. Not cleaning them will result in a crash. 2/18/09 28
  • 29. Hunts the variables Mac OS X Leopard has ASLR for libraries. Those variables are not exported. Cannot use dlopen()/dlsym() combo. 2/18/09 29
  • 30. Talk outline Mach-O file structure XNU binary execution Attack technique Defeat ASLR on libraries to enhance the attack 2/18/09 30
  • 31. Defeat ASLR Retrieve libSystem in-memory base address. Read symbols from the libSystem binary. Adjust symbols to the new address. 2/18/09 31
  • 32. How ASLR works in Leopard Only libraries are randomized. The randomization is performed whenever the system or the libraries are updated. Library segments addresses are saved in dyld_shared_cache_arch.map. 2/18/09 32
  • 33. Retrieve libSystem address Parse dyld_shared_cache_i386.map and search for libSystem entry. Adopt functions exported by the dynamic linker and perform the whole task in-memory. 2/18/09 33
  • 34. Dyld functions _dyld_image_count() used to retrieve the number of linked libraries of a process. _dyld_get_image_header() used to retrieve the base address of each library. _dyld_get_image_name() used to retrieve the name of a given library. 2/18/09 34
  • 35. Find ‘em Parse dyld load commands. Retrieve __LINKEDIT address. Iterate dyld symbol table and search for the functions name in __LINKEDIT. 2/18/09 35
  • 36. Back to libSystem Non-exported symbols are taken out from the symbol table when loaded. Open libSystem binary, find the variables in the symbol table. Adjust variables to the base address of the in-memory __DATA segment. 2/18/09 36
  • 37. Put pieces together Iterate the header structure of libSystem in-memory and find the __DATA base address. __DATA base address 0x2000 Symbol at 0x2054 In-memory __DATA base address 0x4000 Symbol in-memory at 0x4054 2/18/09 37
  • 38. Results Run a binary into an arbitrary machine. No traces on the hard-disk. No execve(), the kernel doesn’t know about us. It works with every binary. It is possible to write payloads in a high level language. 2/18/09 38
  • 39. Demo description Run a simple piece of code which acts like a shellcode and retrieve the binary. Execute the attack with nmap and Safari. Show network dump. Show memory layout before and after the attack. 2/18/09 39
  • 41. Future developments Employ encryption to avoid NIDS detection. Using cavity infector technique. Port the code to iPhone to evade code signing protection ( Catch you at BH Europe). 2/18/09 41

Editor's Notes

  1. 15minuti
  2. 30minuti
  3. 45minuti
  4. 60minuti