The talk will be about 0-day cyber weapons. We will cover hot topics about software vulnerabilities and vulnerability market.

1. Vulnerability Market
Celil ÜNÜVER
SignalSEC Ltd.
www.signalsec.com

2. About me
• Co-founder and Researcher @ SignalSEC Corp.
• Vulnerability Research and Intelligence
• Have discovered lots of vuln affects Adobe,
IBM, Microsoft, Facebook, SCADA , Novell etc.
• Speaker at CONFidence, Hackfest, Swiss Cyber
Storm, c0c0n etc.
• Organizer of NOPcon Hacker Conference

3. Briefly
I’m interested in bug hunting

4. Jargon / Terminology
• Vulnerability: software bug which causes a security
issue.
• 0-day: Unknown vulnerability in a computer
application. No patch!
• Exploit: A software to break software and take
advantage 

5. SCADA (in)Security

6. No more stuxnet

7. Exploit Market
Underground:

8. Exploit Market
Legal Buyers: Governments , Brokers (iDefense,
ZDI, Netragard, Exodus etc.)

9. Price List

10. Price List

11. Price List
• Price depends on where you live and who you
are  (800 usd for zeroday attacks)

12. How you serve it?
PoC Weaponized
Exploit

13. Price List
• And price depends on how you serve it:
Weaponized Exploit

14. Fighting Crime with the help
of cyber weapons
A spy software and exploits used in Mexico to arrest a drug lord and
organized crime leader

15. Bug Hunting Methods
• Reversing

16. Reversing
There are 10 types of people in the world: Those who
understand binary and those who don’t.

17. Bug Hunter’s Toolbag
1-) Debugger:
- Debugger
2-) Disassembler:
- IDA Pro

18. WinDBG

19. IDA Disassembler

20. SCADA Vulns
Sometimes it’s really easy to find SCADA VULNS!!!

21. Why it’s easy?
There was not a real threat for SCADA software
untill 2010
So the developers were not aware of SECURE
Development

22. Case-1: CoDeSys Vulnerability
• CoDeSys PLC Visualization Software – WebVisu
Vulnerability
• WebVisu uses a webserver which is usually
open to Internet for visualization of PLC
• Discovered by me
• http://ics-cert.us-cert.gov/pdf/ICSA-12-006-01.pdf

23. Case-1: CoDeSys Vulnerability
• France, Poland, Deutch Telecom use this
software
• Buffer overflow vulnerability when parsing
long http requests due to an unsafe function

24. Case-1: CoDeSys Vulnerability
• Direct contol on EIP

25. Case-2: Schneider IGSS Vulnerability
• Oslo Traffic Center, Czech Republic Gas
Center, Kuala Lumpur Airport

26. Case-2: Schneider IGSS Vulnerability
• Discovered by SignalSEC
• http://ics-cert.us-cert.gov/pdf/ICSA-11-355-01-7.pdf
• IGSS listens 12399 and 12397 ports in runtime
• A simple bunch of code causes to Buffer Overflow
use IO::Socket;
$host = "localhost";
$port = 12399;
$port2 = 12397;
$first = "x01x01x00x00";
$second = "x02x01x00x00";

27. Finding Targets
• Banner Information: “SCXWebServer”
HTTP/1.1 200 OK
Content-Encoding: deflate
Date: Tue, 14 Dec 2010 19:09:52 GMT
Expires: Tue, 14 Dec 2010 19:09:52 GMT
Cache-Control: no-cache
Server: SCXWebServer/6.0

28. Search on SHODAN

29. CoDeSys ENI on SHODAN
• Server’s Banner : “ENIServer”
• Shodan Results: 195

30. CoDeSys WebServer on SHODAN
• Server’s Banner : “3S_WebServer”
• Shodan Results: 151

31. Reversing Tips
• It’s hard to find bugs via static reversing
• Use debugger + disassembler together and do
dynamic reversing!

32. Static Reversing
• Bol
• Good luck!

33. Dynamic Reversing
BreakPoint on some “juicy” instructions and functions:
REP MOVSD = memcpy (edi , esi, ecx)
REP STOSD = memset (edi, eax, ecx)
STRCPY
RECV
WSARecv

34. Office Zero-day Exploit
• Demo

35. D Thank you!
• Contact:
• cunuver@signalsec.com
• www.signalsec.com
• vis.signalsec.com
• Twitter: @celilunuver