This document describes Hydra, a polymorphic shellcode engine for x86 systems. Hydra integrates several obfuscation techniques to bypass signature-based, statistical, and emulator-based intrusion detection systems. It features techniques like nop sled obfuscation, multi-part decoding, multi-layer ciphering, statistical mimicry, and time-locked ciphering to evade detection. The goal of Hydra is to generate unique, obfuscated shellcode for each attack to avoid detection by intrusion prevention systems.
This document discusses merging Xen/IA64 virtualization support into the Linux kernel. It proposes using paravirt_ops to implement the virtualization interface, as was done for x86. This approach faces challenges on IA64 due to privileged instructions and hand-written assembly code. Current status shows paravirt_ops merged for minimal domU support, with future work planned on optimizations, dom0 support, and other features.
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
An introduction to exploit development.
I gave this talk at Hack the North 2014, and most of this information is pulled out of classics like Smashing the Stack for Fun and Profit, so there shouldn't be anything novel in here.
This document provides an introduction to Riak, an open source distributed database. It discusses that Riak is eventually consistent, follows the BASE model, and is highly available, fault tolerant, and horizontally scalable. It also summarizes key features of Riak including its use of consistent hashing, hinted handoff for fault tolerance, and various client APIs and storage backends. Finally, it provides an overview of hands-on setup and configuration of Riak.
This document discusses various exploit techniques, mitigations against exploits, and ways to bypass mitigations. It covers popular exploitation methods like stack-based buffer overflows, heap overflows, and return-oriented programming (ROP). It also outlines key mitigations like stack cookies, data execution prevention (DEP), address space layout randomization (ASLR), and structured exception handler overwrite protection (SEHOP). Finally, it examines techniques for bypassing protections like avoiding ASLR, memory leaks to disclose addresses, and using ROP chains combined with memory leaks to bypass DEP and ASLR. The document provides a technical overview of the exploit-mitigation landscape.
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDefconRussia
This document discusses code obfuscation techniques used to protect software and malware, and methods for deobfuscation. It describes common obfuscation methods like code virtualization, morphing, and encryption. It then introduces the Ariadne engine, which can decompile machine code, emulate instructions, and apply techniques like dead code elimination and pointer analysis to deobfuscate code through its AIR Wave technology. Testing showed it could effectively reverse many protector's weak obfuscations.
Return-Oriented Programming: Exploits Without Code Injectionguest9f4856
The document discusses return-oriented programming, which allows arbitrary computation without code injection by chaining together small "gadgets" found in program code or libraries. It presents the thesis that any sufficiently large program codebase contains enough gadgets to enable Turing-complete computation by controlling the program stack. The technique works by diverting the control flow to return addresses on the stack rather than injecting code. It poses a threat to security systems like W^X that aim to prevent code injection.
1. The document provides an overview of the phylum Cnidaria, which includes jellyfish, corals, and hydroids.
2. Cnidarians are radially or biradially symmetrical and have stinging cells called nematocysts. They exhibit a diploblastic body plan with two tissue layers separated by a gelatinous mesoglea.
3. Many cnidarians alternate between a sessile polyp stage and a motile medusa stage. Reproduction involves external fertilization producing a planula larva.
This document discusses merging Xen/IA64 virtualization support into the Linux kernel. It proposes using paravirt_ops to implement the virtualization interface, as was done for x86. This approach faces challenges on IA64 due to privileged instructions and hand-written assembly code. Current status shows paravirt_ops merged for minimal domU support, with future work planned on optimizations, dom0 support, and other features.
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
An introduction to exploit development.
I gave this talk at Hack the North 2014, and most of this information is pulled out of classics like Smashing the Stack for Fun and Profit, so there shouldn't be anything novel in here.
This document provides an introduction to Riak, an open source distributed database. It discusses that Riak is eventually consistent, follows the BASE model, and is highly available, fault tolerant, and horizontally scalable. It also summarizes key features of Riak including its use of consistent hashing, hinted handoff for fault tolerance, and various client APIs and storage backends. Finally, it provides an overview of hands-on setup and configuration of Riak.
This document discusses various exploit techniques, mitigations against exploits, and ways to bypass mitigations. It covers popular exploitation methods like stack-based buffer overflows, heap overflows, and return-oriented programming (ROP). It also outlines key mitigations like stack cookies, data execution prevention (DEP), address space layout randomization (ASLR), and structured exception handler overwrite protection (SEHOP). Finally, it examines techniques for bypassing protections like avoiding ASLR, memory leaks to disclose addresses, and using ROP chains combined with memory leaks to bypass DEP and ASLR. The document provides a technical overview of the exploit-mitigation landscape.
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDefconRussia
This document discusses code obfuscation techniques used to protect software and malware, and methods for deobfuscation. It describes common obfuscation methods like code virtualization, morphing, and encryption. It then introduces the Ariadne engine, which can decompile machine code, emulate instructions, and apply techniques like dead code elimination and pointer analysis to deobfuscate code through its AIR Wave technology. Testing showed it could effectively reverse many protector's weak obfuscations.
Return-Oriented Programming: Exploits Without Code Injectionguest9f4856
The document discusses return-oriented programming, which allows arbitrary computation without code injection by chaining together small "gadgets" found in program code or libraries. It presents the thesis that any sufficiently large program codebase contains enough gadgets to enable Turing-complete computation by controlling the program stack. The technique works by diverting the control flow to return addresses on the stack rather than injecting code. It poses a threat to security systems like W^X that aim to prevent code injection.
1. The document provides an overview of the phylum Cnidaria, which includes jellyfish, corals, and hydroids.
2. Cnidarians are radially or biradially symmetrical and have stinging cells called nematocysts. They exhibit a diploblastic body plan with two tissue layers separated by a gelatinous mesoglea.
3. Many cnidarians alternate between a sessile polyp stage and a motile medusa stage. Reproduction involves external fertilization producing a planula larva.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
The document discusses techniques for monitoring native 64-bit API calls in 32-bit WoW64 applications running on 64-bit Windows. It describes injecting a 64-bit DLL using various methods like Wow64log.dll injection, Heaven's Gate transitions, and APC injection. It also discusses overcoming challenges like CFG validation and implementing inline hooks without dependencies on 32-bit libraries. The techniques allow deep monitoring of WoW64 processes not possible with typical user-mode hooking.
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
InvokeDynamic is a new JVM instruction that allows method calls to be dynamically dispatched at runtime based on the actual object type, enabling just-in-time compilation optimizations for any language by making non-Java call sites visible to the HotSpot JVM compiler. It uses bootstrap methods, call sites holding method handle chains, and switch points to dynamically bind calls based on guard conditions checking the actual object type and rebinding if needed.
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldAnne Nicolas
Jason Donenfeld presented Zinc, a proposed new lightweight and minimal crypto API for the Linux kernel. It would provide simple crypto functions like ChaCha20 and Poly1305 without complex configuration. In contrast to the existing crypto API, Zinc would offer formally verified implementations from academic sources, be optimized for speed through compiler inlining and SIMD, and reduce security vulnerabilities through a simpler design. The goal is to include Zinc alongside the WireGuard VPN in the Linux 5.0 kernel release.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
The document discusses emulating hardware with JavaScript. It begins by introducing the speaker, Alexander Dickson, and his background. It then discusses the capabilities of modern JavaScript for emulation purposes, including canvas, Web Audio API, typed arrays, and requestAnimationFrame().
The document goes on to define what an emulator is and discusses some common emulator implementations like interpreters and just-in-time compilation. It suggests starting with a simple system like Chip-8 for beginners.
As an example system, it provides an overview of the Nintendo Entertainment System, describing its 6502 CPU, memory layout, and other components like the PPU and sound hardware. It discusses concepts like the von Neumann architecture and opcodes.
The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
The document discusses optimization techniques used by the Java Virtual Machine (JVM) during just-in-time (JIT) compilation. It describes how the JIT profiler gathers execution data to guide optimizations like inlining, loop unrolling, escape analysis, intrinsic methods, and monomorphic dispatch. Tools like JITWatch are used to analyze the JIT compilation log and visualize these optimizations. The JIT aims to improve performance over interpretation or ahead-of-time compilation by leveraging runtime profiles to generate machine-specific optimized code.
This document discusses GPU programming concepts from the hardware perspective to coding using CUDA. It begins by introducing the two major GPU manufacturers, NVIDIA and AMD, and focuses on NVIDIA since the author only has an NVIDIA GPU. It then explains the SIMT programming model used in NVIDIA GPUs and discusses three key aspects: single instruction multiple register sets, single instruction multiple addresses, and single instruction multiple flow paths. It provides examples to illustrate how these concepts are implemented in CUDA code. The document also discusses warp scheduling, occupancy, and techniques to improve performance like increasing instruction level parallelism.
The document discusses the relationship between hardware, operating systems, and Java Virtual Machines over time. It describes how early systems in the 1970s-1990s attempted to execute bytecode natively but never fully implemented it. Intermediate languages have existed since the 1960s to abstract code from hardware. The Java Virtual Machine model introduced in 1995 provided memory protection, type checking, and a "sandbox" environment for Java bytecode, influencing many later virtual machines. Overall, the JVM takes on operating system-like roles through threads, memory management, and locking, while still interfacing with the underlying OS.
The document discusses automatic program analysis using dynamic binary instrumentation. It describes using the Pin tool to instrument binaries at runtime in order to analyze dynamic program behavior. Key topics covered include static vs dynamic analysis, dynamic binary instrumentation with Pin, instrumentation granularities in Pin, and the Puncture tool for analyzing system calls and generating behavior reports.
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
The document discusses automatic program analysis using dynamic binary instrumentation. It describes using the Pin tool to instrument binaries at runtime in order to analyze their dynamic behavior. Key points covered include how Pin works, its instrumentation capabilities at different levels of granularity, and an example Pin tool called Puncture that is used to generate behavior logs and reports on instrumented programs.
Using techniques like ARP spoofing and NAT, it is possible to acquire an IP address and internet access on a network without a DHCP server. By intercepting traffic between an existing node and gateway, one can insert themselves as the "man in the middle" and route traffic through a NAT configuration using the hijacked node's IP address. This allows acquiring internet access without a free IP address by multiplexing sessions through the NAT. Scanrand port scanning observations can also reveal network topology details like firewall locations through analysis of TTL values.
This document discusses security issues with microcontrollers (uCs). uCs are commonly used in devices like cars, medical implants, and infrastructure systems. The Atmel AVR8 uC architecture is examined in depth. Issues discussed include weak randomness for crypto, race conditions due to lack of concurrency controls, buffer overflows enabled by the Harvard architecture separating code and data, and attacks involving NULL pointers, uninitialized memory, and dereferencing memory beyond physical limits. Exploiting these issues could allow taking control of uC firmware to potentially manipulate connected devices and systems.
This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.
Practical reverse engineering and exploit development for AVR-based Embedded ...Alexander Bolshev
The document outlines an agenda for a training on practical firmware reversing and exploit development for AVR-based embedded devices. The training will cover: (1) an introduction to the AVR architecture through an example; (2) pre-exploitation techniques; (3) exploitation and building return-oriented programming (ROP) chains; and (4) post-exploitation tricks. It provides background information on the AVR architecture, which is used widely in embedded and IoT devices, and discusses features like memory organization, registers, interrupts, and assembly instructions. Development tools for AVR like Atmel Studio, AVR-GCC, and debuggers are also briefly mentioned.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
The document discusses challenges in malware analysis and describes a system for automated static malware analysis. It outlines techniques for capturing malware, disassembling malware binaries, resolving obfuscated API calls, and handling obfuscation techniques used by malware authors to evade analysis. The system aims to unpack malware, recover the original program structure, and produce a higher-level representation to facilitate understanding the malware's purpose and functionality.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
The document discusses techniques for monitoring native 64-bit API calls in 32-bit WoW64 applications running on 64-bit Windows. It describes injecting a 64-bit DLL using various methods like Wow64log.dll injection, Heaven's Gate transitions, and APC injection. It also discusses overcoming challenges like CFG validation and implementing inline hooks without dependencies on 32-bit libraries. The techniques allow deep monitoring of WoW64 processes not possible with typical user-mode hooking.
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
InvokeDynamic is a new JVM instruction that allows method calls to be dynamically dispatched at runtime based on the actual object type, enabling just-in-time compilation optimizations for any language by making non-Java call sites visible to the HotSpot JVM compiler. It uses bootstrap methods, call sites holding method handle chains, and switch points to dynamically bind calls based on guard conditions checking the actual object type and rebinding if needed.
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldAnne Nicolas
Jason Donenfeld presented Zinc, a proposed new lightweight and minimal crypto API for the Linux kernel. It would provide simple crypto functions like ChaCha20 and Poly1305 without complex configuration. In contrast to the existing crypto API, Zinc would offer formally verified implementations from academic sources, be optimized for speed through compiler inlining and SIMD, and reduce security vulnerabilities through a simpler design. The goal is to include Zinc alongside the WireGuard VPN in the Linux 5.0 kernel release.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
The document discusses emulating hardware with JavaScript. It begins by introducing the speaker, Alexander Dickson, and his background. It then discusses the capabilities of modern JavaScript for emulation purposes, including canvas, Web Audio API, typed arrays, and requestAnimationFrame().
The document goes on to define what an emulator is and discusses some common emulator implementations like interpreters and just-in-time compilation. It suggests starting with a simple system like Chip-8 for beginners.
As an example system, it provides an overview of the Nintendo Entertainment System, describing its 6502 CPU, memory layout, and other components like the PPU and sound hardware. It discusses concepts like the von Neumann architecture and opcodes.
The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
The document discusses optimization techniques used by the Java Virtual Machine (JVM) during just-in-time (JIT) compilation. It describes how the JIT profiler gathers execution data to guide optimizations like inlining, loop unrolling, escape analysis, intrinsic methods, and monomorphic dispatch. Tools like JITWatch are used to analyze the JIT compilation log and visualize these optimizations. The JIT aims to improve performance over interpretation or ahead-of-time compilation by leveraging runtime profiles to generate machine-specific optimized code.
This document discusses GPU programming concepts from the hardware perspective to coding using CUDA. It begins by introducing the two major GPU manufacturers, NVIDIA and AMD, and focuses on NVIDIA since the author only has an NVIDIA GPU. It then explains the SIMT programming model used in NVIDIA GPUs and discusses three key aspects: single instruction multiple register sets, single instruction multiple addresses, and single instruction multiple flow paths. It provides examples to illustrate how these concepts are implemented in CUDA code. The document also discusses warp scheduling, occupancy, and techniques to improve performance like increasing instruction level parallelism.
The document discusses the relationship between hardware, operating systems, and Java Virtual Machines over time. It describes how early systems in the 1970s-1990s attempted to execute bytecode natively but never fully implemented it. Intermediate languages have existed since the 1960s to abstract code from hardware. The Java Virtual Machine model introduced in 1995 provided memory protection, type checking, and a "sandbox" environment for Java bytecode, influencing many later virtual machines. Overall, the JVM takes on operating system-like roles through threads, memory management, and locking, while still interfacing with the underlying OS.
The document discusses automatic program analysis using dynamic binary instrumentation. It describes using the Pin tool to instrument binaries at runtime in order to analyze dynamic program behavior. Key topics covered include static vs dynamic analysis, dynamic binary instrumentation with Pin, instrumentation granularities in Pin, and the Puncture tool for analyzing system calls and generating behavior reports.
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
The document discusses automatic program analysis using dynamic binary instrumentation. It describes using the Pin tool to instrument binaries at runtime in order to analyze their dynamic behavior. Key points covered include how Pin works, its instrumentation capabilities at different levels of granularity, and an example Pin tool called Puncture that is used to generate behavior logs and reports on instrumented programs.
Using techniques like ARP spoofing and NAT, it is possible to acquire an IP address and internet access on a network without a DHCP server. By intercepting traffic between an existing node and gateway, one can insert themselves as the "man in the middle" and route traffic through a NAT configuration using the hijacked node's IP address. This allows acquiring internet access without a free IP address by multiplexing sessions through the NAT. Scanrand port scanning observations can also reveal network topology details like firewall locations through analysis of TTL values.
This document discusses security issues with microcontrollers (uCs). uCs are commonly used in devices like cars, medical implants, and infrastructure systems. The Atmel AVR8 uC architecture is examined in depth. Issues discussed include weak randomness for crypto, race conditions due to lack of concurrency controls, buffer overflows enabled by the Harvard architecture separating code and data, and attacks involving NULL pointers, uninitialized memory, and dereferencing memory beyond physical limits. Exploiting these issues could allow taking control of uC firmware to potentially manipulate connected devices and systems.
This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.
Practical reverse engineering and exploit development for AVR-based Embedded ...Alexander Bolshev
The document outlines an agenda for a training on practical firmware reversing and exploit development for AVR-based embedded devices. The training will cover: (1) an introduction to the AVR architecture through an example; (2) pre-exploitation techniques; (3) exploitation and building return-oriented programming (ROP) chains; and (4) post-exploitation tricks. It provides background information on the AVR architecture, which is used widely in embedded and IoT devices, and discusses features like memory organization, registers, interrupts, and assembly instructions. Development tools for AVR like Atmel Studio, AVR-GCC, and debuggers are also briefly mentioned.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
The document discusses challenges in malware analysis and describes a system for automated static malware analysis. It outlines techniques for capturing malware, disassembling malware binaries, resolving obfuscated API calls, and handling obfuscation techniques used by malware authors to evade analysis. The system aims to unpack malware, recover the original program structure, and produce a higher-level representation to facilitate understanding the malware's purpose and functionality.
3. INSTRUCTIONS LOCAL VARIABLE LOCAL VARIABLE LOCAL VARIABLE EIP
Address of Calling function
NOP SLED PAYLOAD RETURN ZONE
Overwrites EIP
INSTRUCTIONS LOCAL VARIABLE LOCAL VARIABLE LOCAL VARIABLE EIP
NOP SLED PAYLOAD RETURN ZONE
“ret” jumps here
3
2
7. NOP Sled ObfuscaAon
• Not just single‐byte NOPS. MulA‐byte NOP instrucAons by way
of recursive NOP. (Phrack, CLET)
• Find all 1‐byte NOP instrucAons by brute‐force, then find two‐
byte NOPs where 2nd byte is a one‐byte NOP. Repeat.
• Larger NOP instrucAon recursively contains smaller NOPs.
ExecuAon can land anywhere in the instrucAon.
7
6
8. NOP Sled ObfuscaAon
• Hydra uAlizes two types of NOP instrucAons.
1. Basic NOP equivalent instrucAons which can be used to
build a sled and safely pass execuAon into the payload.
2. NOPs which can be safely inserted between instrucAons.
• Second case: “State‐safe” NOPs do not contain instrucAons
which modify the stack, registers, control flow, etc.
• 1.9M total NOP equivalent instrucAons found. 30,000 state‐
safe NOPs. 8
7
9. Random register operaAons
• Different synonymous instrucAons per invocaAon.
Two example ways to clear a register
Method 1: Method 2:
mov reg, <key> push dword <key>
sub reg, <key> pop reg
sub reg, <key>
• Hydra provides a large library of such instrucAons and a
plamorm to add more.
• For some operaAons, the key used is randomly generated to
further obfuscate the payload. 8
9
11. MulA‐Layer Ciphering
• MulAple cipher operaAons, subsets selected at random per
invocaAon. Very useful technique (ADMmutate, CLET,..)
• Random cipher operaAons: ROR/ROL, XOR, ADD/ SUB, etc…
• Cipher order is random each Ame.
• A randomly chosen 32‐bit key is generated per cipher.
• Six rounds of ciphering by default – user can specify number.
11
10
12. Inline Junk Code InserAon
• Hydra automaAcally adds space between instrucAons.
Arbitrary data can be inserted:
[instr 1][junk][instr 2][junk][instr 3][junk][instr4]
• Amount of data to be inserted can be specified.
• Can insert NOP instrucAons, anA‐disassembly code, random
junk, etc. The ciphers will skip these areas during decoding.
• Can also insert certain bytes for staAsAcal mimicry.
12
11
13. StaAsAcal Mimicry
• StaAsAcal IDS – typically work by learning frequencies for
normal content then detecAng exploits as anomalies.
• Hydra uses machine learning‐based techniques to make
shellcode mimic normal traffic.
• Learn a staAsAcal model for the distribuAon of n‐grams within
legiAmate network content.
• Sample from this distribuAon, and use padding and inline
padding (junk inserAon) to skew the distribuAon of shellcode
to appear normal.
13
12
14. Randomized Address Zone
• Sequence of repeated target addresses.
• Used to overwrites %ESP on the stack to point to NOP sled.
• An IDS can look for a structural signature such as the existence
of NOP instrucAons and repeated numbers (sled + return
zone.)
• Break signatures by adding random offsets to each address
element in the return address zone.
1414
14
15. Time‐Cipher Shellcode
• Emulator IDS? Build stripped down x86 emulator and
dynamically execute ALL network traffic. Look for self‐
decrypAon behavior and/or large basic blocks.
• SoluAon? Use syscall‐based ciphering. Exploit the fact that
emulators can’t handle full OS funcAonality.
• Hydra uses the Ame() syscall. Most significant bits used as key
to decode the main cipher instrucAons (ROR, XOR, etc).
• Syscall not handled? Time runs out? Shellcode is decoded
incorrectly – no polymorphic behavior is observed.
15
16. Time‐Cipher Shellcode
• Good for a user‐defined period of Ame. User can adjust the
“shell‐life” window by the number of bits used.
• Network IDS can’t emulate all possible syscalls.
• Time‐ciphered shellcode will pass through the emulators and
arrive on the target host where the syscalls can be handled .
• Bypasses some emulator and disassembly based methods,
and slows down human reverse engineers.
16
17. Forking Shellcode
• Exploit could cause the target process to hang. Not good –
could be picked up by an IDS. Graceful recovery (Skyler
CanSecWest ’09.)
• SoluAon: fork()’ing shellcode. Child executes payload, parent
a1empts to recover the exploited process.
• Recovery is hard – correct %EIP is normally lost during exploit.
• Need to know target process address space – relaAve offset.
• Hydra fork()s your shellcode for you automaAcally. 17
17
22. StaAsAcal Mimicry
Song, et al. Machine Learning Journal. 2009.
Markov chains and
Monte-Carlo simulation.
• Hydra accept “training samples” for normal data and learns
models for normal traffic.
• Inline‐pad shellcode to make it look staAsAcally similar. 22
13