SlideShare une entreprise Scribd logo

[PH-Neutral 0x7db] Exploit Next Generation®

Nelson Brito
Nelson Brito

PH-Neutral lecture about Permutation Oriented Programming (formerly known as Exploit Next Generation® Methodology). Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness.

TechnologieÉconomie & finance
1  sur  105
Exploit Next Generation® “Missão dada é missão cumprida!”
Agenda
Agenda • 0001 – Introduction
Agenda • 0001 – Introduction • 0010 – Brain at work
Agenda • 0001 – Introduction • 0010 – Brain at work • 0011 – ENG++ approach
Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0011 – ENG++ approach
Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach
Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach • 0110 – Questions and Answers
nbrito@pitbull:~$ whoami
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™ • WEB: • http://fnstenv.blogspot.com/ • http://twitter.com/nbrito
0001 – Introduction “Because five bytes can make the difference”
Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware • This technology is as need today as it was in the of its existence. past, but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or • No matter how fast is the pattern-matching a mitigation is released (which comes first). algorithm, if a pattern does not match, it means that there is no vulnerability exploitation. • So we can conclude that, once expired (patched or mitigated), 0-day has no more value. If you • No vulnerability exploitation, no protection do not believe me, you can try to sell a well- action… But what if the pattern is wrong? known vulnerability to your vulnerability- broker. • How can we guarantee that the pattern, which was not matched, is the correct approach for a • Some security solutions fight against 0-day faster protection action? Was the detection really than the affected vendor. designed to detect the vulnerability?
Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation – Overlapping fragments • Fragroute / Fragrouter • Stream segmentation – Overlapping segments • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / “rpc-evade-poc.pl” / Others • URL obfuscation (+ SSL encryption) • “predator” • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
What is Exploit Next Generation®? The scenario The methodology • Remember: “Some security solutions fight against • To circumvent or avoid a pattern-matching 0-day faster than the affected vendor”. detection, there are two options: – Easier: know how the vulnerability is • This protection (mitigation) has a long life, and detected (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: • ENG++ is the hardest option: vulnerability mitigated, no patch… – Deep analysis of a vulnerability. – Use all the acquired knowledge to offer a • But what if an old and well-known variety of decision points (variants). vulnerability could be exploited, even on this – Interact with the trigger and the security approach model? additional entities, preparing the vulnerable ecosystem and performing • According to pattern-matching, any new some memory manipulation . variant of an old vulnerability exploitation is – Use randomness to provide unpredictable considered a new vulnerability, because there is payloads, i.e., permutation. no pattern to be matched yet!
ENG++ (pronounced /ěn’jĭn/ incremented) The truth The examples • ENG++ methodology deals with vulnerable • Server-side vulnerabilities: ecosystem and memory manipulation, rather – MS02-039: CVE-2002-0649/CWE-120. than shellcode – it is neither a new polymorphic shellcode technique, nor an – MS02-056: CVE-2002-1123/CWE-120. obfuscation technique, instead, ENG++ employs “Permutation Oriented Programming”. • Client-side vulnerabilities: – MS08-078: CVE-2008-4844/CWE-367. • ENG++ methodology can be applied to work with: Rapid7 Metasploit Framework, CORE Impact Pro, – MS09-002: CVE-2009-0075/CWE-367. Immunity CANVAS Professional, and stand-alone proof-of-concepts (a.k.a. freestyle coding). • Windows 32-bit shellcodes: – 波動拳: “CMD /k”. • ENG++ methodology is neither an additional – 昇龍拳: “CMD /k set DIRCMD=/b”. entropy for tools mentioned above, nor an Advanced Evasion Technique (AET). Instead, ENG++ methodology can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • ENG++ methodology maintains the exploitation examples for client-side in HTML and JavaScript. reliability, even using random decisions, it is able to achieve all exploitation requirements.
What if… exploit #1
What if… exploit #1 exploit #2
What if… exploit #1 exploit #N exploit #2
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone Exploit Next Generation®
0010 – Brain at work “Hardest option”
Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0- 1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
MS02-039 (CVE-2002-0649/CWE-120)
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
0011 – ENG++ approach Permutation Oriented Programming Also known as “(Re)searching for alternatives”
ENG++ approach Vulnerability
ENG++ approach Vulnerability Vulnerable Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Document Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Trigger Additional Entities
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
MS02-039 (CVE-2002-0649/CWE-120) POPed • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, – 115 permutations. except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. • Writable address and memory alignment: – 24,000 permutations. – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server • Return address: 2000 SP0-2). There are much more – Uses the “jump to register” technique, in writable addresses if do not mind making this case the ESP register. it hardcoded. – Tools: “IDA Pro 5.0 Freeware” by Hex- – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft Rays, and “OlyDBG 2.01 alpha 2” by SQL Server 2000 SP0-2). There are much Oleh Yuschuk. more return addresses if do not mind – 26,758 permutations. making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, • Padding and memory alignment: (“Hacking Proof your Network – Second – ASCII hexa values from 0x01 to 0xff. Edition”, 2002), and “DumpOp.c” by Koskya – The length may vary, depending on JUMP, Kortchinsky (“Macro reliability in Win32 from 3,048 to 29,210 possibilities. Exploits” – Black Hat Europe, 2007). – 29,210 permutations. – 4 permutations.
MS08-078 (CVE-2008-4844/CWE-367) POPed
MS08-078 (CVE-2008-4844/CWE-367) POPed
MS08-078 (CVE-2008-4844/CWE-367) POPed • CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML Elements think so… to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only • XML Data Island: five (5) elements are useful. – There are two (2) options: using the – The HTML element is a key trigger, because Dynamic HTML (DHTML) <XML> element it points to a dereferenced XML DSO, but it within the HTML document or overloading does not have to be the same HTML element the HTML <SCRIPT> element. Unfortunately, to do so – it can be any mixed HTML the HTML <SCRIPT> element is useless. element. – The <XML> element accepts a combination – 25 permutations. of different types of elements, i.e., they can be anything. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, – Characters like “<” and “&” are illegal in and can use “.NET DLL” technique by Mark <XML> element. To avoid errors <XML> Dowd and Alexander Sotirov (“How to element can be defined as CDATA (Unparsed Impress Girls with Browser Memory Character Data). But the <XML> element Protection Bypasses” – Black Hat USA, 2008). can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible – Both <IMG SRC= > and <IMAGE SRC= > return addresses. elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
0100 – Demonstration
What demo? The examples applying ENG++ methodology will be available – as soon as I connect to Internet. Thus you will be able to test by yourselves!!!
0101 – Conclusions
Conclusions • Some examples, applying ENG++ methodology, • The ENG++ methodology is not part of any will be available. For further details, please refer commercial or public tool and is freely available, to: although the examples were ported to work with Rapid7 Metasploit Framework – this is to show – http://fnstenv.blogspot.com/ how flexible its approach and deployment is – hoping it can help people to understand the • ENG++ examples are licensed under GNU threat, improving their infra-structure, security General Public License version 2. solutions and development approach. • ENG++ methodology can be freely applied, there • The examples cover pretty old vulnerabilities, such are no restrictions… No other than laziness. as: – MS02-039: 3,231 days since published. • ENG++ methodology can help different people, – MS02-056: 3,161 days since published. performing different tasks, such as: – MS08-078: 893 days since published. – Penetration-testing. – MS09-002: 838 days since published. – Development of exploit and proof-of-concept tools. – Evaluation and analysis of security solutions. • ENG++ is also not new: – Quality assurance for security solution. – Encore-NG: 980 days since BUGTRAQ and – Development of detection and protection FULL-DISCLOSURE. mechanisms. – ENG++ : 546 days since H2HC 6th Edition. – Etc…
0110 – Questions & Answers
Any questions?
[PH-Neutral 0x7db] Exploit Next Generation®

Recommandé

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session iMalachi Jones
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 

Recommandé

Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session iMalachi Jones
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
IRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
IRJET- Data Analysis for Braking System in Time Domain for Fault DiagnosisIRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
IRJET- Data Analysis for Braking System in Time Domain for Fault DiagnosisIRJET Journal
 
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...Universitat Politècnica de Catalunya
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyInsight Technology, Inc.
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidIntel® Software
 
David-FPGA
David-FPGADavid-FPGA
David-FPGAguest66dc5f
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Uvm dcon2013
Uvm dcon2013Uvm dcon2013
Uvm dcon2013sean chen
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkHIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkAdaCore
 
Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Marcelo Martins
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Nelson Brito
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 

Contenu connexe

Tendances

A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
IRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
IRJET- Data Analysis for Braking System in Time Domain for Fault DiagnosisIRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
IRJET- Data Analysis for Braking System in Time Domain for Fault DiagnosisIRJET Journal
 
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...Universitat Politècnica de Catalunya
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidIntel® Software
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Uvm dcon2013
Uvm dcon2013Uvm dcon2013
Uvm dcon2013sean chen
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkHIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkAdaCore
 

Tendances (18)

A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and Security
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryption
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
IRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
IRJET- Data Analysis for Braking System in Time Domain for Fault DiagnosisIRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
IRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
 
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developers
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in Android
 
David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
 
Uvm dcon2013
Uvm dcon2013Uvm dcon2013
Uvm dcon2013
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
 
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkHIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
 

En vedette

Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Marcelo Martins
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Nelson Brito
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Nelson Brito
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Project Student
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Nelson Brito
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)Nelson Brito
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyNelson Brito
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented ProgrammingNelson Brito
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Project Student
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practicesProject Student
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / TranslatorsProject Student
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Project Student
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 

En vedette (20)

Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow Vulnerability
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e Vulnerabilidades
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The Philosophy
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented Programming
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practices
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / Translators
 
FormacaoCrypto
FormacaoCryptoFormacaoCrypto
FormacaoCrypto
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
 
The Caesar Cipher
The Caesar Cipher The Caesar Cipher
The Caesar Cipher
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 

Similaire à [PH-Neutral 0x7db] Exploit Next Generation®

"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson BritoSegInfo
 
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson BritoVale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson BritoVale Security Conference
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERCODE BLUE
 
DEFCON 23 - John Seymour - “Quantum” Classification of Malware
DEFCON 23 - John Seymour - “Quantum” Classification of MalwareDEFCON 23 - John Seymour - “Quantum” Classification of Malware
DEFCON 23 - John Seymour - “Quantum” Classification of MalwareFelipe Prado
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
On codes, machines, and environments: reflections and experiences
On codes, machines, and environments: reflections and experiencesOn codes, machines, and environments: reflections and experiences
On codes, machines, and environments: reflections and experiencesVincenzo De Florio
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 

Similaire à [PH-Neutral 0x7db] Exploit Next Generation® (20)

"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
 
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson BritoVale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
 
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVERSCADA Software or Swiss Cheese Software?  by Celil UNUVER
SCADA Software or Swiss Cheese Software?  by Celil UNUVER
 
DEFCON 23 - John Seymour - “Quantum” Classification of Malware
DEFCON 23 - John Seymour - “Quantum” Classification of MalwareDEFCON 23 - John Seymour - “Quantum” Classification of Malware
DEFCON 23 - John Seymour - “Quantum” Classification of Malware
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
On codes, machines, and environments: reflections and experiences
On codes, machines, and environments: reflections and experiencesOn codes, machines, and environments: reflections and experiences
On codes, machines, and environments: reflections and experiences
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
OWASP
OWASPOWASP
OWASP
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 

Plus de Nelson Brito

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerNelson Brito
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support SlidesNelson Brito
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)Nelson Brito
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?Nelson Brito
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Nelson Brito
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryNelson Brito
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seNelson Brito
 

Plus de Nelson Brito (8)

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB Scanner
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support Slides
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror History
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-se
 

Dernier

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Dernier (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 

[PH-Neutral 0x7db] Exploit Next Generation®

  • 1. Exploit Next Generation® “Missão dada é missão cumprida!”
  • 3. Agenda • 0001 – Introduction
  • 4. Agenda • 0001 – Introduction • 0010 – Brain at work
  • 5. Agenda • 0001 – Introduction • 0010 – Brain at work • 0011 – ENG++ approach
  • 6. Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0011 – ENG++ approach
  • 7. Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach
  • 8. Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach • 0110 – Questions and Answers
  • 10. nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems
  • 11. nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro
  • 12. nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™
  • 13. nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™ • WEB: • http://fnstenv.blogspot.com/ • http://twitter.com/nbrito
  • 14. 0001 – Introduction “Because five bytes can make the difference”
  • 15. Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware • This technology is as need today as it was in the of its existence. past, but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or • No matter how fast is the pattern-matching a mitigation is released (which comes first). algorithm, if a pattern does not match, it means that there is no vulnerability exploitation. • So we can conclude that, once expired (patched or mitigated), 0-day has no more value. If you • No vulnerability exploitation, no protection do not believe me, you can try to sell a well- action… But what if the pattern is wrong? known vulnerability to your vulnerability- broker. • How can we guarantee that the pattern, which was not matched, is the correct approach for a • Some security solutions fight against 0-day faster protection action? Was the detection really than the affected vendor. designed to detect the vulnerability?
  • 16. Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation – Overlapping fragments • Fragroute / Fragrouter • Stream segmentation – Overlapping segments • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / “rpc-evade-poc.pl” / Others • URL obfuscation (+ SSL encryption) • “predator” • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
  • 17. What is Exploit Next Generation®? The scenario The methodology • Remember: “Some security solutions fight against • To circumvent or avoid a pattern-matching 0-day faster than the affected vendor”. detection, there are two options: – Easier: know how the vulnerability is • This protection (mitigation) has a long life, and detected (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: • ENG++ is the hardest option: vulnerability mitigated, no patch… – Deep analysis of a vulnerability. – Use all the acquired knowledge to offer a • But what if an old and well-known variety of decision points (variants). vulnerability could be exploited, even on this – Interact with the trigger and the security approach model? additional entities, preparing the vulnerable ecosystem and performing • According to pattern-matching, any new some memory manipulation . variant of an old vulnerability exploitation is – Use randomness to provide unpredictable considered a new vulnerability, because there is payloads, i.e., permutation. no pattern to be matched yet!
  • 18. ENG++ (pronounced /ěn’jĭn/ incremented) The truth The examples • ENG++ methodology deals with vulnerable • Server-side vulnerabilities: ecosystem and memory manipulation, rather – MS02-039: CVE-2002-0649/CWE-120. than shellcode – it is neither a new polymorphic shellcode technique, nor an – MS02-056: CVE-2002-1123/CWE-120. obfuscation technique, instead, ENG++ employs “Permutation Oriented Programming”. • Client-side vulnerabilities: – MS08-078: CVE-2008-4844/CWE-367. • ENG++ methodology can be applied to work with: Rapid7 Metasploit Framework, CORE Impact Pro, – MS09-002: CVE-2009-0075/CWE-367. Immunity CANVAS Professional, and stand-alone proof-of-concepts (a.k.a. freestyle coding). • Windows 32-bit shellcodes: – 波動拳: “CMD /k”. • ENG++ methodology is neither an additional – 昇龍拳: “CMD /k set DIRCMD=/b”. entropy for tools mentioned above, nor an Advanced Evasion Technique (AET). Instead, ENG++ methodology can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • ENG++ methodology maintains the exploitation examples for client-side in HTML and JavaScript. reliability, even using random decisions, it is able to achieve all exploitation requirements.
  • 19. What if… exploit #1
  • 20. What if… exploit #1 exploit #2
  • 21. What if… exploit #1 exploit #N exploit #2
  • 22. What if… exploit #1 exploit #N exploit #2 shared zone
  • 23. What if… exploit #1 exploit #N exploit #2 shared zone
  • 24. What if… exploit #1 exploit #N exploit #2 shared zone Exploit Next Generation®
  • 25. 0010 – Brain at work “Hardest option”
  • 26. Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0- 1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
  • 30. MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 31. MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 32. MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 33. MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 34. MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 35. arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 36. arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 37. arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 38. arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 39. arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 40. arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 62. MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 63. MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 64. MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 65. MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 66. MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 67. MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 73. MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
  • 74. MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
  • 75. 0011 – ENG++ approach Permutation Oriented Programming Also known as “(Re)searching for alternatives”
  • 78. ENG++ approach Vulnerability Vulnerable Documentation? Ecosystem
  • 79. ENG++ approach Vulnerability Vulnerable Documentation? Document Ecosystem
  • 80. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem
  • 81. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
  • 82. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
  • 83. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
  • 84. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
  • 85. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
  • 86. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
  • 87. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
  • 88. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Trigger Additional Entities
  • 89. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
  • 90. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
  • 91. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection
  • 92. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection
  • 93. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
  • 94. ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
  • 95. MS02-039 (CVE-2002-0649/CWE-120) POPed • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, – 115 permutations. except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. • Writable address and memory alignment: – 24,000 permutations. – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server • Return address: 2000 SP0-2). There are much more – Uses the “jump to register” technique, in writable addresses if do not mind making this case the ESP register. it hardcoded. – Tools: “IDA Pro 5.0 Freeware” by Hex- – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft Rays, and “OlyDBG 2.01 alpha 2” by SQL Server 2000 SP0-2). There are much Oleh Yuschuk. more return addresses if do not mind – 26,758 permutations. making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, • Padding and memory alignment: (“Hacking Proof your Network – Second – ASCII hexa values from 0x01 to 0xff. Edition”, 2002), and “DumpOp.c” by Koskya – The length may vary, depending on JUMP, Kortchinsky (“Macro reliability in Win32 from 3,048 to 29,210 possibilities. Exploits” – Black Hat Europe, 2007). – 29,210 permutations. – 4 permutations.
  • 98. MS08-078 (CVE-2008-4844/CWE-367) POPed • CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML Elements think so… to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only • XML Data Island: five (5) elements are useful. – There are two (2) options: using the – The HTML element is a key trigger, because Dynamic HTML (DHTML) <XML> element it points to a dereferenced XML DSO, but it within the HTML document or overloading does not have to be the same HTML element the HTML <SCRIPT> element. Unfortunately, to do so – it can be any mixed HTML the HTML <SCRIPT> element is useless. element. – The <XML> element accepts a combination – 25 permutations. of different types of elements, i.e., they can be anything. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, – Characters like “<” and “&” are illegal in and can use “.NET DLL” technique by Mark <XML> element. To avoid errors <XML> Dowd and Alexander Sotirov (“How to element can be defined as CDATA (Unparsed Impress Girls with Browser Memory Character Data). But the <XML> element Protection Bypasses” – Black Hat USA, 2008). can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible – Both <IMG SRC= > and <IMAGE SRC= > return addresses. elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
  • 100. What demo? The examples applying ENG++ methodology will be available – as soon as I connect to Internet. Thus you will be able to test by yourselves!!!
  • 102. Conclusions • Some examples, applying ENG++ methodology, • The ENG++ methodology is not part of any will be available. For further details, please refer commercial or public tool and is freely available, to: although the examples were ported to work with Rapid7 Metasploit Framework – this is to show – http://fnstenv.blogspot.com/ how flexible its approach and deployment is – hoping it can help people to understand the • ENG++ examples are licensed under GNU threat, improving their infra-structure, security General Public License version 2. solutions and development approach. • ENG++ methodology can be freely applied, there • The examples cover pretty old vulnerabilities, such are no restrictions… No other than laziness. as: – MS02-039: 3,231 days since published. • ENG++ methodology can help different people, – MS02-056: 3,161 days since published. performing different tasks, such as: – MS08-078: 893 days since published. – Penetration-testing. – MS09-002: 838 days since published. – Development of exploit and proof-of-concept tools. – Evaluation and analysis of security solutions. • ENG++ is also not new: – Quality assurance for security solution. – Encore-NG: 980 days since BUGTRAQ and – Development of detection and protection FULL-DISCLOSURE. mechanisms. – ENG++ : 546 days since H2HC 6th Edition. – Etc…
  • 103. 0110 – Questions & Answers