Igor Agievich, Pavel Markov. Dynamic Detection of Shellcode in Electronic Documents (slides, Positive Hack Days)
First of all
I'm sorry for my English...
WHOAMI
Many people know me from this image.

WHOAMI_2
Markov Pavel:
Found a zero-day in Windows (arbitrary code execution by manipulating folder settings).
Just a developer.
Agievich Igor:
Found vulnerabilities in Outpost Security Suite (2012), VirtualBox (2011), vBulletin (2005-2006).
Not even a developer :)
Actually, we are trying to create a fuzzer...
Yet another bicycle (reinvented wheel)?
Our goals
We want to fuzz the file types our company works with.
Actually, any file type can be fuzzed with our fuzzer, depending on how much you know about the specific file format (that's how we found a bug in Yandex Browser).
Our own fuzzing: how does it work?
It's client-server based software. Basically it consists of:
- Generator (one or more).
- Clients for testing the generated samples (one or more). At the time of development they could only detect exceptions. They use IDebugClient through a Python wrapper (which allows faster development than using the Debug API directly).
In addition we found out:
Also, this approach helps to find shellcode in electronic documents.
Our own fuzzing: how does it work?
Let's use a new source for testing our fuzzer.
We tried a real file from a received email and we found... Exceptions! It was CVE-2012-0158 (.rtf).
Then we uploaded this file to Virtest, which returned:
We need to go deeper and create something new!
Let's try to play with the exploit
Original file from the email (on the left) and the modified file, still working (on the right).
What can shellcode do?
- It has functions for download and/or execution.
We can find a suspicious workflow
What counts as a suspicious workflow depends on the tested software.
For example, creation of a new process is suspicious for:
Word 2003, Internet Explorer 6, Adobe Reader 8
Not suspicious for:
Google Chrome, Adobe Reader 11, Internet Explorer 8-9 (these spawn helper processes as part of their normal multi-process or sandboxed design)
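The per-application rule above, together with the exception check the client does on the architecture slide, as an added example that is not the authors' tool: a small Python policy that takes the events one client reported while a sample was opened under the debugger and returns a verdict with reasons. The event line format, the function names (parse_event, analyse, summarize) and the application profile table are assumptions built from the slide's examples; the sessions are constructed, not captured data.

```python
"""Added example: per-application policy for events seen while opening a sample.

Assumptions (not from the slides): the 'kind key=value ...' event format,
the function names, and the profile table below, which encodes the slide's
rule that a new process is suspicious for Word 2003 / IE6 / Reader 8 but
expected for Chrome / Reader 11 / IE 8-9.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# True means the viewer spawns child processes itself as part of its normal
# multi-process or sandboxed design, so a new process alone proves nothing.
SPAWNS_PROCESSES_NORMALLY = {
    "Word 2003": False,
    "Internet Explorer 6": False,
    "Adobe Reader 8": False,
    "Google Chrome": True,
    "Adobe Reader 11": True,
    "Internet Explorer 8": True,
    "Internet Explorer 9": True,
}


@dataclass
class Verdict:
    app: str
    sample: str = "?"
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> tuple:
    """Parse one constructed 'kind key=value ...' line reported by a client."""
    kind, *pairs = line.split()
    return kind, dict(pair.split("=", 1) for pair in pairs)


def analyse(app: str, session: list) -> Verdict:
    """Turn the events of one opened sample into a verdict with reasons."""
    verdict = Verdict(app=app)
    # Unknown target: no baseline, so fall back to the strict rule.
    spawns_normally = SPAWNS_PROCESSES_NORMALLY.get(app, False)
    for line in session:
        kind, fields = parse_event(line)
        if kind == "open":
            verdict.sample = fields.get("sample", "?")
        elif kind == "exception":
            # An unhandled exception is the fuzzer's primary signal (a crash
            # or an exploit attempt) and is suspicious in every viewer.
            verdict.suspicious = True
            verdict.reasons.append(
                f"exception {fields.get('code')} at {fields.get('address')}")
        elif kind == "process_create" and not spawns_normally:
            note = "" if app in SPAWNS_PROCESSES_NORMALLY else " (no profile, strict baseline)"
            verdict.suspicious = True
            verdict.reasons.append(
                f"{fields.get('parent')} spawned {fields.get('image')}{note}")
        # Other event kinds are ignored by this minimal policy.
    return verdict


def summarize(results: list) -> dict:
    """Count (tested, flagged) samples per application, like a results table."""
    counts = {}
    for v in results:
        tested, flagged = counts.get(v.app, (0, 0))
        counts[v.app] = (tested + 1, flagged + int(v.suspicious))
    return counts


# Constructed sessions: every value below is made up for the example.
CONSTRUCTED_SESSIONS = [
    ("Word 2003", [
        "open sample=constructed_0001.rtf",
        "exception code=0xC0000005 address=0x00410041",
        "process_create image=cmd.exe parent=WINWORD.EXE",
    ]),
    ("Word 2003", ["open sample=constructed_0002.doc"]),
    ("Google Chrome", [
        "open sample=constructed_0003.pdf",
        "process_create image=chrome.exe parent=chrome.exe",
    ]),
    ("Adobe Reader 8", [
        "open sample=constructed_0004.pdf",
        "process_create image=cmd.exe parent=AcroRd32.exe",
    ]),
]

if __name__ == "__main__":
    results = [analyse(app, session) for app, session in CONSTRUCTED_SESSIONS]
    for v in results:
        print(f"{v.app:16} {v.sample:22} suspicious={v.suspicious} {v.reasons}")
    print(summarize(results))
```

An application without a profile gets the strict rule on purpose: a viewer whose normal process tree has not been baselined should produce false positives to review rather than silently pass a spawned shell, and the reason string says why it was flagged.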
Our software in action
Full video:
http://www.youtube.com/watch?v=v3h_H5ZGIT8
And a good marksman may miss
Does Yandex know about fuzzing?
I think they do...
But we've found a new bug anyway!
Our results
We tested our program on:
- > 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit Reader 3-6, Google Chrome, Yandex.Browser)
- > 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003, 2007, LibreOffice 4.0)
- OS: Windows XP, Windows 7
We've found:
- Some APT attacks using known CVEs (CVE-2012-0158 and others) against MS Word 2003, 2007
- A bug in Yandex.Browser (fixed in the latest version)
Any questions?
If you have any questions in English, please wait until I am drunk and my English speaking skills are leveled up :)
Anyway, you can contact me on the Internet:
twitter: @shanker_sec
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 

Dernier (20)

IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 

Igor Agievich, Pavel Markov. Dynamic Detection of Shellcode in Electronic Documents

  • 1. First of all, I'm sorry for my English...
  • 2. WHOAMI: many people know me from this image
  • 3. WHOAMI_2. Markov Pavel: found a zero-day in Windows (execute arbitrary code by manipulating folder settings); just a developer. Agievich Igor: found vulnerabilities in Outpost Security Suite (2012), VirtualBox (2011), vBulletin (2005-2006); not even a developer :)
  • 4. Actually, we are trying to create a fuzzer... Yet another bicycle?
  • 5. Our goals. We want to fuzz the file types of our company. But actually any file type can be fuzzed with our fuzzer, depending on how much you know about the specific file format (that's how we've found a bug in Yandex browser).
  • 6. Our own fuzzing: how does it work? It's client-server based software. Basically it consists of: a generator (one or more); clients for testing generated samples (one or more). At the moment of development they could only detect exceptions, using IDebugClient with a Python wrapper (allows faster development than using the Debug API). In addition we found out: this approach also helps to find shell code in electronic documents.
  • 7. Our own fuzzing: how does it work?
  • 8. Let's use a new source for testing our fuzzing. We tried using a real file from some received email and we found... Exceptions! It was CVE-2012-0158 (.rtf). Then we uploaded this file to Virtest, which returned:
  • 9. We need to go deeper and create something new!
  • 10. Let's try to play with the exploit. Original file from email (on the left) and modified file, still working (on the right).
  • 11. What can shell code do: has functions for download and/or execution.
  • 12. We can find suspicious workflow. Suspicious workflow depends on the tested software. For example, creation of a new process is suspicious for: Word 2003, Internet Explorer 6, Adobe Reader 8. Not suspicious for: Google Chrome, Adobe Reader 11, Internet Explorer 8-9.
  • 13. Our soft in action. Full video: http://www.youtube.com/watch?v=v3h_H5ZGIT8
  • 14. And a good marksman may miss. Does Yandex know about fuzzing? I think they do... But we've found a new bug anyway!
  • 15. Our results. We tested our program on: > 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit Reader 3-6, Google Chrome, Yandex.Browser); > 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003, 2007, Libre Office 4.0); OS Win XP, Win 7. We've found: some APT attacks with some known CVEs (CVE-2012-0158 and some others) for MS Word 2003, 2007; a bug in Yandex.Browser (fixed in the latest version).
  • 16. Any questions? If you have got any questions in English, please wait until I am drunk and my English speaking skills are leveled up :) Anyway, you can contact me on the Internet. Twitter: @shanker_sec
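The "suspicious workflow" rule from slide 12 (plus the download/execute behaviour from slide 11) as an added detection example, not code from the talk or its fuzzer: a per-application baseline decides whether an observed event, such as process creation, is expected for that viewer version or worth flagging. The `key=value` event format, the field names and the sample lines are constructed assumptions; Word 2003 reports major version 11.

```python
import re

# Constructed sample events (not the talk's own format): what a debugger-side
# client might record while a document is opened in the tested viewer.
SAMPLE_EVENTS = [
    "app=WINWORD.EXE ver=11.0 event=CreateProcess child=cmd.exe",
    "app=chrome.exe ver=30.0 event=CreateProcess child=chrome.exe",
    "app=AcroRd32.exe ver=8.1 event=CreateProcess child=svchost.exe",
    "app=AcroRd32.exe ver=11.0 event=CreateProcess child=AcroRd32.exe",
    "app=iexplore.exe ver=9.0 event=CreateProcess child=ieuser.exe",
    "app=iexplore.exe ver=9.0 event=URLDownloadToFile url=http://example.invalid/a",
]

# Per-application baseline from the talk, keyed by lower-cased image name with
# an inclusive major-version range (Word 2003 is major version 11).
SUSPICIOUS_PROCESS_CREATION = {
    "winword.exe": (11, 11),   # Word 2003
    "iexplore.exe": (6, 6),    # Internet Explorer 6
    "acrord32.exe": (8, 8),    # Adobe Reader 8
}
EXPECTED_PROCESS_CREATION = {
    "chrome.exe": (0, 999),    # multi-process browser: child processes are normal
    "acrord32.exe": (11, 11),  # Adobe Reader 11 spawns helper processes itself
    "iexplore.exe": (8, 9),    # Internet Explorer 8-9 use tab processes
}
# Download/execute APIs shellcode typically needs: suspicious in any viewer.
DOWNLOAD_OR_EXEC_EVENTS = {"URLDownloadToFile", "WinExec", "ShellExecute"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn 'key=value ...' into a dict and add the integer major version."""
    fields = dict(FIELD_RE.findall(line))
    fields["major"] = int(fields.get("ver", "0").split(".")[0])
    return fields

def in_range(major, bounds):
    return bounds[0] <= major <= bounds[1]

def classify(line):
    """Return 'suspicious', 'expected' or 'unknown' for one observed event."""
    ev = parse_event(line)
    app, kind, major = ev.get("app", "").lower(), ev.get("event"), ev["major"]
    if kind in DOWNLOAD_OR_EXEC_EVENTS:
        return "suspicious"
    if kind == "CreateProcess":
        if app in SUSPICIOUS_PROCESS_CREATION and in_range(major, SUSPICIOUS_PROCESS_CREATION[app]):
            return "suspicious"
        if app in EXPECTED_PROCESS_CREATION and in_range(major, EXPECTED_PROCESS_CREATION[app]):
            return "expected"
    return "unknown"  # no baseline for this app/version: needs a human look

def triage(lines):
    """Verdict per event; a sample is flagged if any event is suspicious."""
    return [(line, classify(line)) for line in lines]
```

An "unknown" verdict is deliberate: a viewer with no recorded baseline should be reviewed rather than silently treated as clean.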