2. Disclaimer
The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here
are solely mine and have nothing to do with the company or the
organization in which i am currently working.
However in no circumstances neither me nor SecurityXploded
is responsible for any damage or loss caused due to use or
misuse of the information presented here.
4. Why Exploits?
Difficult to understand
No proper intel
Can own a Researcher and Newbie alike
You really need to know your stuff
5. Information
Tools used are public and free
EMET (Microsoft)
Anti Exploit (Malware Bytes)
Hitman Alert (Surfright)
Note: They do a very good job in protecting end
users, But nothing is perfect.
Kudos to them!
6. Introduction to Exploitation
Exploits are crafted pieces of Art which can
elevate a Software Bug and grant you one time
access to Code Execution.
Loopholes or Logic Bugs
Memory Corruption
Information Disclosure
7. Introduction to Exploitation
Details
Pre Exploitation or Setup
Spray
Corruption of Meta-Information
InfoLeak
Exploitation
Corruption
Payload Execution
ROP
CodeExecution
Post Exploitation
Malware
9. Public Protections
3rd Party support
MemProt
Rop
CallerCheck
StackPivot
SimExecFlow
LoadLibrary
Shellcode Protection
OS & Processor supported
ASLR (Enforced)
DEP (Enforced)
11. Exploitation
Defeat DEP by ROP
Defeat ASLR by memory leak (provided in
sample exploit)
Crux of Exploitation Detection techniques
Exploitation Detection Hurdles left
ROP
Shellcode
Defeating protections from Stack based exploits
is for next meetup probably.
12. Exploitation
In the End
Most of browser based vulnerabilities can be used to
cover ASLR by leaking memory to form a valid ROP
Chain.
Nearly all exploits come down to
1. Spray
2. ROP
3. Shellcode
So we will focus on bypassing these only.
22. Bypassing CFI
Null out LBR before ApiCall
Borrow functions (hard, unless automated)
Be Creative (what we did)
Note: We bypassed a public implementation of CFI,
doesn’t mean if its implemented another way it can
still be bypassed the same way.
29. Targeted Bypassing
“Other Tools”
Just like EMET we can bypass other public and free
toolkits as well.
However, That is not the scope of this presentation.
=)
30. Conclusion
An attacker who has studied the system can
break anything & everything.
Best method of protecting yourself is using a
custom protection, and never letting the
adversary know what you use.