Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hinn blákaldi sannleikur maður er alltaf óöruggur

Rich Smith
February 08, 2013
Technology
0
130

Hinn blákaldi sannleikur maður er alltaf óöruggur

A talk I gave with Syndis co-founder Ýmir Vigfússon at UTMessan 2013 in Reykjavík, Iceland where we discuss the value of using offensive techniques to inform good defense.
The title roughly translates to 'The ice cold truth of the fact that one is always insecure' :)

Rich Smith

February 08, 2013
Tweet

More Decks by Rich Smith

See All by Rich Smith
Beyond The Hype: Zero Trust From An Attacker’s Perspective
iodboi
1
370
Building Security Through Culture (Craft Conf - Budapest 2016)
iodboi
2
2.3k
The Art and Craft of a Meaningful Security Culture (UTMESSAN 2016)
iodboi
1
230
Crafting an Effective Security Organisation (QCon NYC)
iodboi
3
6.8k
Crafting an Effective Security Organisation (KiwiCon 8)
iodboi
5
2.1k
Contiuously Deploying Culture 2.0 - Agile Ísland
iodboi
0
120
</CLOUD>
iodboi
1
210
Modern Post-Exploitation Strategies
iodboi
0
130
Pragmatic Approach to Breaking Mobile Apps
iodboi
0
110

Other Decks in Technology

See All in Technology
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
1
290
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
170
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
230
日経電子版のStoreKit2フルリニューアル
shimastripe
1
150
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
180
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
490
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
220
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
TypeScript、上達の瞬間
sadnessojisan
46
13k
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k

Featured

See All Featured
How to Ace a Technical Interview
jacobian
276
23k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Fireside Chat
paigeccino
34
3k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
For a Future-Friendly Web
brad_frost
175
9.4k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
380
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Code Review Best Practice
trishagee
64
17k

Transcript

  1. Ýmir Vigfússon Rich Smith

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None

  21. Understanding a real-world attack Bug seen exploited in the wild

    in December 2012 §  Hacked the Council of Foreign Affairs Fully patched Windows 7 §  Internet Explorer 8.0 §  Java 1.6 §  DEP Memory Protection We will demonstrate and explain our exploit CVE-2012-4792 A REAL-WORLD ATTACK

  22. DEMO

  23. Under the hood divelm formelm bu#on   Use after free

    appendChild used by the system 0c0c0c0c   CVE-2012-4792 Analogy 8256443

  24. c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea d07beef013ac978f3ff19656 9ba83144cc4401018971c73 dead07beef013ac978f3ff19 6569ba83144cc4401018971 c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea

    d07beef013ac978f3ff19656 9ba83144cc4401018971c73 16931c9dead07beef013ac9 78f3ff196569ba83144cc440 dead07beef013ac978f3ff19 dead07beef013ac978f3ff19 6569ba83144cc4401018971 c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea d07beef013ac978f3ff19656 9ba83144cc4401018971c73 badc0dedead07beef013ac9 78f3ff19dead07beef013ac9 78f3ff196569ba83144cc440 1018971c7316931c9dead07 beef013ac978f3ff196569ba8 3144cc4401018971c731693 1c9dead07beef013ac978f3ff 19656dead07beef013ac978f 3ff196569ba83144cc440101 8971c7316569ba83144cc44 01018971c7316931c9dead0 7beef013ac978f3ff196569ba 83144cc4401018971c73169 31cad07beef013ac978f3ff19 6569ba83144cc44eef013ac9 78f3ff196569ba83144cc440 1018971c7316931c9dead07 beef013ac978f3ff1965   Computer memory used by the system 0c0c0c0c   0x0c0c0c0c   system trusts the reference therefore, system executes

  25. c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea d07beef013ac978f3ff19656 9ba83144cc4401018971c73 dead07beef013ac978f3ff19 6569ba83144cc4401018971 c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea

    d07beef013ac978f3ff19656 9ba83144cc4401018971c73 16931c9dead07beef013ac9 78f3ff196569ba83144cc440 dead07beef013ac978f3ff19 dead07beef013ac978f3ff19 6569ba83144cc4401018971 c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea d07beef013ac978f3ff19656 9ba83144cc4401018971c73 badc0dedead07beef013ac9 78f3ff19dead07beef013ac9 78f3ff196569ba83144cc440 1018971c7316931c9dead07 beef013ac978f3ff196569ba8 3144cc4401018971c731693 1c9dead07beef013ac978f3ff 19656dead07beef013ac978f 3ff196569ba83144cc440101 8971c7316569ba83144cc44 01018971c7316931c9dead0 7beef013ac978f3ff196569ba 83144cc4401018971c73169 31cad07beef013ac978f3ff19 6569ba83144cc44eef013ac9 78f3ff196569ba83144cc440 1018971c7316931c9dead07 beef013ac978f3ff1965   Computer memory ff19656dead07beef013ac97 8f3ff196569ba83144cc4401 018971c7316569ba83144cc 4401018971c7316931c9dea d07beef013ac978f3ff19656 9ba83144cc4401018971c73 16931cad07beef013ac978f3 ff196569ba83144cc44eef01 3ac978f3ff196569ba83144c c4401018971c7316931c9de ad07beef013ac978f3ff1965   c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea d07beef013ac978f3ff19656 9ba83144cc4401018971c73 dead07c0ded13ac978f3ff19 6569ba83144cc4401018971 c7316931c9dead07beef013 ac978f3ff196569ba83144cc 4401018971c7316931c9dea   d07beef013ac978f3ff18f3 ff196569ba831018971c73 16569ba83144cc4401018 971c7316931c9dead07be ef01dead07c0ded13ac3ff1 96569ba83144cbadc0de   Data Execution Prevention d07beef013ac978f3ff18f3 ff196569ba831018971c73 16569ba83144cc4401018 971c7316931c9dead07be ef01dead07c0ded13ac3ff1 96569ba83144cbadc0de   Defeated by Return-Oriented Programming (ROP) ROP exploit relies entirely on existing code! 0x0c0c0c0c  

  26. Exploit that overcomes modern memory defenses WHAT ABOUT OTHER DEFENSES?

    FIREWALLS, ANTI-VIRUS, IDS/IPS, ...

  27. ATTACKS ARE INVOLVED Found the original bug by fuzzing Wrote

    a proof-of- concept exploit Wrote a DEP- resistant exploit Weaponized the exploit Created post- exploitation framework Sponsored the attacks Administered deployment
  28. None
  29. None
  30. None
  31. None
  32. None

  33. HOW MUCH DO I SPEND ON DEFENSE X? HOW MUCH

    DOES AN ATTACKER HAVE TO SPEND TO BYPASS X? HOW MUCH IS DEFENSE X ACTUALLY WORTH TO ME? WHAT IS BYPASSING DEFENSE X WORTH TO AN ATTACKER ?
  34. None
  35. None
  36. None