The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights 2014 13th of November 2014.


1 The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights 2014 13th of November 2014

2 Agenda Introduction The past The present The (nearest) future Q&A

3 Introduction This talk is a very high-level overview of past and present software exploitation techniques (and their first appearances) Mostly about memory corruption and “binary” vulnerabilities The (nearest) future section is just the speaker's thoughts

4 The past

5 Kick-off!!! 2 October 1988 Morris Worm Fingerd Sendmail Password bruting via rsh

6 fingerd stack-based buffer overflow Picture source: http://www.youtube.com/watch?v=xdnwR_T-qx0

7 November 08, 1996 (Phrack 49) Smashing The Stack For Fun And Profit http://phrack.org/issues/49/14.html

8 Bypassing the non-exec Stack (ret-2-libc) - 8/10/1997 http://seclists.org/bugtraq/1997/Aug/63 Solar Designer

9 Bypassing the non-exec Stack (ret-2-libc)


11 1/31/1999 - w00w00 on Heap Overflows http://www.w00w00.org/files/articles/heaptut.txt

12 9/20/1999 - Format String bug in proftpd http://seclists.org/bugtraq/1999/Sep/328

13 7/25/2000 - JPEG Com Marker vulnerability in Netscape http://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability

14 9/9/2000 - Format String Attacks http://seclists.org/bugtraq/2000/Sep/214

15 6/18/2001 - IIS.ida ISAPI filter Vulnerability Remove this slide?

16 7/13/2001 - Code Red Worm in the Wild Remove this slide?

17 11/8/2001 VUDO malloc tricks http://phrack.org/issues/57/8.html

18 11/8/2001 Once upon a free http://phrack.org/issues/57/9.html

19 2/7/2002 - Third Generation Exploits https://www.blackhat.com/presentations/bh-europe-01/halvar-flake/bh-europe-01-halvarflake-1.ppt

20 7/28/2002 - Advances in Format String Exploitation http://phrack.org/issues/59/7.html

21 7/10/2003 - "Variations in Exploit methods between Linux and Windows" http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

22 8/2/2003 - “Win32 device drivers communication vulnerabilities” http://seclists.org/fulldisclosure/2003/Aug/86 Arbitrary memory overwrite via ioctl METHOD_NEITHER

23 9/8/2003 - "Defeating the Stack Based Buffer Overflow Prevention Mechanism of MS Windows 2003 Server" https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

24 9/30/2003 - /SAFESEH introduced into Visual Studio Remove this slide?

25 4/21/2004 “Reliable Windows Heap Exploits” https://cansecwest.com/core04/cansecwest04.iso

26 7/28/2004 “Windows Heap Overflows” http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt

27 10/25/2004 - “On the effectiveness of ASLR” http://dl.acm.org/citation.cfm?id=1030124

28 "Heap Spraying" against Internet Explorer is demonstrated - 11/2/2004

29 1/21/2005 - "Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass" http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf

30 2/17/2005 - “Remote Windows Kernel Exploitation” http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf

31 7/20/2005 - "Windows Kernel Pool Overflow Exploitation" http://packetstormsecurity.com/files/download/39742/Xcon2005_SoBeIt.pdf

32 8/31/2005 - “Critical Section Heap Exploit Technique” http://www.symantec.com/connect/articles/new-way-bypass-windows-heap-protections

33 10/5/2005 - Technique published to bypass hardware DEP Uninformed Journal 2, Matt Miller (skape) and Ken Johnson (skywing) NtProtectVirtualMemory NtSetInformationProcess

34 11/30/2005 - Microsoft ships Visual Studio 2005 with GS v2 Remove this slide?

35 12/7/2005 - Technique published to exploit Freelist[0] on XP-SP2 http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

36 10/31/2006 - "Memory Retrieval Vulnerabilities" http://alphastar.nl/corruption/2006/eeye-memretrievalbugs-Oct2006.pdf

37 1/19/2007 - "Double Free Vulnerabilities" http://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1

38 3/1/2007 - "GS and ASLR in Windows Vista"

39 3/27/2007 - "Heap Feng Shui in JavaScript" https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

40 7/6/2007 - "Understanding and Bypassing Windows Heap Protection" https://www.immunityinc.com/downloads/Heap_Singapore_Jun_2007.pdf

41 4/14/2008 - "Application-Specific Attacks - Leveraging the ActionScript Virtual Machine" http://www.inf.fu-berlin.de/groups/ag-si/compsec_assign/Dowd2008.pdf

42 7/1/2008 "Real World Kernel Pool Exploitation" http://www.80sec.com/syscanhk/KernelPool.pdf

43 7/29/2008 - .NET controls used to exploit IE https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf

44 8/8/2008 "Attacking the Vista Heap" https://www.blackhat.com/presentations/bh-usa-08/Hawkes/BH_US_08_Hawkes_Attacking_Vista_Heap.ppt

45 2/3/2010 - Pointer Inference and JIT Spray http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

46 The present

47 Drive-By-Download attacks Heap manipulation Turning memory corruption into information leakage (ASLR bypass) ROP

48 Privilege Escalation attacks Arbitrary memory overwrites Simple jump to shellcode located in the ring 3 address space ROP (rarely seen)

49 The future More chained exploits More “Inter-Ring” exploits Firmware/Hardware bugs

50 Thank you for listening! Any questions?

