Talk - Writing My First Exploit
James Moriarty
June 16, 2021
Transcript
Writing My First Exploit
Exploit? "...is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior..." (Wikipedia)
What? Counter-Strike: Global Offensive
• Source code leak from 2013 for reference.
  ◦ github.com/ValveSoftware/source-...
• Lots of existing exploit examples.
  ◦ github.com/search?q=dwLocalPlaye...
"Steel-thread" Implementation
• "Out of the box" win32 APIs to exploit the client-side process.
  ◦ read/write with kernel32.dll
  ◦ input with user32.dll
• "Benign" exploit impact.
  ◦ client-side jump abuse aka "bunny hop"
Video
How?
    func RunHop(client *Client) {
        for {
            // Only act while the player is holding space (user32 key state).
            if gomem.IsKeyDown(VK_SPACE) {
                // Read the local player's flags byte out of the game process
                // (kernel32 read); the read error is deliberately discarded here.
                flags, _ := client.Process.ReadByte(...)
                // On the ground: write the jump so it fires on the next tick.
                if (flags & CSGO_FL_ONGROUND) > 0 {
                    client.Process.WriteByte(...)
                }
            }
            time.Sleep(100 * time.Nanosecond)
        }
    }
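The loop above reads and writes csgo.exe through kernel32 and polls the keyboard through user32, which is why it cannot run outside Windows or without the game. The following is an added example, not code from the talk or from gohack, that lifts the same on-ground check onto a small read/write interface so the logic can be exercised offline against a constructed fake process, the same idea as the stub csgo.exe on the Testing slides. The flag bit, the two addresses and the value written to the jump field are assumptions chosen for illustration, not real CS:GO values.

```go
package main

import "fmt"

// ProcessMemory is the minimal surface the hop logic needs. In the talk this
// is backed by ReadProcessMemory/WriteProcessMemory from kernel32.dll; here
// it is an interface so the same logic runs against a fake.
type ProcessMemory interface {
	ReadByte(addr uintptr) (byte, error)
	WriteByte(addr uintptr, v byte) error
}

// FakeProcess is a constructed stand-in for csgo.exe: a sparse byte map.
// Reading an address that was never written is treated as a read fault,
// which is what an unmapped page in the real target would look like.
type FakeProcess struct {
	mem map[uintptr]byte
}

func NewFakeProcess() *FakeProcess { return &FakeProcess{mem: map[uintptr]byte{}} }

func (p *FakeProcess) ReadByte(addr uintptr) (byte, error) {
	v, ok := p.mem[addr]
	if !ok {
		return 0, fmt.Errorf("read fault at 0x%x", addr)
	}
	return v, nil
}

func (p *FakeProcess) WriteByte(addr uintptr, v byte) error {
	p.mem[addr] = v
	return nil
}

const (
	FL_ONGROUND byte = 1 << 0 // assumed bit standing in for CSGO_FL_ONGROUND
	IN_JUMP     byte = 1 << 1 // assumed value written to the jump field
)

// HopOnce is one iteration of the RunHop loop with the key poll and the sleep
// factored out: if space is held and the player is on the ground, write the
// jump. It reports whether a jump was issued and surfaces read/write errors
// instead of discarding them.
func HopOnce(p ProcessMemory, flagsAddr, jumpAddr uintptr, spaceDown bool) (bool, error) {
	if !spaceDown {
		return false, nil
	}
	flags, err := p.ReadByte(flagsAddr)
	if err != nil {
		return false, err
	}
	if flags&FL_ONGROUND == 0 {
		return false, nil // airborne: writing another jump would do nothing useful
	}
	if err := p.WriteByte(jumpAddr, IN_JUMP); err != nil {
		return false, err
	}
	return true, nil
}

// Frame is one scripted tick of the fake game: key state and ground state.
type Frame struct {
	SpaceDown bool
	OnGround  bool
}

// RunHopSim drives HopOnce over constructed frames, updating the fake flags
// byte before each tick, and returns how many jumps were issued.
func RunHopSim(p ProcessMemory, flagsAddr, jumpAddr uintptr, frames []Frame) (int, error) {
	jumps := 0
	for _, f := range frames {
		var flags byte
		if f.OnGround {
			flags |= FL_ONGROUND
		}
		if err := p.WriteByte(flagsAddr, flags); err != nil {
			return jumps, err
		}
		jumped, err := HopOnce(p, flagsAddr, jumpAddr, f.SpaceDown)
		if err != nil {
			return jumps, err
		}
		if jumped {
			jumps++
		}
	}
	return jumps, nil
}

func main() {
	p := NewFakeProcess()
	// Constructed input: land, two airborne ticks, land again, then release space.
	frames := []Frame{{true, true}, {true, false}, {true, false}, {true, true}, {false, true}}
	n, err := RunHopSim(p, 0x1000, 0x2000, frames)
	fmt.Println(n, err)
}
```

Separating the check from the win32 plumbing is what makes the "benign" behaviour testable: the fake process pins down exactly which reads and writes the loop performs, and a read fault becomes an error you can assert on rather than a silently ignored zero.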
Binary Compatibility
[Diagram: ReadByte maps an Address (e.g. 0x59bc2690) to the byte stored there (Memory, e.g. 00001000). The address is baked into the tool.]
[Diagram: csgo.exe 1.0 / 1.1 / 1.2 paired with gohack.exe 1.0 / 1.1 / 1.2. Each gohack.exe build only matches the csgo.exe build it was written against; every other pairing is marked "Broken".]
[Diagram: csgo.exe 1.0 / 1.1 / 1.2 paired with a single gohack.exe 1.X with auto-update, which stays compatible across all three game builds.]
How?
    func Instrument() (*gohack.Client, error) {
        ...
        // Fetch the offsets for the current game build instead of hard-coding
        // addresses, so a game update does not require a new gohack.exe.
        offsets, err := gohack.GetOffsets()
        ...
        // Open a handle to the running game process by image name.
        process, err := gomem.GetOpenProcessFromName("csgo.exe")
        ...
        // Bind the offsets to that process to get a usable client.
        client, err := gohack.GetClientFrom(process, offsets)
        ...
        return client, err
    }
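Instrument() above calls gohack.GetOffsets() so the tool follows game updates instead of shipping hard-coded addresses. As an added example, not the talk's or gohack's code, here is what such an offset lookup looks like: a JSON table keyed by game build, a refusal to run when the running build is absent from the table (the "Broken" pairing from the Binary Compatibility slides), and the arithmetic that turns module-relative offsets into the absolute addresses the hop loop reads and writes. The table contents, key names, build strings, and treating a null player pointer as the "Failed to get player offset" case are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strconv"
)

// offsetsJSON is a constructed offset table keyed by game build. The keys and
// numbers are illustrative only; they are not real CS:GO offsets.
const offsetsJSON = `{
  "1.0": {"localPlayer": "0xD8B6A4", "flags": "0x104", "forceJump": "0x5211888"},
  "1.1": {"localPlayer": "0xD8C7B4", "flags": "0x104", "forceJump": "0x5212998"}
}`

// Offsets holds what the hop loop needs for one game build.
type Offsets struct {
	LocalPlayer uintptr // module-relative: where the pointer to the local player lives
	Flags       uintptr // entity-relative: the flags byte inside the player entity
	ForceJump   uintptr // module-relative: the field written to trigger a jump
}

// ErrNoPlayer is returned when there is no local player entity to resolve,
// for example against a stub process that never spawns one. The message
// mirrors the one the talk's stub-process test expects (an assumption).
var ErrNoPlayer = errors.New("Failed to get player offset")

func parseHex(m map[string]string, key string) (uintptr, error) {
	s, ok := m[key]
	if !ok {
		return 0, fmt.Errorf("offset %q missing from table", key)
	}
	v, err := strconv.ParseUint(s, 0, 64) // base 0 accepts the 0x prefix
	if err != nil {
		return 0, fmt.Errorf("offset %q: %w", key, err)
	}
	return uintptr(v), nil
}

// OffsetsFor selects the entry for the running game build. An unknown build
// is the "Broken" pairing: fail loudly rather than poke memory blindly.
func OffsetsFor(table []byte, build string) (Offsets, error) {
	var t map[string]map[string]string
	if err := json.Unmarshal(table, &t); err != nil {
		return Offsets{}, fmt.Errorf("offset table: %w", err)
	}
	m, ok := t[build]
	if !ok {
		known := make([]string, 0, len(t))
		for k := range t {
			known = append(known, k)
		}
		sort.Strings(known)
		return Offsets{}, fmt.Errorf("no offsets for game build %q (known: %v)", build, known)
	}
	var o Offsets
	var err error
	if o.LocalPlayer, err = parseHex(m, "localPlayer"); err != nil {
		return Offsets{}, err
	}
	if o.Flags, err = parseHex(m, "flags"); err != nil {
		return Offsets{}, err
	}
	if o.ForceJump, err = parseHex(m, "forceJump"); err != nil {
		return Offsets{}, err
	}
	return o, nil
}

// Addresses turns the offsets into the two absolute addresses the hop loop
// touches. moduleBase is the load address of the game module; playerPtr is
// the pointer value read from moduleBase+LocalPlayer (zero when no player).
func (o Offsets) Addresses(moduleBase, playerPtr uintptr) (flagsAddr, jumpAddr uintptr, err error) {
	if playerPtr == 0 {
		return 0, 0, ErrNoPlayer
	}
	return playerPtr + o.Flags, moduleBase + o.ForceJump, nil
}

func main() {
	o, err := OffsetsFor([]byte(offsetsJSON), "1.0")
	if err != nil {
		panic(err)
	}
	// Constructed module base and player pointer, as a real run would read them.
	f, j, err := o.Addresses(0x10000000, 0x2ABC0000)
	fmt.Printf("flags=0x%x jump=0x%x err=%v\n", f, j, err)
	_, err = OffsetsFor([]byte(offsetsJSON), "1.2")
	fmt.Println(err)
}
```

Keeping the table outside the binary is the whole point of the 1.X auto-update slide: the version check moves from "does this gohack.exe match this csgo.exe" to "does the fetched table have an entry for this build", which fails safely instead of writing to the wrong address.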
Testing
Testing
Valve's CS:GO
• 30GB package
• Steam DRM + VAC anti-cheat
• GUI + Internet
• A popular game
My CS:GO (a stub csgo.exe)
• 42KB binary
• 14 LOC
• Headless + offline
• Loads a DLL and hangs
Testing
    func TestStubProcess(t *testing.T) {
        // Run the 42KB stub csgo.exe for the duration of the callback.
        withProcess("test\\dll\\csgo.exe", func() {
            // The stub has no player entity, so Instrument must fail with
            // the expected error rather than panic or read garbage.
            _, err := Instrument()
            if err == nil {
                t.Fatal("expected an error against the stub process")
            }
            got := err.Error()
            want := "Failed to get player offset"
            if got != want {
                t.Errorf("%q; want %q", got, want)
            }
        })
    }
Testing
github.com/jamesmoriarty/gohack
Testing
    func TestProcessReadUInt32(t *testing.T) {
        ...
        // Take the address of a local variable in this process...
        valuePtr := (uintptr)(unsafe.Pointer(&value))
        ...
        // ...open a process handle by name (presumably the test binary itself)...
        process, err := GetOpenProcessFromName(name)
        ...
        // ...and read the variable back through the process handle to check
        // that the read round-trips.
        assertValue, err := process.ReadUInt32(valuePtr)
        ...
    }
github.com/jamesmoriarty/gomem
jamesmoriarty.xyz/software/
Video