Talk - Writing My First Exploit

Writing My First Exploit

Exploit? “...is a piece of software, a chunk of data,
or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia

What? Counter-Strike: Global Offensive • Source code leak from 2013
for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...

“Steel-thread” Implementation • “Out of Box” win32 APIs to exploit
the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”

How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {
flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }

Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe
Broken Broken

Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe
gohack.exe

How func Instrument() (*gohack.Client, error) { ... offsets, err :=
gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }

Testing

Testing Value’s CS:GO • 30GB Package • Steam DRM +
VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Ofﬂine • Loads a DLL and hangs

Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err
:= Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }

Testing

github.com/jamesmoriarty/gohack

Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...
process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }

github.com/jamesmoriarty/gomem

jamesmoriarty.xyz/software/

Talk - Writing My First Exploit

Talk - Writing My First Exploit

James Moriarty

More Decks by James Moriarty

Other Decks in Programming

Featured

Transcript

Writing My First Exploit

Exploit? “...is a piece of software, a chunk of data,

What? Counter-Strike: Global Offensive • Source code leak from 2013

“Steel-thread” Implementation • “Out of Box” win32 APIs to exploit

Video

How

How?

How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {

Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe

Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe

How func Instrument() (*gohack.Client, error) { ... offsets, err :=

Testing

Testing Value’s CS:GO • 30GB Package • Steam DRM +

Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err

Testing

github.com/jamesmoriarty/gohack

???

Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...

github.com/jamesmoriarty/gomem

jamesmoriarty.xyz/software/

Video