
Talk - Writing My First Exploit

James Moriarty

June 16, 2021

Transcript

  1. Writing My First Exploit

  2. Exploit?
    “...is a piece of software, a chunk of data, or a sequence of commands that
    takes advantage of a bug or vulnerability to cause unintended or
    unanticipated behavior...”
    Wikipedia

  3. What?
    Counter-Strike: Global Offensive
    ● Source code leak from 2013 for reference.
    ○ github.com/ValveSoftware/source-...
    ● Lots of existing exploit examples.
    ○ github.com/search?q=dwLocalPlaye...

  4. “Steel-thread” Implementation
    ● “Out of Box” win32 APIs to exploit the client side process.
    ○ read/write with kernel32.dll
    ○ input with user32.dll
    ● “Benign” exploit impact.
    ○ client side jump abuse aka “bunny hop”

  5. Video

  6. How

  7. How?

  8. How

     func RunHop(client *Client) {
         for {
             if gomem.IsKeyDown(VK_SPACE) {
                 flags, _ := client.Process.ReadByte(...)
                 if (flags & CSGO_FL_ONGROUND) > 0 {
                     client.Process.WriteByte(...)
                 }
             }
             time.Sleep(100 * time.Nanosecond)
         }
     }

  9. Binary Compatibility
    [Diagram: ReadByte at an Address (e.g. 0x59bc2690) returns the byte stored in Memory at that address (e.g. 00001000)]

  10. Binary Compatibility
    [Diagram: csgo.exe 1.0 / 1.1 / 1.2 against gohack.exe 1.0 / 1.1 / 1.2; the two later csgo.exe versions are marked Broken]

  11. Binary Compatibility
    [Diagram: csgo.exe 1.0 / 1.1 / 1.2 against gohack.exe 1.X w/ auto update; nothing marked Broken]

  12. How

     func Instrument() (*gohack.Client, error) {
         ...
         offsets, err := gohack.GetOffsets()
         ...
         process, err := gomem.GetOpenProcessFromName("csgo.exe")
         ...
         client, err := gohack.GetClientFrom(process, offsets)
         ...
         return client, err
     }

  13. Testing

  14. Testing
    Valve’s CS:GO
    ● 30GB Package
    ● Steam DRM + VAC Anti-cheat
    ● GUI + Internet
    ● A popular game
    My CS:GO
    ● 42KB Binary
    ● 14 LOC
    ● Headless + Offline
    ● Loads a DLL and hangs

  15. Testing

     func TestStubProcess(t *testing.T) {
         withProcess("test\\dll\\csgo.exe", func() {
             _, err := Instrument()
             got := err.Error()
             want := "Failed to get player offset"
             if got != want {
                 t.Errorf("%q; want %q", got, want)
             }
         })
     }

  16. Testing

  17. github.com/jamesmoriarty/gohack

  18. ???

  20. Testing

     func TestProcessReadUInt32(t *testing.T) {
         ...
         valuePtr := (uintptr)(unsafe.Pointer(&value))
         ...
         process, err := GetOpenProcessFromName(name)
         ...
         assertValue, err := process.ReadUInt32(valuePtr)
         ...
     }

  21. github.com/jamesmoriarty/gomem

  22. jamesmoriarty.xyz/software/

  23. Video