Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Talk - Writing My First Exploit

James Moriarty
June 16, 2021
Programming
0
1.3k

Talk - Writing My First Exploit

James Moriarty

June 16, 2021
Tweet

More Decks by James Moriarty

See All by James Moriarty
Lightning Talk - Call Graphs
jamesmoriarty
0
1k

Other Decks in Programming

See All in Programming
「無ければ作る」Backlogに欲しい機能を自分で作った話
nsuz
0
190
シン・リッチエディタ徹底解説
microcms
1
550
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
640
ユニットテスト実行を 45% 高速化した Repository テスト戦略 / Repository Test Strategy Speeds up Unit Test
yukana
2
100
From complexity to observability using OpenTelemetry
danilop
1
340
SPAでもデータをURLでシェアしたい / Kyoto.js 19
utgwkk
1
150
複雑性に立ち向かうためのサーバーサイドコード分割 / JJUG CCC 2023 Spring
hirokunimaeta
1
260
NotionのURLをWorkersで綺麗にしよう!
totto2727
0
210
230517chatGPT
skume
0
180
ユニットテストを学んだ次に知りたかったApple標準APIに対するテストのやり方
ojun9
1
200
若者とGPTのすべて
pyama86
0
210
Compose로 Android&Desktop 멀티플랫폼 만들기
pangmoo
0
110

Featured

See All Featured
Writing Fast Ruby
sferik
613
58k
It's Worth the Effort
3n
179
26k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.4k
Gamification - CAS2011
davidbonilla
75
4.2k
Teambox: Starting and Learning
jrom
124
8k
Optimizing for Happiness
mojombo
366
66k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.3k
Six Lessons from altMBA
skipperchong
16
2.5k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Building Flexible Design Systems
yeseniaperezcruz
315
35k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
33
21k

Transcript

  1. Writing
    My
    First
    Exploit

    View Slide

  2. Exploit?
    “...is a piece of software, a chunk of data, or a sequence of commands that
    takes advantage of a bug or vulnerability to cause unintended or
    unanticipated behavior...”
    Wikipedia

    View Slide

  3. What?
    Counter-Strike: Global Offensive
    ● Source code leak from 2013 for reference.
    ○ github.com/ValveSoftware/source-...
    ● Lots of existing exploit examples.
    ○ github.com/search?q=dwLocalPlaye...

    View Slide

  4. “Steel-thread” Implementation
    ● “Out of Box” win32 APIs to exploit the client side process.
    ○ read/write with kernel32.dll
    ○ input with with user32.dll
    ● “Benign” exploit impact.
    ○ client side jump abuse aka “bunny hop”

    View Slide

  5. Video

    View Slide

  6. How

    View Slide

  7. How?

    View Slide

  8. How func RunHop(client *Client) {
    for {
    if gomem.IsKeyDown(VK_SPACE) {
    flags, _ := client.Process.ReadByte(...)
    if (flags & CSGO_FL_ONGROUND) > 0 {
    client.Process.WriteByte(...)
    }
    }
    time.Sleep(100 * time.Nanosecond)
    }
    }

    View Slide

  9. Binary Compatibility
    Address
    E.g. 0x59bc2690
    Memory
    E.g. 00001000
    ReadByte

    View Slide

  10. Binary Compatibility
    1.0
    1.0
    1.1 1.2
    1.1 1.2
    csgo.exe
    gohack.exe
    Broken Broken

    View Slide

  11. Binary Compatibility
    1.0
    1.X w/ auto update
    1.1 1.2
    csgo.exe
    gohack.exe

    View Slide

  12. How func Instrument() (*gohack.Client, error) {
    ...
    offsets, err := gohack.GetOffsets()
    ...
    process, err := gomem.GetOpenProcessFromName("csgo.exe")
    ...
    client, err := gohack.GetClientFrom(process, offsets)
    ...
    return client, err
    }

    View Slide

  13. Testing

    View Slide

  14. Testing
    Value’s CS:GO
    ● 30GB Package
    ● Steam DRM + VAC Anti-cheat
    ● GUI + Internet
    ● A popular game
    My CS:GO
    ● 42KB Binary
    ● 14 LOC
    ● Headless + Offline
    ● Loads a DLL and hangs

    View Slide

  15. Testing func TestStubProcess(t *testing.T) {
    withProcess("test\\dll\\csgo.exe", func() {
    _, err := Instrument()
    got := err.Error()
    want := "Failed to get player offset"
    if got != want {
    t.Errorf("%q; want %q", got, want)
    }
    })
    }

    View Slide

  16. Testing

    View Slide

  17. github.com/jamesmoriarty/gohack

    View Slide

  18. ???

    View Slide

  19. View Slide

  20. Testing func TestProcessReadUInt32(t *testing.T) {
    ...
    valuePtr := (uintptr)(unsafe.Pointer(&value))
    ...
    process, err := GetOpenProcessFromName(name)
    ...
    assertValue, err := process.ReadUInt32(valuePtr)
    ...
    }

    View Slide

  21. github.com/jamesmoriarty/gomem

    View Slide

  22. jamesmoriarty.xyz/software/

    View Slide

  23. Video

    View Slide