Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Talk - Writing My First Exploit

F1cc70c45ba7c0ef2af982701e71fdd5?s=47 James Moriarty
June 16, 2021
Programming
0
250

Talk - Writing My First Exploit

F1cc70c45ba7c0ef2af982701e71fdd5?s=128

James Moriarty

June 16, 2021
Tweet

More Decks by James Moriarty

See All by James Moriarty
F1cc70c45ba7c0ef2af982701e71fdd5?s=48 jamesmoriarty
0
480

Other Decks in Programming

See All in Programming
B7424f2bb6afd48c51cf88c2c15c395d?s=48 t2kob
0
120
923b578031e1a6393f93ff3a8355b594?s=48 io3110
0
140
42a6a049ac8f5265f31858a9509217fb?s=48 uhooi
1
450
6885b1c7fe50f4c0a23775b7b94ebd94?s=48 nosuke0926
0
100
6bf08ada80199f23061a6c22f03f0ed2?s=48 masahiro_nishimi
0
460
A0f8acd52ed0bac0c4d87220ef0aa383?s=48 shotarok
0
540
271fad8d53cd1f12f2b4b6d38e3d7bd3?s=48 uzulla
24
7.9k
91b77d9a98b86e27838b183407270bc0?s=48 supikiti
6
1.6k
378406b82e2c225bdc1a76c9a886f955?s=48 haru01
4
860
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
220
D07d36d7d3263da869c7d030ba4a64a6?s=48 y__mattu
1
150
47e8496b5cc69a2ac8bf5e99d03fd8cf?s=48 yasuohosotani
0
130

Featured

See All Featured
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
170
7.5k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
5.5k
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
653
120k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
6.8k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
104
11k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
224
15k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
167
19k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
779
240k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
633
49k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
3.7k

Transcript

  1. Writing My First Exploit

  2. Exploit? “...is a piece of software, a chunk of data,

    or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia

  3. What? Counter-Strike: Global Offensive • Source code leak from 2013

    for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...

  4. “Steel-thread” Implementation • “Out of Box” win32 APIs to exploit

    the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”

  5. Video

  6. How

  7. How?

  8. How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {

    flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }

  9. Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

  10. Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe

    Broken Broken

  11. Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe

    gohack.exe

  12. How func Instrument() (*gohack.Client, error) { ... offsets, err :=

    gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }

  13. Testing

  14. Testing Value’s CS:GO • 30GB Package • Steam DRM +

    VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs

  15. Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err

    := Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }

  16. Testing

  17. github.com/jamesmoriarty/gohack

  18. ???

  19. None

  20. Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...

    process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }

  21. github.com/jamesmoriarty/gomem

  22. jamesmoriarty.xyz/software/

  23. Video