Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Talk - Writing My First Exploit

F1cc70c45ba7c0ef2af982701e71fdd5?s=47 James Moriarty
June 16, 2021
Programming
0
830

Talk - Writing My First Exploit

F1cc70c45ba7c0ef2af982701e71fdd5?s=128

James Moriarty

June 16, 2021
Tweet

More Decks by James Moriarty

See All by James Moriarty
Lightning Talk - Call Graphs
F1cc70c45ba7c0ef2af982701e71fdd5?s=48 jamesmoriarty
0
810

Other Decks in Programming

See All in Programming
あなたの会社の古いシステム、なんとかしませんか?~システム刷新から考えるDX化への道筋とバリエーション~/webinar20220420-grapecity
Dcbf2269af2483cabf43128ad1718c11?s=48 grapecity_dev
0
140
NieR Re[in]carnationにおけるUnityアニメーション活用術
Ea7f7af2b8f62b7abf8cf0c9af394cc0?s=48 applibot
1
800
Git Rebase
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
7
1k
Micro Frontends with Module Federation: Beyond the Basics @jax2022
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
1
290
GraphQL+KMM開発でわかったこと / What we learned from GraphQL+KMM development
E505897a79eede1a676f92740261e8f8?s=48 kubode
0
130
Quartoを使ってみませんか / quarto_get_started
D12a80cab206033a820ccff8319f957b?s=48 s_uryu
2
360
よりUXに近いSLI・SLOの運用による可用性の再設計
953d2907b80dd5955c561d695ea9a494?s=48 kazumanagano
3
860
CIでAndroidUIテストの様子を録画してみた
46b3bc302e3a40f8df60cfb60d59c313?s=48 mkeeda
0
190
WindowsコンテナDojo:第2回 Windowsコンテナアプリのビルド、公開、デプロイ
E5eb221d34d4ffbe973f8542b4c3a00e?s=48 oniak3ibm
PRO
0
150
You CANt teach an old dog new tricks
Bd5b8981a308c94b642befb656d8cf8f?s=48 michaelbukachi
0
120
[RailsConf 2022] The pitfalls of realtime-ification
52cc8a838bf44a589d2572833b2dd1b9?s=48 palkan
0
240
Cloud-Conference-Day-Spring Cloud + Spring Webflux: como desenvolver seu primeiro microsserviço reativo em Java?
102398563fd1bf878b35dc2d5ee67cbe?s=48 kamilahsantos
1
150

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
B47b288784fda77a94aeb234ca743c24?s=48 keavy
113
15k
Faster Mobile Websites
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
28k
Raft: Consensus for Rubyists
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
126
5.4k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
39
59k
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
14
35k
GraphQLとの向き合い方2022年版
893f54413c2bd9ba41d11d753aacaf2c?s=48 quramy
16
8.1k
Thoughts on Productivity
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
43
2.2k
What's in a price? How to price your products and services
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
229
9.3k
Designing Experiences People Love
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
130
22k
The Language of Interfaces
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
Bootstrapping a Software Product
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
295
110k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
265
21k

Transcript

  1. Writing My First Exploit

  2. Exploit? “...is a piece of software, a chunk of data,

    or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia

  3. What? Counter-Strike: Global Offensive • Source code leak from 2013

    for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...

  4. “Steel-thread” Implementation • “Out of Box” win32 APIs to exploit

    the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”

  5. Video

  6. How

  7. How?

  8. How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {

    flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }

  9. Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

  10. Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe

    Broken Broken

  11. Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe

    gohack.exe

  12. How func Instrument() (*gohack.Client, error) { ... offsets, err :=

    gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }

  13. Testing

  14. Testing Value’s CS:GO • 30GB Package • Steam DRM +

    VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs

  15. Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err

    := Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }

  16. Testing

  17. github.com/jamesmoriarty/gohack

  18. ???

  19. None

  20. Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...

    process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }

  21. github.com/jamesmoriarty/gomem

  22. jamesmoriarty.xyz/software/

  23. Video