Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Talk - Writing My First Exploit
Search
James Moriarty
June 16, 2021
Programming
0
1.4k
Talk - Writing My First Exploit
James Moriarty
June 16, 2021
Tweet
Share
More Decks by James Moriarty
See All by James Moriarty
Lightning Talk - Call Graphs
jamesmoriarty
0
1.1k
Other Decks in Programming
See All in Programming
LPIXEL×CADDi_kaerururu
kaerururu
3
270
Faster, greener, and happier- why Quarkus should be your next tech stack
hollycummins
0
130
開発者体験を変えるInfrastructure as Codeの新機能6選!
konokenj
4
850
WasmOS: Wasmを実行する自作Microkernel
riru
0
360
軽率にVue 3で リアルタイム3Dアプリを作れる ライブラリを作ってみた/vue-with-3d-app
drumath2237
3
1.1k
iOS / Android ネイティブ 実装アプリの Flutter 化事例
mthiroshi
0
650
Laravel標準バリデーションでできること
hmb_ok
1
330
sbt-assemblyにハマってDB接続できず時間が溶けた話
wakye5815
1
660
GitHub Copilot Tips and Tricks
yuichielectric
2
260
期限が近づいてきた!Privacy Manifests対応
ryunakayama
5
3.1k
マイ隙間家具OSSたちのご紹介
karupanerura
2
130
オープンなデータ・ソフトウェアを活用した開発
404background
0
160
Featured
See All Featured
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Typedesign – Prime Four
hannesfritz
36
2k
Building a Scalable Design System with Sketch
lauravandoore
455
32k
BBQ
matthewcrist
78
8.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
4
1.4k
Fireside Chat
paigeccino
19
2.5k
Automating Front-end Workflow
addyosmani
1353
200k
How to train your dragon (web standard)
notwaldorf
71
5k
What the flash - Photography Introduction
edds
64
11k
Stop Working from a Prison Cell
hatefulcrawdad
265
19k
Transcript
Writing My First Exploit
Exploit? “...is a piece of software, a chunk of data,
or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia
What? Counter-Strike: Global Offensive • Source code leak from 2013
for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...
“Steel-thread” Implementation • “Out of Box” win32 APIs to exploit
the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”
Video
How
How?
How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {
flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }
Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte
Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe
Broken Broken
Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe
gohack.exe
How func Instrument() (*gohack.Client, error) { ... offsets, err :=
gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }
Testing
Testing Value’s CS:GO • 30GB Package • Steam DRM +
VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs
Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err
:= Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }
Testing
github.com/jamesmoriarty/gohack
???
None
Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...
process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }
github.com/jamesmoriarty/gomem
jamesmoriarty.xyz/software/
Video