Talk - Writing My First Exploit
James Moriarty
June 16, 2021
Transcript
Writing My First Exploit
Exploit?
“...is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” (Wikipedia)
What?
Counter-Strike: Global Offensive
• Source code leak from 2013 for reference.
  ◦ github.com/ValveSoftware/source-...
• Lots of existing exploit examples.
  ◦ github.com/search?q=dwLocalPlaye...
“Steel-thread” Implementation
• “Out of Box” win32 APIs to exploit the client side process.
  ◦ read/write with kernel32.dll
  ◦ input with user32.dll
• “Benign” exploit impact.
  ◦ client side jump abuse aka “bunny hop”
Video
How
How?
How
func RunHop(client *Client) {
	for {
		// Poll the jump key on every iteration.
		if gomem.IsKeyDown(VK_SPACE) {
			// Read the local player's flags from the target process
			// (the address arguments are elided on the slide).
			flags, _ := client.Process.ReadByte(...)
			if (flags & CSGO_FL_ONGROUND) > 0 {
				// Only act while the player is on the ground.
				client.Process.WriteByte(...)
			}
		}
		time.Sleep(100 * time.Nanosecond)
	}
}
Binary Compatibility
ReadByte: Address (e.g. 0x59bc2690) → Memory (e.g. 00001000)

Binary Compatibility
csgo.exe:   1.0  1.1  1.2
gohack.exe: 1.0  1.1  1.2
Each csgo.exe version change breaks the gohack.exe build made against the previous one: Broken, Broken.

Binary Compatibility
csgo.exe:   1.0  1.1  1.2
gohack.exe: 1.X w/ auto update
How
func Instrument() (*gohack.Client, error) {
	...
	offsets, err := gohack.GetOffsets()
	...
	process, err := gomem.GetOpenProcessFromName("csgo.exe")
	...
	client, err := gohack.GetClientFrom(process, offsets)
	...
	return client, err
}
Testing
Testing
Valve’s CS:GO
• 30GB Package
• Steam DRM + VAC Anti-cheat
• GUI + Internet
• A popular game
My CS:GO
• 42KB Binary
• 14 LOC
• Headless + Offline
• Loads a DLL and hangs
Testing
func TestStubProcess(t *testing.T) {
	withProcess("test\\dll\\csgo.exe", func() {
		_, err := Instrument()
		got := err.Error()
		want := "Failed to get player offset"
		if got != want {
			t.Errorf("%q; want %q", got, want)
		}
	})
}
Testing
github.com/jamesmoriarty/gohack
???
Testing
func TestProcessReadUInt32(t *testing.T) {
	...
	valuePtr := (uintptr)(unsafe.Pointer(&value))
	...
	process, err := GetOpenProcessFromName(name)
	...
	assertValue, err := process.ReadUInt32(valuePtr)
	...
}
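The two ideas the slides keep returning to are the binary-compatibility problem (offsets that are right for csgo.exe 1.0 are wrong for 1.1, so the tool must resolve them per version rather than hard-code them) and testability (a tiny headless stub instead of the real 30GB game, with the test asserting on the error the instrumentation returns). The Go program below is an added example that is not part of the talk, gohack or gomem. It replaces the real process with a FakeProcess (a version string, a base address and a 64-byte slice standing in for the target's memory), keeps a per-version offset table, and makes Instrument fail closed when the version is unknown or the player pointer is missing. Every offset value, the memory layout, the flag bit and the type and function names are constructed for the example; "Failed to get player offset" is the only string taken from the slides. Reads only; nothing is written into the fake process.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets is a per-version table of where things live in the target binary.
// The values below are constructed for this example, not real csgo.exe offsets.
type Offsets struct {
	LocalPlayer uintptr // hypothetical: where the pointer to the local player is stored (relative to Base)
	Flags       uintptr // hypothetical: where the flags byte is stored (relative to the player pointer)
}

// offsetTable plays the role of the auto-updated table from the
// "Binary Compatibility" slide: one entry per supported target version.
var offsetTable = map[string]Offsets{
	"1.0": {LocalPlayer: 0x10, Flags: 0x04},
	"1.1": {LocalPlayer: 0x14, Flags: 0x08}, // layout moved in the next release
}

var (
	ErrUnknownVersion = errors.New("no offsets for this binary version")
	ErrNoPlayer       = errors.New("Failed to get player offset")
)

// FakeProcess is the in-memory counterpart of the 42KB headless stub: a
// version string, a base address and a byte slice standing in for the
// target's address space. No real process is opened.
type FakeProcess struct {
	Version string
	Base    uintptr
	Memory  []byte
}

// ReadByte returns one byte from the fake address space, bounds-checked.
func (p *FakeProcess) ReadByte(addr uintptr) (byte, error) {
	if addr < p.Base || addr >= p.Base+uintptr(len(p.Memory)) {
		return 0, fmt.Errorf("read at %#x outside mapped memory", addr)
	}
	return p.Memory[addr-p.Base], nil
}

// ReadUInt32 returns a little-endian uint32 from the fake address space.
func (p *FakeProcess) ReadUInt32(addr uintptr) (uint32, error) {
	if addr < p.Base || addr+4 > p.Base+uintptr(len(p.Memory)) {
		return 0, fmt.Errorf("read at %#x outside mapped memory", addr)
	}
	off := addr - p.Base
	return binary.LittleEndian.Uint32(p.Memory[off : off+4]), nil
}

// Client mirrors the role of gohack.Client: a process plus resolved offsets.
type Client struct {
	Process *FakeProcess
	Player  uintptr
	Offsets Offsets
}

const FlagOnGround = 1 << 0 // constructed flag bit, stands in for CSGO_FL_ONGROUND

// Instrument looks the target version up in the offset table and refuses to
// touch memory at all if the version is unknown (fail closed instead of
// reading garbage through stale offsets).
func Instrument(p *FakeProcess) (*Client, error) {
	off, ok := offsetTable[p.Version]
	if !ok {
		return nil, ErrUnknownVersion
	}
	return instrumentWith(p, off)
}

// instrumentWith applies a specific offset set; used to show what happens
// when offsets from one release are applied to another.
func instrumentWith(p *FakeProcess, off Offsets) (*Client, error) {
	player, err := p.ReadUInt32(p.Base + off.LocalPlayer)
	if err != nil || player == 0 {
		return nil, ErrNoPlayer
	}
	return &Client{Process: p, Player: uintptr(player), Offsets: off}, nil
}

// OnGround reads the flags byte and reports the on-ground bit (read only).
func (c *Client) OnGround() (bool, error) {
	flags, err := c.Process.ReadByte(c.Player + c.Offsets.Flags)
	if err != nil {
		return false, err
	}
	return flags&FlagOnGround != 0, nil
}

// NewStub builds a constructed 64-byte memory image laid out for the given
// version. withPlayer=false leaves the player pointer zeroed, like a stub
// that "loads a DLL and hangs" and has no game state at all.
func NewStub(version string, withPlayer, onGround bool) *FakeProcess {
	const base = 0x1000
	mem := make([]byte, 64)
	p := &FakeProcess{Version: version, Base: base, Memory: mem}
	off, ok := offsetTable[version]
	if !ok || !withPlayer {
		return p
	}
	const player = base + 0x20 // the player struct lives at base+0x20 in every image
	binary.LittleEndian.PutUint32(mem[off.LocalPlayer:], uint32(player))
	if onGround {
		mem[(player-base)+off.Flags] = FlagOnGround
	}
	return p
}

func main() {
	for _, v := range []string{"1.0", "1.1", "1.2"} {
		c, err := Instrument(NewStub(v, true, true))
		if err != nil {
			fmt.Printf("version %s: %v\n", v, err)
			continue
		}
		g, _ := c.OnGround()
		fmt.Printf("version %s: on ground = %v\n", v, g)
	}
	// Stale offsets: the 1.0 table applied to a 1.1 image finds no player.
	if _, err := instrumentWith(NewStub("1.1", true, true), offsetTable["1.0"]); err != nil {
		fmt.Println("1.0 offsets on 1.1 binary:", err)
	}
}
```

The stub with no player pointer reproduces the talk's TestStubProcess case (Instrument returns "Failed to get player offset"), and applying the 1.0 offsets to the 1.1 image reproduces the "Broken" column of the compatibility slide without any real process in the loop. In a real tool the version key would come from the target binary (for example its file version or a hash of the image), so that an unexpected update stops the tool rather than letting it read and write through offsets that no longer match.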
github.com/jamesmoriarty/gomem
jamesmoriarty.xyz/software/
Video