Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Talk - Writing My First Exploit
Search
James Moriarty
June 16, 2021
Programming
0
1.6k
Talk - Writing My First Exploit
James Moriarty
June 16, 2021
Tweet
Share
More Decks by James Moriarty
See All by James Moriarty
Lightning Talk - Call Graphs
jamesmoriarty
0
1.1k
Other Decks in Programming
See All in Programming
OUPC2024 Day 1 解説
kowerkoint
0
380
❄️ NixOS/nixpkgsにSATySFiサポートを実装する
momeemt
2
170
英語文法から学ぶ、クリーンな設計の秘訣
newnomad
1
260
私の愛したLaravel 〜レールを超えたその先へ〜
kentaroutakeda
11
2.7k
Kubernetesで実現できるPlatform Engineering の現在地
nwiizo
2
820
安全に倒し切るリリースをするために:15年来レガシーシステムのフルリプレイス挑戦記
sakuraikotone
5
1.9k
アプリのビルドを楽にするかわいいスクリプトを作ってみた
reimim
0
120
GDG Super.init(version=6) - From Where to Wear : 모바일 개발자가 워치에서 발견한 인사이트
haeti2
0
520
はじめてのIssueOps - GitHub Actionsで実現するコメント駆動オペレーション
tmknom
7
2.1k
複数ドメインに散らばってしまった画像…! 運用中のPHPアプリに後からCDNを導入する…!
suguruooki
0
360
AWS CDKにおけるL2 Constructの仕組み / aws-cdk-l2-construct
gotok365
4
900
PHPUnit 高速化テクニック / PHPUnit Speedup Techniques
pinkumohikan
1
650
Featured
See All Featured
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
30
1.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
Speed Design
sergeychernyshev
28
850
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Building Your Own Lightsaber
phodgson
104
6.3k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Automating Front-end Workflow
addyosmani
1369
200k
Measuring & Analyzing Core Web Vitals
bluesmoon
6
290
A Tale of Four Properties
chriscoyier
158
23k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.5k
Transcript
Writing My First Exploit
Exploit? “...is a piece of software, a chunk of data,
or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia
What? Counter-Strike: Global Offensive • Source code leak from 2013
for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...
“Steel-thread” Implementation • “Out of Box” win32 APIs to exploit
the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”
Video
How
How?
How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {
flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }
Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte
Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe
Broken Broken
Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe
gohack.exe
How func Instrument() (*gohack.Client, error) { ... offsets, err :=
gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }
Testing
Testing Value’s CS:GO • 30GB Package • Steam DRM +
VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs
Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err
:= Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }
Testing
github.com/jamesmoriarty/gohack
???
None
Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...
process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }
github.com/jamesmoriarty/gomem
jamesmoriarty.xyz/software/
Video