Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Talk - Writing My First Exploit

James Moriarty
June 16, 2021
Programming
0
1.6k

Talk - Writing My First Exploit

James Moriarty

June 16, 2021
Tweet

More Decks by James Moriarty

See All by James Moriarty
Lightning Talk - Call Graphs
jamesmoriarty
0
1.1k

Other Decks in Programming

See All in Programming
生成AIでGitHubソースコード取得して仕様書を作成
shukob
0
630
歴史と現在から考えるスケーラブルなソフトウェア開発のプラクティス
i10416
0
300
週次リリースを実現するための グローバルアプリ開発
tera_ny
1
1.2k
Beyond ORM
77web
11
1.6k
混沌とした例外処理とエラー監視に秩序をもたらす
morihirok
13
2.2k
PHPで作るWebSocketサーバー ~リアクティブなアプリケーションを知るために~ / WebSocket Server in PHP - To know reactive applications
seike460
PRO
2
770
盆栽転じて家具となる / Bonsai and Furnitures
aereal
0
1.8k
DevFest - Serverless 101 with Google Cloud Functions
tunmise
0
140
毎日13時間もかかるバッチ処理をたった3日で60%短縮するためにやったこと
sho_ssk_
1
550
PicoRubyと暮らす、シェアハウスハック
ryosk7
0
220
各クラウドサービスにおける.NETの対応と見解
ymd65536
0
250
『改訂新版 良いコード/悪いコードで学ぶ設計入門』活用方法−爆速でスキルアップする!効果的な学習アプローチ / effective-learning-of-good-code
minodriven
28
4.1k

Featured

See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
132
33k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Scaling GitHub
holman
459
140k
The Power of CSS Pseudo Elements
geoffreycrofte
74
5.4k
Six Lessons from altMBA
skipperchong
27
3.6k
The Cost Of JavaScript in 2023
addyosmani
46
7.2k
BBQ
matthewcrist
85
9.4k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
28
2.2k
Producing Creativity
orderedlist
PRO
343
39k
Fashionably flexible responsive web design (full day workshop)
malarkey
406
66k
Visualization
eitanlees
146
15k

Transcript

  1. Writing My First Exploit

  2. Exploit? “...is a piece of software, a chunk of data,

    or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia

  3. What? Counter-Strike: Global Offensive • Source code leak from 2013

    for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...

  4. “Steel-thread” Implementation • “Out of Box” win32 APIs to exploit

    the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”

  5. Video

  6. How

  7. How?

  8. How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {

    flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }

  9. Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

  10. Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe

    Broken Broken

  11. Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe

    gohack.exe

  12. How func Instrument() (*gohack.Client, error) { ... offsets, err :=

    gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }

  13. Testing

  14. Testing Value’s CS:GO • 30GB Package • Steam DRM +

    VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs

  15. Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err

    := Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }

  16. Testing

  17. github.com/jamesmoriarty/gohack

  18. ???

  19. None

  20. Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...

    process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }

  21. github.com/jamesmoriarty/gomem

  22. jamesmoriarty.xyz/software/

  23. Video