Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Talk - Writing My First Exploit

F1cc70c45ba7c0ef2af982701e71fdd5?s=47 James Moriarty
June 16, 2021
Programming
0
500

Talk - Writing My First Exploit

F1cc70c45ba7c0ef2af982701e71fdd5?s=128

James Moriarty

June 16, 2021
Tweet

More Decks by James Moriarty

See All by James Moriarty
F1cc70c45ba7c0ef2af982701e71fdd5?s=48 jamesmoriarty
0
630

Other Decks in Programming

See All in Programming
5c588fdfe782f92fa6b081903edd82bb?s=48 hr01
1
6.5k
F74146bada61d15a5e652919815bd355?s=48 satoki
0
320
Ae7a5166a7b7776ffdd5676c2d6ab42f?s=48 aseiide
1
250
B3b2139e4f2c0eca4efe2379fcebc1c5?s=48 afilina
PRO
1
670
2594ac7ce91fd7d9a3ce71ca7cc2d0c0?s=48 d_date
1
180
23e7f90fa36af44f13000c1229240984?s=48 uri
2
210
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
2
990
5d138ccf47c8d79aa8f0d29900f9e07b?s=48 rollbear
0
240
70762059db0218c6f0ff48042ca0756a?s=48 lchin
4
840
5f57d2d205e77e185986459c1b89a874?s=48 jeroenmols
2
290
1eecfce54b4f902784d046328935efd4?s=48 makoto_inoue
0
180
64fb973c47087ece7fb9b45d5b8593a4?s=48 yag_ays
7
5.6k

Featured

See All Featured
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
54
3.4k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.2k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
122
5.1k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
263
11k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
224
15k
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
73
7.7k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
778
200k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
78
270k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.7k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
31
1.8k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
55
4.8k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
67
4.5k

Transcript

  1. Writing My First Exploit

  2. Exploit? “...is a piece of software, a chunk of data,

    or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior...” Wikipedia

  3. What? Counter-Strike: Global Offensive • Source code leak from 2013

    for reference. ◦ github.com/ValveSoftware/source-... • Lots of existing exploit examples. ◦ github.com/search?q=dwLocalPlaye...

  4. “Steel-thread” Implementation • “Out of Box” win32 APIs to exploit

    the client side process. ◦ read/write with kernel32.dll ◦ input with with user32.dll • “Benign” exploit impact. ◦ client side jump abuse aka “bunny hop”

  5. Video

  6. How

  7. How?

  8. How func RunHop(client *Client) { for { if gomem.IsKeyDown(VK_SPACE) {

    flags, _ := client.Process.ReadByte(...) if (flags & CSGO_FL_ONGROUND) > 0 { client.Process.WriteByte(...) } } time.Sleep(100 * time.Nanosecond) } }

  9. Binary Compatibility Address E.g. 0x59bc2690 Memory E.g. 00001000 ReadByte

  10. Binary Compatibility 1.0 1.0 1.1 1.2 1.1 1.2 csgo.exe gohack.exe

    Broken Broken

  11. Binary Compatibility 1.0 1.X w/ auto update 1.1 1.2 csgo.exe

    gohack.exe

  12. How func Instrument() (*gohack.Client, error) { ... offsets, err :=

    gohack.GetOffsets() ... process, err := gomem.GetOpenProcessFromName("csgo.exe") ... client, err := gohack.GetClientFrom(process, offsets) ... return client, err }

  13. Testing

  14. Testing Value’s CS:GO • 30GB Package • Steam DRM +

    VAC Anti-cheat • GUI + Internet • A popular game My CS:GO • 42KB Binary • 14 LOC • Headless + Offline • Loads a DLL and hangs

  15. Testing func TestStubProcess(t *testing.T) { withProcess("test\\dll\\csgo.exe", func() { _, err

    := Instrument() got := err.Error() want := "Failed to get player offset" if got != want { t.Errorf("%q; want %q", got, want) } }) }

  16. Testing

  17. github.com/jamesmoriarty/gohack

  18. ???

  19. None

  20. Testing func TestProcessReadUInt32(t *testing.T) { ... valuePtr := (uintptr)(unsafe.Pointer(&value)) ...

    process, err := GetOpenProcessFromName(name) ... assertValue, err := process.ReadUInt32(valuePtr) ... }

  21. github.com/jamesmoriarty/gomem

  22. jamesmoriarty.xyz/software/

  23. Video