This document discusses various exploit techniques, mitigations against exploits, and ways to bypass mitigations. It covers popular exploitation methods like stack-based buffer overflows, heap overflows, and return-oriented programming (ROP). It also outlines key mitigations like stack cookies, data execution prevention (DEP), address space layout randomization (ASLR), and structured exception handler overwrite protection (SEHOP). Finally, it examines techniques for bypassing protections like avoiding ASLR, memory leaks to disclose addresses, and using ROP chains combined with memory leaks to bypass DEP and ASLR. The document provides a technical overview of the exploit-mitigation landscape.
The document discusses just-in-time (JIT) compilers in the Java Virtual Machine (JVM). It describes how JIT compilers work by compiling bytecode to native machine code during execution based on profiling information. This allows for optimizations like inlining, devirtualization, loop unrolling and eliding unnecessary synchronization that improve performance. The JIT compiler uses feedback from profiling to enable more aggressive optimizations like these.
This presentation will sum up how to do tunnelling with different protocols and will detail several perspectives. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP and IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown to you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
High Performance Erlang - Pitfalls and Solutions, Yinghai Lu
Presented at Erlang Factory 2016, San Francisco, CA.
Erlang is widely used for building concurrent applications. However, when we push the performance of our Erlang-based application to handle millions of concurrent clients, some Erlang scalability issues begin to show and some conventional programming paradigms of Erlang no longer hold. We would like to share some of these issues and how we address them. In addition, we share some of our experience on how to profile an Erlang application to identify bottlenecks.
We will take a deep look at some of the basic mechanisms of Erlang and show how they behave under high load and parallelism, which includes message delivery, process management and shared data structures such as maps and ETS tables. We will demonstrate their limitations and propose techniques to alleviate the issues.
We will also share profiling techniques on how to find those bottlenecks in Erlang applications across different levels. We will share techniques for writing highly performant Erlang applications.
Dock ir incident response in a containerized, immutable, continually deploy..., Shakacon
This document discusses incident response strategies in a containerized and immutable infrastructure environment like Docker. It addresses challenges like lack of system and software inventory visibility due to rapid container changes, and lack of agent-based security due to single-purpose containers. It proposes solutions like establishing managed base container OSs, whitelisting allowed containers and files, and leveraging logs and sidecar containers to monitor for detections. Response challenges around long investigation timeframes due to short container lifetimes and lack of access are addressed with strategies like comprehensive logging, filesystem artifact preservation, and automating remote response capabilities.
This is the slides accompanying the talk I gave at BSides Hannover 2015, discussing the reverse engineering and exploitation of numerous vulnerabilities in Icomera Moovmanage products along with the post exploitation of such, including the potential creation of a firmware rootkit
High performance network programming on the jvm oscon 2012, Erik Onnen
This document summarizes a talk on high performance network programming on the JVM. The talk discusses choosing between synchronous and asynchronous I/O, with examples of when each approach is best. It also covers how to optimize synchronous I/O on the JVM to maximize throughput. The document provides benchmarks comparing the performance of a simple synchronous memcache client versus an asynchronous one.
Bypassing patchguard on Windows 8.1 and Windows 10, Honorary_BoT
This document discusses techniques used by Patchguard, a mechanism in Windows 8.1 and 10 that protects the kernel from modifications. Patchguard uses code obfuscation, anti-debugging tricks, and periodic checksum validation to prevent unauthorized kernel patches. The document outlines various approaches that could be used to bypass Patchguard such as patching the kernel image, hooking functions, modifying checkers, or descheduling the context verification processes used by Patchguard. It provides details on specific functions and methods involved in Patchguard's context verification and suggests ways these could be descheduled to bypass the mechanism.
When performance hits rock-bottom everybody (and their dog) is called upon, and all of a sudden developers should have been responsible for the last half a year or so and coded with performance in mind (and deadlines, but that of course goes unsaid). So, here I'm talking about what a dev can do to meet those unreasonable demands and what he might do anticipating them.
Strictly JVM, mostly Sun Hotspot impl, but a number of points can be applied to other JVMs as well.
Hystrix is a latency and fault tolerance library designed by Netflix to isolate points of access to remote systems and services. It stops failures from cascading and improves resilience. Hystrix uses concepts like thread pooling, timeouts, circuit breakers, and fallbacks to achieve reliability. It provides commands for synchronous and asynchronous access to remote resources, and can be configured using properties or code. Hystrix also includes a dashboard for monitoring metrics and failures.
This document describes Hydra, a polymorphic shellcode engine for x86 systems. Hydra integrates several obfuscation techniques to bypass signature-based, statistical, and emulator-based intrusion detection systems. It features techniques like nop sled obfuscation, multi-part decoding, multi-layer ciphering, statistical mimicry, and time-locked ciphering to evade detection. The goal of Hydra is to generate unique, obfuscated shellcode for each attack to avoid detection by intrusion prevention systems.
The document discusses the author's Kubernetes environment and tools including kubectl, Minikube, and Helm. The author details how they use Minikube to create a single node Kubernetes cluster with kubectl and deploy charts with Helm. They also discuss charts they have already tried like Prometheus and Spinnaker as well as creating their own original chart called abematv-comment-receiver.
Ice Age melting down: Intel features considered usefull!, Peter Hlavaty
Kernel exploitation has decades of history, yet the most used techniques are still ones such as ROP. Software-based approaches have finally come to challenge this technique, some more successfully than others. These approaches usually try to solve far more than the ROP problem alone, and must handle not only security but, almost more importantly, performance. Another common attack vector for redirecting control flow is the stack, which follows from the design of today's architectures, and once again some software approaches have lately been tackling this as well. Although these software-based methods are nice pieces of work and effective to a large extent, a new game-changing approach seems to be coming to light: a methodology closing this attack vector that comes right from the hardware, Intel. We will compare this approach to its software alternatives, how one interleaves with another and how they can benefit from each other to challenge attackers by breaking their most fundamental techniques. At the same time, however, we go further, to challenge those approaches and show that even with these technologies in place the attacker is not yet in the corner.
DEF CON 27 - ITZIK KOTLER and AMIT KLEIN - gotta catch them all, Felipe Prado
The document discusses various techniques for injecting processes on Windows 10 x64 systems. It begins with introductions and background on the authors. It then explains the goals and scope of discussing true process injection techniques rather than related methods like process spawning. The body of the document details several classic techniques for memory allocation, writing to processes, and executing code in another process. It covers limitations and defenses for each technique under modern Windows protections.
This summary provides an overview of the lightning talks presented at the NetflixOSS Open House:
- Jordan Zimmerman from Netflix presented on several NetflixOSS projects he works on including Curator, a Java library that makes using ZooKeeper easier, and Blitz4j, an asynchronous logging library that improves performance over Log4j.
- Additional talks covered Eureka, a REST service for discovering middle-tier services; Ribbon for load balancing between middle-tier instances; Archaius for dynamic configuration; Astyanax for interacting with Cassandra; and various other NetflixOSS projects.
- The talks highlighted the motivation for these projects including addressing challenges of scaling for Netflix's large data
This document discusses how to automate OpenSCAP compliance scanning with Foreman. It introduces OpenSCAP and how it integrates with Foreman using the foreman_openscap, smart_proxy_openscap, and foreman_scap_client plugins. The installation process and workflow are described, where Foreman is used to define profiles and assign them to hosts, Puppet configures clients, scans are run and reports uploaded to the Smart Proxy and Foreman for evaluation.
How do you deal with issues that happen in production? Error and Event logs are helpful but often they provide little to no help with things like deadlocks and memory leaks.
In this session we'll explore some low level utilities that allow us to take snapshots of running code and bring it back in house for analysis.
This document discusses intrinsic methods in the HotSpot JVM. It provides background on what intrinsic methods are and how they are implemented and optimized in JVMs and native compilers. It gives examples of intrinsic methods in HotSpot VM like System.currentTimeMillis(), Unsafe.compareAndSwapInt(), and Math.log(). It also discusses intrinsic methods added in TaobaoJDK like TCrc32 and how to experiment implementing your own intrinsic methods in the C1 and C2 compilers.
The document discusses Apache OpenWhisk, a serverless computing platform or Function as a Service (FaaS) that allows running code in response to events. It provides an overview of OpenWhisk architecture including the controller, invoker, and provider components. Examples of using OpenWhisk with Yahoo! Japan and for FaaS are described. Monitoring and developer tools for OpenWhisk are also mentioned.
The document provides an overview of the Erlang programming language and its history and uses. It describes how Erlang was originally written in Prolog, discusses its core features like concurrency, distribution and fault tolerance, and gives examples of code modules. It also summarizes Erlang's use in large telecom systems and major companies like Facebook.
2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities o..., chen yuki
This document describes three methods for exploiting a Java native vulnerability on Windows 7 with JRE 7 to bypass data execution prevention and address space layout randomization. The first method uses information leakage to conduct return-oriented programming. The second overwrites the length of a Java array and the access control context of a statement object. The third method sprays Java just-in-time compiled functions to control the instruction pointer and execute shellcode. Examples and limitations of each method are provided. In conclusion, the document recommends choosing an exploitation method based on the vulnerability and system configuration.
Lions, Tigers and Deers: What building zoos can teach us about securing micro..., Sysdig
How to secure microservices running in containers? Strategies for Docker, Kubernetes, Openshift, RancherOS, DC/OS Mesos.
Privileges, resources and visibility constraints with capabilities, cgroups and namespaces. Image vulnerability scanning and behavioural security monitoring with Sysdig Falco.
As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old-school heap-specific exploiting is dying. And with each Windows SP or new version, it is harder to attack the heap itself. Heap management adapts quickly and includes new mitigation techniques. But sometimes it is better to rethink the idea of mitigation and do this technique properly; even a half version of it will cover all known heap exploit techniques…
The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
InvokeDynamic is a new JVM instruction that allows method calls to be dynamically dispatched at runtime based on the actual object type, enabling just-in-time compilation optimizations for any language by making non-Java call sites visible to the HotSpot JVM compiler. It uses bootstrap methods, call sites holding method handle chains, and switch points to dynamically bind calls based on guard conditions checking the actual object type and rebinding if needed.
DEFCON 25 presentation. An overview of the basis for needing memory integrity validation (secure hash) checks of a running VM. Edit memory through python scripting. Enhance timeline assurances that you have not missed events with multiple complementary event sources.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
You're Off the Hook: Blinding Security Software, Cylance
User-mode hooking is dead. It’s also considered harmful due to interference with OS-level exploit mitigations like Control Flow Guard (CFG). At BlackHat US 2016, the “Captain Hook” talk revealed there were multiple serious security issues in AV hooking — we will put the final nail in the coffin by showing how trivial it is to bypass user-mode hooks. We will demonstrate a universal user-mode unhooking approach that can be included in any binary to blind security software from monitoring code execution and perform heuristic analysis. The tool and source code will be released on GitHub after the talk.
Alex Matrosov | Principal Research Scientist
Jeff Tang | Senior Security Researcher
The document discusses the current and future states of automated malware generation and malware defense techniques. It describes how malware distribution networks currently work and trends showing rising malware samples. The future of malware defense is proposed to apply more machine learning and statistical techniques to model malware behaviors and attributes in order to handle growing sample volumes. This would involve training machine learning classifiers on features identified by human experts to classify and cluster malware more effectively.
Unity Makes Strength discusses how security tools and systems can benefit from sharing information and coordinating responses through open communication. The presentation outlines examples of using common protocols and APIs to integrate firewalls, intrusion detection, malware analysis and other tools. Dynamic integration allows the systems to automatically update configurations and block threats in real-time based on intelligence from multiple sources. While powerful, proper controls and testing are needed to avoid potential risks from increased connectivity.
Search for Vulnerabilities Using Static Code Analysis, Andrey Karpov
Vulnerabilities are the same things as common errors. Why do we distinguish them? Do this, if you want to earn more money. CWE - Common Weakness Enumeration. CVE - Common Vulnerabilities and Exposures. Now using Valgrind you're searching not for a memory leak, but for a denial of service.
This document provides an introduction to Node.js, a framework for building scalable server-side applications with asynchronous JavaScript. It discusses what Node.js is, how it uses non-blocking I/O and events to avoid wasting CPU cycles, and how external Node modules help create a full JavaScript stack. Examples are given of using Node modules like Express for building RESTful APIs and Socket.IO for implementing real-time features like chat. Best practices, limitations, debugging techniques and references are also covered.
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices, srkedmi
This document discusses attacking the Linux pseudo-random number generator (PRNG) on Android and embedded devices. It begins by motivating the attack by describing a previous vulnerability discovered in the Android keystore. It then provides an overview of the Linux PRNG and describes how an attacker could reconstruct the PRNG's internal state by simulating PRNGs with different seeds and comparing to leaked values from the real PRNG. It discusses problems with mounting the attack and where leaks could be obtained, such as during the kernel or platform boot process. It then describes a local attack method using a malware to obtain a PRNG seed and bypass stack canary protection.
You Can't Correlate what you don't have - ArcSight Protect 2011, Scott Carlson
In this presentation we discuss gathering data with syslog-ng in order to properly feed your SIEM system such as ArcSight ESM. This presentation is from HP/ArcSight Protect 2011.
C++ in kernel mode, Roman Beleshev
Have you ever written drivers for Windows? And in C++? It is time to dispel the myth that driver development is only C and only hardcore. About the differences between kernel mode and user mode, about the technical details of implementing some C++ features, and about the fact that writing drivers in C++ is possible, necessary, and very pleasant and engaging.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day and age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash-based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions found today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips, Felipe Prado
Linux EDRs present challenges for adversaries seeking to evade detection. The document discusses several strategies and techniques for evading Linux EDRs, including:
1) Utilizing existing trusted system binaries as decoys to bypass process pattern matching. Techniques include using ld.so and busybox to launch payloads.
2) Developing "Uber preloaders" that can load modular payloads and provide command line arguments for evasion.
3) Storing payloads in volatile memory using techniques like memfd_create to avoid detection by EDRs scanning files on disk.
4) Coordinating payloads and preloaders through a "Zombie Ant Farm" module that stores
Next Generation DevOps in Drupal: DrupalCamp London 2014, Barney Hanlon
In this talk, Barney will be discussing and demonstrating how to:
- Use nginx, Varnish and Apache together in a "SPDY sandwich" to support HTTP 2.0
- Setting up SSL properly to mitigate against attack vectors
- Performance improvements with mod_pagespeed and nginx
- Deploying Drupal sites with Docker containers
Barney is a Technical Team Leader at Inviqa, a Drupal Association member and writes for Techportal on using technologies to improve website performance. He first started using PHP professionally in 2003, and has over seventeen years experience in software development. He is an advocate of Scrum methodology and has an interest in performance optimization, researching and speaking on various techniques to improve user experience through faster load times.
Practical IoT Exploitation (DEFCON23 IoTVillage), Lyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. Whether you are new to IoT or a seasoned professional, you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
Similar to owasp lithuania chapter - exploit vs anti-exploit (20)
Internet Celebrities and Purposeful Content Creation, silnan
This presentation is my proposal for my 2025 South-by-Southwest (#SxSW2025) Book Reading. There will be an overview of the three parts of my new book "Digital Culture in the Platform Era: Studying influence, celebrity, and superstars online." Specifically, this overview will focus on the different personality types that drive online engagement, the purposeful content that one creates to connect with their community, and how we reach online to be meaningful to others.
DataVinci: Expert Google Analytics Agency offering GA4 Consulting Services, GTM Consulting Services, and CRO solutions to elevate your digital strategy and optimize conversions.
How Can Microsoft Office 365 Improve Your Productivity?, Digital Host
Microsoft Office 365 is a cloud-based subscription service offering essential productivity tools. It includes Word for documents, Excel for data analysis, PowerPoint for presentations, Outlook for email, OneDrive for cloud storage, and Teams for collaboration. Key benefits are accessibility from any device, advanced security, and regular updates. Office 365 enhances collaboration with real-time co-authoring and Teams, streamlines communication with Outlook and Teams Chat, and improves data management with OneDrive and SharePoint. For reliable office 365 hosting, Digital Host offers various subscription plans, setup support, and training resources. Visit https://www.digitalhost.com/email-office/office-365/
Nomad Internet: Leading Internet Provider for Rural Areas in the USA, Nomad Internet
Nomad Internet specializes in delivering reliable, high-speed wireless internet to rural areas and travelers across the United States. Whether you're in a remote location or on the move, our flexible plans and exceptional customer support ensure you stay connected wherever you are. Experience seamless internet access with Nomad Internet, designed to meet the unique needs of rural and traveling users.
THE SOCIAL STEM - #1 TRUSTED DIGITAL MARKETING COMPANY, thesocialstem05
WELCOME TO DIGITAL WORLD!
THE SOCIAL STEM, #1 trusted digital marketing company in jalandhar, is a trusted digital partner.
As DIGITAL THINKERS, social stem is dedicated to enhancing the presence of your business digitally, so get ready to dive in the ocean of digital world.
THE SOCIAL STEM offers a full range of Digital Marketing Services including SEO, SMO, PPC, website designing, web development,Content marketing, and many more.
We at social stem know how to boost your online presence and announce your brand to millions of customers.
At THE SOCIAL STEM, we are passionate about harnessing the power of digital marketing to elevate brands and drive business success. Our expert platoon is dedicated to creating customized strategies that align with your goals and drive measurable results.
From SEO and content marketing to social media management and PPC campaigns, we utilize a multifaceted approach to ensure your brand stands out in the digital landscape.
OUR VISION AND MISSION
THE SOCIAL STEM#1 trusted digital marketing company in jalandhar visions to become the leading digital marketing company in Jalandhar, renowned for our innovative strategies, extraordinary customised services and superlative results.
THE SOCIAL STEM, #1 trusted digital marketing company in Jalandhar, has the mission to provide our clients with expert digital solutions that drive ROI. We also empower businesses by enhancing their online visibility and turning visitors into loyal customers. We endeavour to create customised marketing strategies, aligning with our clients’ goals, ensuring sustainable growth and success.
This guide explains how businesses can prepare for and respond to Disaster Recovery IT Services Orange County. It covers the basics of keeping important data safe, quickly recovering systems after problems, and minimizing downtime to ensure business operations continue smoothly.
Learn More: https://skywardit.com/services/
The Money Wave 2024 Review_ Is It the Key to Financial Success.pdf, nirahealhty
What is The Money Wave?
The Money Wave is a comprehensive financial program designed to equip individuals with the knowledge and tools necessary for achieving financial independence. It encompasses a range of resources, including educational materials, webinars, and community support, all aimed at helping users understand and leverage various financial opportunities.
➡️ Click here to get The Money Wave from the official website.
Key Features of The Money Wave
Educational Resources: The Money Wave offers a wealth of educational materials that cover essential financial topics, including budgeting, investing, and wealth-building strategies. These resources are designed to empower users with the knowledge needed to make informed financial decisions.
Expert Guidance: Users gain access to insights from financial experts who share their experiences and strategies for success. This guidance can be invaluable for individuals looking to navigate the complexities of personal finance.
Community Support: The program fosters a supportive community where users can connect with like-minded individuals. This network provides encouragement, accountability, and shared experiences that can enhance the learning process.
Actionable Strategies: The Money Wave emphasizes practical, actionable strategies that users can implement immediately. This focus on real-world application sets it apart from other financial programs that may be more theoretical in nature.
Flexible Learning: The program is designed to accommodate various learning styles and schedules. Users can access materials at their convenience, making it easier to integrate financial education into their daily lives.
Benefits of The Money Wave
Increased Financial Literacy: One of the primary benefits of The Money Wave is the enhancement of financial literacy. Users learn essential concepts that enable them to make better financial decisions, ultimately leading to improved financial health.
Empowerment: By providing users with the tools and knowledge needed to take control of their finances, The Money Wave empowers individuals to take proactive steps toward achieving their financial goals.
Networking Opportunities: The community aspect of The Money Wave allows users to connect with others who share similar financial aspirations. This network can lead to valuable partnerships, collaborations, and support systems.
Long-Term Success: The strategies taught in The Money Wave are designed for long-term success. Users are encouraged to adopt a mindset of continuous learning and growth for sustained financial well-being.
Accessibility: With its online format, The Money Wave is accessible to anyone with an internet connection. This inclusivity allows individuals from various backgrounds to benefit from the program.
WTF is Food Journalism? An introduction to Food Media, Damian Radcliffe
Slides from the introductory class of my Food Journalism in France class, as part of a study abroad program in summer 2024. https://geo.uoregon.edu/programs/europe-france/food-journalism-france
2. Slide subject structure
• Exploit: popular exploitation technique
• Mitigation: anti-exploit (mitigation) technique
• Bypass: anti-anti-exploit (anti-mitigation) evasion technique
• Test: test to check the mitigation in action or to bypass it
[Figure: nested layers labelled exploit, mitigation, bypass]
32. Mitigation: DEP
• Hardware-enforced DEP: NX / NXCOMPAT flag
• Software-enforced DEP
• Dynamic DEP (4)
• Stack Exec (2)
• DEP turnoff (1)
AlwaysON flag – MUST!!!
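The NXCOMPAT flag on this slide is a per-image opt-in recorded in the PE optional header's DllCharacteristics field, next to the DYNAMIC_BASE (ASLR) and GUARD_CF bits. The following Python is an added example, not code from the OWASP Lithuania deck: it parses those bits out of a PE header and lists which opt-in mitigations an image does not request. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants; the `build_sample_pe()` helper constructs a minimal, sectionless PE header purely so the parser can be exercised offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high entropy
    "DYNAMIC_BASE": 0x0040,     # image may be relocated (ASLR opt-in)
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,        # DEP opt-in (linker /NXCOMPAT)
    "NO_ISOLATION": 0x0200,
    "NO_SEH": 0x0400,           # image does not use SEH
    "NO_BIND": 0x0800,
    "APPCONTAINER": 0x1000,
    "WDM_DRIVER": 0x2000,
    "GUARD_CF": 0x4000,         # Control Flow Guard
    "TERMINAL_SERVER_AWARE": 0x8000,
}


def parse_dll_characteristics(image: bytes) -> dict:
    """Map each DllCharacteristics flag name to True/False for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    flags = {name: bool(dllchars & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    flags["PE32PLUS"] = magic == 0x20B
    return flags


def missing_mitigations(flags: dict) -> list:
    """Opt-in mitigations the image does not request, in a fixed report order."""
    wanted = ["NX_COMPAT", "DYNAMIC_BASE", "GUARD_CF"]
    if flags["PE32PLUS"]:
        wanted.append("HIGH_ENTROPY_VA")  # only meaningful for 64-bit images
    return [name for name in wanted if not flags[name]]


def build_sample_pe(dllchars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) used only to exercise the parser."""
    opt_size = 112 if pe32plus else 96  # optional header without data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real file: python check_dllchars.py some.exe
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                  # otherwise the constructed sample: NX_COMPAT + DYNAMIC_BASE
        data = build_sample_pe(0x0140)
    flags = parse_dll_characteristics(data)
    for name in DLL_CHARACTERISTICS:
        print("%-22s %s" % (name, "set" if flags[name] else "-"))
    print("missing opt-in mitigations:", missing_mitigations(flags) or "none")
```

The image flag is only an opt-in: with the system policy set to AlwaysOn (the "MUST" on the slide) DEP is enforced regardless of NX_COMPAT, so this header check complements the policy check rather than replacing it.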
34. Bypass: Anti-DEP
• Return-into-libc attack
• Disable DEP for a process
• Mark memory area as executable
• Allocate new executable area and copy shellcode
• DLL load
• Code reuse (ROP)
35. Tests: generic DEP and DEP bypass
• Execute shellcode from a PAGE_READWRITE heap memory area
• Mark the stack memory executable (PAGE_EXECUTE_READWRITE) via VirtualProtect()
[Figure: test result grid for tests A, B, C, D; one result marked crash]
51. HEAP layout
[Figure: heap layout. Process virtual memory holds Heap 1 Base (default heap), Heap 2 Base ... Heap N Base; each heap holds Segment 1 Header (default segment), Segment 2 Header ... Segment N Header; each segment holds chunk1, chunk2 ... chunk N]
55. ASLR(HEAP) – HELL, where is my shellcode???
Base of default ProcessHeap is ASLR’ed (randomized)!!!
56. Windows Heap Manager predictable behavior
Low fragmentation heap – LFH (turned off by default): memory chunks are the same size and at predictable locations
64. Test: Heap spraying in action
• Execute shellcode via single byte NOP sled
• Execute shellcode via multi-byte (polymorphic) NOP sled
• Fill heap with prepared Javascript ArrayBuffer objects
[Figure: test result panels for tests A, B, C, D with the checks Caller Check, Memory Limit and HeapSpr Check; one panel marked TEST FAILED]
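The two sled tests on this slide differ in what a scanner sees: a single-byte sled is a long run of one value, a polymorphic sled is a long run drawn from a set of harmless one-byte instructions. The Python below is an added detection example, not code from the deck: it reports the longest run of NOP-equivalent bytes in a buffer and labels it single-byte or multi-byte. The opcode alphabet is a deliberately small, constructed subset of 32-bit x86 one-byte instructions; the three sample buffers are constructed inline.

```python
import random

# Single-byte x86 (32-bit) opcodes that neither touch memory nor change control
# flow, so a sled can be built from any mix of them.  Constructed, deliberately
# conservative alphabet for this example; real scanners use larger tables.
NOP_EQUIVALENTS = frozenset(
    [0x90]                         # nop
    + list(range(0x40, 0x50))      # inc/dec r32  (also ASCII '@' and 'A'..'O')
    + list(range(0x91, 0x98))      # xchg eax, r32
    + [0x98, 0x99]                 # cwde, cdq
)


def longest_sled(buf: bytes, alphabet=NOP_EQUIVALENTS):
    """Return (offset, length) of the longest run of bytes drawn from `alphabet`."""
    best_off = best_len = 0
    cur_off = cur_len = 0
    for i, b in enumerate(buf):
        if b in alphabet:
            if cur_len == 0:
                cur_off = i
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0
    return best_off, best_len


def classify_sled(buf: bytes, threshold: int = 64):
    """None if no run reaches `threshold`; otherwise offset, length and sled kind."""
    off, n = longest_sled(buf)
    if n < threshold:
        return None
    run = buf[off:off + n]
    kind = "single-byte" if len(set(run)) == 1 else "multi-byte"
    return {"offset": off, "length": n, "kind": kind}


# Constructed samples: lowercase text contains no alphabet bytes, so it is benign.
PREFIX = b"lowercase header text "
BENIGN = b"the quick brown fox jumps over the lazy dog " * 20
SINGLE = PREFIX + b"\x90" * 200 + b"\xcc" * 8
_rng = random.Random(1)  # fixed seed so the polymorphic sample is reproducible
POLY = PREFIX + bytes(_rng.choice(sorted(NOP_EQUIVALENTS)) for _ in range(150)) + b"\xcc" * 8


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("single-byte", SINGLE), ("polymorphic", POLY)):
        print(name, classify_sled(sample))
```

Because uppercase ASCII A to O decode as inc/dec, a long run of capitals (base64, padding) trips the heuristic, which is why the threshold and the surrounding context matter; for the ArrayBuffer spray on the slide the scan applies to the sprayed bytes as they appear in memory or on the wire, not to the JavaScript source.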
66. Bypass: Code Reuse concept
• Overflow using code injection is difficult nowadays!
• Let’s reuse code from victim process itself!!!
• Set up function arguments on the stack using instructions from loaded modules. CALL <API function> and bypass DEP. Get shellcode execution after the function ends.
67. Bypass: ROP Chains
• ROP Gadget – a set of instructions
• ROP Chain – many ROP gadgets chained together
Gadget chaining types:
• RETN ROP gadget
• CALL/JMP ROP gadget
69. Tests: ROP tests VirtualProtect()
• Create a memory page, copy the shellcode into it, make it executable using VirtualProtect() and jump to the shellcode
• Create a memory page, copy the shellcode into it, make it executable using a CALL-ROP-gadget from DLLs that reaches VirtualProtect(), and jump to the shellcode
• Create a memory page, copy the shellcode into it, make it executable using a chain that jumps to the legitimate code where a call to VirtualProtect() is located, and jump to the shellcode
[Figure: test result panels for tests A, B, C, D, each annotated Caller check]
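The "Caller check" annotating these test panels is the mitigation the three VirtualProtect() chains are measured against: when a protected API is entered, the return address on the stack is inspected, and the call is allowed only if the bytes immediately before that address decode as a CALL instruction, since a chain that reaches the API through RET gadgets normally arrives without one. The Python below is an added example, not code from the deck or from any product: it implements that decode over a constructed byte string, recognising the E8 rel32 form and the common FF /2 forms (register, [reg], [reg+disp8], [reg+disp32], [disp32]); SIB-encoded operands are left out to keep the example short.

```python
def preceded_by_call(code: bytes, ret_off: int) -> bool:
    """True if the bytes just before `ret_off` decode as a 32-bit x86 CALL.

    Recognised: E8 rel32 (5 bytes) and FF /2 with a register, [reg],
    [reg+disp8], [reg+disp32] or [disp32] operand (2, 2, 3, 6, 6 bytes).
    """
    if ret_off >= 5 and code[ret_off - 5] == 0xE8:
        return True
    for length in (2, 3, 6):
        start = ret_off - length
        if start < 0 or code[start] != 0xFF:
            continue
        modrm = code[start + 1]
        if (modrm >> 3) & 7 != 2:        # reg field must be /2 for CALL
            continue
        mod, rm = modrm >> 6, modrm & 7
        if length == 2 and (mod == 3 or (mod == 0 and rm not in (4, 5))):
            return True                  # call reg / call [reg]
        if length == 3 and mod == 1 and rm != 4:
            return True                  # call [reg+disp8]
        if length == 6 and ((mod == 2 and rm != 4) or (mod == 0 and rm == 5)):
            return True                  # call [reg+disp32] / call [disp32]
    return False


def caller_check(code: bytes, return_address: int) -> str:
    """Verdict for a protected API entered with `return_address` on the stack."""
    if preceded_by_call(code, return_address):
        return "ok"
    return "suspicious: API reached without a preceding CALL"


# Constructed code bytes; offsets are image-relative for the example.
CODE = bytes([
    0x55,                                 # 0: push ebp
    0x8B, 0xEC,                           # 1: mov ebp, esp
    0xE8, 0x10, 0x00, 0x00, 0x00,         # 3: call rel32       -> returns to 8
    0x85, 0xC0,                           # 8: test eax, eax
    0xC3,                                 # 10: ret
    0x5E,                                 # 11: pop esi          (a typical gadget)
    0xC3,                                 # 12: ret
    0xFF, 0xD0,                           # 13: call eax        -> returns to 15
    0x90,                                 # 15: nop
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00,   # 16: call [0x401000] -> returns to 22
    0x33, 0xC0,                           # 22: xor eax, eax
])

if __name__ == "__main__":
    for ret in (8, 11, 12, 15, 22):
        print("return address %2d: %s" % (ret, caller_check(CODE, ret)))
```

The verdict is a heuristic: x86 does not decode unambiguously backwards, so a defender treats this as one signal alongside the stack-pointer range check used against stack pivots rather than as proof of a legitimate caller.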
70. Tests: ROP tests NtProtectVirtualMemory()
• Chain that creates a memory page, copies the shellcode into it, makes it executable using NtProtectVirtualMemory() and jumps to the shellcode
• Wow64 bypass NtProtectVirtualMemory()
• Exploit Wow64 NtProtectVirtualMemory()
[Figure: test result panels for tests A, B, C, D; one annotated Caller check]
71. Tests: Stack Pivot / Stack Unpivot
• Point the stack pointer to newly allocated heap memory containing the shellcode
• Execute the ROP chain on both the pivoted and the native stack
[Figure: test results A, B, C, D on the native stack and on the ROP (pivoted) stack]