Secure Exploit Payload Staging

A session at SIGINT 2013

Friday 5th July, 2013

2:00pm to 2:45pm (CET)

… or how we did not kill a 0day at Defcon

Binary remote exploitation of an unprivileged service often requires an additional local exploit to elevate to root privileges. Even if your target is running as root already, you may want to preserve your exquisite backdoor from being analyzed.

This talk presents a case study of multiple shellcode stages to make sure your payload is not caught, even if the traffic is sniffed all the time and a disk dump is taken right after exploitation (we cannot avoid being caught in a physical memory dump, though). This is achieved by polymorphic obfuscation, proper public key cryptography and not touching the disk at all (while still being able to run any statically linked ELF payload).

The described code was successfully used in the Defcon 2011 CTF to deliver a FreeBSD local 0day without disclosing it to the playing teams (or so we'd like to believe). A Honeynet Project Forensic Challenge asked participants to analyze this code; now we can present the real code.

About the speaker

Georg Wicherski

x86 and ARM Binarista at Starbugs; Senior Security Researcher at CrowdStrike (bio from Twitter)



Cologne, Germany

5th to 7th July 2013
