Friday 5th July, 2013
2:00pm to 2:45pm
… or how we did not kill a 0day at Defcon
Binary remote exploitation of an unprivileged service often requires an additional local exploit to elevate to root privileges. Even if your target is running as root already, you may want to preserve your exquisite backdoor from being analyzed.
This talk presents a case study of multiple shellcode stages to make sure your payload is not caught, even if the traffic is sniffed all the time and a disk dump is taken right after exploitation (we cannot avoid being caught in a physical memory dump, though). This is achieved by polymorphic obfuscation, proper public key cryptography and not touching the disk at all (while still being able to run any statically linked ELF payload).
The described code has been successfully used in the Defcon 2011 CTF to deliver a FreeBSD local 0day without disclosing it to the playing teams (or so we'd like to believe). A Honeynet Project Forensic Challenge was to analyze this code, now we can present the real code.
x86 and ARM Binarista at Starbugs; Senior Security Researcher at CrowdStrike