2009-04-04:

SysDay 2009 post conference materials (and the unicorn)

blog:security:windows:sysday:medium:lecture
I'm sorry, but the slides are, again, in Polish (well, the source code and demo videos don't have Polish in them, mostly because they don't have any text at all). I've been informed that a video from the lecture will be available, so I'll take my time and attach English subtitles if anyone is interested in it (let me know if you are).

Anyway, my lecture was about return-oriented exploiting (yep, I've already touched this topic the other day on this blog) - it contained a little history, how it works, how to make loops and conditional jumps, and also I've presented a small app (for source/binary see below) that scans the memory of a process for usable return-ended instruction sequences (I've named it rta_finder).
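To show the idea such a scan relies on, here is a toy scanner added to this post; it is not rta_finder and not code from the talk. It decodes only a handful of single-byte x86 opcodes (push/pop/inc/dec r32, nop, xchg eax,r32, ret, ret imm16), walks backwards from every `ret` byte, and keeps each start offset that decodes cleanly onto that `ret`. The sample bytes are constructed for the demo, and the middle instruction is chosen so that its tail decodes differently from an unaligned start (a `mov` whose displacement byte is also `pop eax`). That property is exactly why a compiled binary contains far more usable sequences than the compiler emitted, and why hardening audits count them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Toy "ret-ended sequence" scanner (added example, not rta_finder).
   Only a tiny subset of 32-bit x86 is decoded: inc/dec/push/pop r32, nop,
   xchg eax,r32, ret and ret imm16. Any other opcode ends a candidate. */

#define MAX_INSTR 4      /* at most this many instructions before the ret */

typedef struct {
    size_t start;        /* offset of the first instruction of the sequence */
    size_t ret_off;      /* offset of the terminating ret */
    int    ninstr;       /* instructions before the ret */
} sequence_t;

static int is_ret(const uint8_t *buf, size_t n, size_t i)
{
    return buf[i] == 0xC3 || (buf[i] == 0xC2 && i + 2 < n);
}

/* Length of the instruction at buf[i] if its opcode is in the toy subset, else 0. */
static int decode_len(const uint8_t *buf, size_t n, size_t i)
{
    uint8_t op = buf[i];
    if (op >= 0x40 && op <= 0x5F) return 1;   /* inc/dec/push/pop r32 */
    if (op >= 0x90 && op <= 0x97) return 1;   /* nop, xchg eax,r32 */
    if (op == 0xC3) return 1;                 /* ret */
    if (op == 0xC2) return i + 2 < n ? 3 : 0; /* ret imm16 */
    return 0;
}

static const char *mnemonic(uint8_t op)
{
    static const char *reg[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
    static char text[16];
    if (op >= 0x40 && op <= 0x47)      snprintf(text, sizeof text, "inc %s",  reg[op - 0x40]);
    else if (op >= 0x48 && op <= 0x4F) snprintf(text, sizeof text, "dec %s",  reg[op - 0x48]);
    else if (op >= 0x50 && op <= 0x57) snprintf(text, sizeof text, "push %s", reg[op - 0x50]);
    else if (op >= 0x58 && op <= 0x5F) snprintf(text, sizeof text, "pop %s",  reg[op - 0x58]);
    else if (op >= 0x91 && op <= 0x97) snprintf(text, sizeof text, "xchg eax,%s", reg[op - 0x90]);
    else if (op == 0x90) return "nop";
    else if (op == 0xC3) return "ret";
    else if (op == 0xC2) return "ret imm16";
    else return "??";
    return text;
}

/* For every ret in buf, try each start up to MAX_INSTR bytes before it and keep
   the starts that decode cleanly (known opcodes, no earlier ret) and land exactly
   on that ret. Stores up to max_out results, returns the total number found. */
static size_t find_sequences(const uint8_t *buf, size_t n, sequence_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t r = 0; r < n; r++) {
        if (!is_ret(buf, n, r)) continue;
        for (size_t back = 1; back <= MAX_INSTR && back <= r; back++) {
            size_t start = r - back, pos = start;
            int ninstr = 0, ok = 1;
            while (pos < r) {
                int len = decode_len(buf, n, pos);
                if (len == 0 || is_ret(buf, n, pos)) { ok = 0; break; }
                pos += len;
                ninstr++;
            }
            if (ok && pos == r) {
                if (found < max_out) {
                    out[found].start = start;
                    out[found].ret_off = r;
                    out[found].ninstr = ninstr;
                }
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample bytes (not from any real binary):
   pop ebp ; ret
   mov [ebx+0x58], ebx ; ret      <- its last two bytes also read as "pop eax ; ret"
   nop ; pop edx ; pop ecx ; ret 4
   int3 */
static const uint8_t SAMPLE[] = {
    0x5D, 0xC3,
    0x89, 0x5B, 0x58, 0xC3,
    0x90, 0x5A, 0x59, 0xC2, 0x04, 0x00,
    0xCC
};

static sequence_t g_seqs[32];

static size_t sample_sequence_count(void)
{
    return find_sequences(SAMPLE, sizeof SAMPLE, g_seqs, 32);
}

static const sequence_t *sample_sequence(size_t idx)
{
    return idx < sample_sequence_count() ? &g_seqs[idx] : NULL;
}

int main(void)
{
    size_t cnt = sample_sequence_count();
    for (size_t i = 0; i < cnt; i++) {
        printf("%2zu: offset %2zu ->", i, g_seqs[i].start);
        for (size_t p = g_seqs[i].start; p <= g_seqs[i].ret_off; p += decode_len(SAMPLE, sizeof SAMPLE, p))
            printf(" %s ;", mnemonic(SAMPLE[p]));
        printf("\n");
    }
    return 0;
}
```

Run stand-alone it lists six sequences for the thirteen sample bytes, although the "intended" code has only three `ret`-terminated basic blocks: offset 3 (`pop ebx ; pop eax ; ret`) and offset 4 (`pop eax ; ret`) come from decoding the `mov` unaligned. A real scanner like the one from the talk needs a full disassembler in place of `decode_len`, but the walk-back-from-every-`ret` loop is the same.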

The lecture went quite smoothly, however I must admit that I was worried that I'd lose my voice - I attended the conference with a cold, and my voice was hoarse - luckily the organizers gave me a glass of hot water, and in the end I lost my voice after my lecture ;>

Enough of that, the materials are available here:
Slideshow (336kb PDF)
The demos (all of them) (15mb ZIP(AVI)) - they are "synced" with the "DEMO XX" slide in the slideshow.
A single demo - sysday_01.avi (5mb AVI) - DEMO 01 - presenting the vulnerable application
A single demo - sysday_02.avi (5mb AVI) - DEMO 02 - searching for instruction sequences
A single demo - sysday_03.avi (3mb AVI) - DEMO 03 - first exploit (exp1) in action
A single demo - sysday_04.avi (6mb AVI) - DEMO 04 - an unconditional jump under the debugger
Sources, executables (220kb ZIP(CPP,EXE)) - the test application, rta_finder and exploits, all with source code (warning: chaos inside)

And that's all.

P.S. So far 7 readers have found the pink unicorn on the main page of my blog, good work (I'll attach a full unicorn hall of fame later)!
