douglas mckee mark bereza - def con con 27/def con 27... · 2019-09-30 · what do we have?...
TRANSCRIPT
Douglas McKeeMark Bereza
••••
••••
•
•
••
•
•
•
•
DEBUG THIS,
NERD
Watchdog error message
Binary Patch
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
What do we have?
• Execution control via GOT override
• Netcat installed by def
• Memory on heap
What do we want?
• Persistence• Root access
How do we get it (easily)?
• Put shellcode in memory we control
• Fire off reverse shell by calling system()
What do we have?
• Execution control via GOT overwrite
• Netcat installed by default
• Memory on heap
What do we want?
• Persistence• Root access
How do we get it (easily)?
• Put shellcode in memory we control
• Fire off reverse shell by calling system()
What do we have?
• Execution control via GOT overwrite
• Netcat installed by default
• Memory on heap
What do we want?
• Persistence• Root access
How do we get it (easily)?
• Put shellcode in memory we control
• Fire off reverse shell by calling system()
What do we have?
• Execution control via GOT overwrite
• Netcat installed by default
• Memory on heap
What do we want?
• Root access• Persistence
How do we get it (easily)?
• Put shellcode in memory we control
• Fire off reverse shell by calling system()
What do we have?
• Execution control via GOT overwrite
• Netcat installed by default
• Memory on heap
What do we want?
• Root access• Persistence
How do we get it (easily)?
• Put shellcode in memory we control
• Fire off reverse shell by calling system()
What do we have?
• Execution control via GOT overwrite
• Netcat installed by default
• Memory on heap
What do we want?
• Root access• Persistence
How do we get it (easily)?
• Put shellcode in memory we control
• Fire off reverse shell by calling system()
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
R4 + offset gets us close to system() address
Hit when relay turns on
Call to ioctl() flips relay
•
•
•
•
•
•
•
•
•
•
•
•
Inserted into startup script using our exploit
1. Delta programming executes
2. Dynamic linker loads objects in the following order:
1. Delta programming executes
2. Dynamic linker loads objects in the following order:
3. I/O polling thread calls canioWriteOutput to flip a relay
1. Delta programming executes
1. Delta programming executes
2. Dynamic linker loads objects in the following order:
1. Delta programming executes
2. Dynamic linker loads objects in the following order:
3. I/O polling thread calls canioWriteOutput to flip a relay
1. Delta programming executes
2. Dynamic linker loads objects in the following order:
3. I/O polling thread calls canioWriteOutput to flip a relay
1. Delta programming executes
Device ID: 0x0836004B
Device state: 75.1038
Device description: “Room Temp”
•
•
•
•
•
•
•
•
•
•
•
•
••
•
•
•
•
•
•
••
•
•
•
•
•
•