[ENG] Hacktivity 2013 - Alice in eXploitland - attack and defense evolution
Transcript
![Page 1: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/1.jpg)
Alice in eXploitland Attack & defense evolution
Zoltán Balázs
Hacktivity 2013
![Page 2: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/2.jpg)
About:me
OSCP, C|HFI, CISSP, CPTS, MCP
Senior IT security consultant @ Deloitte Hungary
Proud member of the gula.sh team
https://hu.linkedin.com/in/zbalazs
Twitter – zh4ck
![Page 3: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/3.jpg)
What’s next?
Evolution of memory corruption attack & defense
Stack based buffer overflows
Stack canary
Structured Exception Handling
DEP
ASLR
Advanced mitigation
![Page 4: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/4.jpg)
Scope of this presentation
Focus on memory corruption, not Java vulnerabilities
Focus on Windows: for the last 15 years Windows was the biggest target for memory corruption exploits
High level overview only, no details like Assembly
Mostly stack overflow vulnerability: no heap overflow, no format string, no null pointer dereference, no integer overflow (just a little bit), no use after free
![Page 7: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/7.jpg)
Why you should care about exploits?
If you are a company outside of China (or place your favourite enemy here)
You are a target for intellectual property stealing
Your intellectual property will be stolen
social engineering
software exploits
You will find your product on the local Chinese market at half the price
![Page 9: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/9.jpg)
Why you should care about exploits?
If you are a military team working for the Chinese (or other) government
To steal intellectual property
Your C&C server will be hacked through a memory corruption vulnerability
Your "projects" will be revealed by hackers from Luxembourg
![Page 13: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/13.jpg)
Why you should care about exploits?
If you are a plain user surfing the web
You might be hacked through a memory corruption vulnerability (or Java)
Credit card stolen, internet bank hacked
Identity stolen
Facebook wall spammed
![Page 14: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/14.jpg)
Function calls
```c
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy copies argv[1] into a 100-byte stack
   buffer with no length check, so longer input overwrites what follows. */
void SayHello(char* userinput) {
    char buffer[100];
    strcpy(buffer, userinput);
    printf("Hello %s\n", buffer);
}

int main(int argc, char* argv[]) {
    if (argc < 2) return 1;       /* argc/argv were missing from the slide */
    SayHello(argv[1]);
    return 0;
}
```
![Page 20: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/20.jpg)
Function calls
```text
0x00000000  (low addresses)
   ...
   AAAA AAAA ... AAAA    buffer[100], filled by strcpy     <- ESP (top of stack)
   Saved EBP                                               <- EBP (frame pointer)
   Saved EIP
   ptr to argv[1]
   ....
0xFFFFFFFF  (high addresses)
```
strcpy writes this way: from the start of the buffer toward the saved EBP and saved EIP
EIP - extended instruction pointer - overwrite this for PROFIT
ESP - extended stack pointer
EBP - extended base pointer
![Page 21: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/21.jpg)
![Page 22: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/22.jpg)
Stack based buffer overflow vulnerability
"Stack overflow happens when the user can put more data on the allocated stack than is available"
If more data is put on the stack (stack overflow) ... magic will happen
Buffer overflow
Stack based buffer overflow
Heap based buffer overflow
![Page 26: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/26.jpg)
Stack overflow
```text
0x00000000
   ...
   AAAA AAAA ... AAAA   buffer, filled by strcpy       <- ESP (top of stack)
   Saved EBP       AAAA (overwritten)                  <- EBP (frame pointer)
   Saved EIP       AAAA (overwritten)
   ptr to argv[1]  AAAA (overwritten)
   ....
0xFFFFFFFF
```
strcpy writes this way: past the end of the buffer, over the saved EBP, the saved EIP and the argument
EIP - extended instruction pointer - overwrite this for PROFIT
ESP - extended stack pointer
EBP - extended base pointer
![Page 27: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/27.jpg)
![Page 29: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/29.jpg)
Quiz for Hacker Pschorr
Which team created the first Linux kernel patch to protect against stack overflows?
PaX team in 2000
![Page 30: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/30.jpg)
Stack overflow history
1972 – Computer Security Technology Planning Study
1988 – Morris worm
1996 – Smashing the Stack for Fun and Profit (Aleph One)
2000 – NSA – SELinux open sourced
2000 – PaX Team
2003 – SELinux merged into mainline Linux Kernel
2004 – Egghunters - against small buffers
![Page 31: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/31.jpg)
Shellcode
The code the attacker wants to execute
The instructions given by Alice to the rabbit
![Page 32: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/32.jpg)
Mitigation techniques
All of the following mitigation techniques are used against every kind of memory corruption vulnerability
Not just against stack overflow
![Page 34: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/34.jpg)
Stack canary/cookie
```text
0x00000000
   ...
   AAAA AAAA ... AAAA            buffer, filled by strcpy    <- ESP (top of stack)
   Random cookie 27384AB4CD457   AAAA (overwritten)
   Saved EBP                     AAAA (overwritten)          <- EBP (frame pointer)
   Saved EIP                     AAAA (overwritten)
   ptr to argv[1]                AAAA (overwritten)
   ....
0xFFFFFFFF
```
strcpy writes this way: the overflow can not reach the saved EBP/EIP without also overwriting the random cookie in front of them, and the changed cookie is detected before the function returns
EIP - extended instruction pointer - overwrite this for PROFIT
ESP - extended stack pointer
EBP - extended base pointer
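The cookie check in the diagram, as an added example in plain C (my code, not from the talk): a frame is modelled as a byte array laid out like the slide, the body copies input the way strcpy does, and the epilogue compares the cookie the way /GS or GCC's stack protector does before returning. The cookie value and the saved EBP/EIP values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout, lowest address first, mirroring the slide's diagram. */
#define BUF_SIZE   16
#define COOKIE_OFF BUF_SIZE
#define EBP_OFF    (COOKIE_OFF + 4)
#define EIP_OFF    (EBP_OFF + 4)
#define FRAME_SIZE (EIP_OFF + 4)

/* Constructed value standing in for the per-process random cookie. */
#define COOKIE_VALUE 0x27384AB4u

enum call_result { CALL_OK = 0, CALL_COOKIE_CORRUPTED = 1 };

struct frame { unsigned char mem[FRAME_SIZE]; };

static void put_u32(unsigned char *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static uint32_t get_u32(const unsigned char *p) {
    uint32_t v; memcpy(&v, p, sizeof v); return v;
}

/* Prologue: place the cookie between the buffer and the saved registers. */
static void frame_init(struct frame *f, uint32_t saved_ebp, uint32_t saved_eip) {
    memset(f->mem, 0, FRAME_SIZE);
    put_u32(f->mem + COOKIE_OFF, COOKIE_VALUE);
    put_u32(f->mem + EBP_OFF, saved_ebp);
    put_u32(f->mem + EIP_OFF, saved_eip);
}

/* Body: unbounded strcpy-style copy. The clamp to FRAME_SIZE only keeps the
   simulation inside its own array; below that limit it runs over the cookie,
   saved EBP and saved EIP exactly as the diagram shows. */
static void unsafe_copy(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->mem, input, n);
}

/* Epilogue: the /GS check that runs before 'ret'. */
static enum call_result check_cookie(const struct frame *f) {
    return get_u32(f->mem + COOKIE_OFF) == COOKIE_VALUE ? CALL_OK
                                                         : CALL_COOKIE_CORRUPTED;
}

/* One simulated call of a function like SayHello(); the saved EIP is reported
   so the effect of the overflow on the return address is visible. */
enum call_result simulate_call(const char *input, uint32_t *saved_eip_after) {
    struct frame f;
    frame_init(&f, 0xBFFFF000u, 0x08048500u);   /* constructed saved values */
    unsafe_copy(&f, input);
    if (saved_eip_after) *saved_eip_after = get_u32(f.mem + EIP_OFF);
    return check_cookie(&f);
}

uint32_t saved_eip_after(const char *input) {
    uint32_t eip = 0; (void)simulate_call(input, &eip); return eip;
}

int main(void) {
    const char *inputs[] = { "Alice", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (int i = 0; i < 2; i++)
        printf("%-34s cookie %s, saved EIP now 0x%08X\n", inputs[i],
               simulate_call(inputs[i], NULL) == CALL_OK ? "intact" : "CORRUPTED",
               saved_eip_after(inputs[i]));
    return 0;
}
```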
![Page 35: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/35.jpg)
![Page 36: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/36.jpg)
Stack canary/cookie history (/GS)
1997 - Linux (GCC)
2002 - MS (Visual Studio)
![Page 37: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/37.jpg)
Stack canary/cookie bypass
Method 1: Replace the cookie on the stack and in .data
  Metaphor: tamper with the sensor so that water does not trigger the alarm
Method 2: Overflow a buffer that is not protected (a non-string buffer)
  Metaphor: use a pot which is not equipped with an alarm system
Method 3: Guess/calculate the cookie (static cookie)
Method 4: Overwrite stack data in functions further up the stack, switch case
![Page 39: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/39.jpg)
Structured Exception Handling exploit
In reality, traditional stack overflow exploits are sometimes not possible:
No EIP overwrite
No jump
Stack cookies
  but the stack cookie is not checked at exception handling
Way too complicated to trigger
![Page 40: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/40.jpg)
SEH exploit – three steps to profit
Step 1. overwrite the first element in the exception-handling chain
Step 2. because of the overflow, exception handling is triggered
Step 3. via exception handling, control returns to the malicious shellcode (PROFIT)
![Page 41: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/41.jpg)
SEH exploit metaphor
If chaos occurs, there is a disaster recovery process to handle the chaos
Alice can rewrite the address where the rabbit can find the disaster recovery process manual
![Page 42: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/42.jpg)
SEH exploit mitigation
SafeSEH: a table which tells the operating system which exception handlers are valid
  only a limited set of addresses where the disaster recovery manual can be found
  Alice can not change those
SEHOP: the OS performs SEH chain validation
  breaks SEH overwrite exploitation techniques
  a stamp from the queen on the addresses where the disaster recovery manual can be found
![Page 43: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/43.jpg)
DEP
DEP - Data Execution Prevention – Windows (OS level)
Protection: mark the stack as non-executable
PageExec, W^X, NX, XD
![Page 44: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/44.jpg)
![Page 45: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/45.jpg)
PageExec, W^X, NX, XD, DEP
NX - Never Execute – AMD (CPU level)
XD - eXecution Disabled – Intel (CPU level)
W^X - Write XOR Execute – OpenBSD, OS X (OS level)
Non-Executable Memory – Linux (OS level)
Windows:
  If the CPU has NX/XD enabled/supported: hardware DEP == real DEP
  If the CPU has NX/XD disabled/not supported: software DEP == SafeSEH !!!
DEP modes: AlwaysOff, OptIn, OptOut, AlwaysOn
![Page 46: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/46.jpg)
PageExec, W^X, NX, XD, DEP
1997 - Openwall – Solar Designer
2000 - PaX Team PageExec
2002 - Exec Shield (Ingo Molnár)
2003 - OpenBSD
2004 - Linux (Ingo Molnár)
2004 - Windows XP SP2
2006 - OS X
![Page 47: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/47.jpg)
PageExec, W^X, NX, XD, DEP bypass
Method 1: Return Oriented Programming (ROP), with roots in Solar Designer's return-into-libc (1997)
![Page 48: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/48.jpg)
PageExec, W^X, NX, XD, DEP bypass
Method 2: Mark the stack region as executable
  Alice can override the order that her handwritten instructions can not be executed
  Does not work when the protection is "always on"
Method 3: Disable the protection for the process
  Does not work when the protection is "always on"
Method 4: Copy the shellcode to an executable area
  Executable areas are usually read-only
  Allocate new memory with read-write-execute permissions (VirtualAlloc)
  If attacking a browser: JavaScript heap spraying
  Other magic here
![Page 49: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/49.jpg)
ASLR metaphor
ASLR = Address Space Layout Randomization
Changing the addresses of the memory layout every time
Changing the street names and house numbers every time
Alice can only go to a house, but she won't know what its address will be at the time the rabbit arrives
![Page 50: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/50.jpg)
ASLR
1997 - Memco
2001 - PaX Team (RandExec/RandMmap/RandUStack/RandKStack)
2005 - OpenBSD
2005 - Linux (first implementation was weak)
2007 - Windows
2007 - OS X
2011 - Android
![Page 51: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/51.jpg)
ASLR bypass
2007 – MS07–017 ANI exploit – Alex Sotirov
Method 1: overwrite only the first two bytes of EIP (the low bytes)
  The high bytes are random - we need that info, so we don't change them
  The low bytes are modified to point to a piece of code useful for the attacker
  Alice's case: we specify the return address like "4 houses to the left, next to the original"
Method 2: Low entropy in the randomization – brute force
  A catch-all exception block is usually needed
  You never write try { code_here } catch (every exception) { do nothing }, do you?
  ASLR on a 32 bit OS is 14m3; ASLR on a 64 bit OS is 1337 (High Entropy ASLR on Win8)
![Page 52: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/52.jpg)
ASLR bypass ...
Method 2: Low entropy in random – brute force
Alice can give 1000 addresses to the rabbit
The rabbit will look for Alice in 1000 houses
Finally the rabbit can find Alice
Alice can give him the malicious instructions
PROFIT
![Page 53: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/53.jpg)
ASLR bypass …
Method 3: ASLR not enforced
  Java 6 (static) was used in an Adobe Flash exploit
  Java 7 has ASLR
  There are still some static street names and house numbers in eXploitland that never change
Method 4: address space information disclosure
  Alice can ask an inhabitant of eXploitland what the street name and house number will be of the house where Alice is when the rabbit arrives
![Page 54: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/54.jpg)
EMET
![Page 55: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/55.jpg)
Collect three gems
Exploiting stack overflow in 2003 on Windows
![Page 56: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/56.jpg)
Exploiting stack overflow in 2013 with ASLR + DEP
You have 3 ammo left
![Page 57: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/57.jpg)
ASLR + DEP bypass
Metasploit windows/browser/ms13_037_svg_dashstyle demo
Scenario 1. Disable ASLR, exploit fixed addresses
Scenario 2. Enable ASLR, exploit is not working
Scenario 3. Java 1.6 ROP with non-ASLR module works
Scenario 4. ASLR with original information leak exploit
Scenario 5. EMET with only the heap spray mitigation enabled blocks the exploit
![Page 58: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/58.jpg)
What to do if I’m a user?
Remove Java
If you use Windows: upgrade to the latest OS, use the latest browser (Chrome/IE); if you can't upgrade, use EMET
If you use Linux: upgrade to the latest OS, use the latest browser (Chrome)
If you use OS X: upgrade to the latest OS, use the latest browser (Safari/Chrome)
Upgrade your software
![Page 59: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/59.jpg)
What to do if I’m a CISO?
Remove Java, at least in the browsers used for Internet browsing
If you use Windows: upgrade to the latest OS
If you can't upgrade, use EMET deployed via GPO (Group Policy)
Install Microsoft and 3rd party patches
![Page 60: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/60.jpg)
What to do if I’m a developer?
Remove Java, at least in the browsers used for Internet browsing
Learn secure application development
Use the following switches in Visual Studio:
/SafeSEH (VS 2003)
/DynamicBase (VS 2005)
/NXCompat (VS 2005)
/HIGHENTROPYVA (VS 2012)
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005)
BinScope
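The /DynamicBase, /NXCompat and /HIGHENTROPYVA switches listed above set bits in the DllCharacteristics field of the PE optional header. The following added example (my code, not from the talk or from BinScope) reads that field from a PE image so a build can be checked for ASLR, DEP and high-entropy ASLR support; the PE header it parses in main() is constructed, not a real binary. /SafeSEH is not covered here because it is recorded in the load config directory rather than in this field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Documented IMAGE_DLLCHARACTERISTICS_* bits set by the linker switches. */
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020   /* /HIGHENTROPYVA */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040   /* /DynamicBase  */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT       0x0100   /* /NXCompat     */

struct pe_mitigations {
    int valid, pe32plus;    /* valid: parsable PE; pe32plus: 64-bit image */
    int aslr, dep, high_entropy;
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inspect an in-memory PE image (the first few hundred bytes of the file suffice). */
struct pe_mitigations pe_inspect(const unsigned char *img, size_t len) {
    struct pe_mitigations m; memset(&m, 0, sizeof m);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return m;
    uint32_t pe_off = rd32(img + 0x3C);                   /* e_lfanew */
    /* "PE\0\0" (4) + COFF header (20) + optional header up to and including
       DllCharacteristics (offset 70, 2 bytes, the same in PE32 and PE32+). */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return m;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return m;
    const unsigned char *opt = img + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return m;       /* PE32 / PE32+ */
    uint16_t dllchars = rd16(opt + 70);
    m.valid = 1;
    m.pe32plus = (magic == 0x20B);
    m.aslr = !!(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    m.dep = !!(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    m.high_entropy = m.pe32plus && (dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA);
    return m;
}

/* Constructed minimal PE header (not a real binary) with the given magic and
   DllCharacteristics, just enough for pe_inspect(). Returns bytes written. */
size_t make_test_pe(unsigned char *out, size_t cap, uint16_t magic, uint16_t dllchars) {
    const size_t pe_off = 0x80, need = pe_off + 4 + 20 + 72;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (unsigned char)pe_off;                    /* e_lfanew, little endian */
    memcpy(out + pe_off, "PE\0\0", 4);
    unsigned char *opt = out + pe_off + 24;
    opt[0] = (unsigned char)magic;     opt[1] = (unsigned char)(magic >> 8);
    opt[70] = (unsigned char)dllchars; opt[71] = (unsigned char)(dllchars >> 8);
    return need;
}

/* Bitmask summary of a constructed header: 1 valid, 2 ASLR, 4 DEP, 8 high entropy. */
int inspect_constructed(uint16_t magic, uint16_t dllchars) {
    unsigned char buf[256];
    struct pe_mitigations m = pe_inspect(buf, make_test_pe(buf, sizeof buf, magic, dllchars));
    return m.valid | m.aslr << 1 | m.dep << 2 | m.high_entropy << 3;
}

int main(void) {
    /* PE32+ image linked with /DynamicBase /NXCompat /HIGHENTROPYVA */
    int mask = inspect_constructed(0x20B, 0x0160);
    printf("ASLR=%d DEP=%d HighEntropy=%d\n", !!(mask & 2), !!(mask & 4), !!(mask & 8));
    return 0;
}
```

To check a real file, read its first 512 bytes into a buffer and pass them to pe_inspect().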
![Page 61: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/61.jpg)
What to do if I’m working for the Chinese government running vulnerable Poison Ivy servers?
Develop your own backdoor client/server
For details see previous slide
Until it is finished, use EMET
![Page 62: [ENG] Hacktivity 2013 - Alice in eXploitland](https://reader036.vdocuments.us/reader036/viewer/2022081504/554d5657b4c90578428b46da/html5/thumbnails/62.jpg)
Lessons learned
Always use ASLR (Always on, 64 bit) + DEP (Always On) together + EMET for additional protection
Number of working IE9 (2011 March) exploits in Metasploit: with Java 6 – 1, without Java 6 – 1
Number of working IE10 exploits in Metasploit: 0
Number of Java 7 (2011 July) exploits in Metasploit: 16
The price of a zero-day memory corruption exploit is getting higher and higher