Learn, hack!

URL

http://dewy.fem.tu-ilmenau.de/CCC/22C3/video/22C3-553-en-syscall_proxying.mp4

File name

22C3-553-en-syscall_proxying.mp4

File size

374.4 MB

MD5

1d16206186d838addcbbecd9b7c67714

SHA1

fd10f3c81acf339a4c5d9a81d61c2d0b12a50d78

This talk is about how using syscall proxying technique for envolved attacks or other distributed applications. It includes source code examples like shellcodes, tools and a poc rootkit using this technique. This talk will be submited first at 0sec, a private security event we organize in switzerland in october. Since long time hackers are searching way to execute code on hosts through different types of vulnerabilities. The shellcode is one of the master part of a successfull exploitation. Making reliable exploit working in the wild with "universal" payload is the goal of every exploit writer. Syscall proxying is a technique which was introduced by Maximiliano Caceres (CORE SDI) which can provide a real remote interface to the host's kernel. The goal is writing universal "agents" to create all you can imagine locally but running it remotly. The best part of the syscall proxying technique is the attacker tools are locally stored but remotely executed through the payload. During this talk Casek will introduce this technique and his own implementation of syscall proxy shellcodes and tools. Different type of payloads, a library, tools and a proof of concept lightweight rootkit will be presented. He will discuss exploiting vulnerabilities with this goal: exploiting, privilege escalation if needed, rootkiting (remotly infecting processes or patching on the fly the kernel), covering traces etc... all in one time.