KEMBAR78
On non existent 0-days, stable binary exploits and | PPTX
Uploaded byAlisa Esage Шевченко
PPTX, PDF3,902 views

On non existent 0-days, stable binary exploits and

This document discusses techniques for exploiting DLL hijacking vulnerabilities remotely through user interaction. It argues that DLL hijacking is still a viable attack vector despite protections like DEP and ASLR. It proposes manipulating the current directory to execute exploits and hiding DLLs in archives, email attachments, and browser redressing to trigger exploits without appearing suspicious. While not suitable for mass attacks, it concludes DLL hijacking enables rapid targeted attacks by abusing existing vulnerabilities.

Downloaded 71 times
On non-existent 0-days, stable binary exploits and user interaction Alisa Esage Esage Lab // ООО ЦОР
GOAL NEED SOME 0-DAY REMOTE EXPLOITS* FOR TOP SOFTWARE/OS, FAST
How they do it • Target memory corruption • X% fuzzing + Y% static analysis – Only combination is viable – Other approaches are inmature • Fuzzing: massive overhead – Set up a framework – Develop patterns/heuristics !! – Take machine time – Analyze crash dumps ! – Exploit, bypass DEP/ASLR/Sandbox !!! • Perspective – protections harden – need more and more time to succeed – and resources to begin with
Perspective vectors • By-design vulnerabilities – E.g. DLL Hijacking, UI redressing, LD_LIBRARY_PATH… • Sandbox bypass for complex systems – E.g. JAVA: bypass SecurityManager -> full privileges for unsigned applet -> win • Certificates – E.g. Adobe PDF: signed document -> trusted document -> full-privileged JavaScript -> win
Why DLL Hijacking? • Test hacking skills! – Succeed with a blind alley before hitting the highway • Looks easy – Plenty of previous research, e.g. binaryplanting.com – Interns must do research, too • Real world targetted attacks: CVE-2011-1980, CVE-2011- 1991, CVE-2011-2100 – They work • MS12-046 vbe6.dll – They still exist! • OS behaviour undocumented – There is place for research
Research focus • Top, clean platforms – Windows 7 – Windows XP – Office 2010 – Office 2007 – Adobe Acrobat/Reader • Find a new remote delivery vector – Not a “.dll” in e-mail attachment – Not a “.dll” in a network share • Find something yet unfound
Tech recap • Exe -> dll by relative path • DLL Search Order • Current Directory (CD) – MS DOS rudiment • Default: app path • File open: file path • Some other changes • Exploitation profit: Bypass restrictions, LPE, RCE • Vectors: local, local network, client-side
Advantages • 100% stable exploit • 100% silent execution on non-supported targets • Very little overhead • No mess with protections • ! Not fixable globally with simple measures like DEP/ASLR – Only developers education can help – Will reappear in new software forever
Challenges • Search – “Trivial => already found” myth • Exploitation – Nobody ever tried to manipulate CD • User interaction – Triggered by clicking menus… now what? • Masking / delivery – Document + DLL binding looks suspicious
Arguing myths NONEXISTENT?
7500+ missing Windows DLLs
20+ Mb filtered log per app
Arguing myths NOT EXPLOITABLE?
Good!
Not so good
Goal: manipulate CD
CD internals • 0:005> dt _PEB @$peb -r • ntdll!_PEB • ... • +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS • ... • +0x024 CurrentDirectory : _CURDIR • +0x000 DosPath : _UNICODE_STRING "C:Documents and SettingshMy Documents" • +0x008 Handle : 0x00000b50 Void • • // получение адреса CurrentDirectory (первый dword - размеры, второй – указатель на строку) • 0:005> dd poi(@$peb+0x010)+0x024 • 00020024 02080052 00020290 00000b50 01840182 • 00020034 00020498 006e006c 0002061c 00740072 • // проверка адреса CD • 0:005> du 0x20290 • 00020290 "C:Documents and SettingshMy D" • 000202d0 "ocuments" • • // точка останова • 0:005> ba w 4 0x20290
CD internals - 2 • MSDN: “it is the directory in which the active application started, unless it has been explicitly changed“ – actually no • Way of starting an app affects CD – App exec default: app dir – App exec: SoftwareMicrosoftWindowsCurrentVersionApp Paths – Exec by lnk: lnk dir – Document open: document dir – CreateProcess(): lpCurrentDirectory • CD set internally by some API – GetOpenFileName() / GetSaveFileName() – FindFirstFile() / FindNextFile() (presumably) • Many file system APIs depend on CD – So developers call SetCurrentDirectory() every now and then
So…?
Local exploitation • Bypass restrictions/LPE: place exploit DLL into unrestricted location • Consider %PATH%
PATH FTW
Remote exploitation • Just open a document (the lucky case) • Make user Open/Save/Import/Export files, then trigger • Or automate file operations with a script • Induce an app state with CD changed by developer • Set CD explicitly • Find an app that CreateProcess()-es vulnerable app with good CD
Arguing myths EXPLOIT DLL TOO OBVIOUS?
No hiding
A needle in the haystack
Torrents
Browser UI redressing • IE9 on Windows 7 • Context: Local directory, network shared directory, WebDAV • Explorer dir underneath a website • Demo • Also works in Chrome on Windows 7, but restricted to file download operations
Browser UI redressing (2) • Chrome on Windows 7 • Context: remote • Web server directory underneath a website • Click-jacking game to silently download necessary files one-by-one • Until all files are saved in %Downloads% • Open exploit document
Set CD macro (MS Office) • Context: local dir, network shared dir • You can just execute arbitrary DLL from a macro • But better to execute a kernel32!SetCurrentDirectory() API to fool forensic analysts • Demo
MHT • Single file in e-mail attachment • Can contain any types of files, incl. binary • Browser extracts files to %INET_TMP% • Open exploit document by clicking <a href=“.filesdocument.txt” • Exploit DLL will be executed from the same directory • IE9 on Windows 7
Archives • Any archives for Windows that extract all files by default? Not SFX of course • WinRAR (latest): browse archive, double- click a HTML document only – Will extract ALL files into %TMP% – Including exploit DLL – Local browser context already
WinRAR FTW
Multistage • Case: DLL triggered by manual file import, no registered extension handler – unexploitable? • Stage 1: User gets an e-mail from admin (fake) instructing to install the attached reg-file (looks innocent) • In two weeks, stage 2: user gets an e-mail from a friend with a RAR-ed html game • Click-jacked open file -> exploit • Or open file via network share • As simple as the user is
So, what do we have? • Some 0-day vulnerabilities in up-to-date top platforms – Think of non-top software • Ways to manipulate CD • Ways to hide DLL • Remote DLL Hijacking exploitation looks like normal client-side exploitation • What else?
Conclusions • Is this a good vector for mass attacks? – Authors of CVE-2011-1991, 1980, 2100 could tell us for sure – I say no – 0-day exploits are not necessary for mass attacks anyway • Excellent vector for rapid targeted/onsite attacks – Plenty of vulnerabilities everywhere – Easy ‘n fast to find in arbitrary environment – Ease ‘n fast to exploit (after this presentation  ) • Even the most trivial bug can be worked down to a good exploit
Questions? Thanks to my team and interns Thank you for attention @alisaesage

More Related Content

PPTX
IT109 Microsoft Windows 7 Operating Systems Unit 08 lesson 11
byblusmurfydot1
 
PPTX
Hacking Microsoft Remote Desktop Services for Fun and Profit
byAlisa Esage Шевченко
 
PPT
Remote control system (rcs)
byShekh Md Mehedi Hasan
 
PPTX
Горизонтальные перемещения в инфраструктуре Windows
byPositive Hack Days
 
PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
PDF
Linux kernel modules
byDheryta Jaisinghani
 
PDF
BlueHat v18 || First strontium uefi rootkit unveiled
byBlueHat Security Conference
 
PDF
BlueHat v18 || The matrix has you - protecting linux using deception
byBlueHat Security Conference
 
IT109 Microsoft Windows 7 Operating Systems Unit 08 lesson 11
byblusmurfydot1
 
Hacking Microsoft Remote Desktop Services for Fun and Profit
byAlisa Esage Шевченко
 
Remote control system (rcs)
byShekh Md Mehedi Hasan
 
Горизонтальные перемещения в инфраструктуре Windows
byPositive Hack Days
 
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
Linux kernel modules
byDheryta Jaisinghani
 
BlueHat v18 || First strontium uefi rootkit unveiled
byBlueHat Security Conference
 
BlueHat v18 || The matrix has you - protecting linux using deception
byBlueHat Security Conference
 

What's hot

PDF
Атаки на платформу Java Card с использованием вредоносных апплетов
byPositive Hack Days
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
bySam Bowne
 
PDF
CNIT 152 12 Investigating Windows Systems (Part 2)
bySam Bowne
 
PDF
CNIT 126 11. Malware Behavior
bySam Bowne
 
PDF
Sans london april sans at night - tearing apart a fileless malware sample
byMichel Coene
 
PDF
CNIT 126 Ch 11: Malware Behavior
bySam Bowne
 
PDF
Practical Malware Analysis: Ch 11: Malware Behavior
bySam Bowne
 
PDF
BlueHat v18 || Memory resident implants - code injection is alive and well
byBlueHat Security Conference
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
byNCC Group
 
PDF
CNIT 121: 10 Enterprise Services
bySam Bowne
 
PDF
CNIT 152: 12b Windows Registry
bySam Bowne
 
PPTX
Server Hardening Primer - Eric Vanderburg - JURINNOV
byEric Vanderburg
 
PPTX
metaploit framework
byLe Quyen
 
PDF
CNIT 152: 6. Scope & 7. Live Data Collection
bySam Bowne
 
PPT
Device Driver in WinCE 6.0 R2
byrahul_p_shukla
 
PPT
Kunal - Introduction to backtrack - ClubHack2008
byClubHack
 
PPS
Workshop on BackTrack live CD
byamiable_indian
 
PDF
CNIT 123: Ch 6: Enumeration
bySam Bowne
 
PPTX
Linux Device Driver’s
byRashmi Warghade
 
PDF
Ch 6: Enumeration
bySam Bowne
 
Атаки на платформу Java Card с использованием вредоносных апплетов
byPositive Hack Days
 
CNIT 126: 10: Kernel Debugging with WinDbg
bySam Bowne
 
CNIT 152 12 Investigating Windows Systems (Part 2)
bySam Bowne
 
CNIT 126 11. Malware Behavior
bySam Bowne
 
Sans london april sans at night - tearing apart a fileless malware sample
byMichel Coene
 
CNIT 126 Ch 11: Malware Behavior
bySam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
bySam Bowne
 
BlueHat v18 || Memory resident implants - code injection is alive and well
byBlueHat Security Conference
 
07182013 Hacking Appliances: Ironic exploits in security products
byNCC Group
 
CNIT 121: 10 Enterprise Services
bySam Bowne
 
CNIT 152: 12b Windows Registry
bySam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
byEric Vanderburg
 
metaploit framework
byLe Quyen
 
CNIT 152: 6. Scope & 7. Live Data Collection
bySam Bowne
 
Device Driver in WinCE 6.0 R2
byrahul_p_shukla
 
Kunal - Introduction to backtrack - ClubHack2008
byClubHack
 
Workshop on BackTrack live CD
byamiable_indian
 
CNIT 123: Ch 6: Enumeration
bySam Bowne
 
Linux Device Driver’s
byRashmi Warghade
 
Ch 6: Enumeration
bySam Bowne
 

Similar to On non existent 0-days, stable binary exploits and

PDF
Esage on non-existent 0-days, stable binary exploits and user interaction
byDefconRussia
 
PPTX
Dll hijacking
byD4rk357 a
 
PPTX
Dll hijacking
byD4rk357 a
 
PPTX
Windows advanced
byyarden hanan
 
PDF
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
byFelipe Prado
 
PPTX
Buffer overflow – Smashing The Stack
byTomer Zait
 
PPTX
Dll hijacking
byantitree
 
PPTX
owasp lithuania chapter - exploit vs anti-exploit
byKęstutis Meškonis
 
PPTX
Vulnerability, exploit to metasploit
byTiago Henriques
 
PDF
Buffer Overflow - Smashing the Stack
byironSource
 
PDF
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
byRootedCON
 
PPT
Writing Metasploit Plugins
byamiable_indian
 
PPTX
Practical Windows Kernel Exploitation
byzeroSteiner
 
PPTX
Let's Talk Technical: Malware Evasion and Detection
byJames Haughom Jr
 
PDF
Advanced Windows Exploitation
byUTD Computer Security Group
 
PPTX
Chasing the Adder. A tale from the APT world...
byStefano Maccaglia
 
PDF
Hacking school computers for fun profit and better grades short
byVincent Ohprecio
 
PDF
Modern Exploitation: Owning All of the Things
byPriyanka Aash
 
PDF
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
Esage on non-existent 0-days, stable binary exploits and user interaction
byDefconRussia
 
Dll hijacking
byD4rk357 a
 
Dll hijacking
byD4rk357 a
 
Windows advanced
byyarden hanan
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
byFelipe Prado
 
Buffer overflow – Smashing The Stack
byTomer Zait
 
Dll hijacking
byantitree
 
owasp lithuania chapter - exploit vs anti-exploit
byKęstutis Meškonis
 
Vulnerability, exploit to metasploit
byTiago Henriques
 
Buffer Overflow - Smashing the Stack
byironSource
 
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
byRootedCON
 
Writing Metasploit Plugins
byamiable_indian
 
Practical Windows Kernel Exploitation
byzeroSteiner
 
Let's Talk Technical: Malware Evasion and Detection
byJames Haughom Jr
 
Advanced Windows Exploitation
byUTD Computer Security Group
 
Chasing the Adder. A tale from the APT world...
byStefano Maccaglia
 
Hacking school computers for fun profit and better grades short
byVincent Ohprecio
 
Modern Exploitation: Owning All of the Things
byPriyanka Aash
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 

Recently uploaded

PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
2025 October Patch Tuesday
byIvanti
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 

On non existent 0-days, stable binary exploits and

  • 1.
    On non-existent 0-days,stable binary exploits and user interaction Alisa Esage Esage Lab // ООО ЦОР
  • 2.
    GOAL NEED SOME 0-DAYREMOTE EXPLOITS* FOR TOP SOFTWARE/OS, FAST
  • 3.
    How they doit • Target memory corruption • X% fuzzing + Y% static analysis – Only combination is viable – Other approaches are inmature • Fuzzing: massive overhead – Set up a framework – Develop patterns/heuristics !! – Take machine time – Analyze crash dumps ! – Exploit, bypass DEP/ASLR/Sandbox !!! • Perspective – protections harden – need more and more time to succeed – and resources to begin with
  • 4.
    Perspective vectors • By-designvulnerabilities – E.g. DLL Hijacking, UI redressing, LD_LIBRARY_PATH… • Sandbox bypass for complex systems – E.g. JAVA: bypass SecurityManager -> full privileges for unsigned applet -> win • Certificates – E.g. Adobe PDF: signed document -> trusted document -> full-privileged JavaScript -> win
  • 5.
    Why DLL Hijacking? •Test hacking skills! – Succeed with a blind alley before hitting the highway • Looks easy – Plenty of previous research, e.g. binaryplanting.com – Interns must do research, too • Real world targetted attacks: CVE-2011-1980, CVE-2011- 1991, CVE-2011-2100 – They work • MS12-046 vbe6.dll – They still exist! • OS behaviour undocumented – There is place for research
  • 6.
    Research focus • Top,clean platforms – Windows 7 – Windows XP – Office 2010 – Office 2007 – Adobe Acrobat/Reader • Find a new remote delivery vector – Not a “.dll” in e-mail attachment – Not a “.dll” in a network share • Find something yet unfound
  • 7.
    Tech recap • Exe-> dll by relative path • DLL Search Order • Current Directory (CD) – MS DOS rudiment • Default: app path • File open: file path • Some other changes • Exploitation profit: Bypass restrictions, LPE, RCE • Vectors: local, local network, client-side
  • 8.
    Advantages • 100% stableexploit • 100% silent execution on non-supported targets • Very little overhead • No mess with protections • ! Not fixable globally with simple measures like DEP/ASLR – Only developers education can help – Will reappear in new software forever
  • 9.
    Challenges • Search – “Trivial => already found” myth • Exploitation – Nobody ever tried to manipulate CD • User interaction – Triggered by clicking menus… now what? • Masking / delivery – Document + DLL binding looks suspicious
  • 10.
  • 11.
  • 12.
    20+ Mb filteredlog per app
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
    CD internals • 0:005> dt _PEB @$peb -r • ntdll!_PEB • ... • +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS • ... • +0x024 CurrentDirectory : _CURDIR • +0x000 DosPath : _UNICODE_STRING "C:Documents and SettingshMy Documents" • +0x008 Handle : 0x00000b50 Void • • // получение адреса CurrentDirectory (первый dword - размеры, второй – указатель на строку) • 0:005> dd poi(@$peb+0x010)+0x024 • 00020024 02080052 00020290 00000b50 01840182 • 00020034 00020498 006e006c 0002061c 00740072 • // проверка адреса CD • 0:005> du 0x20290 • 00020290 "C:Documents and SettingshMy D" • 000202d0 "ocuments" • • // точка останова • 0:005> ba w 4 0x20290
  • 18.
    CD internals -2 • MSDN: “it is the directory in which the active application started, unless it has been explicitly changed“ – actually no • Way of starting an app affects CD – App exec default: app dir – App exec: SoftwareMicrosoftWindowsCurrentVersionApp Paths – Exec by lnk: lnk dir – Document open: document dir – CreateProcess(): lpCurrentDirectory • CD set internally by some API – GetOpenFileName() / GetSaveFileName() – FindFirstFile() / FindNextFile() (presumably) • Many file system APIs depend on CD – So developers call SetCurrentDirectory() every now and then
  • 19.
  • 20.
    Local exploitation • Bypassrestrictions/LPE: place exploit DLL into unrestricted location • Consider %PATH%
  • 21.
  • 22.
    Remote exploitation • Justopen a document (the lucky case) • Make user Open/Save/Import/Export files, then trigger • Or automate file operations with a script • Induce an app state with CD changed by developer • Set CD explicitly • Find an app that CreateProcess()-es vulnerable app with good CD
  • 23.
  • 24.
  • 25.
    A needle inthe haystack
  • 26.
  • 27.
    Browser UI redressing •IE9 on Windows 7 • Context: Local directory, network shared directory, WebDAV • Explorer dir underneath a website • Demo • Also works in Chrome on Windows 7, but restricted to file download operations
  • 28.
    Browser UI redressing(2) • Chrome on Windows 7 • Context: remote • Web server directory underneath a website • Click-jacking game to silently download necessary files one-by-one • Until all files are saved in %Downloads% • Open exploit document
  • 29.
    Set CD macro(MS Office) • Context: local dir, network shared dir • You can just execute arbitrary DLL from a macro • But better to execute a kernel32!SetCurrentDirectory() API to fool forensic analysts • Demo
  • 30.
    MHT • Single filein e-mail attachment • Can contain any types of files, incl. binary • Browser extracts files to %INET_TMP% • Open exploit document by clicking <a href=“.filesdocument.txt” • Exploit DLL will be executed from the same directory • IE9 on Windows 7
  • 31.
    Archives • Any archivesfor Windows that extract all files by default? Not SFX of course • WinRAR (latest): browse archive, double- click a HTML document only – Will extract ALL files into %TMP% – Including exploit DLL – Local browser context already
  • 32.
  • 33.
    Multistage • Case: DLLtriggered by manual file import, no registered extension handler – unexploitable? • Stage 1: User gets an e-mail from admin (fake) instructing to install the attached reg-file (looks innocent) • In two weeks, stage 2: user gets an e-mail from a friend with a RAR-ed html game • Click-jacked open file -> exploit • Or open file via network share • As simple as the user is
  • 34.
    So, what dowe have? • Some 0-day vulnerabilities in up-to-date top platforms – Think of non-top software • Ways to manipulate CD • Ways to hide DLL • Remote DLL Hijacking exploitation looks like normal client-side exploitation • What else?
  • 35.
    Conclusions • Is thisa good vector for mass attacks? – Authors of CVE-2011-1991, 1980, 2100 could tell us for sure – I say no – 0-day exploits are not necessary for mass attacks anyway • Excellent vector for rapid targeted/onsite attacks – Plenty of vulnerabilities everywhere – Easy ‘n fast to find in arbitrary environment – Ease ‘n fast to exploit (after this presentation  ) • Even the most trivial bug can be worked down to a good exploit
  • 36.
    Questions? Thanks to myteam and interns Thank you for attention @alisaesage