DefconRussia, profile picture
Uploaded byDefconRussia
PDF, PPTX468 views

Esage on non-existent 0-days, stable binary exploits and user interaction

This document discusses techniques for exploiting DLL hijacking vulnerabilities remotely without user interaction. It outlines challenges with traditional fuzzing and static analysis approaches and argues that DLL hijacking remains a viable attack vector. Several methods are proposed for manipulating the current directory to execute an exploit DLL from a remote location, including browser UI redressing, macros, MHT files, archives, and multistage attacks. The document concludes DLL hijacking is well-suited for targeted attacks but not mass attacks due to reliance on user interaction and 0-days.

Download as PDF, PPTX
On non-existent 0-days, stable binary exploits and user interaction Alisa Esage Esage Lab // ООО ЦОР
GOAL NEED SOME 0-DAY REMOTE EXPLOITS* FOR TOP SOFTWARE/OS, FAST
How they do it • Target memory corruption • X% fuzzing + Y% static analysis – Only combination is viable – Other approaches are inmature • Fuzzing: massive overhead – Set up a framework – Develop patterns/heuristics !! – Take machine time – Analyze crash dumps ! – Exploit, bypass DEP/ASLR/Sandbox !!! • Perspective – protections harden – need more and more time to succeed – and resources to begin with
Perspective vectors • By-design vulnerabilities – E.g. DLL Hijacking, UI redressing, LD_LIBRARY_PATH… • Sandbox bypass for complex systems – E.g. JAVA: bypass SecurityManager -> full privileges for unsigned applet -> win • Certificates – E.g. Adobe PDF: signed document -> trusted document -> full-privileged JavaScript -> win
Why DLL Hijacking? • Test hacking skills! – Succeed with a blind alley before hitting the highway • Looks easy – Plenty of previous research, e.g. binaryplanting.com – Interns must do research, too • Real world targetted attacks: CVE-2011-1980, CVE-2011- 1991, CVE-2011-2100 – They work • MS12-046 vbe6.dll – They still exist! • OS behaviour undocumented – There is place for research
Research focus • Top, clean platforms – Windows 7 – Windows XP – Office 2010 – Office 2007 – Adobe Acrobat/Reader • Find a new remote delivery vector – Not a “.dll” in e-mail attachment – Not a “.dll” in a network share • Find something yet unfound
Tech recap • Exe -> dll by relative path • DLL Search Order • Current Directory (CD) – MS DOS rudiment • Default: app path • File open: file path • Some other changes • Exploitation profit: Bypass restrictions, LPE, RCE • Vectors: local, local network, client-side
Advantages • 100% stable exploit • 100% silent execution on non-supported targets • Very little overhead • No mess with protections • ! Not fixable globally with simple measures like DEP/ASLR – Only developers education can help – Will reappear in new software forever
Challenges • Search – “Trivial => already found” myth • Exploitation – Nobody ever tried to manipulate CD • User interaction – Triggered by clicking menus… now what? • Masking / delivery – Document + DLL binding looks suspicious
Arguing myths NONEXISTENT?
7500+ missing Windows DLLs
20+ Mb filtered log per app
Arguing myths NOT EXPLOITABLE?
Good!
Not so good
Goal: manipulate CD
CD internals • 0:005> dt _PEB @$peb -r • ntdll!_PEB • ... • +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS • ... • +0x024 CurrentDirectory : _CURDIR • +0x000 DosPath : _UNICODE_STRING "C:Documents and SettingshMy Documents" • +0x008 Handle : 0x00000b50 Void • • // получение адреса CurrentDirectory (первый dword - размеры, второй – указатель на строку) • 0:005> dd poi(@$peb+0x010)+0x024 • 00020024 02080052 00020290 00000b50 01840182 • 00020034 00020498 006e006c 0002061c 00740072 • // проверка адреса CD • 0:005> du 0x20290 • 00020290 "C:Documents and SettingshMy D" • 000202d0 "ocuments" • • // точка останова • 0:005> ba w 4 0x20290
CD internals - 2 • MSDN: “it is the directory in which the active application started, unless it has been explicitly changed“ – actually no • Way of starting an app affects CD – App exec default: app dir – App exec: SoftwareMicrosoftWindowsCurrentVersionApp Paths – Exec by lnk: lnk dir – Document open: document dir – CreateProcess(): lpCurrentDirectory • CD set internally by some API – GetOpenFileName() / GetSaveFileName() – FindFirstFile() / FindNextFile() (presumably) • Many file system APIs depend on CD – So developers call SetCurrentDirectory() every now and then
So…?
Local exploitation • Bypass restrictions/LPE: place exploit DLL into unrestricted location • Consider %PATH%
PATH FTW
Remote exploitation • Just open a document (the lucky case) • Make user Open/Save/Import/Export files, then trigger • Or automate file operations with a script • Induce an app state with CD changed by developer • Set CD explicitly • Find an app that CreateProcess()-es vulnerable app with good CD
Arguing myths EXPLOIT DLL TOO OBVIOUS?
No hiding
A needle in the haystack
Torrents
Browser UI redressing • IE9 on Windows 7 • Context: Local directory, network shared directory, WebDAV • Explorer dir underneath a website • Demo • Also works in Chrome on Windows 7, but restricted to file download operations
Browser UI redressing (2) • Chrome on Windows 7 • Context: remote • Web server directory underneath a website • Click-jacking game to silently download necessary files one-by-one • Until all files are saved in %Downloads% • Open exploit document
Set CD macro (MS Office) • Context: local dir, network shared dir • You can just execute arbitrary DLL from a macro • But better to execute a kernel32!SetCurrentDirectory() API to fool forensic analysts • Demo
MHT • Single file in e-mail attachment • Can contain any types of files, incl. binary • Browser extracts files to %INET_TMP% • Open exploit document by clicking <a href=“.filesdocument.txt” • Exploit DLL will be executed from the same directory • IE9 on Windows 7
Archives • Any archives for Windows that extract all files by default? Not SFX of course • WinRAR (latest): browse archive, double- click a HTML document only – Will extract ALL files into %TMP% – Including exploit DLL – Local browser context already
WinRAR FTW
Multistage • Case: DLL triggered by manual file import, no registered extension handler – unexploitable? • Stage 1: User gets an e-mail from admin (fake) instructing to install the attached reg-file (looks innocent) • In two weeks, stage 2: user gets an e-mail from a friend with a RAR-ed html game • Click-jacked open file -> exploit • Or open file via network share • As simple as the user is
So, what do we have? • Some 0-day vulnerabilities in up-to-date top platforms – Think of non-top software • Ways to manipulate CD • Ways to hide DLL • Remote DLL Hijacking exploitation looks like normal client-side exploitation • What else?
Conclusions • Is this a good vector for mass attacks? – Authors of CVE-2011-1991, 1980, 2100 could tell us for sure – I say no – 0-day exploits are not necessary for mass attacks anyway • Excellent vector for rapid targeted/onsite attacks – Plenty of vulnerabilities everywhere – Easy ‘n fast to find in arbitrary environment – Ease ‘n fast to exploit (after this presentation  ) • Even the most trivial bug can be worked down to a good exploit
Questions? Thanks to my team and interns Thank you for attention @alisaesage

More Related Content

PPTX
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
byJeremy Brown
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
From zero to SYSTEM on full disk encrypted windows system
byNabeel Ahmed
 
PDF
Level Up! - Practical Windows Privilege Escalation
byjakx_
 
PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
PPTX
A Bug Hunter's Perspective on Unix Drivers
byJeremy Brown
 
PPTX
Hacking Virtual Appliances
byJeremy Brown
 
PPTX
On non existent 0-days, stable binary exploits and
byAlisa Esage Шевченко
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
byJeremy Brown
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
From zero to SYSTEM on full disk encrypted windows system
byNabeel Ahmed
 
Level Up! - Practical Windows Privilege Escalation
byjakx_
 
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
A Bug Hunter's Perspective on Unix Drivers
byJeremy Brown
 
Hacking Virtual Appliances
byJeremy Brown
 
On non existent 0-days, stable binary exploits and
byAlisa Esage Шевченко
 

What's hot

PPTX
Reverse Engineering the TomTom Runner pt. 1
byLuis Grangeia
 
PPTX
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
byCODE BLUE
 
PPTX
Windows Privilege Escalation
byRiyaz Walikar
 
PDF
Entomology 101
bysnyff
 
PDF
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
PPTX
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
PDF
CNIT 152: 13 Investigating Mac OS X Systems
bySam Bowne
 
PPTX
Introduction to .NET Performance Measurement
bySasha Goldshtein
 
PDF
Visiting the Bear Den
byESET
 
PDF
ColdFusion for Penetration Testers
byChris Gates
 
PDF
Lares from LOW to PWNED
byChris Gates
 
PDF
Unpack your troubles*: .NET packer tricks and countermeasures
byESET
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PDF
CNIT 128 8. Android Implementation Issues (Part 2)
bySam Bowne
 
PDF
Process injection - Malware style
bySander Demeester
 
PDF
When is something overflowing
byPeter Hlavaty
 
PPTX
Заполучили права администратора домена? Игра еще не окончена
byPositive Hack Days
 
PPTX
An Introduction to Sysinternals
byRiyaz Walikar
 
PPTX
Invoke-Obfuscation DerbyCon 2016
byDaniel Bohannon
 
PPTX
Executing Windows Malware through WSL (Bashware)
byRiyaz Walikar
 
Reverse Engineering the TomTom Runner pt. 1
byLuis Grangeia
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
byCODE BLUE
 
Windows Privilege Escalation
byRiyaz Walikar
 
Entomology 101
bysnyff
 
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
CNIT 152: 13 Investigating Mac OS X Systems
bySam Bowne
 
Introduction to .NET Performance Measurement
bySasha Goldshtein
 
Visiting the Bear Den
byESET
 
ColdFusion for Penetration Testers
byChris Gates
 
Lares from LOW to PWNED
byChris Gates
 
Unpack your troubles*: .NET packer tricks and countermeasures
byESET
 
Malware analysis
byPrakashchand Suthar
 
CNIT 128 8. Android Implementation Issues (Part 2)
bySam Bowne
 
Process injection - Malware style
bySander Demeester
 
When is something overflowing
byPeter Hlavaty
 
Заполучили права администратора домена? Игра еще не окончена
byPositive Hack Days
 
An Introduction to Sysinternals
byRiyaz Walikar
 
Invoke-Obfuscation DerbyCon 2016
byDaniel Bohannon
 
Executing Windows Malware through WSL (Bashware)
byRiyaz Walikar
 

Similar to Esage on non-existent 0-days, stable binary exploits and user interaction

PPTX
Dll hijacking
byD4rk357 a
 
PPTX
Dll hijacking
byD4rk357 a
 
PPTX
Windows advanced
byyarden hanan
 
PPTX
Dll hijacking
byantitree
 
PPTX
owasp lithuania chapter - exploit vs anti-exploit
byKęstutis Meškonis
 
PDF
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
byFelipe Prado
 
PPTX
Buffer overflow – Smashing The Stack
byTomer Zait
 
PDF
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
byRootedCON
 
PDF
Buffer Overflow - Smashing the Stack
byironSource
 
PPTX
Vulnerability, exploit to metasploit
byTiago Henriques
 
PPTX
Chasing the Adder. A tale from the APT world...
byStefano Maccaglia
 
PPTX
Practical Windows Kernel Exploitation
byzeroSteiner
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
PPT
Writing Metasploit Plugins
byamiable_indian
 
PDF
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
PDF
Advanced Windows Exploitation
byUTD Computer Security Group
 
PPTX
Malware Analysis Techniques &Incident Response.pptx
byGol D Roger
 
PPTX
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
bySam Bowne
 
PPTX
Ch0 1
byTylerDerdun
 
PDF
1780 1783
byEditor IJARCET
 
Dll hijacking
byD4rk357 a
 
Dll hijacking
byD4rk357 a
 
Windows advanced
byyarden hanan
 
Dll hijacking
byantitree
 
owasp lithuania chapter - exploit vs anti-exploit
byKęstutis Meškonis
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
byFelipe Prado
 
Buffer overflow – Smashing The Stack
byTomer Zait
 
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
byRootedCON
 
Buffer Overflow - Smashing the Stack
byironSource
 
Vulnerability, exploit to metasploit
byTiago Henriques
 
Chasing the Adder. A tale from the APT world...
byStefano Maccaglia
 
Practical Windows Kernel Exploitation
byzeroSteiner
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
Writing Metasploit Plugins
byamiable_indian
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
Advanced Windows Exploitation
byUTD Computer Security Group
 
Malware Analysis Techniques &Incident Response.pptx
byGol D Roger
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
bySam Bowne
 
Ch0 1
byTylerDerdun
 
1780 1783
byEditor IJARCET
 

More from DefconRussia

PPTX
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
byDefconRussia
 
PDF
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
byDefconRussia
 
PPTX
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
byDefconRussia
 
PDF
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
byDefconRussia
 
PDF
Георгий Зайцев - Reversing golang
byDefconRussia
 
PDF
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
byDefconRussia
 
PPTX
Cisco IOS shellcode: All-in-one
byDefconRussia
 
PPT
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
byDefconRussia
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PPTX
Attacks on tacacs - Алексей Тюрин
byDefconRussia
 
PPTX
Weakpass - defcon russia 23
byDefconRussia
 
PDF
nosymbols - defcon russia 20
byDefconRussia
 
PDF
static - defcon russia 20
byDefconRussia
 
PDF
Zn task - defcon russia 20
byDefconRussia
 
PDF
Vm ware fuzzing - defcon russia 20
byDefconRussia
 
PDF
Nedospasov defcon russia 23
byDefconRussia
 
PDF
Advanced cfg bypass on adobe flash player 18 defcon russia 23
byDefconRussia
 
PDF
Miasm defcon russia 23
byDefconRussia
 
PDF
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
byDefconRussia
 
PDF
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
byDefconRussia
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
byDefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
byDefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
byDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
byDefconRussia
 
Георгий Зайцев - Reversing golang
byDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
byDefconRussia
 
Cisco IOS shellcode: All-in-one
byDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
byDefconRussia
 
HTTP HOST header attacks
byDefconRussia
 
Attacks on tacacs - Алексей Тюрин
byDefconRussia
 
Weakpass - defcon russia 23
byDefconRussia
 
nosymbols - defcon russia 20
byDefconRussia
 
static - defcon russia 20
byDefconRussia
 
Zn task - defcon russia 20
byDefconRussia
 
Vm ware fuzzing - defcon russia 20
byDefconRussia
 
Nedospasov defcon russia 23
byDefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
byDefconRussia
 
Miasm defcon russia 23
byDefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
byDefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
byDefconRussia
 

Esage on non-existent 0-days, stable binary exploits and user interaction

  • 1.
    On non-existent 0-days,stable binary exploits and user interaction Alisa Esage Esage Lab // ООО ЦОР
  • 2.
    GOAL NEED SOME 0-DAYREMOTE EXPLOITS* FOR TOP SOFTWARE/OS, FAST
  • 3.
    How they doit • Target memory corruption • X% fuzzing + Y% static analysis – Only combination is viable – Other approaches are inmature • Fuzzing: massive overhead – Set up a framework – Develop patterns/heuristics !! – Take machine time – Analyze crash dumps ! – Exploit, bypass DEP/ASLR/Sandbox !!! • Perspective – protections harden – need more and more time to succeed – and resources to begin with
  • 4.
    Perspective vectors • By-designvulnerabilities – E.g. DLL Hijacking, UI redressing, LD_LIBRARY_PATH… • Sandbox bypass for complex systems – E.g. JAVA: bypass SecurityManager -> full privileges for unsigned applet -> win • Certificates – E.g. Adobe PDF: signed document -> trusted document -> full-privileged JavaScript -> win
  • 5.
    Why DLL Hijacking? •Test hacking skills! – Succeed with a blind alley before hitting the highway • Looks easy – Plenty of previous research, e.g. binaryplanting.com – Interns must do research, too • Real world targetted attacks: CVE-2011-1980, CVE-2011- 1991, CVE-2011-2100 – They work • MS12-046 vbe6.dll – They still exist! • OS behaviour undocumented – There is place for research
  • 6.
    Research focus • Top,clean platforms – Windows 7 – Windows XP – Office 2010 – Office 2007 – Adobe Acrobat/Reader • Find a new remote delivery vector – Not a “.dll” in e-mail attachment – Not a “.dll” in a network share • Find something yet unfound
  • 7.
    Tech recap • Exe-> dll by relative path • DLL Search Order • Current Directory (CD) – MS DOS rudiment • Default: app path • File open: file path • Some other changes • Exploitation profit: Bypass restrictions, LPE, RCE • Vectors: local, local network, client-side
  • 8.
    Advantages • 100% stableexploit • 100% silent execution on non-supported targets • Very little overhead • No mess with protections • ! Not fixable globally with simple measures like DEP/ASLR – Only developers education can help – Will reappear in new software forever
  • 9.
    Challenges • Search – “Trivial => already found” myth • Exploitation – Nobody ever tried to manipulate CD • User interaction – Triggered by clicking menus… now what? • Masking / delivery – Document + DLL binding looks suspicious
  • 10.
  • 11.
  • 12.
    20+ Mb filteredlog per app
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
    CD internals • 0:005> dt _PEB @$peb -r • ntdll!_PEB • ... • +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS • ... • +0x024 CurrentDirectory : _CURDIR • +0x000 DosPath : _UNICODE_STRING "C:Documents and SettingshMy Documents" • +0x008 Handle : 0x00000b50 Void • • // получение адреса CurrentDirectory (первый dword - размеры, второй – указатель на строку) • 0:005> dd poi(@$peb+0x010)+0x024 • 00020024 02080052 00020290 00000b50 01840182 • 00020034 00020498 006e006c 0002061c 00740072 • // проверка адреса CD • 0:005> du 0x20290 • 00020290 "C:Documents and SettingshMy D" • 000202d0 "ocuments" • • // точка останова • 0:005> ba w 4 0x20290
  • 18.
    CD internals -2 • MSDN: “it is the directory in which the active application started, unless it has been explicitly changed“ – actually no • Way of starting an app affects CD – App exec default: app dir – App exec: SoftwareMicrosoftWindowsCurrentVersionApp Paths – Exec by lnk: lnk dir – Document open: document dir – CreateProcess(): lpCurrentDirectory • CD set internally by some API – GetOpenFileName() / GetSaveFileName() – FindFirstFile() / FindNextFile() (presumably) • Many file system APIs depend on CD – So developers call SetCurrentDirectory() every now and then
  • 19.
  • 20.
    Local exploitation • Bypassrestrictions/LPE: place exploit DLL into unrestricted location • Consider %PATH%
  • 21.
  • 22.
    Remote exploitation • Justopen a document (the lucky case) • Make user Open/Save/Import/Export files, then trigger • Or automate file operations with a script • Induce an app state with CD changed by developer • Set CD explicitly • Find an app that CreateProcess()-es vulnerable app with good CD
  • 23.
  • 24.
  • 25.
    A needle inthe haystack
  • 26.
  • 27.
    Browser UI redressing •IE9 on Windows 7 • Context: Local directory, network shared directory, WebDAV • Explorer dir underneath a website • Demo • Also works in Chrome on Windows 7, but restricted to file download operations
  • 28.
    Browser UI redressing(2) • Chrome on Windows 7 • Context: remote • Web server directory underneath a website • Click-jacking game to silently download necessary files one-by-one • Until all files are saved in %Downloads% • Open exploit document
  • 29.
    Set CD macro(MS Office) • Context: local dir, network shared dir • You can just execute arbitrary DLL from a macro • But better to execute a kernel32!SetCurrentDirectory() API to fool forensic analysts • Demo
  • 30.
    MHT • Single filein e-mail attachment • Can contain any types of files, incl. binary • Browser extracts files to %INET_TMP% • Open exploit document by clicking <a href=“.filesdocument.txt” • Exploit DLL will be executed from the same directory • IE9 on Windows 7
  • 31.
    Archives • Any archivesfor Windows that extract all files by default? Not SFX of course • WinRAR (latest): browse archive, double- click a HTML document only – Will extract ALL files into %TMP% – Including exploit DLL – Local browser context already
  • 32.
  • 33.
    Multistage • Case: DLLtriggered by manual file import, no registered extension handler – unexploitable? • Stage 1: User gets an e-mail from admin (fake) instructing to install the attached reg-file (looks innocent) • In two weeks, stage 2: user gets an e-mail from a friend with a RAR-ed html game • Click-jacked open file -> exploit • Or open file via network share • As simple as the user is
  • 34.
    So, what dowe have? • Some 0-day vulnerabilities in up-to-date top platforms – Think of non-top software • Ways to manipulate CD • Ways to hide DLL • Remote DLL Hijacking exploitation looks like normal client-side exploitation • What else?
  • 35.
    Conclusions • Is thisa good vector for mass attacks? – Authors of CVE-2011-1991, 1980, 2100 could tell us for sure – I say no – 0-day exploits are not necessary for mass attacks anyway • Excellent vector for rapid targeted/onsite attacks – Plenty of vulnerabilities everywhere – Easy ‘n fast to find in arbitrary environment – Ease ‘n fast to exploit (after this presentation  ) • Even the most trivial bug can be worked down to a good exploit
  • 36.
    Questions? Thanks to myteam and interns Thank you for attention @alisaesage