Good afternoon everyone. My name is Damian Gomez, I'm from Argentina. I've been working at Immunity for almost two years as a security researcher. I focus on vulnerability analysis and exploit development. I'm the project leader of the VisualSploit framework, and among my current projects, I'm the main developer of Immunity Debugger, which is the subject of this talk.

Anyone who has ever coded an exploit will tell you that 90% of their development time was spent inside the debugger. Like we thought when looking at the software engineering that exists today, the actual language implementation is somewhat irrelevant; let's say that as soon as you can graph a thing, it's more likely you are going to be able to code an exploit. Immunity, like a year ago, introduced a graphical language for exploit development called VisualSploit, which was based on the concept of dragging and dropping components from a toolbar to a panel and getting as a result a little exploit. So you can see the programming language is not something that will matter at the end, since an exploit is merely a solution to a problem that was solved using your debugger of choice, a problem that requires an intelligent understanding of concepts like input crafting, heap analysis, memory manipulation. Let's say that inside the debugger you should be able to get from the first, untracked approach to your bug to the last concrete goal: shellcode execution.

So what do you want from a vulnerability development debugging framework? We want a simple, understandable interface, and we want to be able to script things, so we want a powerful scripting language, and we want it to be fast. Unfortunately there is no perfect interface model for every development situation, but there are some characteristics that will help us achieve what we want, and those are a GUI, a command line and a scripting language. So why are we going with the graphical interface?
It will be easy to have a visualization of the CPU context, of the stack; let's say it's easy to see where EAX points, or any register, and a graphical interface is faster for complex commands: you just don't have to learn the complex commands, you click them. But it has a downside, and it is that it is slower to use than a command line, and that's why we love the command line. The command line is a faster way to interact with the debugger, but let's say there are some complex commands that will be hard to remember unless you are a full-time debugger user, so you have to be checking the manual every time you want to type these complex commands, and we don't like this. The last thing we are looking for in this kind of debugger is the scripting language. But forget about the so-called scripting languages for the logic of debugging; we want a real scripting language, and Immunity Debugger has Python as the scripting language. Python is familiar and easy to learn, I mean it's really easy.

So these characteristics we combined in Immunity Debugger: we integrated these three characteristics into one vulnerability development, exploit-oriented debugger. We have been using the debugger for some time at Immunity with great results. There is a screenshot of an Immunity Debugger session in which you can see there is a PyCommand, a Python command, at the command bar, dumping the heap in a custom log window on the other side of the screenshot. The Immunity Debugger API, the Immunity Debugger API is

simple in its structure. It runs a cache of the structures of the debugging session, which means it's pretty useful, for example for certain functions when you are doing some memory-deep searches, to have some cache of them. The Immunity Debugger API cannot only perform debugging tasks, but it can also interact with the current GUI: you will have all the debugging tasks like stepping, execution, assembly and disassembly, but also you will be able to control the GUI. One thing to say is, keep in mind that when you are running a PyCommand the information will be generated one time, so every script run is ephemeral, but we'll get back to that.

What can we do with the API? Well, we can do almost everything; for example we have assembly and disassembly methods, memory reading and writing, searching, execution and stepping, and analysis. As I said before, interacting with the GUI: what does it offer to us? Well, creating new custom windows for displaying your data, tables, dialog boxes, input boxes, combo boxes, and there is a script that has a wizard that will guide you through the execution of the script. But the best way to show how interaction with the GUI is possible is with the Python grapher. The grapher is a graphic library that will make a graph of the function, or an internal representation of it, and it's entirely coded with the Immunity Debugger API.

Memory methods: since when you're coding an exploit it's more likely you are going to be manipulating memory all the time, there are a lot of methods for reading and writing memory. And something else you will be doing while developing an exploit is searching, searching for patterns in memory, so the Immunity Debugger API has a lot of searching levels, like the simple search, which will search in memory, or for example searching for commands, certain commands, which you can search for with regular expressions, and if you want a
deeper search you can even use the assemble method: you can assemble an opcode and then search for it in memory. Okay, getting code and cross-references from data and code is also possible from the Immunity Debugger API.

And this is the Immunity Debugger knowledge. As I said before, when you run a script inside Immunity Debugger, the script is run and lost, but also there is a way to save into Immunity Debugger memory the information of that script: the addKnowledge method will do it. For example, you can save the CPU context inside a Python object and save it into Immunity Debugger with addKnowledge, so you can get that CPU context later with the getKnowledge method.

There are three ways to script Immunity Debugger: the PyCommands, the PyHooks and the PyScripts. I'm going to talk about the first two in this talk. PyCommands are Python scripts that will help you during development time. These scripts are not cached, so that means you can modify a script and run it again without the need to restart the debugger, so that's pretty useful. The Python commands are accessible by a command box or from the GUI, and you can integrate the Python

commands to develop features. Writing a Python command is easy: you just have to create a file, import the library and define a main function where you instantiate the API and start using it. Then we just place that file into the PyCommands directory and we're ready to roll.

And PyHooks: hooks are objects that run on debugger events, like an access violation, a breakpoint, and so on. The idea of hooking is that you can hook that event and place in the Immunity Debugger session memory some code that will be executed when that event happens. So you can create a hook on an access violation to save the CPU context at that right moment, and it will be executed when the access violation happens. Creating a hook is easy also; it's almost like creating a Python command, with the difference that you have to define a run function, which is the one that will be executed when the hook type happens. This run function will receive the CPU context as an argument.

Just to give an example, there is an easy way to identify a common primitive while working. Let's see an example: for example a strncpy where the size argument is the same as the size of the source argument. Just with minor modifications of this script you can find primitives in other functions. So let's see this example of a hook. First of all we start instantiating the debugger class and we're setting a breakpoint on the strncpy function. Then we are creating a hook and adding it to Immunity Debugger memory, and inside our class, our hook class, we define run, where, based on the CPU context we receive, we are going to read the arguments that are passed to the strncpy function. Once we have all the arguments we're going to ask if the length of the source argument is the same as the size argument; in that case we are going to get the call stack and log it. The screen
shot of the script running shows how the call stack is logged when the source argument is the same length as the size argument.

There's another type of hook, which is the fast log hook. The fast log hooks are much faster, since they don't use the debugger: you insert a call, a single call, directly in the function, and it's related to your hook; the information is logged in the same memory page, so it's pretty much faster. It was a feature made for heap hooking. It has some drawbacks, since right now you can only log results and you cannot do conditionals with it. In this example we're creating a fast log hook and we are using the addKnowledge method to save the information to Immunity Debugger memory, and later, with another script, we are using the getKnowledge method to get that fast hook log, and the result we have is this one.

There is a lot of things in the library about how the heap lives. Since heap analysis is one of the most important tasks for exploit development, we have a heap library to help with this. The library allows us to bring the state of the memory in the heap, or to save the history of the heap. For example we can get all the current heaps, or we can get a single heap, since when you are doing some

exploit or vulnerability development you may want to focus on just one single heap, where you can get from the single heap the free list, the free list in use. In the same way you can get the chunks, a brief of every heap or from a single heap object, and again these chunks are objects themselves, which have a lot of information in them. And to extract information you can search inside chunks: you can search inside chunks and you can specify, if you want, an optional heap argument to further filter the results by heap.

There is another library, the data type discovery library, which helps you find the types of data in memory; that's pretty useful when coding an exploit, to know where and what is in memory. For example you can do a discovery of memory on a pointer, and that will return an object, and you can ask that object if it is a function pointer, or a normal pointer, or a pointer to a pointer, and so on.

Okay, results. Well, this slide should speak for itself: we'll see how PyCommands and PyHooks, which use the Python API, analyze, fuzz, search, discover and, most important, understand what is going on inside the debugger to create an exploit. During the past months the Immunity team has been coding some scripts that were helping us while developing exploits, which scripts include vulnerability analysis, heap, protocol, search and memory. There are some examples of scripts created: for example safeseh, which shows in a custom window all the exception handlers in the process that are registered with SafeSEH; the findantidep script, which finds addresses to bypass DEP, and it has a wizard on it, where the first combobox asks for the first address, then you have an input box for inserting the assembly code to search for, and lastly you have another combobox that will search for the
return address, and you can see the log window that shows addresses that will help you bypass DEP. Another script will find memory leaks in a function: it's a hook, it will hook a function, then you will be fuzzing that function and you will be getting the leaks; check the red line where another leak is detected in that function which was hooked by the leak script. Finding the data types in memory is another script that will help discover what kind of data is inside the memory: users have to specify an address and the size to read, and in the log window will appear what kind of data discovery has found. And the heap PyCommand: with the heap PyCommand you can make analyses of the heap, dump it, and do things like differentials; for example check the double linked lists that the heap PyCommand found. There is another script, the chunk analyze hook, which is a hook: you define the address of the vulnerable function, you place it into memory and you start fuzzing; if you check the log window you will be able to see whether your fuzzing is overwriting a function pointer or a double linked list.

Also we have getrpc: getrpc will access the RPC information and will give the function pointers of every RPC call. The duality script: the duality script will look for memory pages, addresses, that can be transformed into opcodes; this duality script will be discussed more later in the talk. The next one is a script that hooks pointers: this tool will do some data recognition looking for function pointers, and it will overwrite them, waiting for an access violation on one of those pointers; when the exception occurs it will trigger the hook and will start logging for further analysis. And searchcrypt: searchcrypt is a simple script that will search for cryptographic routines in a given range; look at the screenshot, a lot of different algorithms were found in a library.

Now a case study. Here it's a simple stack overflow in a web server: when you send a long GET request to it, it will crash with a stack overflow. However there are some details you need: for example, when you send a long buffer, some stack arguments get overwritten and don't let us reach EIP. The lines in the screenshot show you how an argument, a readable address, is overwritten and gets an access violation when reading this address. So we need a readable address to place as the argument, there at the right offset. Also we find this one, which is pretty easy: it will be passed as the second argument, needing a readable address; that's almost the same as the first one, we just need to find a writable address. So to hit EIP we need a readable address, a writable address, and the argument offsets in our string. Finding the offsets is easy. So, having the addresses and the offsets, we can craft a buffer, and if the addresses we found are right we'll be able to hit EIP, like the screenshot shows. So once we hit EIP, we have EIP under control, we have control of what ESP points to, which is one
of the arguments, and ESP+4, which is another argument, and we have more than 200 bytes of a controlled buffer. This is the context I was talking about right here, and the first thing I could think of with this context is jumping back. But how? And that's the second problem: check what ESP is pointing to. Since we are controlling what ESP points to, what if we can find an address to place in the writable argument, which first of all needs to be writable because of the first problem, and second, can be transformed into opcodes that would be of use here, let's say a jump back to land into our controlled buffer. But finding an address with these characteristics by hand might be pretty tedious and pretty hard, so Immunity Debugger comes with a script that will help here: the duality script. The duality script is easy to use: you just have to pass as an argument the opcodes you are looking for and call it. It works by creating a mask of the opcodes, in this case a jump back, and of all the memory pages, and it tries to find addresses that match the mask, and we can see in the screenshot the

log result, where the addresses marked with a 1 may be of use here. So before finishing crafting our string with a brand-new, always-writable address, we need to find a jmp esp; the searchcode script will do that real fast, you just have to write searchcode and the command you want to search for, and it will do the search. So assuming we have bypassed the argument problem, we have hit EIP, we have searched for a writable address that can be transformed into an opcode, and we have searched for a jmp esp, we craft the string, and if everything goes well we'll be landing in our buffer. So the red box shows ESP, which is pointing to an address that in the disassembly window is transformed into a short jump back to run into our controlled buffer.

Okay, now I'm going to show you... okay, now... okay, let's go for the conclusion.

So Immunity Debugger won't give you an out-of-the-box exploit, but it will speed up the debugging time because of the GUI, the graphical interface, and the command line, and it will help you find the bug with the API, whose possibilities are unlimited, and the Immunity scripts that are provided within the debugger will help you craft your exploit, making it more reliable. We have been using Immunity Debugger for months now with good results. Something we are working on right now is an API server to connect Immunity Debugger to VisualSploit, CANVAS, or whichever application that could be of use when doing vulnerability development, and stuff like interaction with the graph, so we can manage vertices and move them around and even click on them to modify the assembly and so on, and a lot of PyCommands that come up every day when we need them; we code them and it's straightforward. Also, Immunity is pretty curious about what you can do with the Immunity Debugger API, so we have launched a little contest
for the most useful script, where the first prize will be a SILICA unit, I think up to October 10th or something like that. So if you're willing to code some script of use, just drop me a line later. You can download Immunity Debugger for free, and email me; I'm willing to answer any questions you might have, but I think that goes in the question-and-answer form. So that's it.
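Added example, not from the talk and not one of Immunity's own scripts: the condition the strncpy hook described above tests, written in C so the effect of the primitive is visible on a real buffer rather than only in a debugger log. The hook flags calls where the size argument equals strlen(src); this example generalizes the check to any size at or below strlen(src), since every such call copies no terminating NUL, and contrasts the flagged pattern with a copy bounded by the destination. The function names, the 16-byte buffer and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The condition the talk's strncpy hook tests, as a pure function. The hook
   logs calls where n == strlen(src); any n <= strlen(src) has the same effect:
   strncpy() copies n bytes of src and never writes a terminating NUL. */
int strncpy_leaves_unterminated(const char *src, size_t n)
{
    return strlen(src) >= n;
}

/* Does buf[0..len) contain a NUL, i.e. is it a valid C string? */
int has_terminator(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Bug pattern: n is derived from the source, so the copy is bounded by the
   source rather than the destination and, because n == strlen(src), the
   destination is never terminated. (Returns -1 instead of overflowing.) */
int copy_name_unsafe(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n > NAME_LEN)
        return -1;
    strncpy(dst, src, n);          /* the call the hook would flag */
    return 0;
}

/* Hardened form: bound by the destination and terminate explicitly.
   Returns 1 if src was truncated to fit, 0 otherwise. */
int copy_name_safe(char *dst, const char *src)
{
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
    return strlen(src) > NAME_LEN - 1;
}

/* Fill the destination with a sentinel so a missing terminator is visible,
   copy with one of the two routines, and report whether the result is a
   valid C string: 1 = terminated, 0 = not terminated, -1 = copy refused. */
int demo_copy(int use_safe, const char *src)
{
    char dst[NAME_LEN];
    memset(dst, 'A', sizeof dst);
    if (use_safe)
        copy_name_safe(dst, src);
    else if (copy_name_unsafe(dst, src) != 0)
        return -1;
    return has_terminator(dst, sizeof dst);
}

int main(void)
{
    /* constructed input: exactly NAME_LEN bytes, the case the hook logs */
    const char *src = "0123456789abcdef";

    printf("hook condition (n == strlen(src)): %d\n",
           strncpy_leaves_unterminated(src, strlen(src)));
    printf("unsafe copy terminated: %d\n", demo_copy(0, src));
    printf("safe copy terminated:   %d\n", demo_copy(1, src));
    return 0;
}
```

Any later strlen() or printf("%s") on the unsafe copy's destination reads past the buffer until it happens to find a NUL, which is why the hook treats size == strlen(src) as a primitive worth logging with its call stack.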