Native Code Crash Course
In this session we’re diving head-first into understanding and hacking native code. This is an extremely advanced topic, but by the time you are done with this video, you will have a great head start on the subject. You’ll learn about the fundamentals of how computers work, several types of memory corruption bugs, the protections in use by modern systems, and how to bypass some of these protections.
What you’ll learn
- Intro
  - What is native code?
  - Breadth not depth
- System Architecture Crash Course
  - Registers
  - Memory
    - Physical
    - Virtual
    - Page tables
  - Stack
  - Endianness
  - Instructions
    - Program Counter
    - Calls
    - Syscalls
  - Shared Libraries
- Tools
  - Debuggers
  - Disassemblers
  - Decompilers
  - Hex editors
  - Assemblers
- Bugs
  - Buffer overflows
  - Out of bounds writes
  - Use After Free
- Protections
  - Stack canaries
  - NX
  - W^X
  - ASLR
- Bypassing Protections
  - JS is an attacker’s best friend
  - Information leaks (ASLR)
  - ROP
Resources
- Computing Fundamentals
- Tools
  - Debuggers
  - Disassemblers/Decompilers
  - Hex Editors
  - Assemblers
  - ROP Gadget Hunters
  - Emulators
  - Fuzzers
  - Instrumentation
  - Executable Lifters
- Bugs
  - Buffer Overflows
  - Out of Bounds Writes
  - Use After Free
  - Speculative Execution Bugs
- Protections
- Bypassing Protections
- JavaScript Engine Exploitation Resources
- Reports
  - Controlled address leak due to type confusion - ASLR bypass ($100 bounty)
  - Adobe Flash Player Out-of-Bound Read/Write Vulnerability ($5000 bounty)
  - RCE on Steam Client via buffer overflow in Server Info ($18000 bounty)
  - heap-buffer-overflow in S_pack_rec ($1000 bounty)
  - Nintendo Switch nvservices Info Leak
  - Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme() ($1000 bounty)
  - Use After Free in Flash MessageChannel.send can cause arbitrary code execution ($7500 bounty)
  - Virtually Unlimited Memory: Escaping the Chrome Sandbox
  - Splitting atoms in XNU
  - voucher_swap: Exploiting MIG reference counting in iOS 12
  - Technical Analysis of the Pegasus Exploits on iOS