Post Exploitation Process Continuation presented at SysCan 2012

by Brett Moore,

Tags: Buffer Overflows Heap Overflows Post Exploitation Use After Free

URL : http://www.syscan.org/index.php/download/get/f690875cbffc210ad727295f321ca970/Day2-8Brett_Moore.zip

Summary : With the value of 0 day bugs, and the methods to exploit them and bypass current security protections, increasing; the last thing an exploit writer wants is for the target process to crash and alert the victim that something has happened.
Previously it was common to see discussions about fixing the heap, but this is not so anymore and the solution appears to be process migration. This talk will discuss various post exploitation methods that can be used to clean up the target process state, after shellcode execution has been obtained and increase the likelihood of a successful recovery from crash state. There are more options than just terminating the current thread or process, and while some vulnerabilities are relatively easy to recover from others may require more in-depth techniques to recreate the required process state.

Brett Moore: Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.