Matt Posted July 10, 2013

Description:

A series of targeted attacks, now known as "Duqu", was discovered in 2011. The initial vector for these attacks was a Windows TrueType Font 0-day vulnerability [CVE-2011-3402]. A year later, this exploit began to appear in Russian exploit kits. These exploit kits use the *exact* same exploit code as "Duqu" (right down to the metadata). This presentation explains the technical details of this exploit. It is not about "Duqu" nor Russian exploit kits.

The vulnerability itself only allows the attacker to perform an "OR" operation on a value of their choice, at a memory location of their choice. This exploit leverages the functionality of the TrueType Font Finite State Machine itself to manipulate memory to provide for a reliable execution of the shellcode.

> Reason why this material is innovative or significant or an important tutorial.

It's an advanced kernel exploit, used in a real world targeted attack against a certain unnamed commercial or government entity. And now that very same kernel exploit is being used by criminals. The exploit technique is unique as well. I believe that it is the only exploit which uses the TrueType graphics operators to manipulate kernel memory into reliable, multi-platform, shellcode execution. (It even does sanity checks on itself to avoid a blue-screen of death.)

The current draft of the presentation is already over 200 slides, but most of those are code walkthrough animations. I still need to add information about the similarities and differences between the original Duqu sample, and the current exploit kit. And details about the kernel shellcode. There are a bunch of slides about how to reverse engineer a kernel exploit, which I'll probably cut out for time. (And safe to assume audience already knows how?)

For More Information please visit: https://www.hackinparis.com
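The post's key technical point is that the bug gives only an OR of a chosen value into a chosen address, not a plain write. The following is an added user-space model (not code from the talk, from Duqu, or from any exploit kit) that shows what such a primitive can and cannot do: OR can set bits but never clear them, so a target word is reachable only if every bit already set in it is also set in the desired value. The names `or_primitive`, `or_reachable`, `or_write_u32` and the `g_mem` array are hypothetical; `g_mem` stands in for the target memory, and nothing here touches a real font engine or kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical target memory standing in for a kernel page (constructed). */
static uint8_t g_mem[64];

/* Model of the primitive described in the post: OR an attacker-chosen byte
   into an attacker-chosen location. No other write capability is assumed. */
static void or_primitive(uintptr_t addr, uint8_t value)
{
    g_mem[addr] |= value;
}

/* An OR-only write can set bits but never clear them, so `desired` is
   reachable from `current` only if no bit is set in current that is
   clear in desired. */
bool or_reachable(uint32_t current, uint32_t desired)
{
    return (current & ~desired) == 0;
}

uint32_t mem_read_u32(uintptr_t addr)
{
    uint32_t v;
    memcpy(&v, &g_mem[addr], sizeof v);
    return v;
}

/* Helpers to set up test state; they are NOT part of the modelled primitive. */
void mem_reset(void)
{
    memset(g_mem, 0, sizeof g_mem);
}

void mem_poke_u32(uintptr_t addr, uint32_t v)
{
    memcpy(&g_mem[addr], &v, sizeof v);
}

/* Try to turn the little-endian dword at addr into `desired` using only ORs,
   one byte at a time. Returns false and leaves memory untouched when the
   current contents contain a bit that OR can never clear. */
bool or_write_u32(uintptr_t addr, uint32_t desired)
{
    uint32_t current = mem_read_u32(addr);
    if (!or_reachable(current, desired))
        return false;
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(desired >> (8 * i));
        or_primitive(addr + i, b);
    }
    return true;
}

int main(void)
{
    mem_reset();
    /* A zeroed slot accepts any value: OR into 0 is a full write. */
    printf("zero slot: %s -> %08x\n",
           or_write_u32(0x10, 0xdeadbeefu) ? "ok" : "fail", mem_read_u32(0x10));

    /* 0xdeadbeef has bit 4 clear, so a slot already holding 0x10 is unreachable. */
    mem_poke_u32(0x20, 0x00000010u);
    printf("slot 0x10: %s -> %08x\n",
           or_write_u32(0x20, 0xdeadbeefu) ? "ok" : "fail", mem_read_u32(0x20));

    /* 0x0f is a subset of 0xef, so this one works. */
    mem_poke_u32(0x30, 0x0000000fu);
    printf("slot 0x0f: %s -> %08x\n",
           or_write_u32(0x30, 0xdeadbeefu) ? "ok" : "fail", mem_read_u32(0x30));
    return 0;
}
```

The practical consequence, and the reason the talk's exploit needs extra machinery around the bare primitive, is that an OR-only write is a full write only into memory that is already zero or already a subset of the intended value; anything else has to be chosen or prepared so that condition holds.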
Matt Posted July 10, 2013 (Author)

Yes, I saw it, this is the real shit! Check this one out.