Exploit Writing Using Injectable Virtual Machines

Presented at DEF CON 14 (2006), Aug. 6, 2006, 3 p.m. (50 minutes)

Mosquito is a secure remote execution framework, available under the LGPL, that combines high-grade cryptography with a small, efficient virtual machine on both ends to ensure that intellectual property is protected. It also presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation. The virtual machine was written from scratch for this purpose, with a built-in cryptography library, and was optimized for size with an eye towards being able to inject it. The virtual machine's native programming environment is a Scheme-derived Lisp-family language with an optimizing bytecode compiler. It is also cross-platform, written in ANSI C and built with GCC, and currently runs on OpenBSD, Darwin, Linux, and Win32. Compiled bytecode is portable between these platforms, much like Java, except that it fits within 150K on some platforms. This talk will demonstrate the use of Mosquito to write exploits on the fly while the audience watches; the advantages and flexibility of using a virtual machine will be leveraged to implement a second-stage puddle-hop exploit into another host. The cross-platform advantages of writing exploits in a portable virtual machine will also be demonstrated. There will be some discussion of Mosquito itself to give context and understanding.

Presenters:

  • Wes Brown - Founder
    Wes Brown is a long-time network security practitioner who specializes in code reviews, web application assessments, penetration testing, and tools development. Prior to joining Accuvant as a senior security consultant, Wes worked for Internet Security Systems' X-Force Consulting team. He conducted hundreds of penetration tests and web application assessments for ISS clients ranging from the smallest to Fortune 500 companies. He was also responsible for many of the in-house tools that helped the external assessment consulting practice succeed. He can also be frequently seen at industry conferences, having spoken at DEF CON in the past. In founding Ephemeral Security, Wes hopes to advance the state of the art in network security by doing innovative and original research work. When not conducting consulting work, he has spent the last year and a half on the Mosquito Environment along with other members of his company. Currently, he is hard at work as one of Accuvant's lead consultants, which gives him an opportunity to test the tools and environments that are developed as part of Ephemeral Security's research efforts. He does the majority of the automation and tools that streamline the assessment practice's engagements, increasing quality while reducing turnaround time. Of course, Wes also does conventional consulting with a keen focus on code reviews and application assessments.
  • Scott Dunlop - Developer