Exploiting Java Memory Corruption Vulnerabilities

Presented at DerbyCon 1.0 (2011), Oct. 2, 2011, 2 p.m. (50 minutes)

The Oracle/Sun Java Runtime Environment (JRE) is widely viewed by security researchers as one of the weakest links in the proverbial chain. That said, the exploitation of memory corruption vulnerabilities within the JRE is not always straight-forward. This talk will focus on a collection of techniques to overcome potential issues that one may face while developing exploits against memory corruption vulnerabilities within the JRE. The talk concludes with a demonstration of the techniques as used on a selection of contrived and real-world vulnerabilities.

Presenters:

• Joshua Drake
  Joshua J. Drake, a senior research consultant with Accuvant LABS, focuses on original research in areas such as vulnerability discovery and analysis, exploitation technologies, and reverse engineering. Joshua has over 10 years of experience in the information security field. Prior to joining Accuvant, Joshua served as the lead exploit developer for the Metasploit team at Rapid7. In that role, he analyzed and successfully exploited numerous publicly disclosed vulnerabilities in widely deployed software such as Exim, Samba, Microsoft Windows, Office, and Internet Explorer. Prior to that, Joshua spent four years at VeriSign’s iDefense Labs conducting research, analysis, and coordinated disclosure of hundreds of unpublished vulnerabilities.

Similar Presentations:

• Black Hat USA 2012 / Recent Java Exploitation Trends and Malware
• DEF CON 21 (2013) / Java Every-Days: Exploiting Software Running on 3 Billion Devices
• Black Hat USA 2013 / Java Every-Days: Exploiting Software Running on 3 Billion Devices