22C3 - 2.2

22nd Chaos Communication Congress
Private Investigations

Day 1
Room Saal 2
Start time 18:00
Duration 01:00
ID 553
Event type Lecture
Track Hacking
Language English

Syscall proxying fun and applications

Introduction to syscall proxying and applications for in the wild exploitations

This talk is about how using syscall proxying technique for envolved attacks or other distributed applications. It includes source code examples like shellcodes, tools and a poc rootkit using this technique. This talk will be submited first at 0sec, a private security event we organize in switzerland in october.

Since long time hackers are searching way to execute code on hosts through different types of vulnerabilities. The shellcode is one of the master part of a successfull exploitation. Making reliable exploit working in the wild with "universal" payload is the goal of every exploit writer.

Syscall proxying is a technique which was introduced by Maximiliano Caceres (CORE SDI) which can provide a real remote interface to the host's kernel. The goal is writing universal "agents" to create all you can imagine locally but running it remotly. The best part of the syscall proxying technique is the attacker tools are locally stored but remotely executed through the payload.

During this talk Casek will introduce this technique and his own implementation of syscall proxy shellcodes and tools. Different type of payloads, a library, tools and a proof of concept lightweight rootkit will be presented. He will discuss exploiting vulnerabilities with this goal: exploiting, privilege escalation if needed, rootkiting (remotly infecting processes or patching on the fly the kernel), covering traces etc... all in one time.