
esi = <input>
cmp esi, 0x30
jg elsewhere
mov byte [ebp+esi-0x2a], 0
...
elsewhere:
....

======> *[anywhere] = 0x00.

mov esi, <attacker input>
cmp esi, 0x30
jg error
mov byte [ebp+esi-0x2a], 0x00
error:
...

=======>

$$$
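The reason the slide's check lets the zero byte land anywhere is that jg is a signed comparison: cmp esi, 0x30 / jg only rejects values whose signed interpretation exceeds 0x30, so a negative esi passes and ebp+esi-0x2a points far below the intended bytes. The following C model is an added example, not code from the talk or the challenge binaries; it treats [ebp-0x2a] as the base of a buffer whose intended offsets are 0..0x30 (an assumption for the model), simulates rather than performs each write, and puts the original signed check beside the corrected unsigned one (cmp esi, 0x30 / ja error), which the slide does not show.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the slide's listing: the byte written to
 * [ebp+esi-0x2a] is treated as base[esi] for a buffer whose intended
 * offsets are 0 .. 0x30 inclusive (an assumption; the slide shows only the
 * check and the store). No memory is written; outcomes are classified. */
#define LIMIT   0x30              /* constant compared against esi */
#define BUF_LEN (LIMIT + 1)       /* intended offsets 0 .. 0x30 */

enum outcome {
    REJECTED,          /* the branch was taken: no write */
    IN_BOUNDS_WRITE,   /* write lands inside the intended bytes */
    OOB_WRITE          /* write passes the check but lands elsewhere: the bug */
};

/* The slide's check: "cmp esi, 0x30 ; jg". jg tests the SIGNED result, so the
 * write proceeds for every idx <= 0x30 as a signed number, negatives included. */
bool signed_check_allows(int32_t idx)
{
    return !(idx > LIMIT);
}

/* Corrected check: the same cmp followed by "ja". ja tests the UNSIGNED result,
 * so a negative esi (e.g. 0xFFFFE000) compares as huge and is rejected. */
bool unsigned_check_allows(uint32_t idx)
{
    return !(idx > (uint32_t)LIMIT);
}

/* Would base + idx fall inside the intended bytes? */
bool target_in_bounds(int32_t idx)
{
    return idx >= 0 && idx < BUF_LEN;
}

/* Simulated offset of the store relative to the buffer base. */
int64_t write_offset(int32_t idx)
{
    return (int64_t)idx;
}

enum outcome classify_original(int32_t idx)
{
    if (!signed_check_allows(idx))
        return REJECTED;
    return target_in_bounds(idx) ? IN_BOUNDS_WRITE : OOB_WRITE;
}

enum outcome classify_hardened(int32_t idx)
{
    if (!unsigned_check_allows((uint32_t)idx))
        return REJECTED;
    return target_in_bounds(idx) ? IN_BOUNDS_WRITE : OOB_WRITE;
}

static const char *name(enum outcome o)
{
    switch (o) {
    case REJECTED:        return "rejected";
    case IN_BOUNDS_WRITE: return "in-bounds write";
    default:              return "OUT-OF-BOUNDS write";
    }
}

int main(void)
{
    /* Constructed sample values for esi: in range, too large, and negative. */
    const int32_t samples[] = { 0x10, 0x40, -0x2000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t esi = samples[i];
        printf("esi=%#010x (%d): jg -> %-19s ja -> %-15s offset=%+lld\n",
               (unsigned)esi, esi,
               name(classify_original(esi)), name(classify_hardened(esi)),
               (long long)write_offset(esi));
    }
    return 0;
}
```

The negative sample shows the whole story: the signed check accepts it, the simulated store lands 0x2000 bytes below the buffer, and the unsigned form rejects it. A complete bounds check needs both ends of the range, and choosing the unsigned conditional jump gets the lower bound for free.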

What did we have to do?

Exploitability is like generality.

Can we leverage this boundary condition to achieve an arbitrary computation?

But beyond completeness, can this execution compromise some security boundary that we pretend is there?

1. Plug in a USB from DVLabs (scary idea)

2. Observe some crashes

3. Determine exploitability

None of my tools are here. Oh well. Maybe next time....

I'm gonna just try anyway.

You never know

By the way man. Install <x> and <y> on there.

We're one talk in and I'm pretty stoked for "Applying Taint Analysis and Theorem Proving to Exploit Development" when DVLabs comes up on stage.

"Logan wrote a bit flipper and we generated >9,000 crashes. We picked 15 files. We will give you $2,000.00 for each of these that you can prove exploitable."

I look back at that guy...

We arrived in Montreal around 4 AM. Soon after I woke up to move my car. And RECON started at 9AM.

RECON is the IN crowd for Reverse Engineers. No vendors. No hats. No cyber.

And soon enough........

Which happened to inspire these guys.....

I've done this before

1 hour later, the challenges are released....

Did you get the targets installed? Good. Gimme your laptop!

I've done this before!

But it's okay

I've done this before

Aaaaah all these exception messages are in Korean!

I've done this before

And my laptop is 374 miles south of here.

But crap man, we're still at RECON.

They'll probably be done in 5min.

The competition couldn't be more vicious than here.

Here's the story of how

The loller skaterz dropping from rofl copters!

won $10,000 at RECON 2010!!!

I drove 374 miles North to Montreal.

One day

With this guy:

Hey man, that sounds easy!

To win the other $8,000.00