Black Hat USA 2018 - Mainframe [z/OS] Reverse Engineering and Exploit Development
Speak with any Fortune 500 running mainframe and they'll tell you two things: (1) without their mainframes they'd be out of business (2) they do not conduct any security research on them, let alone vulnerability scans. The most infuriating part is that mainframes are simply computers, they're different from what you're used to, but that doesn't mean they can't be hacked. Previous talks about this topic have covered the platform from a high level, imploring you to do the basics. This talk continues this series of talks, given by others, around mainframe hacking. Previously covered topics included network penetration testing and privilege escalation. To complement those talks, this talk will expose attendees to the various tools that exist on the platform to help you do your own reverse engineering, followed by detailed steps on how to start your own exploit development. Attendees will learn what debuggers are available on the platform, such as dbx and ASMIDF, as well as the challenges you'll have using them. After learning how to RE, attendees will then learn how to develop their own exploits and buffer overflows on the platform using C, assembler and JCL. A demo program will be used to teach all these items so people can follow along. Topics included in this discussion are APF authorization, bypassing RACF/ACEE, TSO, Unix System Services. ... https://www.youtube.com/watch?v=opBLBYAR8tU
Jmaxxz Hacker
As our homes become smarter and more connected we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.
Jmaxxz works as a software engineer for a Fortune 100 company, and is a security researcher for pleasure. His FlashHacker program was featured in Lifehacker's most popular free downloads of 2010. More recently he has contributed to the node_pcap project which allows interfacing with libpcap from node. His other interests include lock picking and taking things apart.
Twitter: @jmaxxz
...
https://www.youtube.com/watch?v=oBTl-jCtNDA
Everyone knows that databases are the crown jewels from a hacker's point of view, but what if you could use a database as the hacking tool itself? We discovered that simply querying a malicious SQLite database - can lead to Remote Code Execution. We used undocumented SQLite3 behavior and memory corruption vulnerabilities to take advantage of the assumption that querying a database is safe.
How? We created a rogue SQLite database that exploits the software used to open it.Exploring only a few of the possibilities this presents we’ll pwn password stealer backends while they parse credentials files and achieve iOS persistency by replacing its Contacts database…
The landscape is endless (Hint: Did someone say Windows 10 0-day?). This is extremely terrifying since SQLite3 is now practically built-in to any modern system.
In our talk we also discuss the SQLite internals and our novel approach for abusing them. We had to invent our own ROP chain technique using nothing but SQL CREATE statements. We used JOIN statements for Heap Spray and SELECT subqueries for x64 pointer unpacking and arithmetics. It's a new world of using the familiar Structured Query Language for exploitation primitives,laying the foundations for a generic leverage of memory corruption issues in database engines.
...
https://www.youtube.com/watch?v=JokZUjwGj4M
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
...
https://www.youtube.com/watch?v=mYAiiOUhH8E
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
...
https://www.youtube.com/watch?v=8g6gF8b2kT8
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
...
https://www.youtube.com/watch?v=oBSOXMv38d4
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
...
https://www.youtube.com/watch?v=6tsJ0J4OfEA
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
...
https://www.youtube.com/watch?v=IVq7epnJYa4
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
...
https://www.youtube.com/watch?v=brLjYw7tgKk