The State Of the Art in R2Land
radare2 is an almost 14-year-old open-source project focused on providing tools for several tasks related to reverse engineering. Initially designed for forensics, it quickly evolved into a disassembler and debugger for solving crackmes and for helping with exploitation and bug finding as well.
The author of this tool is nowadays the project leader as well as the main developer and maintainer (which is me), and keeps introducing new features every day at a pace no other project can match, with the help of a very active and vibrant community that makes the whole ecosystem a perfect place for learning, improving your skills or solving your daily needs at work or at home. (Yes, you can order pizzas with it.)
This talk will present the tool with a quick overview of the project history and show several powerful features and capabilities, describing the current state of the project with its strengths and weaknesses.
He is currently working at NowSecure as a Mobile Security Analyst in the R&D team, writing tools to automate the analysis of mobile apps. In the past he has worked as a sysadmin, package maintainer, forensic analyst and firmware developer, done Bluetooth hacking, written audio codec optimizations for ARM and MIPS, and ported software to SPARC, Solaris and GNU/Hurd.
Reverse RDP Attack - Pwning RDP Clients
A pentester's main goal is to move inside the network, gaining privileges on the way until the ultimate goal is reached: full control of the corporate network. Would you believe me if I told you there is a shortcut? That one can simply wait in place, ambushing a privileged user, until he unknowingly lets us take over his account / computer?
And the answer is simple: Remote Desktop Protocol (RDP).
In this talk, we demonstrate exactly how we did it. We show the numerous vulnerabilities we found in the popular open-source RDP clients, and thereafter move on to the main target: Mstsc.exe. Together we take a deep dive into the main synchronized resource between the client and the server, the clipboard. At the end of our journey we will see the inherent design problem in this synchronization. Chained together with an additional vulnerability, we will show a live demo of how we took over the computer of the unsuspecting Mstsc.exe user.
But wait, there is more. Given the initial vendor response of "doesn't meet the bar for servicing", we dug in a bit deeper and found a target that no one will be able to ignore this time: Hyper-V.
Eyal has an extensive background in security research that includes years of experience in embedded network devices and protocols, bug bounties in all the popular interpreted languages, and an award from Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.
Can You Escape This?
In this session we will attempt to mimic some of the escapes performed by the Great Houdini, an American magician noted for his sensational escape acts. This time the escape is from a real, live container website: Play-with-Docker, the Docker training website, using novel, never-before-attempted escape techniques.
@n1mr0d5
Nimrod holds an LLB in law and BA in economics.