Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, July 29 • 10:00am - 11:00am
Utilizing Code Reuse/Return Oriented Programming in PHP Web Application Exploits

Sign up or log in to save this to your schedule and see who's attending!

In 2009 one of the hottest topics has been code reuse and return oriented programming as means to bypass exploitation mitigation features in modern operating systems. We have seen ROP being applied to x86, SPARC, ARM and even election machines. Time has come to take ROP into the world of web application security.

 

This presentation consists of two parts that will apply code reuse and ROP techniques to modern PHP exploits. The first part will show how ROP is applied entirely at the PHP level, reusing code parts of the already running PHP application to eventually achieve arbitrary code execution. It will be detailed how different PHP vulnerability classes can be used for these attacks, demonstrating some lesser known facts and tricks in PHP exploitation on the way.

 

The second part of the presentation will go below the PHP level and feature a previously unknown memory corruption in PHP itself that is exposed to remote attackers through several widespread PHP applications. It will be demonstrated step by step how it is possible to develop a remote exploit for this vulnerability, defeating ASLR and NX/DEP on the way, by utilizing an information leak and returning into the PHP interpreter to execute arbitrary PHP code.


Thursday July 29, 2010 10:00am - 11:00am
Day 2 - Web Apps

Attendees (15)

  • Profile image