Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Friday, September 19 • 1:00pm - 1:45pm
When you can't afford 0days: Client-side exploitation for the masses

Sign up or log in to save this to your schedule and see who's attending!

 A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.

Speakers
avatar for Michele Orrù

Michele Orrù

Senior Security Consultant, Trustwave SpiderLAbs
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, Semafor, Just4Meeting, OWASP, 44Con, EUSecWest, Ruxcon and more we just can't disclose. Besides having a passion for hacking... Read More →



Friday September 19, 2014 1:00pm - 1:45pm
Colorado Ballroom F [Breakers] Denver Marriott City Center