Explore the unconventional use of Scratch programming language for network exploitation in this 52-minute conference talk from 44CON 2018. Discover how Kev Sheldrake leverages experimental HTTP extensions in Scratch v2 to implement TCP/IP functions, enabling fuzzing and exploitation of vulnerable network services. Learn about the process of creating custom blocks linked to Python functions, overcoming sandbox limitations, and developing proof-of-concept exploits for various vulnerabilities. Gain insights into the intricacies of the Scratch extension API, its limitations, and how to combine simple concepts to create functional exploits. Witness live demonstrations of exploiting stack smash and format string vulnerabilities in echo servers, and understand how this approach can make exploit development accessible to those with basic Scratch programming skills.
Overview
Syllabus
Intro
What is Scratch
Variables
Robot Arms
Python Script
Block Definition
Demo
Socket functions
Scratch sockets
Exploit lab
Live demo
Stack smash
Reconnecting
Sending pattern buffer
Writing down location
Finding jump ESP instruction
Exploit code
Slides
Why bother
How long
Lego
Questions
Taught by
44CON Information Security Conference
