A story of how I found RCE in two different “fat client”-server applications (one .NET and one Java). As they used non-HTTP binary protocols to communicate, I re-used parts of the existing application code to quickly implement a custom client that could exploit the vulnerabilities. This talk will both show how to find bugs in applications by decompiling Java and .NET code as well as how to re-use that decompiled code to attack the application.
Presented at Security Fest 2018.Speaker: Olle Segerdahl
Olle is a veteran of the IT security industry, having worked with both “breaking” and “building” security solutions for over 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently a Principal Consultant in F-Secure’s technical security consulting practice.