Script Engine Hacking For Fun And Profit

Workshop duration: 3 hours.

More and more applications allow execution of untrusted code in their context to extend themselves. Whether it's JavaScript in a web browser, Lua plugins in a video game or Ruby to customize business rules, it is important to keep your infrastructure secure when running them.

This workshop is a hands-on introduction to the basic exploitation techniques for scripting engines. The exercises focus on real-world examples around mruby, a lightweight Ruby interpreter that is easily customizable to limit or completely remove I/O operations and act as a sandbox. Through successful exploitation, the participants will be able to execute arbitrary native code from a Ruby script, bypassing any restriction placed on the Ruby APIs.

The participants will be guided to look for common vulnerability patterns, set up their exploit and ultimately gain control of the instruction pointer to escape the mruby virtual machine. Finally, some defensive measures will be covered to harden the vulnerable engine and limit the side effects of a successful exploit.


Topics covered:

  • An overview of the mruby engine internals
  • Common vulnerability patterns in native code employed by script engines
  • Specific use case of a use after free vulnerability
  • Heap grooming
  • Exploiting the use after free to get code execution
  • Hardening the application and script engine

What students should know:

To follow the whole workshop, we suggest being familiar with the following:

  • Programming in C (and optionally Ruby)
  • Debugging with GDB
  • Basic exploitation knowledge (memory layout, buffer overflows, etc.)
  • Basic Linux shell skills

What students should bring:
A laptop with a Linux system and the tools to build mruby from source: git, gcc, ar, bison, Ruby 1.8 or 1.9, and gdb for debugging.

Jean-Marc Le Blanc

Currently working as a reverse engineer, Jean-Marc has worked for multiple respected security companies for the past 5 years. On top of his professional security research, he has done a lot of personal vulnerability research on large, popular applications. His most recent project has been the mruby bug bounty by Shopify.

Israël Hallé

Israël Hallé has been solving exploitation challenges in security CTFs for the past years as part of the DCIETS while he was an undergraduate student, taking first place at the last two editions of the NorthSec CTF. Recently, he has been contracting for Google, where he served as a reverse engineer on the Safe Browsing team. With the other trainers, Israël has been working on the mruby-engine bug bounty by Shopify, where he found a few critical vulnerabilities that led to remote code execution. When not in front of his computer, he's likely busy either drinking craft beer or climbing rocks and boulders.