NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練

229b1596ce57cd0935a2bacd410d87a0?s=47 馬聖豪
September 29, 2015

NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練

簡易入門基礎逆向需要的觀念
入門解析ROP、Buffer Overflow、CRT、Fuzzing

Slide中的練習題目&Source Code:
https://github.com/aaaddress1/NTUSTxTDOH-Reversing-Game

229b1596ce57cd0935a2bacd410d87a0?s=128

馬聖豪

September 29, 2015
Tweet

Transcript

  1. 2.

    SELF INTRODUCTION ➤ 馬聖豪 (aaaddress1) ➤ 義守大學資訊工程二年級 ➤ Reverse Engineering

    Skills ➤ Windows / Mac OS /Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86靜態手花詐欺術 ➤ Wooyun WhiteHat: x86手花詐欺 ➤ 逢甲2015行動計算研討會: AIDS ➤ 成功大學2015行動APP競賽
  2. 3.

    SELF INTRODUCTION ➤ Hack BOT ➤ CrackShield / MapleHack ➤

    Tower Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通防爆PING ➤ CSharp,VB,C/CPlus, x86,Python,Smali,Swift
  3. 4.

    OUTLINE ➤ main() is not the really main ➤ OllyDBG:Baby

    First (Exam) ➤ Return-oriented Programming ➤ Overflow: Revo Wolf(Exam) ➤ Fuzzing ➤ Make a fuzzer in C++ ➤ How to fuzzing with Z3
  4. 16.

    REALLY MAIN ➤ Label “_start” is really main. ➤ CRTStartUp

    is loaded in label “_start”. (To init RTC/new/delete/arg…etc) ➤ Find programmer’s main (normal c plus compile) ➤ Find the address calling GetCommandLine ➤ Find the address calling exit() or cexit() ➤ Programmer’s main function is between them.
  5. 22.

    ROP

  6. 23.

    ROP

  7. 24.

    ROP

  8. 25.

    ROP

  9. 26.

    ROP

  10. 27.

    ROP [EBP+0 ] = Pointer to old EBP [EBP+4 ]

    = Return Address [EBP+8 ] = First Parameter [EBP+C ] = Second Parameter [EBP+10 ] = Third Parameter …etc [EBP+8 + 4*index] = Parameter[index]
  11. 28.

    ROP VOID FUNC() { INT A = 0; INT B

    = 1; INT C = 2; } [EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2 push EBP mov EBP,ESP SUB ESP, LEN
  12. 29.

    ROP VOID FUNC(){ NFUNC(ARG1,ARG2,AR G3…) } push ebp mov ebp,esp

    . . push arg3 push arg2 push arg1 call nFunc
  13. 30.

    ROP

  14. 31.

    ROP

  15. 32.

    ROP

  16. 33.

    ROP

  17. 34.
  18. 35.

    ROP Stack ESP + 0 ESP + 4 ESP +

    8 ESP + C ESP + 10 ESP + 14
  19. 36.

    ROP Stack ESP + 0 Old EBP ESP + 4

    ESP + 8 ESP + C ESP + 10 ESP + 14 _______EIP
  20. 37.

    ROP Stack EBP + 0 =ESP Old EBP EBP +

    4 EBP + 8 EBP + C EBP + 10 EBP + 14 _______EIP
  21. 38.

    ROP Stack EBP - 8 =ESP Buffer EBP - 4

    Buffer EBP + 0 Old EBP EBP + 4 EBP + 8 EBP + C _______EIP
  22. 39.

    ROP Stack EBP - 8 =ESP 1 EBP - 4

    Buffer EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP
  23. 40.

    ROP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP
  24. 41.

    ROP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  25. 42.

    ROP Stack EBP - 8 =ESP EBP EBP - 4

    return Address EBP + 0 1 EBP + 4 Buffer EBP + 8 Buffer EBP + C Old EBP _______EIP
  26. 43.

    ROP Stack EBP + 0 =ESP EBP EBP + 4

    return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP
  27. 44.

    ROP Stack EBP + 0 =ESP EBP EBP + 4

    return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP
  28. 45.

    ROP _______EIP Stack EBP - 8 =ESP return Address EBP

    - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  29. 46.

    ROP _______EIP Stack EBP - 8 =ESP return Address EBP

    - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  30. 47.

    ROP Stack EBP - 4 =ESP 1 EBP + 0

    Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP
  31. 48.

    ROP Stack EBP + 0 = ESP Buffer EBP +

    4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP
  32. 51.

    BUFFER OVERFLOW ➤ We just can see , cannot modify

    the application. ➤ For Exploit? ➤ Overflow local variables. (EBP+N are good friend to us) ➤ Do something for get control EIP/RIP.
  33. 63.

    BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP
  34. 64.

    BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “name”
  35. 65.

    BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “data”
  36. 66.

    BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP
  37. 67.

    BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”
  38. 68.

    BUFFER OVERFLOW Stack EBP - 10 aaaa EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”
  39. 69.

    BUFFER OVERFLOW Stack EBP - 10 aaaa EBP - C

    BBBB EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaaBBBB”
  40. 70.

    BUFFER OVERFLOW Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “OVERFLOW”
  41. 72.

    BUFFER OVERFLOW Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 revo EBP - 4 wolf EBP =ESP Old EBP _______EIP If you input “OVERFLOWoverflow ”
  42. 73.

    BUFFER OVERFLOW Stack EBP - 10 AAAA EBP - C

    AAAA EBP - 8 imda EBP - 4 \x00\x00\x00n EBP =ESP Old EBP _______EIP SO, We can input “AAAAAAAAadmin”
  43. 81.

    “Fuzz testing or fuzzing is a software testing technique, often

    automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software. From Wikipedia WHAT IS FUZZING?
  44. 82.

    When we need to fuzz? A.Prove that something is always

    true B.Fuzzing for something unexpected C.Fuckinnnnnnnnnnnnng Crypto D.A lot of choice, find one is correct
  45. 84.
  46. 86.
  47. 87.
  48. 88.
  49. 89.
  50. 91.
  51. 93.
  52. 95.
  53. 96.
  54. 98.
  55. 100.
  56. 104.
  57. 105.
  58. 108.

    Z3 BEGIN ➤Get and Install Python2.7 ✴ Z3.py script environment

    ✴ www.python.org ➤You can use python basically ➤Get Z3.py for Windows ✴ Prove tool ✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Windows
  59. 111.

    FUZZING(Z3) BitVec(“Name” , BitCount) For example: 1.char a => a

    = BitVec(“a”, 8) 2.short b => b = BitVec(“b”, 16) 3.int c => c = BitVec(“C”, 32) => Int(“c”) 4.bool e => e = BitVec(‘e’, 8)
  60. 112.

    FUZZING(Z3) Solve(All rules ), Z3 will auto fuzz all variables,

    and find a result(JUST ONE RESULT!). Then, print all results of variables.
  61. 113.

    FUZZING(Z3) If you have a looooot of rules, you can

    use Solver(). Solver.add() can remember all rules you requested.
  62. 114.

    FUZZING(Z3) If you want to check current whether rules can

    come true, you just use: Solver.check()
  63. 117.

    FUZZING(Z3) Finally, if you get “sat”, you can use: Solver.model()

    It will save a result in it. Use model[Variable Name], and get the answer by String
  64. 119.
  65. 120.