NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練

Transcript

1. TEEMO KNOWS BINARY TDOH x TAIWAN TECH 2015/11/29 aaaddress1

2. SELF INTRODUCTION ➤ 馬聖豪 (aaaddress1) ➤ 義守大學資訊工程二年級 ➤ Reverse Engineering

   Skills ➤ Windows / Mac OS /Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86靜態手花詐欺術 ➤ Wooyun WhiteHat: x86手花詐欺 ➤ 逢甲2015行動計算研討會: AIDS ➤ 成功大學2015行動APP競賽

3. SELF INTRODUCTION ➤ Hack BOT ➤ CrackShield / MapleHack ➤

   Tower Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通防爆PING ➤ CSharp,VB,C/CPlus, x86,Python,Smali,Swift

4. OUTLINE ➤ main() is not the really main ➤ OllyDBG:Baby

   First (Exam) ➤ Return-oriented Programming ➤ Overflow: Revo Wolf(Exam) ➤ Fuzzing ➤ Make a fuzzer in C++ ➤ How to fuzzing with Z3

5. SWEET REMINDER 5PPM
   IUUQTHPPHMT+3U# &YBN IUUQTHPPHMY6:LP[

6. REALLYMAIN

7. REALLY MAIN

8. REALLY MAIN

9. REALLY MAIN

10. REALLY MAIN

11. REALLY MAIN

12. REALLY MAIN

13. REALLY MAIN _Start

14. REALLY MAIN

15. REALLY MAIN Parameter Data

16. REALLY MAIN ➤ Label “_start” is really main. ➤ CRTStartUp

    is loaded in label “_start”. (To init RTC/new/delete/arg…etc) ➤ Find programmer’s main (normal c plus compile) ➤ Find the address calling GetCommandLine ➤ Find the address calling exit() or cexit() ➤ Programmer’s main function is between them.

17. DEMO Olly Debugger:Really Main

18. EXAM Olly Debugger: Baby First & Take a break!

19. ROP Return-oriented-Programming

20. WE NEED TO KNOW MORE BEFORE ROP

21. X86 CALLING COVENTION & STACK FRAMES

22. ROP

23. ROP

24. ROP

25. ROP

26. ROP

27. ROP [EBP+0 ] = Pointer to old EBP [EBP+4 ]

    = Return Address [EBP+8 ] = First Parameter [EBP+C ] = Second Parameter [EBP+10 ] = Third Parameter …etc [EBP+8 + 4*index] = Parameter[index]

28. ROP VOID FUNC() { INT A = 0; INT B

    = 1; INT C = 2; } [EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2 push EBP mov EBP,ESP SUB ESP, LEN

29. ROP VOID FUNC(){ NFUNC(ARG1,ARG2,AR G3…) } push ebp mov ebp,esp

    . . push arg3 push arg2 push arg1 call nFunc

30. ROP

31. ROP

32. ROP

33. ROP

34. WHY?

35. ROP Stack ESP + 0 ESP + 4 ESP +

    8 ESP + C ESP + 10 ESP + 14

36. ROP Stack ESP + 0 Old EBP ESP + 4

    ESP + 8 ESP + C ESP + 10 ESP + 14 _______EIP

37. ROP Stack EBP + 0 =ESP Old EBP EBP +

    4 EBP + 8 EBP + C EBP + 10 EBP + 14 _______EIP

38. ROP Stack EBP - 8 =ESP Buffer EBP - 4

    Buffer EBP + 0 Old EBP EBP + 4 EBP + 8 EBP + C _______EIP

39. ROP Stack EBP - 8 =ESP 1 EBP - 4

    Buffer EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP

40. ROP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP

41. ROP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

42. ROP Stack EBP - 8 =ESP EBP EBP - 4

    return Address EBP + 0 1 EBP + 4 Buffer EBP + 8 Buffer EBP + C Old EBP _______EIP

43. ROP Stack EBP + 0 =ESP EBP EBP + 4

    return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP

44. ROP Stack EBP + 0 =ESP EBP EBP + 4

    return Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP

45. ROP _______EIP Stack EBP - 8 =ESP return Address EBP

    - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

46. ROP _______EIP Stack EBP - 8 =ESP return Address EBP

    - 4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

47. ROP Stack EBP - 4 =ESP 1 EBP + 0

    Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP

48. ROP Stack EBP + 0 = ESP Buffer EBP +

    4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP

49. LET’S PLAY WITH BEEF OVERFLOW

50. BOF OVERFLOW AND RIP…

51. BUFFER OVERFLOW ➤ We just can see , cannot modify

    the application. ➤ For Exploit? ➤ Overflow local variables. (EBP+N are good friend to us) ➤ Do something for get control EIP/RIP.

52. BUFFER OVERFLOW [EBP-8] [EBP-10]

53. BUFFER OVERFLOW

54. BUFFER OVERFLOW

55. BUFFER OVERFLOW

56. BUFFER OVERFLOW

57. BUFFER OVERFLOW

58. BUFFER OVERFLOW How to let data == “admin”?

59. BUFFER OVERFLOW [EBP-8] [EBP-10]

60. BUFFER OVERFLOW Stack

61. BUFFER OVERFLOW Stack ESP Old EBP _______EIP

62. BUFFER OVERFLOW Stack EBP =ESP Old EBP _______EIP

63. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP

64. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “name”

65. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “data”

66. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP

67. BUFFER OVERFLOW Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”

68. BUFFER OVERFLOW Stack EBP - 10 aaaa EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”

69. BUFFER OVERFLOW Stack EBP - 10 aaaa EBP - C

    BBBB EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaaBBBB”

70. BUFFER OVERFLOW Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “OVERFLOW”

71. IF WE INPUT MORE WORDS…? MAGIC!

72. BUFFER OVERFLOW Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 revo EBP - 4 wolf EBP =ESP Old EBP _______EIP If you input “OVERFLOWoverflow ”

73. BUFFER OVERFLOW Stack EBP - 10 AAAA EBP - C

    AAAA EBP - 8 imda EBP - 4 \x00\x00\x00n EBP =ESP Old EBP _______EIP SO, We can input “AAAAAAAAadmin”

74. BUFFER OVERFLOW

75. DANGER FUNCTION #include <iostream> printf, fprintf, snprintf, vprintf, …etc

76. DEMO Overflow

77. EXAM Overflow: Revo wolf & Take a break!

78. EXAM Overflow: 7$BUY TICKETS & Take a break!

79. EXAM Overflow: Lee Sin can Read & Take a break!

80. FUZZING Fuzzing the key with Z3.py

81. “Fuzz testing or fuzzing is a software testing technique, often

    automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software. From Wikipedia WHAT IS FUZZING?

82. When we need to fuzz? A.Prove that something is always

    true B.Fuzzing for something unexpected C.Fuckinnnnnnnnnnnnng Crypto D.A lot of choice, find one is correct

83. FUZZING FOR WHAT?

84. None

85. Your said : Get the key is easy?

86. None
87. None
88. None
89. None

90. YOU THINK REVERSING IS: SOLVING PROBLEMS? BRAIN FUCKING (O)

91. FUZZING

92. FUZZING Key= adr ‘a’ = 0x61,’d’ = 0x64, r =

    0x72

93. FUZZING

94. FUZZING Key= adr 0x00726461 = \x00\x72\x64\x61 = \x00adr

95. FUZZING

96. None

97. FUZZING How to find the key matching the factors?

98. None

99. MAKE A MINI FUZZER IN C PLUS PLUS

100. None

101. Check Current Temp Key

102. 0x20 to 0x7E, Visible ASCII Char Range

103. Display to us.

104. None
105. None

106. BUT… IF LENGT OF THE KEY ISN’T JUST 3 WORDS?

107. Z3 Prove Tool

108. Z3 BEGIN ➤Get and Install Python2.7 ✴ Z3.py script environment

     ✴ www.python.org ➤You can use python basically ➤Get Z3.py for Windows ✴ Prove tool ✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Windows

109. 猜謎 ➤ 無腦 ➤ 很軟 ➤ 手有毒

110. FUZZING(Z3) Include Z3 function to your python script like you

     use #include <iostream> in C++

111. FUZZING(Z3) BitVec(“Name” , BitCount) For example: 1.char a => a

     = BitVec(“a”, 8) 2.short b => b = BitVec(“b”, 16) 3.int c => c = BitVec(“C”, 32) => Int(“c”) 4.bool e => e = BitVec(‘e’, 8)

112. FUZZING(Z3) Solve(All rules ), Z3 will auto fuzz all variables,

     and find a result(JUST ONE RESULT!). Then, print all results of variables.

113. FUZZING(Z3) If you have a looooot of rules, you can

     use Solver(). Solver.add() can remember all rules you requested.

114. FUZZING(Z3) If you want to check current whether rules can

     come true, you just use: Solver.check()

115. FUZZING(Z3) If Z3 cannot find any result, check() will reply

     you “unsat”.

116. FUZZING(Z3) If Z3 can find any result, check() will reply

     you “sat”.

117. FUZZING(Z3) Finally, if you get “sat”, you can use: Solver.model()

     It will save a result in it. Use model[Variable Name], and get the answer by String

118. FUZZING(Z3) So,How to fuzz the key with z3?

119. None
120. None

121. DEMO Fuzzing with z3.py

122. EXAM Fuzzing: ShacoBuysCrusts & Take a Break!

123. EXAM Fuzzing: AIS3 Final Exam Binary

124. Q&A [email protected]