Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Binary Exploitation - Basic

LJP-TW
May 18, 2021
Technology
1
74

Binary Exploitation - Basic

2021/05/19 台科資安社 社課
直播記錄檔: https://www.youtube.com/watch?v=H52LnWjcC_A
- Stack-Based Buffer Overflow
- Shellcode
- GOT Hijack
- One Gadget
- ROP

LJP-TW

May 18, 2021
Tweet

More Decks by LJP-TW

See All by LJP-TW
Reverse Engineering - 1
ljptw
0
990
Reverse Engineering - 2
ljptw
0
460
Reverse Engineering - 3
ljptw
0
370
Re:0 從零開始的逆向工程
ljptw
1
530
Linux 極入門篇
ljptw
1
250
Fuzzing 101
ljptw
1
140
Binary Exploitation - File Structure
ljptw
1
220
Binary Exploitation - Basic 補充篇
ljptw
1
33
Binary Exploitation - Heap
ljptw
1
110

Other Decks in Technology

See All in Technology
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
7
4k
Improve Your Development Workflow with Gemini Code Assist
meteatamel
0
130
成長をサポートするピープルマネジメントのやり方
sioncojp
9
1.2k
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
5
18k
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
410
生成AIの変革の時代に、 直近1年で直面した課題とその解決策
ktc_wada
0
690
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
1
120
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
340
Cypress or Playwright?
rainerhahnekamp
0
170
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
35k
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
2.7k
コードや知識を組み込む / Incorporate Code and knowledge
ks91
PRO
0
150

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
26
2.3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
A better future with KSS
kneath
231
16k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k
Facilitating Awesome Meetings
lara
43
5.6k
Unsuck your backbone
ammeep
663
57k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
In The Pink: A Labor of Love
frogandcode
138
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
244
12k
Building Applications with DynamoDB
mza
88
5.6k
How STYLIGHT went responsive
nonsquared
92
4.8k

Transcript

  1. 2021/5/18 NTUSTISC Binary Exploitation aka Pwn Basic

  2. # whoami - LJP / LJP-TW - Pwn / Rev

    - NTUST / NCTU / NYCU - 10sec CTF Team 1

  3. 先來個小調查 - 略懂 C - 略懂 任何一種組合語言 - 略懂 逆向工程

    - 略懂 怎用 GDB - 略懂 Pwn - 略懂 ROP - 略懂 Heap Exploitation 2

  4. Outline - What’s PWN? - 基礎知識 – x86 Assembly -

    基礎知識 – Stack Frame - 基礎知識 – GDB - 基礎知識 – Pwntools - Stack-Based Buffer Overflow - Shellcode - 基礎知識 – Lazy Binding 3 - GOT Hijack - One Gadget - ROP

  5. What is Pwn ? 4

  6. What is Pwn ? 5 我都念胖 圖片來源: https://en.wikipedia.org/wiki/PWN

  7. What is Pwn ? 6

  8. What is Pwn ? 7

  9. What is Pwn ? 8

  10. What is Pwn ? 9

  11. What is Pwn ? - 利用程序的漏洞 - 竄改程序執行流程 - 執行特定行為

    10

  12. What is Pwn ? 11 來個栗子 Server:

  13. What is Pwn ? 12 Service 原始碼:

  14. What is Pwn ? 13 漏洞:

  15. What is Pwn ? 14 漏洞:

  16. What is Pwn ? 15 其他能被利用的程式碼: Leak Canary Hijack Return

    Address Leak Text Base Execute Gadget

  17. What is Pwn ? 16 攻擊腳本:

  18. What is Pwn ? 17 正常使用/攻擊:

  19. Basic Knowledge x86 Assembly 18

  20. x86 Assembly 19 mov rax, 1 add rax, 5 sub

    rbx, rax inc rax dec rax ASM rax = 1 rax = rax + 5 rbx = rbx – rax rax++ rax-- C ✕ ✕

  21. x86 Assembly 20 mov rax, 0 jmp BEGIN LOOP: inc

    rax BEGIN: cmp rax, 5 jle LOOP ASM rax = 0 while (rax <= 5) rax++ C ✕ ✕

  22. Basic Knowledge Stack Frame 21

  23. Stack Frame - 不同區域會有不同的 Stack Frame - 裡面存放著區域變數 - 在

    Function 的頭部和尾部, 會有一些用來處理 Stack Frame 的 指令 - 頭部: Prologue - 尾部: Epilogue 22 push rbp mov rbp, rsp … leave ret main

  24. Stack Frame 23 Stack RSP 0x00007fffffffe5c8 push rbp mov rbp,

    rsp sub rsp, 20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h … leave ret function1

  25. push rbp mov rbp, rsp sub rsp, 20h … call

    function1 leave ret Stack Frame 24 Stack RSP 0x00007fffffffe5c8 main push rbp mov rbp, rsp sub rsp, 30h … leave ret function1

  26. push rbp mov rbp, rsp sub rsp, 20h … call

    function1 leave ret Stack Frame 25 Stack RSP 0x00007fffffffe5c8 RBP 原本的值 0x00007fffffffe5c0 main push rbp mov rbp, rsp sub rsp, 30h … leave ret function1

  27. push rbp mov rbp, rsp sub rsp, 20h … call

    function1 leave ret Stack Frame 26 Stack RSP 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 main push rbp mov rbp, rsp sub rsp, 30h … leave ret function1

  28. push rbp mov rbp, rsp sub rsp, 20h … call

    function1 leave ret Stack Frame 27 Stack RBP 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 0x00007fffffffe5a0 0x401234 main push rbp mov rbp, rsp sub rsp, 30h … leave ret function1

  29. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack Frame 28 Stack RBP 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe598 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  30. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack Frame 29 Stack RBP 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  31. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack Frame 30 Stack RBP 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  32. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack Frame 31 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 leave = mov rsp, rbp pop rbp push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  33. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack Frame 32 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 leave = mov rsp, rbp pop rbp RBP push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  34. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret Stack Frame 33 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 leave = mov rsp, rbp pop rbp RBP main function1

  35. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret Stack Frame 34 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 leave = mov rsp, rbp pop rbp RSP main function1

  36. Basic Knowledge GDB 35

  37. GDB - 推薦套件: gef - https://github.com/hugsy/gef - 推薦套件: pwngdb -

    https://github.com/scwuaptx/Pwngdb - 常用指令 - b *[Address expression]:設定中斷點 (break point) - c:繼續執行 (continue) - ni:執行一個指令 (不步入) - si:執行一個指令 (步入) - x/[Length][Format] [Address expression]:顯示記憶體內容 36

  38. GDB Demo 37

  39. Basic Knowledge Pwntools 38

  40. Pwntools - Python 模組 - 方便寫 exploit - 常用 function

    - process() - remote() - send()、sendline() - sendafter()、sendlineafter() - recv()、recvline() - recvuntil() 39

  41. Pwntools Demo 40

  42. Stack-Based Buffer Overflow 41

  43. Stack-Based Buffer Overflow - 在區域變數上越界寫入 - 導致其他區域變數被改掉 - 導致 Return

    Address 被改掉 42

  44. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack-Based Buffer Overflow 43 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  45. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack-Based Buffer Overflow 44 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 AAAAAAAA push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  46. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack-Based Buffer Overflow 45 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 AAAAAAAA AAAAAAAA … push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  47. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret RBP Stack-Based Buffer Overflow 46 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP 原本的值 AAAAAAAA 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 AAAAAAAA AAAAAAAA … push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  48. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret RBP Stack-Based Buffer Overflow 47 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP 原本的值 AAAAAAAA 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 AAAAAAAA … AAAAAAAA push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  49. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Stack-Based Buffer Overflow 48 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 AAAAAAAA 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 AAAAAAAA AAAAAAAA … push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  50. push rbp mov rbp, rsp sub rsp, 20h … call

    function1 leave ret push rbp mov rbp, rsp sub rsp, 30h … leave ret Stack-Based Buffer Overflow 49 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RSP RBP 原本的值 AAAAAAAA 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 AAAAAAAA AAAAAAAA … main function1

  51. Stack Canary 50

  52. Stack Canary - 在函數的頭部, 往 Stack 上寫入一個值 (Canary) - 在函數的尾部,

    驗證 Canary 的值是否還是一樣 - 不一樣就表示發生了 BOF, 呼叫 __stack_chk_fail - 至於為何叫做 Canary? 51

  53. Stack Canary 52 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 0x401234 0x7fffffffe5a0 0x401234 0x00007fffffffe5c0 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560

  54. Stack Canary 53 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 0x401234 0x7fffffffe5a0 0x401234 0x00007fffffffe5c0 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560

  55. Stack Canary 54 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 0x401234 0x7fffffffe5a0 0x401234 0x00007fffffffe5c0 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560 0xd32a99e5e7cd3300 0x7fffffffe588

  56. Stack Canary 55 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 AAAAAAAA 0x7fffffffe5a0 0x401234 AAAAAAAA 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560 AAAAAAAA 0x7fffffffe588 AAAAAAAA …

  57. Stack Canary 56 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 AAAAAAAA 0x7fffffffe5a0 0x401234 AAAAAAAA 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560 AAAAAAAA 0x7fffffffe588 AAAAAAAA …

  58. Stack Canary 57 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 AAAAAAAA 0x7fffffffe5a0 0x401234 AAAAAAAA 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560 AAAAAAAA 0x7fffffffe588 AAAAAAAA …

  59. Stack Canary 58 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 AAAAAAAA 0x7fffffffe5a0 0x401234 AAAAAAAA 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560 AAAAAAAA 0x7fffffffe588 AAAAAAAA …

  60. Stack Canary 59 push rbp mov rbp, rsp sub rsp,

    20h … call function1 leave ret main push rbp mov rbp, rsp sub rsp, 30h mov rax, fs:28h mov [rbp-8], rax … mov rcx, [rbp-8] xor rcx, fs:28h jz OK call __stack_chk_fail OK: leave ret function1 Stack 0x7fffffffe5c8 0x7fffffffe5c0 RBP RBP 原本的值 AAAAAAAA 0x7fffffffe5a0 0x401234 AAAAAAAA 0x7fffffffe598 0x7fffffffe590 RSP 0x7fffffffe560 AAAAAAAA 0x7fffffffe588 AAAAAAAA …

  61. Stack Canary - 繞過方式 - 想辦法洩漏出 Canary 的值 - 想蓋

    Return Address 時, 把 Canary 的值寫回去, 就能繞過 60

  62. Stack-Based Buffer Overflow Demo 61

  63. Shellcode 62

  64. Shellcode - 攻擊者在記憶體中寫入一段用來執行的指令 - 之後想辦法讓執行流程跳到這些指令上 - 至於為何叫做 shellcode - 因為通常是拿來開

    shell - 現在就算不是拿來開 shell, 你跟我說 shellcode 也通啦 63

  65. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Shellcode 64 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x401234 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1

  66. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret Shellcode 65 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x00007fffffffe560 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1 Shellcode

  67. RBP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret Shellcode 66 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP 原本的值 0x00007fffffffe560 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1 Shellcode

  68. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret Shellcode 67 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP 原本的值 0x00007fffffffe560 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1 Shellcode

  69. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret Shellcode 68 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP 原本的值 0x00007fffffffe560 0x00007fffffffe5a0 0x401234 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 push rbp mov rbp, rsp sub rsp, 20h … call function1 leave ret main function1 Shellcode

  70. NX (No-eXecute) 69

  71. NX (No-eXecute) - NX aka DEP (Data Execution Prevention) -

    從剛剛的例子, 你會發現, 我們是執行位於 Stack 上的指令 - Stack 上的咚咚能執行?! 超怪 - 給每個記憶體區段設立三種權限 r(Read) w(Write) x(eXecute) - 設定 NX 就沒有 rwx 的區段 70

  72. Shellcode Demo 71

  73. Basic Knowledge Lazy Binding 72

  74. Lazy Binding - 由於 Library 在執行時期才被 Load 上來, 位址不固定 -

    因此程式需要將引用的 Library Call 連結到 Library - But 1. 在程式一開始就解析所有用到的 Library Call 會讓程式很晚執行 2. 其實不是所有引用的 Library Call 都會被呼叫到 - 於是有了 Lazy Binding - 簡單來說就是在程式第一次呼叫到 Library Call 才開始解析其位 址 73

  75. Lazy Binding 74 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  76. Lazy Binding 75 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 第一次呼叫 puts

  77. Lazy Binding 76 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  78. Lazy Binding 77 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  79. Lazy Binding 78 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 跳至 .plt 中

  80. Lazy Binding 79 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  81. Lazy Binding 80 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 推入 index

  82. Lazy Binding 81 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  83. Lazy Binding 82 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  84. Lazy Binding 83 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  85. Lazy Binding 84 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  86. Lazy Binding 85 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 跳到解析函數

  87. Lazy Binding 86 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x00007ffff7e505a0 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 解析後回填真正地址

  88. Lazy Binding 87 <main> call <puts@plt> call <puts@plt> <0x555555555020> push

    [<link_map>] bnd jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x00007ffff7e505a0 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  89. Lazy Binding 88 <main> call <puts@plt> call <puts@plt> <0x555555555020> push

    [<link_map>] bnd jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x00007ffff7e505a0 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 之後再度呼叫 puts

  90. Lazy Binding 89 <main> call <puts@plt> call <puts@plt> <0x555555555020> push

    [<link_map>] bnd jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x00007ffff7e505a0 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  91. Lazy Binding 90 <main> call <puts@plt> call <puts@plt> <0x555555555020> push

    [<link_map>] bnd jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x00007ffff7e505a0 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  92. Lazy Binding 91 <main> call <puts@plt> call <puts@plt> <0x555555555020> push

    [<link_map>] bnd jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x00007ffff7e505a0 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec 跳到 puts 真正位址

  93. GOT Hijack 92

  94. GOT Hijack - 假設程式存在任意寫漏洞 - 將 GOT 表寫成我們想執行的位址即可控制執行流 93

  95. GOT Hijack 94 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x0000555555555030 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  96. GOT Hijack 95 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x4141414141414141 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec Overwrite GOT Table

  97. GOT Hijack 96 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x4141414141414141 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  98. GOT Hijack 97 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x4141414141414141 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  99. GOT Hijack 98 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x4141414141414141 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec

  100. GOT Hijack 99 <main> call <puts@plt> <0x555555555020> push [<link_map>] bnd

    jmp [<_dl_runtime_resolve>] nop <0x555555555030> endbr64 push 0x0 bnd jmp 0x555555555020 nop <0x555555555040> endbr64 push 0x1 bnd jmp 0x555555555020 nop main .plt <+0x0> (.dynamic) 0x3df8 <+0x8> (link_map) 0x00007ffff7ffe190 <+0x10> (_dl_runtime_resolve) 0x00007ffff7fe7bb0 <+0x18> ([email protected]) 0x4141414141414141 <+0x20> ([email protected]) 0x0000555555555040 .got.plt <puts@plt> endbr64 bnd jmp [<[email protected]>] nop <setvbuf@plt> endbr64 bnd jmp [<[email protected]>] nop .plt.sec Hijack Control Flow

  101. GOT Hijack Demo 100

  102. One Gadget 101

  103. One Gadget - Gadget 是指一些可利用的指令片段 - libc 中有一些位址, 跳過去就會開 shell

    了 - 這個 Gadget 就是 One Gadget, 一發入魂 - https://github.com/david942j/one_gadget - libc 2.31: https://qiita.com/kusano_k/items/4a6f285cca613fcf9c9e#gl ibc-231の場合 102 圖片來源: https://ithelp.ithome.com.tw/articles/10226977

  104. One Gadget Demo 103

  105. ROP 104

  106. ROP - ROP 全名 Return-Oriented Programming - 找結尾是 ret 的

    Gadgets - 並在 Stack 上安排這些 Gadgets - 就能依序執行到所有在 Stack 上的 Gadgets 的指令片段 105

  107. push rbp mov rbp, rsp sub rsp, 30h … leave

    ret ROP 106 Stack 0x00007fffffffe5c8 0x00007fffffffe5c0 RBP RBP 原本的值 0x401234 0x00007fffffffe5a0 0x405566 0x00007fffffffe5c0 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3

  108. RBP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 107 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 Overwrite Stack

  109. RBP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 108 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 RSP 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8

  110. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 109 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 Return to Gadget1

  111. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 110 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8

  112. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 111 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”) Return to Gadget2

  113. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 112 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”)

  114. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 113 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”) rsi: 0

  115. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 114 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”) rsi: 0 rdx: 0

  116. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 115 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”) rsi: 0 rdx: 0 rax: 59 Return to Gadget3

  117. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 116 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”) rsi: 0 rdx: 0 rax: 59

  118. RSP push rbp mov rbp, rsp sub rsp, 30h …

    leave ret ROP 117 Stack 0x405566 0x00007fffffffe5a0 0x405566 AAAAAAAA 0x00007fffffffe598 0x00007fffffffe590 0x00007fffffffe560 pop rdi ret Gadget1 function1 0x00007fffffffe560 0x407777 0 0 59 0x00007fffffffe5a8 0x00007fffffffe5b0 0x00007fffffffe5b8 0x00007fffffffe5c0 /bin/sh\0 AAAAAAAA … AAAAAAAA 0x407777 pop rsi pop rdx pop rax ret Gadget2 0x408888 syscall Gadget3 0x408888 0x00007fffffffe5c8 rdi: 0x00007fffffffe560 (“/bin/sh”) rsi: 0 rdx: 0 rax: 59

  119. ROP DEMO 118

  120. Q & A 119

  121. Thanks 疫情期間少出門勤洗手 120