Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Binary Exploitation - Basic 補充篇

Avatar for LJP-TW LJP-TW
May 26, 2021
Technology
1
50

Binary Exploitation - Basic 補充篇

2021/05/26 台科資安社 社課
直播記錄檔: https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS

Avatar for LJP-TW

LJP-TW

May 26, 2021
Tweet

More Decks by LJP-TW

See All by LJP-TW
Reverse Engineering - 1
Avatar for LJP-TW ljptw
0
1.7k
Reverse Engineering - 2
Avatar for LJP-TW ljptw
0
730
Reverse Engineering - 3
Avatar for LJP-TW ljptw
0
590
Re:0 從零開始的逆向工程
Avatar for LJP-TW ljptw
1
1.2k
Linux 極入門篇
Avatar for LJP-TW ljptw
1
290
Fuzzing 101
Avatar for LJP-TW ljptw
1
180
Binary Exploitation - File Structure
Avatar for LJP-TW ljptw
1
280
Binary Exploitation - Heap
Avatar for LJP-TW ljptw
1
150
Binary Exploitation - Basic
Avatar for LJP-TW ljptw
1
120

Other Decks in Technology

See All in Technology
FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE
Avatar for maaaato maaaato
0
130
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
4
17k
【Oracle Cloud ウェビナー】[Oracle AI Database + AWS] Oracle Database@AWSで広がるクラウドの新たな選択肢とAI時代のデータ戦略
Avatar for oracle4engineer oracle4engineer
PRO
1
120
データの整合性を保ちたいだけなんだ
Avatar for ShoheiMitani shoheimitani
8
3.1k
Context Engineeringが企業で不可欠になる理由
Avatar for Hirosato Gamo hirosatogamo
PRO
3
530
プロポーザルに込める段取り八分
Avatar for ShoheiMitani shoheimitani
1
190
変化するコーディングエージェントとの現実的な付き合い方 〜Cursor安定択説と、ツールに依存しない「資産」〜
Avatar for empitsu empitsu
4
1.3k
CDKで始めるTypeScript開発のススメ
Avatar for つくぼし tsukuboshi
1
370
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
1k
AI駆動開発を事業のコアに置く
Avatar for 鬼澤輔 tasukuonizawa
1
130
SREじゃなかった僕らがenablingを通じて「SRE実践者」になるまでのリアル / SRE Kaigi 2026
Avatar for AEON aeonpeople
6
2.2k
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
Avatar for SansanTech sansantech
PRO
3
2.3k

Featured

See All Featured
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
Avatar for Andy Polaine apolaine
0
170
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
5
880
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1371
200k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
133
19k
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
62k
Groundhog Day: Seeking Process in Gaming for Health
Avatar for Sebastian Deterding codingconduct
0
92
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.1k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
430
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
380
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
3.9k

Transcript

  1. 2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇

  2. # whoami - LJP / LJP-TW - Pwn / Rev

    - NTUST / NCTU / NYCU - 10sec CTF Team 1

  3. Outline - TLS 2

  4. TLS 3

  5. TLS - TLS 全名 Thread-Local Storage - Linux x64 使用

    fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4

  6. TLS - fs 為 Segment Register - 計算方式 reg:offset =

    ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5

  7. TLS - GDB 也是 Process, fs = 0 是指 GDB

    自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

  8. TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -

    https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7

  9. TLS Demo 8