Binary Exploitation - Basic Supplement (補充篇)
LJP-TW
May 26, 2021
Technology
2021/05/26 NTUST Information Security Club meeting
Livestream recording:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
Transcript
Cover: 2021/5/26 NTUSTISC Binary Exploitation aka Pwn - Basic Supplement

Slide 1: # whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Slide 2: Outline
- TLS

Slide 3: TLS

Slide 4: TLS
- TLS stands for Thread-Local Storage
- On Linux x64, the fs register holds the address of the TLS
- The stack canary is stored in the TLS

Slide 5: TLS
- fs is a segment register
- Addressing: reg:offset = ref + offset
- Then you try to check what fs equals in gdb, and find fs = 0
- So is the canary really fetched from [0+0x28]??

Slide 6: TLS
- GDB is also a process; fs = 0 refers to GDB's own fs
- So how do we get the fs of the process being observed?
- Call arch_prctl
Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13

Slide 7: TLS
- Pwngdb implements a feature to obtain the TLS
- Reading how it is implemented, it turns out to do exactly the same thing
- https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77

Slide 8: TLS Demo
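The following program is an added example, not the demo from the deck or from Pwngdb. It shows in one process what slides 4 to 7 describe: the value a register dump labels "fs" is only the 16-bit selector, the TLS base must be asked from the kernel with arch_prctl(ARCH_GET_FS), and the canary the compiler's prologue reads as fs:0x28 is the same word found at base + 0x28. It assumes Linux on x86-64 with glibc or musl (both place the stack guard at TCB offset 0x28); the ARCH_GET_FS fallback value 0x1003 and the explicit syscall() prototype are there only so it builds without kernel headers.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* ARCH_GET_FS normally comes from <asm/prctl.h>; the Linux value is
 * hard-coded as a fallback so the example builds without kernel headers. */
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003
#endif

/* Explicit prototype for the libc syscall() wrapper (same as glibc/musl declare). */
long syscall(long number, ...);

/* Offset of the stack guard inside the x86-64 TCB (glibc tcbhead_t.stack_guard,
 * the same slot in musl). gcc's -fstack-protector prologue reads fs:0x28. */
#define STACK_GUARD_OFFSET 0x28

/* The 16-bit fs selector: this is what a plain register dump labels "fs".
 * For a normal 64-bit Linux process it is 0; the base is held separately. */
uint16_t fs_selector(void)
{
    uint16_t sel;
    __asm__ volatile("mov %%fs, %0" : "=r"(sel));
    return sel;
}

/* The fs base, obtained the way the slides suggest: ask the kernel via
 * arch_prctl(ARCH_GET_FS). Returns 0 if the call fails. */
uintptr_t fs_base_via_arch_prctl(void)
{
    uintptr_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* Read the canary through the segment, exactly as the compiler prologue does. */
uintptr_t canary_via_fs_segment(void)
{
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
    return v;
}

/* Read the canary through a flat pointer: [fs_base + 0x28]. */
uintptr_t canary_via_flat_pointer(void)
{
    uintptr_t base = fs_base_via_arch_prctl();
    if (base == 0)
        return 0;
    return *(volatile uintptr_t *)(base + STACK_GUARD_OFFSET);
}

/* 1 if both readings are non-zero and identical, i.e. fs:0x28 == [base + 0x28]. */
int canary_readings_agree(void)
{
    uintptr_t a = canary_via_fs_segment();
    uintptr_t b = canary_via_flat_pointer();
    return a != 0 && a == b;
}

/* 1 if the least significant byte of the canary is zero. Both glibc and musl
 * clear it on 64-bit so that string functions stop before copying the rest. */
int canary_low_byte_is_zero(void)
{
    return (canary_via_fs_segment() & 0xff) == 0;
}

int main(void)
{
    printf("fs selector          : 0x%x\n", fs_selector());
    printf("fs base (arch_prctl) : 0x%lx\n", (unsigned long)fs_base_via_arch_prctl());
    printf("canary via fs:0x28   : 0x%016lx\n", (unsigned long)canary_via_fs_segment());
    printf("canary via base+0x28 : 0x%016lx\n", (unsigned long)canary_via_flat_pointer());
    printf("readings agree: %d, low byte zero: %d\n",
           canary_readings_agree(), canary_low_byte_is_zero());
    return canary_readings_agree() ? 0 : 1;
}
```

Build with `gcc -O0 tls_canary.c -o tls_canary` and run it under gdb to reproduce the slides: `info registers fs` prints the selector (0), while the base printed by the program is what a debugger plugin has to recover with arch_prctl. Newer gdb versions also expose that base directly as `$fs_base`, which is a quick cross-check against the program's output.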