Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
39
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.2k
Reverse Engineering - 2
ljptw
0
540
Reverse Engineering - 3
ljptw
0
450
Re:0 從零開始的逆向工程
ljptw
1
750
Linux 極入門篇
ljptw
1
270
Fuzzing 101
ljptw
1
150
Binary Exploitation - File Structure
ljptw
1
250
Binary Exploitation - Heap
ljptw
1
120
Binary Exploitation - Basic
ljptw
1
94
Other Decks in Technology
See All in Technology
Lambdaと地方とコミュニティ
miu_crescent
2
370
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
250
Lexical Analysis
shigashiyama
1
150
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
990
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
380
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
いざ、BSC討伐の旅
nikinusu
2
780
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
620
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
強いチームと開発生産性
onk
PRO
34
11k
Featured
See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Automating Front-end Workflow
addyosmani
1366
200k
A designer walks into a library…
pauljervisheath
204
24k
How GitHub (no longer) Works
holman
310
140k
Practical Orchestrator
shlominoach
186
10k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Faster Mobile Websites
deanohume
305
30k
Designing for humans not robots
tammielis
250
25k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
miu_crescent
tsumita
shigashiyama
nobutomurata
hiyanger
tacck
kamina_zzz
nikinusu
kakehashi
10xinc
.jpeg){kind=avatar}
arthur1
onk
jlugia
addyosmani
pauljervisheath
holman
shlominoach
eileencodes
deanohume
tammielis
csswizardry
dougneiner
rocio
bluesmoon
