Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pwn勉強会

A880681173976dd5d89c44956c170083?s=47 m412u
November 27, 2018
Programming
8
7.4k

 Pwn勉強会

・学内で開催したPwn入門勉強会で使用したスライドです。

A880681173976dd5d89c44956c170083?s=128

m412u

November 27, 2018
Tweet

More Decks by m412u

See All by m412u
A880681173976dd5d89c44956c170083?s=48 m412u
5
2.3k
A880681173976dd5d89c44956c170083?s=48 m412u
3
2.9k

Other Decks in Programming

See All in Programming
9f2edd3fb2cc8feb20221138ca91d9fc?s=48 kuriko
0
270
C400a6dc29b681f0284fd33c468e396e?s=48 shimotaroo
0
120
A56269ca269966f71293d08b32ad53b3?s=48 utaani
0
130
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
4
420
91b03a57e0ef56fee59fbddc66a7f6fd?s=48 takasehideki
0
150
Cf337591106e061c317b6e103c80e961?s=48 brn
0
140
640727b1a8120669de9b6d7f1d469893?s=48 ch6noota
0
260
4bcb32bcb73d1ead993a6ad55b189e9e?s=48 rluisr
1
120
D1c03114361714e1175dae60d115d19c?s=48 ryotori1024
0
210
E10ba38646a905c8cd2c893c84d5c520?s=48 suzushin54
0
270
922f51d458d6ffee8578b9d3ab0a52b6?s=48 ug
1
180
35e08efcf39d692f540047fb756eb4e3?s=48 konifar
0
1.9k

Featured

See All Featured
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
19
2.6k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
228
9.1k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
210
20k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
240k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
21
5.2k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
3.9k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
106
12k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
336
17k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
56
4.1k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.3k
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
61
7.4k
245cee81a9c424266e5e401d844ea881?s=48 lara
27
3.6k

Transcript

  1.   

  2.  • 2 2 2 •

  3.  • P • 1 1 3 • • F

    C 3 E C T

  4.  • ( ) ) 4 • 4 )

  5.     

  6.   6 . .

  7.   . . 7

  8.   8 . .

  9.   9 .

  10.   0 . 1 0

  11.   • fi 2 n g l l h

    b3a 1 • ( ./. h 2 • ) • a

  12.    • bCFE • iah • T h

    • ce L • • • iaf • /0 S ) ( 8 0 2 81 1 . 2 1:

  13.  • 8 • 3 1 6 •

  14.    4 1

  15.  • PU U C U • ( () •

    1 PU U • • C C 5

  16.  6 1

  17.  • s p C • e • c 36

    36 ( 2.7 207 217 2 7 254 2 4 253 213 a 9 i8d b 7) P U 4

  18. ) ( • CDE • ) • ) S •

    )( G E P • ) D • ) G Eeb eb • )( G Eeb eb • ) X DEFBI L D • ) X DEFBI L D • A E • ) 8 D • ) CDE • ) i ) 134 1 42

  19.  • 8 57 • 4 1 32 Ø 06

    57 • 9 • Ø 06 57 • 9 •

  20.    • 2 0 • 2

  21.   • 21 • mov eax, 0x0 mov DWORD

    PTR [ebp-0x10], eax

  22. ( ) • A • 2 A cmp eax, 0x1

    cmp DWORD PTR [ebp-0x10], eax

  23. ) ( • 3 C 3 2 • jmp 0x08048574

    je 0x08048574

  24. ( , ) • ))) 4 • ))) 2 4

    2 2 ( call printf@plt ret

  25. , ( ) , •  •   add

    eax, edx sub eax, edx

  26. (( ) •       lea

    ecx, [esp+0x4] lea eax, [ebp-0x18]

  27. ( () ( • s • n O P e

    • \ • O N 7 d s 7 7 2 • l 79 20 •

  28. ( ) • c b 2 • 82 • •

    a • a • b c • a

  29.  • B : • B P 9 • 12

    12 2 • I SL 9 : O • B FH : : EH • B FH : U: EH

  30.    

  31.      

  32.     

  33.        

  34.      

  35.      

  36.        

  37.     

  38.        

  39.      

  40.      

  41.       

  42.     

  43.     

  44.      

  45.    

  46.   •      

  47.    • U 4 • 1 C 7

    4 • I • +

  48.   • ) 2 .8 (( 4 2 1

    3 ) $ git clone https://github.com/m412u/pwn_study.git $ cd pwn_study/sample

  49.  • 9) 4 ( •

  50.     •   •  

    $ objdump –d –M intel func

  51. ) ( : 5 : 5 : 1

  52.  • 2 • 1 • $ gdb –q ./func

    d g b 5

  53.      • 3 52 2 2

    • 2 3 52 gdb-peda$ break *0x08048535 or gdb-peda$ b *0x08048535

  54.   gdb-peda$ run or gdb-peda$ r

  55.  1 . 2 53 .

  56.     • 6 1 •  •

    6 1 • 5 gdb-peda$ nexti or gdb-peda$ ni gdb-peda$ stepi or gdb-peda$ si

  57. + mov edx, DWORD PTR [ebp-0x14] 5 3 704 704

  58. + mov eax, DWORD PTR [ebp-0x18] 0 3 4

  59. + sub esp, 0x8 4 3 0 5

  60. + push edx 423 0 56

  61. + 2 2 2 2 2 2 push eax 534

    10 6 6

  62. + 2 2 2 333 2 2 211110 211110 call

    0x080484bb <add> AB AB D 4 8 4 8 5C6

  63. 22220 888 22220 22220 push ebp EI EI 4653 B

    D AC 1 4

  64. 22220 22220 22220 mov ebp, esp CD CD 346 8B

    A E 1 5

  65. 55553 (0 )0 0 0 ) 55553 55553 ) sub

    esp, 0x10 I I P A8 C 426 AB 133 AB D 8E

  66. 22220 22220 22220 mov edx, DWORD PTR [ebp+0x8] CD CD

    8B A E 1 5 346

  67. 833331 8 8 8 8 8 833331 833331 mov eax,

    DWORD PTR [ebp+0xc] DE DE A C B 206 I457

  68. + 533331 5 5 5 5 5 533331 533331 add

    eax, edx AB AB E 11 6 CD 8204

  69. 8 833331 8 8 8 8 8 833331 833331 mov

    DWORD PTR [ebp-0x4], eax DE DE A 9C B 206 I45

  70. 7 722220 7 7 7 7 7 722220 722220 mov

    eax, DWORD PTR [ebp-0x4] CD CD 8B A E 1 5 34

  71. + 4 422220 4 4 4 4 4 422220 422220

    leave = D mov esp, ebp E pop ebp A A D 5 BC 871 3

  72. + 7 744442 7 7 7 888 7 7 744442

    744442 1 leave = mov esp, ebp pop ebp P P E IC D S A 30 5 S 30 B 22 B

  73. 44442 44442 44442 1 ret I X E 308 I

    A A IB P I C 57S B D

  74. + 2 2 2 555 2 2 211110 211110 add

    esp, 0x10 I C E 3 X7A 00P 8S 4 8 E DB

  75.   gdb-peda$ quit or gdb-peda$ q