$30 off During Our Annual Pro Sale. View Details »

学内Pwn勉強会

m412u
February 25, 2019
Programming
3
3.5k

 学内Pwn勉強会

学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.

m412u

February 25, 2019
Tweet

More Decks by m412u

See All by m412u
slide.pdf
m412u
5
2.4k
Pwn勉強会
m412u
8
8.5k

Other Decks in Programming

See All in Programming
Modern Web Apps with Spring Boot & Angular
toedter
13
15k
WebAssembly for the Backend
adriancole
0
160
Angular Architecture Workshop: Modulith to Micro Frontends
manfredsteyer
PRO
0
150
Licences open source : entre guerre de clochers et radicalité
pylapp
2
670
redux使うのやめました
hirasa
1
150
オブザーバビリティを高めよう
yuhta28
2
160
GISとDjango GEOS APIの話
mierune
0
320
JavaScript Testing Framework: Under the Hood(JSConfJP2022)
yoshiaki_togami
0
2.3k
Being On Call Does Not Have to Suck.
charity
0
570
Micro Frontends with Module Federation: Beyond the Basics
manfredsteyer
PRO
0
310
Symfony & Hotwire: an efficient combo to quickly develop complex applications
florentdestremau
0
110
클라우드 시대에 맞는 사이트 신뢰성 엔지니어
outsider
0
620

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
37
3.5k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
109
16k
How GitHub Uses GitHub to Build GitHub
holman
465
280k
For a Future-Friendly Web
brad_frost
166
7.7k
Building a Scalable Design System with Sketch
lauravandoore
451
30k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
Become a Pro
speakerdeck
PRO
3
3.1k
Side Projects
sachag
451
37k
Statistics for Hackers
jakevdp
782
210k
Code Review Best Practice
trishagee
48
11k
The Cult of Friendly URLs
andyhume
68
5k

Transcript

  1.  Pwn  @ Gm S944y

  2.  • &,$.1 )/ 2 • '#&,-%" * +3 

     • (0x86 ! 2

  3.  •   •   • ! •

       •   • ROP 3

  4.  4

  5.   5    "  ! #CPU

      

  6. # !42 • $ * .'& • text +:509 •

    data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- •   6  text data bss heap ⇩ stack ⇧

  7.   7 text data bss heap ⇩ stack ⇧

    0x0 0 x f f f f f f f f     ebp eflags edi eax esi ebx edx ecx esp eip  

  8.  • 9" • eax, ecx, edx, ebx, esi, edi

    032* • 1)$"   • +8 • esp #,  / )4 • ebp #,  /5 )4 • eip '!   • eflag .72* %()4 (-&6$" ) 8

  9.   9

  10. 30 • ".4  • 6$&'*7 30/  • 5

    #!2. -(%) # ,81+ " etc… 10 ≒  

  11.  •     11 PUSH POP

  12. &% !( •  '  #  &% 

    $" !(  12  main     main     main   func   

  13.  13

  14.   • main  A   14 void

    A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

  15.   • A   15   

     int main(void) { int a, b; … A(a, b); … return 0; }

  16.   •      1. A

     2.   16   int main(void) { int a, b; … A(a, b); … return 0; }

  17.    •      

    1. A  17 int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  18.  $   • $  ! # "

    1. A  2.  18  int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  19. $, & • $A !( eip '-  • ".+*)

      19 eip    0x00000100 $A ".+ 0x00000104   0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b    int a int b   %#$ %#$

  20.     • A    !

    20 0x00000100 eip    0x00000100 A " 0x00000104   0x00000200 main " 0x00000204 0x00000208 0x0000020b    int a int b    

  21. !  1.   2.    3.

      eip  21  2.3 call" 

  22. " '  • "A  "A $  

    22 0x00000104 eip int z &( ebp  int a int b      0x00000100 "A !)% 0x00000104   0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b   #"

  23.  # • A  • ret "  

    ! 23 eip  int a int b      0x00000100 A $ 0x00000104   0x00000200 main $ 0x00000204 0x00000208 0x0000020b  

  24. ret !# 24 ret = pop eip   "

    eip      

  25.  •     eip   25

    eip  int a int b      0x00000100 A  0x00000104   0x00000200 main  0x00000204 0x00000208 0x0000020b  

  26.  • main  26  eip int a int

    b       0x00000100 A   0x00000104   0x00000200 main    0x00000204 0x00000208 0x0000020b  

  27. (,;# 27 1. (,B +,8 2. call 7? (,B ;

     "!8 3. (,B ; :5 />  1. (,A  ebp 94=  2. (,B %3.* & :5  3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6<  (,A 0) (,B 0)

  28.  28

  29. BOF ,+! & 29 void vuln(void) { char buf[4]; …

    gets(buf); … } • main"vuln")  • ($*# •    4 • BOF ,+!'%

  30. vuln !(" • '& %  30 char buf[4] $)ebp

     int a int b   #! void vuln(void) { char buf[4]; … gets(buf); … } 

  31. !%  • gets(buf) " ! # 31 char buf[4]

    $ ebp  int a int b    AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  32. !%  • gets(buf) " ! # 32 A A

    A A $ ebp  int a int b    AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  33.   • gets(buf)   33 A A A

    A A A A A  int a int b     AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }   

  34. vuln •  34 A A A A A A

    A A A A A A int a int b     void vuln(void) { char buf[4]; … gets(buf); … }   

  35. vuln • leave    35 A A A

    A int a int b     

  36. ret  •   eip  pop  

    36 eip A A A A int a int b    

  37. ret!   •   eip pop  •

    ASCII → A 16 0x41 37 int a int b   0x41414141 eip

  38. ret15 .&4  38 0x41414141 eip   • 0x41414141

    152-  !" • 2- #% +' (.&0/* • ,$)3 

  39.   39

  40.   •       40

     A A A A A A A A int a int b    A A A A A A A A         char buf[4] ebp    int a int b  

  41.   l   1.    2.

         3.   eip   41

  42.   l   1.    2.

         3.   eip   42 OK

  43.   l   1.    2.

         3.   eip   43 OK OK

  44. 44       A A A

    A A A A A                eip

  45.   l   1.    2.

         3.   eip   45 OK OK OK

  46. BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *) 

     '2 • A?( 90;.@'  '2<81  •  @'-3:65 46

  47. ROP 47

  48. ROP  • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F

    A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2  !  48 Meltdown and Spectre (https://meltdownattack.com/)

  49. B2)2>& • )2*>&  5 9,+/  • B2)2> •

    7)2>6.40 • '>& )212  !< • "%$#(?3-C:;A@ =8  49

  50. gadget •   ret;!   •  

         50

  51. pop × N ; ret; •   • pop

      ret   51

  52.   52

  53. gadget  •  gadget   53  A

    A A A A A A A A     A    A A A A A A A A A  0x08048355 A    

  54. gadget  54  A A A A A A

    A A A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  55. gadget   •    (leave!) 55 

    A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  56. gadget  • ret (pop eip)    56

     A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  57. gadget  • ret (pop eip)    57

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  58. gadget   • A    58 

    0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  59. gadget  • A   59  0x08048355 A

        0x08048355: pop ebx 0x08048356: ret    A eip esp

  60. gadget  • ret (pop eip)    60

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  61. gadget  • ret (pop eip)    61

     A    0x08048355: pop ebx 0x08048356: ret    0x08048355 eip esp

  62. gadget   • gadget    62 

    A    0x08048355: pop ebx 0x08048356: ret  0x08048355 eip esp

  63. gadget  •   pop   63 

       0x08048355: pop ebx 0x08048356: ret  0x08048355 eip A ebx esp

  64. gadget  •   ret   64 

       0x08048355: pop ebx 0x08048356: ret  0x08048356 eip esp

  65. gadget  •   eip  pop  

    65     0x08048355: pop ebx 0x08048356: ret  0xdeadbeef eip esp

  66.    66  A  gadget  A

     B  gadget  B  B    pop ebx ret   pop eax pop ecx ret 

  67. ROP '# • pop × N; ret; * gadget &#

     •  !) (%  • Return-oriented Programming (ROP) DEP",  • ROP $+ • ROP Emporium 67

  68. 1/*0 • !  $ • '#$*0.(+ • 23)+ •

    &.  #,x86   •  " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68