Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
学内Pwn勉強会
Search
m412u
February 25, 2019
Programming
4
4.7k
学内Pwn勉強会
学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.
m412u
February 25, 2019
Tweet
Share
More Decks by m412u
See All by m412u
slide.pdf
m412u
5
2.7k
Pwn勉強会
m412u
8
11k
Other Decks in Programming
See All in Programming
Pulsar2 を雰囲気で使ってみよう
anoken
0
230
Honoをフロントエンドで使う 3つのやり方
yusukebe
4
2.1k
データの整合性を保つ非同期処理アーキテクチャパターン / Async Architecture Patterns
mokuo
41
15k
Lottieアニメーションをカスタマイズしてみた
tahia910
0
120
『品質』という言葉が嫌いな理由
korimu
0
160
密集、ドキュメントのコロケーション with AWS Lambda
satoshi256kbyte
0
170
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
670
Amazon Q Developer Proで効率化するAPI開発入門
seike460
PRO
0
110
SwiftUI Viewの責務分離
elmetal
PRO
0
140
なぜイベント駆動が必要なのか - CQRS/ESで解く複雑系システムの課題 -
j5ik2o
7
2.5k
Grafana Loki によるサーバログのコスト削減
mot_techtalk
1
110
Amazon ECS とマイクロサービスから考えるシステム構成
hiyanger
2
490
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.5k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Visualization
eitanlees
146
15k
Practical Orchestrator
shlominoach
186
10k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Optimizing for Happiness
mojombo
376
70k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Designing for Performance
lara
604
68k
Gamification - CAS2011
davidbonilla
80
5.1k
Measuring & Analyzing Core Web Vitals
bluesmoon
6
240
Transcript
Pwn @ Gm S944y
• &,$.1 )/ 2 • '#&,-%" * +3
• (0x86 ! 2
• • • ! •
• • ROP 3
4
5 " ! #CPU
# !42 • $ * .'& • text +:509 •
data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧
7 text data bss heap ⇩ stack ⇧
0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip
• 9" • eax, ecx, edx, ebx, esi, edi
032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8
9
30 • ".4 • 6$&'*7 30/ • 5
#!2. -(%) # ,81+ " etc… 10 ≒
• 11 PUSH POP
&% !( • ' # &%
$" !( 12 main main main func
13
• main A 14 void
A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }
• A 15
int main(void) { int a, b; … A(a, b); … return 0; }
• 1. A
2. 16 int main(void) { int a, b; … A(a, b); … return 0; }
•
1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$ • $ ! # "
1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$, & • $A !( eip '- • ".+*)
19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$
• A !
20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b
! 1. 2. 3.
eip 21 2.3 call"
" ' • "A "A $
22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"
# • A • ret "
! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b
ret !# 24 ret = pop eip "
eip
• eip 25
eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
• main 26 eip int a int
b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
(,;# 27 1. (,B +,8 2. call 7? (,B ;
"!8 3. (,B ; :5 /> 1. (,A ebp 94= 2. (,B %3.* & :5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)
28
BOF ,+! & 29 void vuln(void) { char buf[4]; …
gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%
vuln !(" • '& % 30 char buf[4] $)ebp
int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 31 char buf[4]
$ ebp int a int b AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 32 A A
A A $ ebp int a int b AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
• gets(buf) 33 A A A
A A A A A int a int b AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
vuln • 34 A A A A A A
A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }
vuln • leave 35 A A A
A int a int b
ret • eip pop
36 eip A A A A int a int b
ret! • eip pop •
ASCII → A 16 0x41 37 int a int b 0x41414141 eip
ret15 .&4 38 0x41414141 eip • 0x41414141
152- !" • 2- #% +' (.&0/* • ,$)3
39
• 40
A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b
l 1. 2.
3. eip 41
l 1. 2.
3. eip 42 OK
l 1. 2.
3. eip 43 OK OK
44 A A A
A A A A A eip
l 1. 2.
3. eip 45 OK OK OK
BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *)
'2 • A?( 90;.@' '2<81 • @'-3:65 46
ROP 47
ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F
A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)
B2)2>& • )2*>& 5 9,+/ • B2)2> •
7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49
gadget • ret;! •
50
pop × N ; ret; • • pop
ret 51
52
gadget • gadget 53 A
A A A A A A A A A A A A A A A A A A 0x08048355 A
gadget 54 A A A A A A
A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • (leave!) 55
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 56
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 57
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 58
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 59 0x08048355 A
0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 60
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 61
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • gadget 62
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • pop 63
0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp
gadget • ret 64
0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp
gadget • eip pop
65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp
66 A gadget A
B gadget B B pop ebx ret pop eax pop ecx ret
ROP '# • pop × N; ret; * gadget &#
• !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67
1/*0 • ! $ • '#$*0.(+ • 23)+ •
&. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68