Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
学内Pwn勉強会
Search
m412u
February 25, 2019
Programming
4
4.2k
学内Pwn勉強会
学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.
m412u
February 25, 2019
Tweet
Share
More Decks by m412u
See All by m412u
slide.pdf
m412u
5
2.6k
Pwn勉強会
m412u
8
11k
Other Decks in Programming
See All in Programming
PHPはいつから死んでいるかの調査
chiroruxx
1
390
Hanami and htmx
bkuhlmann
0
210
Goのエラースタックトレースの歴史と今後
sonatard
7
1.1k
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
900
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
120
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
ゆるい個人開発のススメ
kuroppe1819
10
990
Git Rebase
bkuhlmann
11
1.6k
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
130
Featured
See All Featured
4 Signs Your Business is Dying
shpigford
175
21k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Happy Clients
brianwarren
92
6.4k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Building a Modern Day E-commerce SEO Strategy
aleyda
17
6.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
The Cost Of JavaScript in 2023
addyosmani
16
3.8k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Debugging Ruby Performance
tmm1
70
11k
Making Projects Easy
brettharned
108
5.5k
Transcript
Pwn @ Gm S944y
• &,$.1 )/ 2 • '#&,-%" * +3
• (0x86 ! 2
• • • ! •
• • ROP 3
4
5 " ! #CPU
# !42 • $ * .'& • text +:509 •
data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧
7 text data bss heap ⇩ stack ⇧
0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip
• 9" • eax, ecx, edx, ebx, esi, edi
032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8
9
30 • ".4 • 6$&'*7 30/ • 5
#!2. -(%) # ,81+ " etc… 10 ≒
• 11 PUSH POP
&% !( • ' # &%
$" !( 12 main main main func
13
• main A 14 void
A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }
• A 15
int main(void) { int a, b; … A(a, b); … return 0; }
• 1. A
2. 16 int main(void) { int a, b; … A(a, b); … return 0; }
•
1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$ • $ ! # "
1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$, & • $A !( eip '- • ".+*)
19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$
• A !
20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b
! 1. 2. 3.
eip 21 2.3 call"
" ' • "A "A $
22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"
# • A • ret "
! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b
ret !# 24 ret = pop eip "
eip
• eip 25
eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
• main 26 eip int a int
b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
(,;# 27 1. (,B +,8 2. call 7? (,B ;
"!8 3. (,B ; :5 /> 1. (,A ebp 94= 2. (,B %3.* & :5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)
28
BOF ,+! & 29 void vuln(void) { char buf[4]; …
gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%
vuln !(" • '& % 30 char buf[4] $)ebp
int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 31 char buf[4]
$ ebp int a int b AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 32 A A
A A $ ebp int a int b AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
• gets(buf) 33 A A A
A A A A A int a int b AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
vuln • 34 A A A A A A
A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }
vuln • leave 35 A A A
A int a int b
ret • eip pop
36 eip A A A A int a int b
ret! • eip pop •
ASCII → A 16 0x41 37 int a int b 0x41414141 eip
ret15 .&4 38 0x41414141 eip • 0x41414141
152- !" • 2- #% +' (.&0/* • ,$)3
39
• 40
A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b
l 1. 2.
3. eip 41
l 1. 2.
3. eip 42 OK
l 1. 2.
3. eip 43 OK OK
44 A A A
A A A A A eip
l 1. 2.
3. eip 45 OK OK OK
BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *)
'2 • A?( 90;.@' '2<81 • @'-3:65 46
ROP 47
ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F
A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)
B2)2>& • )2*>& 5 9,+/ • B2)2> •
7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49
gadget • ret;! •
50
pop × N ; ret; • • pop
ret 51
52
gadget • gadget 53 A
A A A A A A A A A A A A A A A A A A 0x08048355 A
gadget 54 A A A A A A
A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • (leave!) 55
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 56
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 57
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 58
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 59 0x08048355 A
0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 60
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 61
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • gadget 62
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • pop 63
0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp
gadget • ret 64
0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp
gadget • eip pop
65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp
66 A gadget A
B gadget B B pop ebx ret pop eax pop ecx ret
ROP '# • pop × N; ret; * gadget &#
• !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67
1/*0 • ! $ • '#$*0.(+ • 23)+ •
&. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68