
学内Pwn勉強会

m412u
February 25, 2019

 学内Pwn勉強会

学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.

m412u

February 25, 2019



Transcript

  1. Pwn
    @
    Gm
    S944y



  2. • &,$.1)/ 2
    • '#&,-%"
    *+3
    • (0x86 !
    2






  3. • !




    • ROP
    3


  4. # !42
    • $ *
    .'&
    • text +:509
    • data /,83-
    • bss /,83-
    • heap )% 1( 76
    • stack #"3-


    6

    text
    data
    bss
    heap ⇩
    stack ⇧




  5. 7
    text
    data
    bss
    heap ⇩
    stack ⇧
    0x0
    0 x f f f f f f f f


    ebp
    eflags
    edi
    eax esi
    ebx
    edx
    ecx esp
    eip




  6. • 9"
    • eax, ecx, edx, ebx, esi, edi 032*
    • 1)$"

    • +8
    • esp #, / )4
    • ebp #, /5 )4
    • eip '!

    • eflag .72* %()4 (-&6$" )
    8


  7. 30
    • ".4
    • 6$&'*7 30/

    • 5 #!2.
    -(%)
    # ,81+ " etc…
    10






  8. 11
    PUSH POP


  9. &%!(
    • '
    # &%
    $"!(

    12

    main



    main



    main

    func




  10. • mainA

    14
    /* Callee of the slides' frame walk-through: x and y are the two
       arguments main passes, z is the single local whose stack slot the
       diagrams draw.  The body is intentionally empty; the casts only
       silence unused-parameter warnings and generate no code. */
    void A(int x, int y) {
        int z;
        (void)x;
        (void)y;
    }
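    /* Caller side of the slides' walk-through.  a and b are the two
       arguments handed to A; they are initialised because passing an
       indeterminate automatic int by value is undefined behaviour in C. */
    int main(void) {
        int a = 0, b = 0;
        A(a, b);
        return 0;
    }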



  11. • A
    15




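    /* Caller side of the slides' walk-through.  a and b are the two
       arguments handed to A; they are initialised because passing an
       indeterminate automatic int by value is undefined behaviour in C. */
    int main(void) {
        int a = 0, b = 0;
        A(a, b);
        return 0;
    }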





  12. 1. A
    2.
    16


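    /* Caller side of the slides' walk-through.  a and b are the two
       arguments handed to A; they are initialised because passing an
       indeterminate automatic int by value is undefined behaviour in C. */
    int main(void) {
        int a = 0, b = 0;
        A(a, b);
        return 0;
    }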






  13. 1. A
    17
    int a
    int b




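    /* Caller side of the slides' walk-through.  a and b are the two
       arguments handed to A; they are initialised because passing an
       indeterminate automatic int by value is undefined behaviour in C. */
    int main(void) {
        int a = 0, b = 0;
        A(a, b);
        return 0;
    }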


  14. $
    • $ !
    #"
    1. A
    2.
    18

    int a
    int b




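    /* Caller side of the slides' walk-through.  a and b are the two
       arguments handed to A; they are initialised because passing an
       indeterminate automatic int by value is undefined behaviour in C. */
    int main(void) {
        int a = 0, b = 0;
        A(a, b);
        return 0;
    }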


  15. $,&
    • $A !( eip '-
    • ".+*)

    19
    eip


    0x00000100 $A
    ".+
    0x00000104

    0x00000200
    main $
    ".+
    0x00000204
    0x00000208
    0x0000020b


    int a
    int b


    %#$
    %#$



  16. • A
    !
    20
    0x00000100
    eip


    0x00000100 A
    "
    0x00000104

    0x00000200
    main
    "
    0x00000204
    0x00000208
    0x0000020b


    int a
    int b





  17. !

    1.
    2.

    3. eip
    21
    2.3 call"


  18. "
    '
    • "A
    "A
    $
    22
    0x00000104
    eip
    int z
    &( ebp

    int a
    int b




    0x00000100 "A

    !)%
    0x00000104

    0x00000200
    main"

    !)%
    0x00000204
    0x00000208
    0x0000020b

    #"



  19. #
    • A

    • ret "
    !
    23
    eip

    int a
    int b




    0x00000100 A

    $
    0x00000104

    0x00000200
    main

    $
    0x00000204
    0x00000208
    0x0000020b


  20. ret !#
    24
    ret = pop eip
    " eip




  21. • eip

    25
    eip

    int a
    int b




    0x00000100 A

    0x00000104

    0x00000200
    main

    0x00000204
    0x00000208
    0x0000020b



  22. • main
    26

    eip int a
    int b




    0x00000100 A


    0x00000104

    0x00000200
    main


    0x00000204
    0x00000208
    0x0000020b


  23. (,;#
    27
    1. (,B +,8
    2. call 7? (,B ; "!8
    3. (,B ;:5/>

    1. (,A ebp 94=

    2. (,B %3.* &:5
    3. (,B %30)$
    4. leave 7? (,B ;#'126-
    5. ret 7? (,A 0)6<

    (,A 0)
    (,B 0)


  24. BOF ,+!&
    29
    /* Deliberately vulnerable demo used by the slides: gets() reads up to a
       newline with no length limit, so any input longer than 3 bytes plus the
       terminator runs past buf into the saved ebp and the return address that
       sit above it on the stack (the frame diagrams that follow show this).
       gets() was removed in C11; real code must use a bounded read such as
       fgets(buf, sizeof buf, stdin). */
    void vuln(void) {
    char buf[4];

    gets(buf);

    }
    • main"vuln")

    • ($*#
    • 4
    • BOF ,+!'%


  25. vuln !("
    • '& %

    30
    char buf[4]
    $)ebp

    int a
    int b


    #!
    /* Deliberately vulnerable demo used by the slides: gets() reads up to a
       newline with no length limit, so any input longer than 3 bytes plus the
       terminator runs past buf into the saved ebp and the return address that
       sit above it on the stack (the frame diagrams that follow show this).
       gets() was removed in C11; real code must use a bounded read such as
       fgets(buf, sizeof buf, stdin). */
    void vuln(void) {
    char buf[4];

    gets(buf);

    }


  26. !%
    • gets(buf) "
    !#
    31
    char buf[4]
    $ebp

    int a
    int b



    AAAAAAAAAAAA\n
    /* Deliberately vulnerable demo used by the slides: gets() reads up to a
       newline with no length limit, so any input longer than 3 bytes plus the
       terminator runs past buf into the saved ebp and the return address that
       sit above it on the stack (the frame diagrams that follow show this).
       gets() was removed in C11; real code must use a bounded read such as
       fgets(buf, sizeof buf, stdin). */
    void vuln(void) {
    char buf[4];

    gets(buf);

    }


  27. !%
    • gets(buf) "
    !#
    32
    A A A A
    $ebp

    int a
    int b



    AAAAAAAA\n
    /* Deliberately vulnerable demo used by the slides: gets() reads up to a
       newline with no length limit, so any input longer than 3 bytes plus the
       terminator runs past buf into the saved ebp and the return address that
       sit above it on the stack (the frame diagrams that follow show this).
       gets() was removed in C11; real code must use a bounded read such as
       fgets(buf, sizeof buf, stdin). */
    void vuln(void) {
    char buf[4];

    gets(buf);

    }



  28. • gets(buf)
    33
    A A A A
    A A A A

    int a
    int b



    AAAA\n
    /* Deliberately vulnerable demo used by the slides: gets() reads up to a
       newline with no length limit, so any input longer than 3 bytes plus the
       terminator runs past buf into the saved ebp and the return address that
       sit above it on the stack (the frame diagrams that follow show this).
       gets() was removed in C11; real code must use a bounded read such as
       fgets(buf, sizeof buf, stdin). */
    void vuln(void) {
    char buf[4];

    gets(buf);

    }



  29. vuln

    34
    A A A A
    A A A A
    A A A A
    int a
    int b




    /* Deliberately vulnerable demo used by the slides: gets() reads up to a
       newline with no length limit, so any input longer than 3 bytes plus the
       terminator runs past buf into the saved ebp and the return address that
       sit above it on the stack (the frame diagrams that follow show this).
       gets() was removed in C11; real code must use a bounded read such as
       fgets(buf, sizeof buf, stdin). */
    void vuln(void) {
    char buf[4];

    gets(buf);

    }


  30. vuln
    • leave
    35
    A A A A
    int a
    int b





  31. ret


    eip pop
    36
    eip A A A A
    int a
    int b




  32. ret!
    • eip pop
    • ASCII

    → A 16 0x41
    37
    int a
    int b


    0x41414141
    eip


  33. ret15.&4

    38
    0x41414141
    eip


    • 0x41414141 152- !"
    • 2-
    #%
    +' (.&0/*
    • ,$)3





  34. 40

    A A A A
    A A A A
    int a
    int b



    A A A A
    A A A A






    char buf[4]
    ebp


    int a
    int b




  35. l

    1.
    2.

    3. eip
    41



  36. l

    1.
    2.

    3. eip
    42
    OK



  37. l

    1.
    2.

    3. eip
    43
    OK
    OK


  38. 44





    A A A A
    A A A A










    eip



  39. l

    1.
    2.

    3. eip
    45
    OK
    OK
    OK


  40. BOF 4/
    • BOF !"#=>-3@' 7,+=>
    • &$%"CB*)
    '2
    • A?( 90;.@' '2<81
    • @'-3:65
    46


  41. ROP

    • ROP(Return-Oriented Programming)
    • =G+#.<9'-"*(."
    • ret;>7H?@CB 6F A035
    • 2018
    /
    1
    1I:;JD8
    Spectre
    46
    • CVE-2017-5715
    • ROP

    )$,&.%
    • E2 !
    48
    Meltdown and Spectre
    (https://meltdownattack.com/)


  42. B2)2>&
    • )2*>& 59,+/

    • B2)2>
    • 7)2>6.40
    • '>& )212 !<
    • "%$#(?3-C:;A@ =8
    49


  43. gadget

    ret;!

    50


  44. pop × N ; ret;

    • pop
    ret
    51


  45. gadget
    • gadget

    53

    A A A A
    A A A A
    A


    A



    A A A A
    A A A A
    A
    0x08048355
    A





  46. gadget

    54

    A A A A
    A A A A
    A
    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    esp


  47. gadget

    • (leave!)
    55

    A
    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    esp


  48. gadget
    • ret (pop eip)

    56

    A
    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    esp


  49. gadget
    • ret (pop eip)

    57

    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    A
    eip
    esp


  50. gadget
    • A

    58

    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    A
    eip
    esp


  51. gadget

    • A
    59

    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    A
    eip
    esp


  52. gadget
    • ret (pop eip)

    60

    0x08048355
    A




    0x08048355: pop ebx
    0x08048356: ret


    A
    eip
    esp


  53. gadget
    • ret (pop eip)

    61

    A



    0x08048355: pop ebx
    0x08048356: ret


    0x08048355
    eip
    esp


  54. gadget

    • gadget
    62

    A



    0x08048355: pop ebx
    0x08048356: ret

    0x08048355
    eip
    esp


  55. gadget

    • pop
    63




    0x08048355: pop ebx
    0x08048356: ret

    0x08048355
    eip
    A
    ebx
    esp


  56. gadget


    ret

    64




    0x08048355: pop ebx
    0x08048356: ret

    0x08048356
    eip
    esp


  57. gadget
    • eip pop

    65




    0x08048355: pop ebx
    0x08048356: ret

    0xdeadbeef
    eip
    esp




  58. 66

    A

    gadget

    A
    B

    gadget

    B
    B


    pop ebx
    ret


    pop eax
    pop ecx
    ret


  59. ROP '#
    • pop × N; ret;* gadget

    • !) (%
    • Return-oriented Programming (ROP) DEP",
    • ROP $+
    • ROP Emporium
    67


  60. 1/*0
    • !$
    • '#$*0.(+
    • 23)+
    • &. #,x86
    • "
    $#$
    • katagaitai CTF5-% #2 pwnables4
    • CTF Pwn - A painter and a black cat
    68
