Upgrade to Pro — share decks privately, control downloads, hide ads and more …

学内Pwn勉強会

m412u
February 25, 2019
Programming
4
4.2k

 学内Pwn勉強会

学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.

m412u

February 25, 2019
Tweet

More Decks by m412u

See All by m412u
slide.pdf
m412u
5
2.6k
Pwn勉強会
m412u
8
11k

Other Decks in Programming

See All in Programming
PHPはいつから死んでいるかの調査
chiroruxx
1
390
Hanami and htmx
bkuhlmann
0
210
Goのエラースタックトレースの歴史と今後
sonatard
7
1.1k
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
900
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
120
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
ゆるい個人開発のススメ
kuroppe1819
10
990
Git Rebase
bkuhlmann
11
1.6k
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
130

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
175
21k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Happy Clients
brianwarren
92
6.4k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
The Cost Of JavaScript in 2023
addyosmani
16
3.8k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Debugging Ruby Performance
tmm1
70
11k
Making Projects Easy
brettharned
108
5.5k

Transcript

  1.  Pwn  @ Gm S944y

  2.  • &,$.1 )/ 2 • '#&,-%" * +3 

     • (0x86 ! 2

  3.  •   •   • ! •

       •   • ROP 3

  4.  4

  5.   5    "  ! #CPU

      

  6. # !42 • $ * .'& • text +:509 •

    data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- •   6  text data bss heap ⇩ stack ⇧

  7.   7 text data bss heap ⇩ stack ⇧

    0x0 0 x f f f f f f f f     ebp eflags edi eax esi ebx edx ecx esp eip  

  8.  • 9" • eax, ecx, edx, ebx, esi, edi

    032* • 1)$"   • +8 • esp #,  / )4 • ebp #,  /5 )4 • eip '!   • eflag .72* %()4 (-&6$" ) 8

  9.   9

  10. 30 • ".4  • 6$&'*7 30/  • 5

    #!2. -(%) # ,81+ " etc… 10 ≒  

  11.  •     11 PUSH POP

  12. &% !( •  '  #  &% 

    $" !(  12  main     main     main   func   

  13.  13

  14.   • main  A   14 void

    A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

  15.   • A   15   

     int main(void) { int a, b; … A(a, b); … return 0; }

  16.   •      1. A

     2.   16   int main(void) { int a, b; … A(a, b); … return 0; }

  17.    •      

    1. A  17 int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  18.  $   • $  ! # "

    1. A  2.  18  int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  19. $, & • $A !( eip '-  • ".+*)

      19 eip    0x00000100 $A ".+ 0x00000104   0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b    int a int b   %#$ %#$

  20.     • A    !

    20 0x00000100 eip    0x00000100 A " 0x00000104   0x00000200 main " 0x00000204 0x00000208 0x0000020b    int a int b    

  21. !  1.   2.    3.

      eip  21  2.3 call" 

  22. " '  • "A  "A $  

    22 0x00000104 eip int z &( ebp  int a int b      0x00000100 "A !)% 0x00000104   0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b   #"

  23.  # • A  • ret "  

    ! 23 eip  int a int b      0x00000100 A $ 0x00000104   0x00000200 main $ 0x00000204 0x00000208 0x0000020b  

  24. ret !# 24 ret = pop eip   "

    eip      

  25.  •     eip   25

    eip  int a int b      0x00000100 A  0x00000104   0x00000200 main  0x00000204 0x00000208 0x0000020b  

  26.  • main  26  eip int a int

    b       0x00000100 A   0x00000104   0x00000200 main    0x00000204 0x00000208 0x0000020b  

  27. (,;# 27 1. (,B +,8 2. call 7? (,B ;

     "!8 3. (,B ; :5 />  1. (,A  ebp 94=  2. (,B %3.* & :5  3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6<  (,A 0) (,B 0)

  28.  28

  29. BOF ,+! & 29 void vuln(void) { char buf[4]; …

    gets(buf); … } • main"vuln")  • ($*# •    4 • BOF ,+!'%

  30. vuln !(" • '& %  30 char buf[4] $)ebp

     int a int b   #! void vuln(void) { char buf[4]; … gets(buf); … } 

  31. !%  • gets(buf) " ! # 31 char buf[4]

    $ ebp  int a int b    AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  32. !%  • gets(buf) " ! # 32 A A

    A A $ ebp  int a int b    AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  33.   • gets(buf)   33 A A A

    A A A A A  int a int b     AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }   

  34. vuln •  34 A A A A A A

    A A A A A A int a int b     void vuln(void) { char buf[4]; … gets(buf); … }   

  35. vuln • leave    35 A A A

    A int a int b     

  36. ret  •   eip  pop  

    36 eip A A A A int a int b    

  37. ret!   •   eip pop  •

    ASCII → A 16 0x41 37 int a int b   0x41414141 eip

  38. ret15 .&4  38 0x41414141 eip   • 0x41414141

    152-  !" • 2- #% +' (.&0/* • ,$)3 

  39.   39

  40.   •       40

     A A A A A A A A int a int b    A A A A A A A A         char buf[4] ebp    int a int b  

  41.   l   1.    2.

         3.   eip   41

  42.   l   1.    2.

         3.   eip   42 OK

  43.   l   1.    2.

         3.   eip   43 OK OK

  44. 44       A A A

    A A A A A                eip

  45.   l   1.    2.

         3.   eip   45 OK OK OK

  46. BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *) 

     '2 • A?( 90;.@'  '2<81  •  @'-3:65 46

  47. ROP 47

  48. ROP  • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F

    A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2  !  48 Meltdown and Spectre (https://meltdownattack.com/)

  49. B2)2>& • )2*>&  5 9,+/  • B2)2> •

    7)2>6.40 • '>& )212  !< • "%$#(?3-C:;A@ =8  49

  50. gadget •   ret;!   •  

         50

  51. pop × N ; ret; •   • pop

      ret   51

  52.   52

  53. gadget  •  gadget   53  A

    A A A A A A A A     A    A A A A A A A A A  0x08048355 A    

  54. gadget  54  A A A A A A

    A A A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  55. gadget   •    (leave!) 55 

    A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  56. gadget  • ret (pop eip)    56

     A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  57. gadget  • ret (pop eip)    57

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  58. gadget   • A    58 

    0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  59. gadget  • A   59  0x08048355 A

        0x08048355: pop ebx 0x08048356: ret    A eip esp

  60. gadget  • ret (pop eip)    60

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  61. gadget  • ret (pop eip)    61

     A    0x08048355: pop ebx 0x08048356: ret    0x08048355 eip esp

  62. gadget   • gadget    62 

    A    0x08048355: pop ebx 0x08048356: ret  0x08048355 eip esp

  63. gadget  •   pop   63 

       0x08048355: pop ebx 0x08048356: ret  0x08048355 eip A ebx esp

  64. gadget  •   ret   64 

       0x08048355: pop ebx 0x08048356: ret  0x08048356 eip esp

  65. gadget  •   eip  pop  

    65     0x08048355: pop ebx 0x08048356: ret  0xdeadbeef eip esp

  66.    66  A  gadget  A

     B  gadget  B  B    pop ebx ret   pop eax pop ecx ret 

  67. ROP '# • pop × N; ret; * gadget &#

     •  !) (%  • Return-oriented Programming (ROP) DEP",  • ROP $+ • ROP Emporium 67

  68. 1/*0 • !  $ • '#$*0.(+ • 23)+ •

    &.  #,x86   •  " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68