Upgrade to Pro — share decks privately, control downloads, hide ads and more …

学内Pwn勉強会

m412u
February 25, 2019
Programming
4
4.7k

 学内Pwn勉強会

学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.

m412u

February 25, 2019
Tweet

More Decks by m412u

See All by m412u
slide.pdf
m412u
5
2.7k
Pwn勉強会
m412u
8
11k

Other Decks in Programming

See All in Programming
ファインディLT_ポケモン対戦の定量的分析
fufufukakaka
0
920
Honoとフロントエンドの 型安全性について
yodaka
7
1.4k
技術を改善し続ける
gumioji
0
120
pylint custom ruleで始めるレビュー自動化
shogoujiie
0
150
DRFを少しずつ オニオンアーキテクチャに寄せていく DjangoCongress JP 2025
nealle
2
260
Ça bouge du côté des animations CSS !
goetter
2
150
Domain-Driven Transformation
hschwentner
2
1.9k
Multi Step Form, Decentralized Autonomous Organization
pumpkiinbell
1
860
Rails 1.0 のコードで学ぶ find_by* と method_missing の仕組み / Learn how find_by_* and method_missing work in Rails 1.0 code
maimux2x
1
150
なぜイベント駆動が必要なのか - CQRS/ESで解く複雑系システムの課題 -
j5ik2o
14
4.6k
Datadog Workflow Automation で圧倒的価値提供
showwin
1
160
sappoRo.R #12 初心者セッション
kosugitti
0
270

Featured

See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.5k
The Language of Interfaces
destraynor
156
24k
Site-Speed That Sticks
csswizardry
4
400
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Testing 201, or: Great Expectations
jmmastey
42
7.2k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Docker and Python
trallard
44
3.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
570
Why Our Code Smells
bkeepers
PRO
336
57k
KATA
mclloyd
29
14k

Transcript

  1.  Pwn  @ Gm S944y

  2.  • &,$.1 )/ 2 • '#&,-%" * +3 

     • (0x86 ! 2

  3.  •   •   • ! •

       •   • ROP 3

  4.  4

  5.   5    "  ! #CPU

      

  6. # !42 • $ * .'& • text +:509 •

    data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- •   6  text data bss heap ⇩ stack ⇧

  7.   7 text data bss heap ⇩ stack ⇧

    0x0 0 x f f f f f f f f     ebp eflags edi eax esi ebx edx ecx esp eip  

  8.  • 9" • eax, ecx, edx, ebx, esi, edi

    032* • 1)$"   • +8 • esp #,  / )4 • ebp #,  /5 )4 • eip '!   • eflag .72* %()4 (-&6$" ) 8

  9.   9

  10. 30 • ".4  • 6$&'*7 30/  • 5

    #!2. -(%) # ,81+ " etc… 10 ≒  

  11.  •     11 PUSH POP

  12. &% !( •  '  #  &% 

    $" !(  12  main     main     main   func   

  13.  13

  14.   • main  A   14 void

    A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

  15.   • A   15   

     int main(void) { int a, b; … A(a, b); … return 0; }

  16.   •      1. A

     2.   16   int main(void) { int a, b; … A(a, b); … return 0; }

  17.    •      

    1. A  17 int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  18.  $   • $  ! # "

    1. A  2.  18  int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  19. $, & • $A !( eip '-  • ".+*)

      19 eip    0x00000100 $A ".+ 0x00000104   0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b    int a int b   %#$ %#$

  20.     • A    !

    20 0x00000100 eip    0x00000100 A " 0x00000104   0x00000200 main " 0x00000204 0x00000208 0x0000020b    int a int b    

  21. !  1.   2.    3.

      eip  21  2.3 call" 

  22. " '  • "A  "A $  

    22 0x00000104 eip int z &( ebp  int a int b      0x00000100 "A !)% 0x00000104   0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b   #"

  23.  # • A  • ret "  

    ! 23 eip  int a int b      0x00000100 A $ 0x00000104   0x00000200 main $ 0x00000204 0x00000208 0x0000020b  

  24. ret !# 24 ret = pop eip   "

    eip      

  25.  •     eip   25

    eip  int a int b      0x00000100 A  0x00000104   0x00000200 main  0x00000204 0x00000208 0x0000020b  

  26.  • main  26  eip int a int

    b       0x00000100 A   0x00000104   0x00000200 main    0x00000204 0x00000208 0x0000020b  

  27. (,;# 27 1. (,B +,8 2. call 7? (,B ;

     "!8 3. (,B ; :5 />  1. (,A  ebp 94=  2. (,B %3.* & :5  3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6<  (,A 0) (,B 0)

  28.  28

  29. BOF ,+! & 29 void vuln(void) { char buf[4]; …

    gets(buf); … } • main"vuln")  • ($*# •    4 • BOF ,+!'%

  30. vuln !(" • '& %  30 char buf[4] $)ebp

     int a int b   #! void vuln(void) { char buf[4]; … gets(buf); … } 

  31. !%  • gets(buf) " ! # 31 char buf[4]

    $ ebp  int a int b    AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  32. !%  • gets(buf) " ! # 32 A A

    A A $ ebp  int a int b    AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  33.   • gets(buf)   33 A A A

    A A A A A  int a int b     AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }   

  34. vuln •  34 A A A A A A

    A A A A A A int a int b     void vuln(void) { char buf[4]; … gets(buf); … }   

  35. vuln • leave    35 A A A

    A int a int b     

  36. ret  •   eip  pop  

    36 eip A A A A int a int b    

  37. ret!   •   eip pop  •

    ASCII → A 16 0x41 37 int a int b   0x41414141 eip

  38. ret15 .&4  38 0x41414141 eip   • 0x41414141

    152-  !" • 2- #% +' (.&0/* • ,$)3 

  39.   39

  40.   •       40

     A A A A A A A A int a int b    A A A A A A A A         char buf[4] ebp    int a int b  

  41.   l   1.    2.

         3.   eip   41

  42.   l   1.    2.

         3.   eip   42 OK

  43.   l   1.    2.

         3.   eip   43 OK OK

  44. 44       A A A

    A A A A A                eip

  45.   l   1.    2.

         3.   eip   45 OK OK OK

  46. BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *) 

     '2 • A?( 90;.@'  '2<81  •  @'-3:65 46

  47. ROP 47

  48. ROP  • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F

    A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2  !  48 Meltdown and Spectre (https://meltdownattack.com/)

  49. B2)2>& • )2*>&  5 9,+/  • B2)2> •

    7)2>6.40 • '>& )212  !< • "%$#(?3-C:;A@ =8  49

  50. gadget •   ret;!   •  

         50

  51. pop × N ; ret; •   • pop

      ret   51

  52.   52

  53. gadget  •  gadget   53  A

    A A A A A A A A     A    A A A A A A A A A  0x08048355 A    

  54. gadget  54  A A A A A A

    A A A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  55. gadget   •    (leave!) 55 

    A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  56. gadget  • ret (pop eip)    56

     A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  57. gadget  • ret (pop eip)    57

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  58. gadget   • A    58 

    0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  59. gadget  • A   59  0x08048355 A

        0x08048355: pop ebx 0x08048356: ret    A eip esp

  60. gadget  • ret (pop eip)    60

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  61. gadget  • ret (pop eip)    61

     A    0x08048355: pop ebx 0x08048356: ret    0x08048355 eip esp

  62. gadget   • gadget    62 

    A    0x08048355: pop ebx 0x08048356: ret  0x08048355 eip esp

  63. gadget  •   pop   63 

       0x08048355: pop ebx 0x08048356: ret  0x08048355 eip A ebx esp

  64. gadget  •   ret   64 

       0x08048355: pop ebx 0x08048356: ret  0x08048356 eip esp

  65. gadget  •   eip  pop  

    65     0x08048355: pop ebx 0x08048356: ret  0xdeadbeef eip esp

  66.    66  A  gadget  A

     B  gadget  B  B    pop ebx ret   pop eax pop ecx ret 

  67. ROP '# • pop × N; ret; * gadget &#

     •  !) (%  • Return-oriented Programming (ROP) DEP",  • ROP $+ • ROP Emporium 67

  68. 1/*0 • !  $ • '#$*0.(+ • 23)+ •

    &.  #,x86   •  " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68