Pwn Study Session (Pwn勉強会)
by m412u
Slides 21-26 (x86 instruction examples; only the instructions survived extraction)
Slide 21
mov eax, 0x0
mov DWORD PTR [ebp-0x10], eax
Slide 22
cmp eax, 0x1
cmp DWORD PTR [ebp-0x10], eax
Slide 23
jmp 0x08048574
je 0x08048574
Slide 24
call printf@plt
ret
Slide 25
add eax, edx
sub eax, edx
Slide 26
lea ecx, [esp+0x4]
lea eax, [ebp-0x18]
Slides 48-75 (hands-on: disassembling and stepping through the sample binary; only the commands and instructions survived extraction)
Slide 48
$ git clone https://github.com/m412u/pwn_study.git
$ cd pwn_study/sample
Slide 50
$ objdump -d -M intel func
Slide 52
$ gdb -q ./func
Slide 53
gdb-peda$ break *0x08048535
or
gdb-peda$ b *0x08048535
Slide 54
gdb-peda$ run
or
gdb-peda$ r
Slide 56
gdb-peda$ nexti
or
gdb-peda$ ni
gdb-peda$ stepi
or
gdb-peda$ si
Slides 57-74 (one instruction per slide, stepping through the call and return)
Slide 57
mov edx, DWORD PTR [ebp-0x14]
Slide 58
mov eax, DWORD PTR [ebp-0x18]
Slide 59
sub esp, 0x8
Slide 60
push edx
Slide 61
push eax
Slide 62
call 0x080484bb
Slide 63
push ebp
Slide 64
mov ebp, esp
Slide 65
sub esp, 0x10
Slide 66
mov edx, DWORD PTR [ebp+0x8]
Slide 67
mov eax, DWORD PTR [ebp+0xc]
Slide 68
add eax, edx
Slide 69
mov DWORD PTR [ebp-0x4], eax
Slide 70
mov eax, DWORD PTR [ebp-0x4]
Slide 71
leave = mov esp, ebp ; pop ebp
Slide 72
leave = mov esp, ebp ; pop ebp
Slide 73
ret
Slide 74
add esp, 0x10
Slide 75
gdb-peda$ quit
or
gdb-peda$ q