Slide 1
Slide 1 text
Pwn
@
Gm
S944y
Slide 2
Slide 2 text
• &,$.1
)/ 2
• '#&,-%"
*
+3
• (0x86
!
2
Slide 3
Slide 3 text
•
•
• !
•
•
• ROP
3
Slide 4
Slide 4 text
4
Slide 5
Slide 5 text
5
"
!
#CPU
Slide 6
Slide 6 text
#
!42
• $
*
.'&
• text +:509
• data /,83-
• bss /,8
3-
• heap )%
1( 76
• stack #"3-
•
6
text
data
bss
heap ⇩
stack ⇧
Slide 7
Slide 7 text
7
text
data
bss
heap ⇩
stack ⇧
0x0
0 x f f f f f f f f
ebp
eflags
edi
eax esi
ebx
edx
ecx esp
eip
Slide 8
Slide 8 text
• 9"
• eax, ecx, edx, ebx, esi, edi 032*
• 1)$"
• +8
• esp #, / )4
• ebp #, /5 )4
• eip '!
• eflag .72* %()4 (-&
6$"
)
8
Slide 9
Slide 9 text
9
Slide 10
Slide 10 text
30
• ".4
•
6$&'*7
30/
• 5 #!2.
-(%)
# ,81+
" etc…
10
≒
Slide 11
Slide 11 text
•
11
PUSH POP
Slide 12
Slide 12 text
&%
!(
•
'
#
&%
$
"
!(
12
main
main
main
func
Slide 13
Slide 13 text
13
Slide 14
Slide 14 text
• main
A
14
void A(int x, int y) {
int z;
…
}
int main(void) {
int a, b;
…
A(a, b);
…
return 0;
}
Slide 15
Slide 15 text
•
A
15
int main(void) {
int a, b;
…
A(a, b);
…
return 0;
}
Slide 16
Slide 16 text
•
1. A
2.
16
int main(void) {
int a, b;
…
A(a, b);
…
return 0;
}
Slide 17
Slide 17 text
•
1. A
17
int a
int b
int main(void) {
int a, b;
…
A(a, b);
…
return 0;
}
Slide 18
Slide 18 text
$
• $
!
#
"
1.
A
2.
18
int a
int b
int main(void) {
int a, b;
…
A(a, b);
…
return 0;
}
Slide 19
Slide 19 text
$,
&
• $A !(
eip '-
• ".+
*)
19
eip
0x00000100 $A
".+
0x00000104
0x00000200
main $
".+
0x00000204
0x00000208
0x0000020b
int a
int b
%#$
%#$
Slide 20
Slide 20 text
• A
!
20
0x00000100
eip
0x00000100 A
"
0x00000104
0x00000200
main
"
0x00000204
0x00000208
0x0000020b
int a
int b
Slide 21
Slide 21 text
!
1.
2.
3.
eip
21
2.3 call "
Slide 22
Slide 22 text
"
'
• "A
"A
$
22
0x00000104
eip
int z
&(
ebp
int a
int b
0x00000100 "A
!)%
0x00000104
0x00000200
main "
!)%
0x00000204
0x00000208
0x0000020b
#"
Slide 23
Slide 23 text
#
• A
• ret "
!
23
eip
int a
int b
0x00000100 A
$
0x00000104
0x00000200
main
$
0x00000204
0x00000208
0x0000020b
Slide 24
Slide 24 text
ret !#
24
ret = pop eip
" eip
Slide 25
Slide 25 text
•
eip
25
eip
int a
int b
0x00000100 A
0x00000104
0x00000200
main
0x00000204
0x00000208
0x0000020b
Slide 26
Slide 26 text
• main
26
eip int a
int b
0x00000100
A
0x00000104
0x00000200
main
0x00000204
0x00000208
0x0000020b
Slide 27
Slide 27 text
(,;#
27
1. (,B +,
8
2. call 7?
(,B ;
" !
8
3. (,B ;
:5
/>
1. (,A ebp 9
4=
2. (,B %3.* &
:5
3. (,B %30)$
4. leave 7?
(,B ;#'126-
5. ret 7?
(,A 0)6<
(,A 0)
(,B 0)
Slide 28
Slide 28 text
28
Slide 29
Slide 29 text
BOF ,+!
&
29
void vuln(void) {
char buf[4];
…
gets(buf);
…
}
• main
"vuln
")
• ($
*#
•
4
• BOF
,+!'%
Slide 30
Slide 30 text
vuln !(
"
• '&
%
30
char buf[4]
$)ebp
int a
int b
#!
void vuln(void) {
char buf[4];
…
gets(buf);
…
}
Slide 31
Slide 31 text
!%
• gets(buf) "
!
#
31
char buf[4]
$
ebp
int a
int b
AAAAAAAAAAAA¥n
void vuln(void) {
char buf[4];
…
gets(buf);
…
}
Slide 32
Slide 32 text
!%
• gets(buf) "
!
#
32
A A A A
$
ebp
int a
int b
AAAAAAAA¥n
void vuln(void) {
char buf[4];
…
gets(buf);
…
}
Slide 33
Slide 33 text
• gets(buf)
33
A A A A
A A A A
int a
int b
AAAA¥n
void vuln(void) {
char buf[4];
…
gets(buf);
…
}
Slide 34
Slide 34 text
vuln
•
34
A A A A
A A A A
A A A A
int a
int b
void vuln(void) {
char buf[4];
…
gets(buf);
…
}
Slide 35
Slide 35 text
vuln
• leave
35
A A A A
int a
int b
Slide 36
Slide 36 text
ret
•
eip pop
36
eip A A A A
int a
int b
Slide 37
Slide 37 text
ret
!
•
eip
pop
• ASCII
→
A
16 0x41
37
int a
int b
0x41414141
eip
Slide 38
Slide 38 text
ret15
.&4
38
0x41414141
eip
• 0x41414141
152-
!"
• 2-
#%
+' (.&0
/*
• ,$)3
Slide 39
Slide 39 text
39
Slide 40
Slide 40 text
•
40
A A A A
A A A A
int a
int b
A A A A
A A A A
char buf[4]
ebp
int a
int b
Slide 41
Slide 41 text
l
1.
2.
3.
eip
41
Slide 42
Slide 42 text
l
1.
2.
3.
eip
42
OK
Slide 43
Slide 43 text
l
1.
2.
3.
eip
43
OK
OK
Slide 44
Slide 44 text
44
A A A A
A A A A
eip
Slide 45
Slide 45 text
l
1.
2.
3.
eip
45
OK
OK
OK
Slide 46
Slide 46 text
BOF 4/
• BOF !"# =>
-3@'
7,+=>
• &$%"CB
*)
'2
• A?( 90;.
@'
'2
<81
•
@'
-3:65
46
Slide 47
Slide 47 text
ROP
47
Slide 48
Slide 48 text
ROP
• ROP(Return-Oriented Programming)
• =G
+#.<9'-"*(."
• ret;>
7H?@CB 6F
A035
• 2018
/
1
1I:;JD8
Specture
46
• CVE-2017-5715
• ROP
)$,&.%
• E
2
!
48
Meltdown and Spectre
(https://meltdownattack.com/)
Slide 49
Slide 49 text
B2)2>&
• )2
*>&
5
9,+/
• B2)2
>
• 7)2
>6.40
• '>&
)212 !
<
• "%
$#(?3-C:;A@ =8
49
Slide 50
Slide 50 text
gadget
•
ret;!
•
50
Slide 51
Slide 51 text
pop × N ; ret;
•
• pop
ret
51
Slide 52
Slide 52 text
52
Slide 53
Slide 53 text
gadget
• gadget
53
A A A A
A A A A
A
A
A A A A
A A A A
A
0x08048355
A
Slide 54
Slide 54 text
gadget
54
A A A A
A A A A
A
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
esp
Slide 55
Slide 55 text
gadget
•
(leave !)
55
A
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
esp
Slide 56
Slide 56 text
gadget
• ret (pop eip)
56
A
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
esp
Slide 57
Slide 57 text
gadget
• ret (pop eip)
57
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
A
eip
esp
Slide 58
Slide 58 text
gadget
• A
58
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
A
eip
esp
Slide 59
Slide 59 text
gadget
• A
59
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
A
eip
esp
Slide 60
Slide 60 text
gadget
• ret (pop eip)
60
0x08048355
A
0x08048355: pop ebx
0x08048356: ret
A
eip
esp
Slide 61
Slide 61 text
gadget
• ret (pop eip)
61
A
0x08048355: pop ebx
0x08048356: ret
0x08048355
eip
esp
Slide 62
Slide 62 text
gadget
• gadget
62
A
0x08048355: pop ebx
0x08048356: ret
0x08048355
eip
esp
Slide 63
Slide 63 text
gadget
•
pop
63
0x08048355: pop ebx
0x08048356: ret
0x08048355
eip
A
ebx
esp
Slide 64
Slide 64 text
gadget
•
ret
64
0x08048355: pop ebx
0x08048356: ret
0x08048356
eip
esp
Slide 65
Slide 65 text
gadget
•
eip pop
65
0x08048355: pop ebx
0x08048356: ret
0xdeadbeef
eip
esp
Slide 66
Slide 66 text
66
A
gadget
A
B
gadget
B
B
pop ebx
ret
pop eax
pop ecx
ret
Slide 67
Slide 67 text
ROP '#
• pop × N; ret;
* gadget &#
• !)
(%
• Return-oriented Programming (ROP) DEP",
• ROP $+
• ROP Emporium
67
Slide 68
Slide 68 text
1/*0
• !
$
• '
#$*0.(+
• 23)+
• &.
#,x86
•
"
$ #$
• katagaitai CTF5-% #2 pwnables4
• CTF Pwn - A painter and a black cat
68