Slide 1

Slide 1 text

Pwn @ Gm S944y

Slide 2

Slide 2 text

• &,$.1)/ 2 • '#&,-%" *+3 • (0x86 ! 2

Slide 3

Slide 3 text

• • • ! • • • ROP 3

Slide 4

Slide 4 text

4

Slide 5

Slide 5 text

5 " ! #CPU

Slide 6

Slide 6 text

# !42 • $ * .'& • text +:509 • data /,83- • bss /,83- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧

Slide 7

Slide 7 text

7 text data bss heap ⇩ stack ⇧ 0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip

Slide 8

Slide 8 text

• 9" • eax, ecx, edx, ebx, esi, edi 032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8

Slide 9

Slide 9 text

9

Slide 10

Slide 10 text

30 • ".4 • 6$&'*7 30/ • 5 #!2. -(%) # ,81+ " etc… 10 ≒

Slide 11

Slide 11 text

• 11 PUSH POP

Slide 12

Slide 12 text

&%!( • ' # &% $"!( 12 main main main func

Slide 13

Slide 13 text

13

Slide 14

Slide 14 text

• mainA 14 void A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

Slide 15

Slide 15 text

• A 15 int main(void) { int a, b; … A(a, b); … return 0; }

Slide 16

Slide 16 text

• 1. A 2. 16 int main(void) { int a, b; … A(a, b); … return 0; }

Slide 17

Slide 17 text

• 1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }

Slide 18

Slide 18 text

$ • $ ! #" 1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }

Slide 19

Slide 19 text

$,& • $A !( eip '- • ".+*) 19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$

Slide 20

Slide 20 text

• A ! 20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b

Slide 21

Slide 21 text

! 1. 2. 3. eip 21 2.3 call"

Slide 22

Slide 22 text

" ' • "A "A $ 22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"

Slide 23

Slide 23 text

# • A • ret " ! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b

Slide 24

Slide 24 text

ret !# 24 ret = pop eip " eip

Slide 25

Slide 25 text

• eip 25 eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b

Slide 26

Slide 26 text

• main 26 eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b

Slide 27

Slide 27 text

(,;# 27 1. (,B +,8 2. call 7? (,B ; "!8 3. (,B ;:5/> 1. (,A ebp 94= 2. (,B %3.* &:5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)

Slide 28

Slide 28 text

28

Slide 29

Slide 29 text

BOF ,+!& 29 void vuln(void) { char buf[4]; … gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%

Slide 30

Slide 30 text

vuln !(" • '& % 30 char buf[4] $)ebp int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }

Slide 31

Slide 31 text

!% • gets(buf) " !# 31 char buf[4] $ebp int a int b AAAAAAAAAAAA\n void vuln(void) { char buf[4]; … gets(buf); … }

Slide 32

Slide 32 text

!% • gets(buf) " !# 32 A A A A $ebp int a int b AAAAAAAA\n void vuln(void) { char buf[4]; … gets(buf); … }

Slide 33

Slide 33 text

• gets(buf) 33 A A A A A A A A int a int b AAAA\n void vuln(void) { char buf[4]; … gets(buf); … }

Slide 34

Slide 34 text

vuln • 34 A A A A A A A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }

Slide 35

Slide 35 text

vuln • leave 35 A A A A int a int b

Slide 36

Slide 36 text

ret • eip pop 36 eip A A A A int a int b

Slide 37

Slide 37 text

ret! • eip pop • ASCII → A 16 0x41 37 int a int b 0x41414141 eip

Slide 38

Slide 38 text

ret15.&4 38 0x41414141 eip • 0x41414141 152- !" • 2- #% +' (.&0/* • ,$)3

Slide 39

Slide 39 text

39

Slide 40

Slide 40 text

• 40 A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b

Slide 41

Slide 41 text

l 1. 2. 3. eip 41

Slide 42

Slide 42 text

l 1. 2. 3. eip 42 OK

Slide 43

Slide 43 text

l 1. 2. 3. eip 43 OK OK

Slide 44

Slide 44 text

44 A A A A A A A A eip

Slide 45

Slide 45 text

l 1. 2. 3. eip 45 OK OK OK

Slide 46

Slide 46 text

BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB*) '2 • A?( 90;.@' '2<81 • @'-3:65 46

Slide 47

Slide 47 text

ROP 47

Slide 48

Slide 48 text

ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F A035 • 2018 / 1 1I:;JD8 Spectre 46 • CVE-2017-5715 • ROP )$,&.% • E2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)

Slide 49

Slide 49 text

B2)2>& • )2*>& 59,+/ • B2)2> • 7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49

Slide 50

Slide 50 text

gadget • ret;! • 50

Slide 51

Slide 51 text

pop × N ; ret; • • pop ret 51

Slide 52

Slide 52 text

52

Slide 53

Slide 53 text

gadget • gadget 53 A A A A A A A A A A A A A A A A A A A 0x08048355 A

Slide 54

Slide 54 text

gadget 54 A A A A A A A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp

Slide 55

Slide 55 text

gadget • (leave!) 55 A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp

Slide 56

Slide 56 text

gadget • ret (pop eip) 56 A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp

Slide 57

Slide 57 text

gadget • ret (pop eip) 57 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp

Slide 58

Slide 58 text

gadget • A 58 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp

Slide 59

Slide 59 text

gadget • A 59 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp

Slide 60

Slide 60 text

gadget • ret (pop eip) 60 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp

Slide 61

Slide 61 text

gadget • ret (pop eip) 61 A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp

Slide 62

Slide 62 text

gadget • gadget 62 A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp

Slide 63

Slide 63 text

gadget • pop 63 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp

Slide 64

Slide 64 text

gadget • ret 64 0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp

Slide 65

Slide 65 text

gadget • eip pop 65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp

Slide 66

Slide 66 text

66 A gadget A B gadget B B pop ebx ret pop eax pop ecx ret

Slide 67

Slide 67 text

ROP '# • pop × N; ret;* gadget • !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67

Slide 68

Slide 68 text

1/*0 • !$ • '#$*0.(+ • 23)+ • &. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68