Slide 1
Slide 1 text
Pwn @ Gm S944y
Slide 2
Slide 2 text
• &,$.1)/ 2 • '#&,-%" *+3 • (0x86 ! 2
Slide 3
Slide 3 text
• • • ! • • • ROP 3
Slide 4
Slide 4 text
4
Slide 5
Slide 5 text
5 " ! #CPU
Slide 6
Slide 6 text
# !42 • $ * .'& • text +:509 • data /,83- • bss /,83- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧
Slide 7
Slide 7 text
7 text data bss heap ⇩ stack ⇧ 0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip
Slide 8
Slide 8 text
• 9" • eax, ecx, edx, ebx, esi, edi 032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8
Slide 9
Slide 9 text
9
Slide 10
Slide 10 text
30 • ".4 • 6$&'*7 30/ • 5 #!2. -(%) # ,81+ " etc… 10 ≒
Slide 11
Slide 11 text
• 11 PUSH POP
Slide 12
Slide 12 text
&%!( • ' # &% $"!( 12 main main main func
Slide 13
Slide 13 text
13
Slide 14
Slide 14 text
• mainA 14 void A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }
Slide 15
Slide 15 text
• A 15 int main(void) { int a, b; … A(a, b); … return 0; }
Slide 16
Slide 16 text
• 1. A 2. 16 int main(void) { int a, b; … A(a, b); … return 0; }
Slide 17
Slide 17 text
• 1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
Slide 18
Slide 18 text
$ • $ ! #" 1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
Slide 19
Slide 19 text
$,& • $A !( eip '- • ".+*) 19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$
Slide 20
Slide 20 text
• A ! 20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b
Slide 21
Slide 21 text
! 1. 2. 3. eip 21 2.3 call"
Slide 22
Slide 22 text
" ' • "A "A $ 22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"
Slide 23
Slide 23 text
# • A • ret " ! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b
Slide 24
Slide 24 text
ret !# 24 ret = pop eip " eip
Slide 25
Slide 25 text
• eip 25 eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
Slide 26
Slide 26 text
• main 26 eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
Slide 27
Slide 27 text
(,;# 27 1. (,B +,8 2. call 7? (,B ; "!8 3. (,B ;:5/> 1. (,A ebp 94= 2. (,B %3.* &:5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)
Slide 28
Slide 28 text
28
Slide 29
Slide 29 text
BOF ,+!& 29 void vuln(void) { char buf[4]; … gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%
Slide 30
Slide 30 text
vuln !(" • '& % 30 char buf[4] $)ebp int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }
Slide 31
Slide 31 text
!% • gets(buf) " !# 31 char buf[4] $ebp int a int b AAAAAAAAAAAA\n void vuln(void) { char buf[4]; … gets(buf); … }
Slide 32
Slide 32 text
!% • gets(buf) " !# 32 A A A A $ebp int a int b AAAAAAAA\n void vuln(void) { char buf[4]; … gets(buf); … }
Slide 33
Slide 33 text
• gets(buf) 33 A A A A A A A A int a int b AAAA\n void vuln(void) { char buf[4]; … gets(buf); … }
Slide 34
Slide 34 text
vuln • 34 A A A A A A A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }
Slide 35
Slide 35 text
vuln • leave 35 A A A A int a int b
Slide 36
Slide 36 text
ret • eip pop 36 eip A A A A int a int b
Slide 37
Slide 37 text
ret! • eip pop • ASCII → A 16 0x41 37 int a int b 0x41414141 eip
Slide 38
Slide 38 text
ret15.&4 38 0x41414141 eip • 0x41414141 152- !" • 2- #% +' (.&0/* • ,$)3
Slide 39
Slide 39 text
39
Slide 40
Slide 40 text
• 40 A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b
Slide 41
Slide 41 text
l 1. 2. 3. eip 41
Slide 42
Slide 42 text
l 1. 2. 3. eip 42 OK
Slide 43
Slide 43 text
l 1. 2. 3. eip 43 OK OK
Slide 44
Slide 44 text
44 A A A A A A A A eip
Slide 45
Slide 45 text
l 1. 2. 3. eip 45 OK OK OK
Slide 46
Slide 46 text
BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB*) '2 • A?( 90;.@' '2<81 • @'-3:65 46
Slide 47
Slide 47 text
ROP 47
Slide 48
Slide 48 text
ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F A035 • 2018 / 1 1I:;JD8 Spectre 46 • CVE-2017-5715 • ROP )$,&.% • E2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)
Slide 49
Slide 49 text
B2)2>& • )2*>& 59,+/ • B2)2> • 7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49
Slide 50
Slide 50 text
gadget • ret;! • 50
Slide 51
Slide 51 text
pop × N ; ret; • • pop ret 51
Slide 52
Slide 52 text
52
Slide 53
Slide 53 text
gadget • gadget 53 A A A A A A A A A A A A A A A A A A A 0x08048355 A
Slide 54
Slide 54 text
gadget 54 A A A A A A A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
Slide 55
Slide 55 text
gadget • (leave!) 55 A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
Slide 56
Slide 56 text
gadget • ret (pop eip) 56 A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
Slide 57
Slide 57 text
gadget • ret (pop eip) 57 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
Slide 58
Slide 58 text
gadget • A 58 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
Slide 59
Slide 59 text
gadget • A 59 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
Slide 60
Slide 60 text
gadget • ret (pop eip) 60 0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
Slide 61
Slide 61 text
gadget • ret (pop eip) 61 A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
Slide 62
Slide 62 text
gadget • gadget 62 A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
Slide 63
Slide 63 text
gadget • pop 63 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp
Slide 64
Slide 64 text
gadget • ret 64 0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp
Slide 65
Slide 65 text
gadget • eip pop 65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp
Slide 66
Slide 66 text
66 A gadget A B gadget B B pop ebx ret pop eax pop ecx ret
Slide 67
Slide 67 text
ROP '# • pop × N; ret;* gadget • !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67
Slide 68
Slide 68 text
1/*0 • !$ • '#$*0.(+ • 23)+ • &. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68