Slide 1

2021/5/18 NTUSTISC Binary Exploitation aka Pwn Basic

Slide 2

# whoami
- LJP / LJP-TW
- Pwn / Rev
- NTUST / NCTU / NYCU
- 10sec CTF Team

Slide 3

A quick survey first
- Know a bit of C
- Know a bit of any assembly language
- Know a bit about reverse engineering
- Know a bit about using GDB
- Know a bit about Pwn
- Know a bit about ROP
- Know a bit about Heap Exploitation

Slide 4

Outline
- What's PWN?
- Basics: x86 Assembly
- Basics: Stack Frame
- Basics: GDB
- Basics: Pwntools
- Stack-Based Buffer Overflow
- Shellcode
- Basics: Lazy Binding
- GOT Hijack
- One Gadget
- ROP

Slide 5

What is Pwn?

Slide 6

What is Pwn?
I just pronounce it "pàng" (胖).
Image source: https://en.wikipedia.org/wiki/PWN

Slides 7 to 10

What is Pwn? (image-only slides)

Slide 11

What is Pwn?
- Exploit a vulnerability in a program
- Tamper with the program's execution flow
- Make it perform a specific action

Slide 12

What is Pwn?
Let's look at an example. Server:

Slide 13

What is Pwn?
Service source code:

Slides 14 to 15

What is Pwn?
Vulnerability:

Slide 16

What is Pwn?
Other code that can be used in the exploit:
- Leak Canary
- Hijack Return Address
- Leak Text Base
- Execute Gadget

Slide 17

What is Pwn?
Exploit script:

Slide 18

What is Pwn?
Normal use / attack:

Slide 19

Basic Knowledge: x86 Assembly

Slide 20

x86 Assembly

ASM             C
mov rax, 1      rax = 1
add rax, 5      rax = rax + 5
sub rbx, rax    rbx = rbx - rax
inc rax         rax++
dec rax         rax--

Slide 21

x86 Assembly

ASM:
    mov rax, 0
    jmp BEGIN
LOOP:
    inc rax
BEGIN:
    cmp rax, 5
    jle LOOP

C:
    rax = 0
    while (rax <= 5)
        rax++

Slide 22

Basic Knowledge: Stack Frame

Slide 23

Stack Frame
- Each scope has its own Stack Frame
- It stores the local variables
- At the start and end of a function there are some instructions that handle the Stack Frame
  - Start: Prologue
  - End: Epilogue

main:
    push rbp
    mov rbp, rsp
    …
    leave
    ret

Slides 24 to 35

Stack Frame (step-by-step; the diagram below is reconstructed from the values shown on the slides)

main:                          function1:
    push rbp                       push rbp
    mov rbp, rsp                   mov rbp, rsp
    sub rsp, 20h                   sub rsp, 30h
    …                              …
    call function1                 leave
    leave                          ret
    ret

leave = mov rsp, rbp ; pop rbp

Stack (higher addresses at the top):
    0x00007fffffffe5c8   RSP when main starts
    0x00007fffffffe5c0   original RBP value, saved by main's push rbp; main's RBP points here
    0x00007fffffffe5a0   RSP after main's sub rsp, 20h (0x20 bytes of main's locals between here and RBP)
    0x00007fffffffe598   0x401234, the return address into main, pushed by call function1
    0x00007fffffffe590   0x00007fffffffe5c0, main's RBP, saved by function1's push rbp; function1's RBP points here
    0x00007fffffffe560   RSP after function1's sub rsp, 30h (0x30 bytes of function1's locals between here and RBP)

Steps:
1. main starts with RSP = 0x00007fffffffe5c8.
2. push rbp stores the caller's RBP at 0x00007fffffffe5c0; RSP = 0x00007fffffffe5c0.
3. mov rbp, rsp: RBP = 0x00007fffffffe5c0.
4. sub rsp, 20h: RSP = 0x00007fffffffe5a0 (space for main's local variables).
5. call function1 pushes the return address 0x401234 at 0x00007fffffffe598 and jumps to function1.
6. push rbp stores main's RBP (0x00007fffffffe5c0) at 0x00007fffffffe590.
7. mov rbp, rsp: RBP = 0x00007fffffffe590.
8. sub rsp, 30h: RSP = 0x00007fffffffe560 (space for function1's local variables).
9. leave (mov rsp, rbp ; pop rbp): RSP = 0x00007fffffffe598, RBP = 0x00007fffffffe5c0 again.
10. ret pops 0x401234 into RIP: RSP = 0x00007fffffffe5a0 and execution continues in main, whose own leave and ret then unwind its frame.
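
To make the frame layout from these slides observable on a real machine, here is an added C example (mine, not from the slides): it reads its own live frame through `__builtin_frame_address(0)` and checks that [rbp] holds the caller's RBP and [rbp+8] the return address, as the diagram shows. It assumes GCC or clang on x86-64 (AArch64 keeps the same two slots at [fp] and [fp+8]); `frame_view`, `inspect_frame` and `frame_layout_matches` are names of my own.

```c
#include <stdio.h>

/* Layout of an x86-64 frame after "push rbp ; mov rbp, rsp ; sub rsp, N":
 *   [rbp+8]  return address, pushed by the caller's "call"
 *   [rbp]    the caller's RBP, saved by "push rbp"
 *   [rbp-N]  this function's locals, reserved by "sub rsp, N"
 * __builtin_frame_address(0) makes GCC/clang keep a frame pointer in the
 * function that uses it, so the slots can be read from the live frame.
 * Assumption: GCC or clang on x86-64 (or AArch64). Names are this example's own. */

struct frame_view {
    void *fp;           /* this function's frame pointer (RBP) */
    void *saved_fp;     /* [rbp]:   the caller's RBP */
    void *ret_addr;     /* [rbp+8]: where "ret" will jump */
    void *builtin_ret;  /* the return address as the compiler itself reports it */
    void *local;        /* address of a local buffer inside this frame */
};

/* noinline: the frame must really exist instead of being merged into the caller's. */
__attribute__((noinline)) struct frame_view inspect_frame(void)
{
    volatile char buf[16];                        /* a local, like the buffer the overflow slides target */
    for (int i = 0; i < 16; i++) buf[i] = 'A';    /* constructed filler so the buffer is really used */

    void **fp = (void **)__builtin_frame_address(0);
    struct frame_view v;
    v.fp = fp;
    v.saved_fp = fp[0];                           /* slot written by "push rbp" */
    v.ret_addr = fp[1];                           /* slot written by "call" */
    v.builtin_ret = __builtin_return_address(0);
    v.local = (void *)buf;
    return v;
}

/* Returns 1 when the callee's frame holds what the prologue convention says:
 * our RBP at [rbp] and the return address back into us at [rbp+8]. */
__attribute__((noinline)) int frame_layout_matches(void)
{
    void *my_fp = __builtin_frame_address(0);     /* this (caller) frame's RBP */
    struct frame_view v = inspect_frame();
    return v.saved_fp == my_fp && v.ret_addr == v.builtin_ret;
}

int main(void)
{
    struct frame_view v = inspect_frame();
    printf("rbp          = %p\n", v.fp);
    printf("[rbp]        = %p  (value of rbp in the caller)\n", v.saved_fp);
    printf("[rbp+8]      = %p  (return address into the caller)\n", v.ret_addr);
    printf("local buffer = %p  (below rbp on x86-64)\n", v.local);
    printf("layout matches the convention: %s\n", frame_layout_matches() ? "yes" : "no");
    return 0;
}
```

Compile it without `-fomit-frame-pointer` tricks of your own; the builtin already forces the frame pointer in the two functions that use it. The printed addresses are the real ones for your process, so they differ from the slide's constructed 0x00007fffffffe5.. values, but their spacing (return address 8 bytes above the saved RBP, buffer below) is the layout the slides animate.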

Slide 36

Basic Knowledge: GDB

Slide 37

GDB
- Recommended plugin: gef
  - https://github.com/hugsy/gef
- Recommended plugin: pwngdb
  - https://github.com/scwuaptx/Pwngdb
- Commonly used commands
  - b *[Address expression]: set a breakpoint
  - c: continue execution
  - ni: execute one instruction (step over calls)
  - si: execute one instruction (step into calls)
  - x/[Length][Format] [Address expression]: display memory contents

Slide 38

GDB Demo

Slide 39

Basic Knowledge: Pwntools

Slide 40

Pwntools
- A Python module
- Makes writing exploits convenient
- Commonly used functions
  - process()
  - remote()
  - send(), sendline()
  - sendafter(), sendlineafter()
  - recv(), recvline()
  - recvuntil()

Slide 41

Pwntools Demo

Slide 42

Stack-Based Buffer Overflow

Slide 43

Stack-Based Buffer Overflow
- An out-of-bounds write on a local variable
- Causes other local variables to be overwritten
- Causes the Return Address to be overwritten

Slides 44 to 50

Stack-Based Buffer Overflow (step-by-step; reconstructed from the values shown on the slides)

Same two functions as in the Stack Frame section (main: push rbp / mov rbp, rsp / sub rsp, 20h / … / call function1 / leave / ret; function1: push rbp / mov rbp, rsp / sub rsp, 30h / … / leave / ret). Execution is inside function1, RBP = 0x00007fffffffe590, RSP = 0x00007fffffffe560.

Stack before the overflow:
    0x00007fffffffe5c8
    0x00007fffffffe5c0   original RBP value
    0x00007fffffffe5a0
    0x00007fffffffe598   0x401234 (return address into main)
    0x00007fffffffe590   0x00007fffffffe5c0 (main's saved RBP)
    0x00007fffffffe560   function1's local buffer starts here

Steps:
1. Input is written into the local buffer at 0x00007fffffffe560: AAAAAAAA
2. The write is not bounded, so it continues upward: AAAAAAAA AAAAAAAA … fill the rest of function1's locals.
3. It reaches 0x00007fffffffe590 (saved RBP) and 0x00007fffffffe598 (return address): both now hold AAAAAAAA.
4. leave: RSP = 0x00007fffffffe598, RBP = 0x4141414141414141 (popped from the overwritten slot).
5. ret pops AAAAAAAA (0x4141414141414141) into RIP: control flow now goes wherever the overflow put it.
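
As an added illustration (mine, not from the slides), here is the bug these slides describe in C, next to a bounded version: the unsafe copy takes its length from the input, the hardened ones from the destination, and the caller learns whether input was cut off or rejected. `NAME_MAX`, `copy_bounded`, `greet_safe` and `greet` are names of my own; the 40-byte input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* The bug on the slides: the copy length comes from the input, not from the
 * destination, so a long name runs past buf into the neighbouring locals,
 * the saved RBP and the return address. The hardened functions bound the copy
 * by the destination size. NAME_MAX and all function names are this
 * example's own. */

#define NAME_MAX 16

/* Vulnerable: strcpy writes strlen(name)+1 bytes whatever sizeof buf is. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);            /* no bound: stack-based buffer overflow for long names */
    printf("hello, %s\n", buf);
}

/* Hardened: copies at most dstsize-1 bytes, always NUL-terminates, and
 * returns 0 if everything fit or -1 if the input was cut off. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return -1;
    size_t n = strlen(src);
    int truncated = n >= dstsize;
    if (truncated) n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated ? -1 : 0;
}

/* Reject-instead-of-truncate: a name that does not fit is not processed at all.
 * Writes the greeting into out and returns 0; returns -1 if the name was
 * rejected or the greeting did not fit in out. */
int greet_safe(const char *name, char *out, size_t outsize)
{
    char buf[NAME_MAX];
    if (copy_bounded(buf, sizeof buf, name) != 0)
        return -1;
    int n = snprintf(out, outsize, "hello, %s", buf);
    return (n >= 0 && (size_t)n < outsize) ? 0 : -1;
}

/* Scratch buffers so the results can be inspected after the call. */
char small_buf[8];
char greet_out[64];

/* Convenience wrapper: the greeting text, or NULL when the name was rejected. */
const char *greet(const char *name)
{
    return greet_safe(name, greet_out, sizeof greet_out) == 0 ? greet_out : NULL;
}

int main(void)
{
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 bytes, constructed */
    int rc = copy_bounded(small_buf, sizeof small_buf, long_name);
    printf("copy_bounded(8 bytes, 40-byte input) -> %d, buffer now \"%s\"\n", rc, small_buf);
    printf("greet(\"LJP\")    -> %s\n", greet("LJP"));
    printf("greet(40 x 'A') -> %s\n", greet(long_name) ? greet_out : "rejected");
    return 0;
}
```

`greet_unsafe` is kept only to show the pattern; the stand-alone program never calls it. Note that the limit is `NAME_MAX - 1` characters, because the terminating NUL needs the last byte: that off-by-one is the usual way a "bounded" copy still overflows.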

Slide 51

Stack Canary

Slide 52

Stack Canary
- In the function prologue, write a value (the Canary) onto the stack
- In the function epilogue, check whether the Canary still has the same value
- If it differs, a BOF has happened: call __stack_chk_fail
- As for why it is called a Canary?

Slides 53 to 60

Stack Canary (step-by-step; reconstructed from the values shown on the slides)

main:                          function1 (compiled with a stack canary):
    push rbp                       push rbp
    mov rbp, rsp                   mov rbp, rsp
    sub rsp, 20h                   sub rsp, 30h
    …                              mov rax, fs:28h
    call function1                 mov [rbp-8], rax
    leave                          …
    ret                            mov rcx, [rbp-8]
                                   xor rcx, fs:28h
                                   jz OK
                                   call __stack_chk_fail
                               OK:
                                   leave
                                   ret

Stack inside function1 (RBP = 0x7fffffffe590, RSP = 0x7fffffffe560):
    0x7fffffffe5c8
    0x7fffffffe5c0   original RBP value
    0x7fffffffe5a0
    0x7fffffffe598   0x401234 (return address into main)
    0x7fffffffe590   0x00007fffffffe5c0 (main's saved RBP)
    0x7fffffffe588   0xd32a99e5e7cd3300 (the canary, copied from fs:28h into [rbp-8])
    0x7fffffffe560   function1's local buffer starts here

Steps:
1. Prologue: mov rax, fs:28h ; mov [rbp-8], rax stores the canary at 0x7fffffffe588.
2. An overflow writes AAAAAAAA from 0x7fffffffe560 upward, through 0x7fffffffe588 (the canary), 0x7fffffffe590 (saved RBP) and 0x7fffffffe598 (return address).
3. Epilogue: mov rcx, [rbp-8] ; xor rcx, fs:28h compares the stored value with the original; it differs, so jz OK is not taken.
4. call __stack_chk_fail aborts the program before leave / ret can use the overwritten return address.

Slide 61

Stack Canary
- Bypass
  - Find a way to leak the Canary's value
  - When overwriting the Return Address, write the Canary's value back in its place, and the check passes
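
An added C model (mine, not from the slides) of the canary check shown in function1's prologue and epilogue, covering the three cases from slides 53 to 61: input that fits, an overflow that corrupts the canary and is caught by the check, and an overwrite that puts the original canary value back so the check cannot tell. The frame is a struct laid out like the slide's stack; the canary value is the slide's, the saved RBP and return address are constructed, and `frame_model`, `run_with_canary`, `canary_detects` and the input arrays are names of my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the check function1 carries on the slides:
 *   prologue: mov rax, fs:28h ; mov [rbp-8], rax
 *   epilogue: mov rcx, [rbp-8] ; xor rcx, fs:28h ; jz OK ; call __stack_chk_fail
 * The frame is a struct whose field order mirrors the slide's stack, so an
 * over-long memcpy into buf runs into canary, saved RBP and return address
 * in that order. TLS_CANARY is the slide's value; the saved RBP and return
 * address are constructed; every name here is this example's own.
 * Assumes a little-endian host for the canary-preserving input. */

#define TLS_CANARY 0xd32a99e5e7cd3300ULL   /* stands in for fs:0x28; low byte 0, as glibc sets it */

struct frame_model {
    char     buf[32];      /* [rbp-0x30 .. rbp-0x10]: the local buffer being written */
    uint64_t other_local;  /* [rbp-0x10] */
    uint64_t canary;       /* [rbp-8] */
    uint64_t saved_rbp;    /* [rbp] */
    uint64_t ret_addr;     /* [rbp+8] */
};

enum { RET_OK = 0, RET_STACK_CHK_FAIL = 1 };

struct run_result {
    int      outcome;          /* RET_OK or RET_STACK_CHK_FAIL */
    uint64_t ret_addr_after;   /* what "ret" would use if the check did not abort */
};

/* Runs the modelled function: the prologue stores the canary, len bytes of
 * input are copied into buf with no bound (the bug), the epilogue checks. */
struct run_result run_with_canary(const unsigned char *input, size_t len)
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.canary    = TLS_CANARY;              /* mov rax, fs:28h ; mov [rbp-8], rax */
    f.saved_rbp = 0x00007fffffffe5c0ULL;   /* constructed, as on the slide */
    f.ret_addr  = 0x401234ULL;             /* constructed, as on the slide */

    if (len > sizeof f) len = sizeof f;    /* keeps the model in bounds; the real bug has no limit */
    memcpy(&f, input, len);                /* unbounded copy that starts at buf */

    struct run_result r;
    r.ret_addr_after = f.ret_addr;
    /* mov rcx, [rbp-8] ; xor rcx, fs:28h ; jz OK ; call __stack_chk_fail */
    r.outcome = ((f.canary ^ TLS_CANARY) == 0) ? RET_OK : RET_STACK_CHK_FAIL;
    return r;
}

/* 1 if the epilogue check would call __stack_chk_fail for this input. */
int canary_detects(const unsigned char *input, size_t len)
{
    return run_with_canary(input, len).outcome == RET_STACK_CHK_FAIL;
}

/* Constructed inputs for the three cases on the slides. */
unsigned char in_short[16];  /* fits inside buf */
unsigned char in_long[64];   /* 'A's through canary, saved RBP and return address */
unsigned char in_keep[64];   /* same, but bytes 40..47 repeat the canary's own value */

void build_inputs(void)
{
    memset(in_short, 'A', sizeof in_short);
    memset(in_long,  'A', sizeof in_long);
    memset(in_keep,  'A', sizeof in_keep);
    uint64_t c = TLS_CANARY;
    memcpy(in_keep + offsetof(struct frame_model, canary), &c, sizeof c);
}

static void report(const char *label, struct run_result r)
{
    printf("%-24s check %s, return address slot = 0x%llx\n", label,
           r.outcome == RET_OK ? "passes" : "FAILS (__stack_chk_fail)",
           (unsigned long long)r.ret_addr_after);
}

int main(void)
{
    build_inputs();
    report("16 bytes:", run_with_canary(in_short, sizeof in_short));
    report("64 x 'A':", run_with_canary(in_long, sizeof in_long));
    report("64 bytes, canary kept:", run_with_canary(in_keep, sizeof in_keep));
    return 0;
}
```

The third case is the whole point of slide 61: the xor only compares the stored word with the original, so an overwrite that reproduces the value passes even though the return address slot has changed. The check is therefore exactly as strong as the secrecy of the canary, which is why leaks of it matter and why glibc keeps the low byte zero (a string-based overflow cannot reproduce the value without writing a NUL).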

Slide 62

Stack-Based Buffer Overflow Demo

Slide 63

Shellcode

Slide 64

Shellcode
- The attacker writes a sequence of instructions into memory
- Then finds a way to make the execution flow jump to those instructions
- As for why it is called shellcode
  - Because it is usually used to spawn a shell
  - These days, even if it is not used to spawn a shell, people will still understand you if you call it shellcode

Slides 65 to 69

Shellcode (step-by-step; reconstructed from the values shown on the slides)

Same frames as before; execution is inside function1, RBP = 0x00007fffffffe590, RSP = 0x00007fffffffe560.

Stack after the overflow:
    0x00007fffffffe5c8
    0x00007fffffffe5c0   original RBP value
    0x00007fffffffe5a0
    0x00007fffffffe598   0x00007fffffffe560 (return address replaced with the buffer's address)
    0x00007fffffffe590   AAAAAAAA (saved RBP overwritten)
    0x00007fffffffe560   Shellcode (placed in the local buffer)

Steps:
1. The overflow places the shellcode at the start of the buffer (0x00007fffffffe560), fills up to the saved RBP with AAAAAAAA, and writes 0x00007fffffffe560 over the return address.
2. leave: RSP = 0x00007fffffffe598, RBP = 0x4141414141414141.
3. ret pops 0x00007fffffffe560 into RIP: the CPU now executes the shellcode from the stack.

Slide 70

NX (No-eXecute)

Slide 71

NX (No-eXecute)
- NX aka DEP (Data Execution Prevention)
- In the example just now, you will have noticed that we executed instructions located on the Stack
- Stuff on the Stack can be executed?! That is really strange
- Every memory segment gets three permission flags: r (Read), w (Write), x (eXecute)
- With NX set, there is no segment that is rwx
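
An added example (mine, not from the slides) of checking the property this slide describes: parse text in the format of Linux /proc/self/maps and count mappings whose permission field is both w and x. The two sample maps texts are constructed (paths, inode numbers and addresses included); `audit_self` reads the real file on Linux, and `maps_line_is_wx`, `count_wx_mappings` and `audit_self` are names of my own.

```c
#include <stdio.h>
#include <string.h>

/* Audit a memory map for segments that are writable and executable at the
 * same time, which NX/DEP is meant to rule out. Input is text in the format
 * of Linux /proc/self/maps, one mapping per line, e.g.
 *   7ffff7dd5000-7ffff7dfb000 r-xp 00000000 08:01 1050142  /lib/x86_64-linux-gnu/ld-2.31.so
 * The perms field is r/w/x followed by p (private) or s (shared).
 * Sample texts below are constructed; names are this example's own. */

/* 1 if a single maps line describes a writable+executable mapping, else 0. */
int maps_line_is_wx(const char *line)
{
    char perms[8] = {0};
    /* address range, then the 4-character permission field */
    if (sscanf(line, "%*[0-9a-fA-F]-%*[0-9a-fA-F] %7s", perms) != 1) return 0;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Counts W+X mappings in a whole maps text; copies the first offending line
 * (without its newline) into first_hit when that buffer is non-NULL. */
int count_wx_mappings(const char *maps_text, char *first_hit, size_t first_hit_size)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (maps_line_is_wx(line)) {
            if (count == 0 && first_hit && first_hit_size) {
                strncpy(first_hit, line, first_hit_size - 1);
                first_hit[first_hit_size - 1] = '\0';
            }
            count++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: an executable stack, as seen with NX disabled. */
const char *sample_maps_nx_off =
    "00400000-00401000 r--p 00000000 08:01 1234 /tmp/demo\n"
    "00401000-00402000 r-xp 00001000 08:01 1234 /tmp/demo\n"
    "00403000-00404000 rw-p 00002000 08:01 1234 /tmp/demo\n"
    "7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]\n";

/* Constructed sample: the same process with NX on; the stack is rw- only. */
const char *sample_maps_nx_on =
    "00400000-00401000 r--p 00000000 08:01 1234 /tmp/demo\n"
    "00401000-00402000 r-xp 00001000 08:01 1234 /tmp/demo\n"
    "00403000-00404000 rw-p 00002000 08:01 1234 /tmp/demo\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Reads (the first 64 KiB of) /proc/self/maps on Linux and returns the number
 * of W+X mappings in this process, or -1 if the file is unavailable. */
int audit_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    static char buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return count_wx_mappings(buf, NULL, 0);
}

int main(void)
{
    char hit[512];
    int n = count_wx_mappings(sample_maps_nx_off, hit, sizeof hit);
    printf("sample (NX off): %d W+X mapping(s), first: %s\n", n, n ? hit : "-");
    printf("sample (NX on):  %d W+X mapping(s)\n", count_wx_mappings(sample_maps_nx_on, NULL, 0));
    printf("this process:    %d W+X mapping(s)\n", audit_self());
    return 0;
}
```

Run it against the binary from the shellcode demo and against the same binary linked with an executable stack (`-z execstack`) to see the `[stack]` line flip between `rw-p` and `rwxp`; the second form is what the shellcode slides rely on, and its absence is what forces the move to ROP later in the deck.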

Slide 72

Shellcode Demo

Slide 73

Basic Knowledge: Lazy Binding

Slide 74

Lazy Binding
- Because a library is only loaded at run time, its address is not fixed
- So the program has to link the Library Calls it references to the library
- But:
  1. Resolving every referenced Library Call at program start makes the program start very late
  2. Not every referenced Library Call is actually called
- Hence Lazy Binding
- Simply put, a Library Call's address is only resolved the first time the program calls it

Slides 75 to 92

Lazy Binding (step-by-step; reconstructed from the values shown on the slides. The symbol names in .got.plt were mangled in the extraction: the first entry is puts, which the slides name; the second is another import whose name did not survive)

main:
    call puts@plt                   ; lands in .plt.sec

.plt:
<0x555555555020>
    push [link_map]                 ; push [.got.plt+0x8]
    bnd jmp [<_dl_runtime_resolve>] ; jmp [.got.plt+0x10]
    nop
<0x555555555030>
    endbr64
    push 0x0                        ; index of puts
    bnd jmp 0x555555555020
    nop
<0x555555555040>
    endbr64
    push 0x1                        ; index of the second import
    bnd jmp 0x555555555020
    nop

.got.plt:
    <+0x0>  (.dynamic)              0x3df8
    <+0x8>  (link_map)              0x00007ffff7ffe190
    <+0x10> (_dl_runtime_resolve)   0x00007ffff7fe7bb0
    <+0x18> (puts@got.plt)          0x0000555555555030 before the first call; 0x00007ffff7e505a0 after resolution
    <+0x20> (second import@got.plt) 0x0000555555555040

.plt.sec:
    endbr64
    bnd jmp [puts@got.plt]          ; jmp [.got.plt+0x18]
    nop
    endbr64
    bnd jmp [second import@got.plt] ; jmp [.got.plt+0x20]
    nop

Steps:
1. First call to puts: main calls the .plt.sec stub, which does bnd jmp [puts@got.plt].
2. The GOT entry still holds 0x0000555555555030, so the jump lands in .plt.
3. The .plt stub pushes the index (push 0x0) and jumps to the common stub at 0x555555555020.
4. That stub pushes the link_map and jumps to the resolver, _dl_runtime_resolve.
5. After resolving, the resolver writes puts's real address, 0x00007ffff7e505a0, back into puts@got.plt and continues into puts.
6. On every later call to puts, bnd jmp [puts@got.plt] jumps straight to the real address of puts.

Slide 93

GOT Hijack

Slide 94

GOT Hijack
- Suppose the program has an arbitrary-write vulnerability
- Writing the address we want to execute into the GOT table is enough to control the execution flow

Slides 95 to 100

GOT Hijack (step-by-step; reconstructed from the values shown on the slides)

Same PLT / .got.plt layout as in the Lazy Binding section. The .got.plt entry for puts (<+0x18>) initially holds 0x0000555555555030.

Steps:
1. Overwrite GOT Table: using the arbitrary write, puts@got.plt (<+0x18>) is overwritten with 0x4141414141414141.
2. main calls puts@plt; .plt.sec does bnd jmp [puts@got.plt].
3. Hijack Control Flow: the jump goes to 0x4141414141414141 instead of to puts (or to its resolver stub), so whoever controls that GOT entry controls where execution goes.
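
An added C model (mine, not the slides' or the loader's own code) that serves both the Lazy Binding slides (75 to 92) and the GOT Hijack slides (94 to 100): GOT slots start out pointing at their own PLT stubs, the resolver patches a slot on the first call, and later calls go straight through the slot. The two "library" functions, the symbol table, the import names and every function name are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Model of lazy binding through the PLT and .got.plt. Each import has a slot
 * in got[]; at load time the slot points back at its own PLT stub
 * ("push index ; jmp resolver"). The first call goes through the resolver,
 * which looks the symbol up, writes the real address into the slot and
 * continues into it; later calls jump straight from the slot. Everything
 * here (library functions, symbol table, names) is this example's own. */

typedef long (*import_fn)(long);

/* Stand-ins for functions living in a shared library. */
static long lib_puts_model(long x)   { return x + 1; }
static long lib_printf_model(long x) { return x * 2; }

/* The library's symbol table, consulted by the resolver. */
static const struct { const char *name; import_fn addr; } lib_symtab[] = {
    { "puts",   lib_puts_model },
    { "printf", lib_printf_model },
};

/* The program's imports, in PLT index order (the index each PLT stub pushes). */
enum { IMPORT_PUTS = 0, IMPORT_PRINTF = 1, IMPORT_COUNT = 2 };
static const char *import_names[IMPORT_COUNT] = { "puts", "printf" };

/* .got.plt: one writable slot per import. */
import_fn got[IMPORT_COUNT];
int resolve_count;   /* how many times the resolver has run */

/* Model of _dl_runtime_resolve: resolve import idx, patch the GOT, return the address. */
static import_fn dl_runtime_resolve(int idx)
{
    resolve_count++;
    for (size_t i = 0; i < sizeof lib_symtab / sizeof lib_symtab[0]; i++) {
        if (strcmp(lib_symtab[i].name, import_names[idx]) == 0) {
            got[idx] = lib_symtab[i].addr;      /* "write the real address back" */
            return got[idx];
        }
    }
    return NULL;  /* unresolved symbol: the real loader would abort here */
}

/* PLT stubs: "push 0x0" / "push 0x1" then jump to the resolver, which continues into the target. */
static long plt_stub_puts(long x)
{
    import_fn f = dl_runtime_resolve(IMPORT_PUTS);
    return f ? f(x) : -1;
}
static long plt_stub_printf(long x)
{
    import_fn f = dl_runtime_resolve(IMPORT_PRINTF);
    return f ? f(x) : -1;
}

/* Loader state at program start: every GOT slot points at its own PLT stub. */
void got_init(void)
{
    got[IMPORT_PUTS]   = plt_stub_puts;
    got[IMPORT_PRINTF] = plt_stub_printf;
    resolve_count = 0;
}

/* "call puts@plt" from main: .plt.sec does "bnd jmp [puts@got.plt]". */
long call_import(int idx, long x)
{
    return got[idx](x);
}

/* 1 once the slot holds the library address instead of a PLT stub. */
int got_slot_resolved(int idx)
{
    return got[idx] != plt_stub_puts && got[idx] != plt_stub_printf;
}

int main(void)
{
    got_init();
    long r1 = call_import(IMPORT_PUTS, 5);
    printf("puts(5)   -> %ld, resolver ran %d time(s)\n", r1, resolve_count);
    long r2 = call_import(IMPORT_PUTS, 5);
    printf("puts(5)   -> %ld, resolver ran %d time(s)\n", r2, resolve_count);
    long r3 = call_import(IMPORT_PRINTF, 5);
    printf("printf(5) -> %ld, resolver ran %d time(s)\n", r3, resolve_count);
    return 0;
}
```

Because `got[]` is ordinary writable data, any write primitive that reaches it redirects the next call through that slot, which is the hijack on slides 95 to 100 (there the slot holds 0x4141414141414141 and the next `bnd jmp [puts@got.plt]` goes there). The standard mitigation is full RELRO, `-Wl,-z,relro,-z,now`: the loader resolves every import at startup instead of lazily and then remaps the GOT read-only before main runs, so the slot can no longer be overwritten by the program itself.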

Slide 101

GOT Hijack Demo

Slide 102

One Gadget

Slide 103

One Gadget
- A Gadget is an exploitable fragment of instructions
- libc contains some addresses which, if jumped to, spawn a shell
- Such a Gadget is a One Gadget: one shot and you are in
- https://github.com/david942j/one_gadget
- libc 2.31: https://qiita.com/kusano_k/items/4a6f285cca613fcf9c9e#glibc-231の場合
Image source: https://ithelp.ithome.com.tw/articles/10226977

Slide 104

One Gadget Demo

Slide 105

ROP

Slide 106

ROP
- ROP stands for Return-Oriented Programming
- Find Gadgets that end in ret
- Arrange those Gadgets on the Stack
- The instruction fragments of all the Gadgets on the Stack then execute one after another

Slides 107 to 118

ROP (step-by-step; reconstructed from the values shown on the slides)

function1: push rbp / mov rbp, rsp / sub rsp, 30h / … / leave / ret. Execution is inside function1, RBP = 0x00007fffffffe590, RSP = 0x00007fffffffe560.

Gadgets:
    Gadget1 @ 0x405566:  pop rdi ; ret
    Gadget2 @ 0x407777:  pop rsi ; pop rdx ; pop rax ; ret
    Gadget3 @ 0x408888:  syscall

Stack before the overflow:
    0x00007fffffffe5c8
    0x00007fffffffe5c0   original RBP value
    0x00007fffffffe5a0
    0x00007fffffffe598   0x401234 (return address into main)
    0x00007fffffffe590   0x00007fffffffe5c0 (main's saved RBP)
    0x00007fffffffe560   function1's local buffer starts here

Stack after "Overwrite Stack" (lower addresses first, in the order the chain consumes them):
    0x00007fffffffe560   /bin/sh\0
    0x00007fffffffe568 … 0x00007fffffffe588   AAAAAAAA (filler)
    0x00007fffffffe590   AAAAAAAA (saved RBP)
    0x00007fffffffe598   0x405566 (return address -> Gadget1)
    0x00007fffffffe5a0   0x00007fffffffe560 (popped into rdi)
    0x00007fffffffe5a8   0x407777 (Gadget2)
    0x00007fffffffe5b0   0 (popped into rsi)
    0x00007fffffffe5b8   0 (popped into rdx)
    0x00007fffffffe5c0   59 (popped into rax)
    0x00007fffffffe5c8   0x408888 (Gadget3)

Steps:
1. leave: RSP = 0x00007fffffffe598, RBP = AAAAAAAA.
2. Return to Gadget1: ret pops 0x405566 into RIP.
3. pop rdi: rdi = 0x00007fffffffe560 ("/bin/sh"); ret pops 0x407777.
4. Return to Gadget2: pop rsi: rsi = 0; pop rdx: rdx = 0; pop rax: rax = 59; ret pops 0x408888.
5. Return to Gadget3: syscall executes with rdi = 0x00007fffffffe560 ("/bin/sh"), rsi = 0, rdx = 0, rax = 59.
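
An added simulator (mine, not from the slides) for the chain on slides 107 to 118. It models only the three gadgets and the stack words the slides show, using the slides' addresses, and executes each `ret` by popping the next word into RIP; nothing in it runs machine code. `machine`, `run_chain`, `run_slide_chain` and `chain_with_intact_return` are names of my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulator for the ROP chain on the slides. The gadget addresses, the stack
 * words and the stack address 0x00007fffffffe560 are the slides' values; the
 * gadgets are interpreted as their "pop ... ; ret" sequences, nothing is
 * executed as machine code. Names are this example's own. */

#define STACK_BASE  0x00007fffffffe560ULL  /* address of the lowest modelled word */
#define STACK_WORDS 14                     /* 0x...e560 .. 0x...e5c8 inclusive */

#define GADGET1 0x405566ULL   /* pop rdi ; ret */
#define GADGET2 0x407777ULL   /* pop rsi ; pop rdx ; pop rax ; ret */
#define GADGET3 0x408888ULL   /* syscall */

struct cpu {
    uint64_t rip, rsp, rdi, rsi, rdx, rax;
    int syscall_reached;  /* set when execution arrives at the syscall gadget */
};

struct machine {
    struct cpu cpu;
    uint64_t stack[STACK_WORDS];
};

/* "pop": read the word at rsp, then rsp += 8. -1 if rsp leaves the modelled stack. */
static int pop(struct machine *m, uint64_t *out)
{
    if (m->cpu.rsp < STACK_BASE) return -1;
    uint64_t idx = (m->cpu.rsp - STACK_BASE) / 8;
    if (idx >= STACK_WORDS) return -1;
    *out = m->stack[idx];
    m->cpu.rsp += 8;
    return 0;
}

/* Runs from function1's final "ret" until the syscall gadget or an address we
 * do not model. Returns 0 on reaching syscall, -1 otherwise. */
int run_chain(struct machine *m)
{
    if (pop(m, &m->cpu.rip)) return -1;               /* "ret": pops the (overwritten) return address */
    for (int steps = 0; steps < 100; steps++) {
        if (m->cpu.rip == GADGET1) {
            if (pop(m, &m->cpu.rdi)) return -1;       /* pop rdi */
            if (pop(m, &m->cpu.rip)) return -1;       /* ret */
        } else if (m->cpu.rip == GADGET2) {
            if (pop(m, &m->cpu.rsi)) return -1;       /* pop rsi */
            if (pop(m, &m->cpu.rdx)) return -1;       /* pop rdx */
            if (pop(m, &m->cpu.rax)) return -1;       /* pop rax */
            if (pop(m, &m->cpu.rip)) return -1;       /* ret */
        } else if (m->cpu.rip == GADGET3) {
            m->cpu.syscall_reached = 1;               /* rax == 59 is execve on x86-64 Linux */
            return 0;
        } else {
            return -1;                                /* not a gadget we model (e.g. a real return into main) */
        }
    }
    return -1;
}

/* Lays out the stack exactly as the "Overwrite Stack" slide shows it. */
void setup_slide_stack(struct machine *m)
{
    memset(m, 0, sizeof *m);
    memcpy(&m->stack[0], "/bin/sh", 8);                                 /* 0x...e560: "/bin/sh\0" */
    for (int i = 1; i <= 6; i++) m->stack[i] = 0x4141414141414141ULL;  /* 0x...e568..0x...e590: filler, incl. saved rbp */
    m->stack[7]  = GADGET1;       /* 0x...e598: overwritten return address */
    m->stack[8]  = STACK_BASE;    /* 0x...e5a0: popped into rdi */
    m->stack[9]  = GADGET2;       /* 0x...e5a8 */
    m->stack[10] = 0;             /* 0x...e5b0: popped into rsi */
    m->stack[11] = 0;             /* 0x...e5b8: popped into rdx */
    m->stack[12] = 59;            /* 0x...e5c0: popped into rax */
    m->stack[13] = GADGET3;       /* 0x...e5c8 */
    m->cpu.rsp = STACK_BASE + 7 * 8;   /* rsp after "leave", just before function1's "ret" */
}

/* Sets up the slide's stack, runs the chain and returns the final CPU state. */
struct cpu run_slide_chain(void)
{
    struct machine m;
    setup_slide_stack(&m);
    run_chain(&m);
    return m.cpu;
}

/* Same stack but with the return address intact (0x401234, as before the overflow):
 * the chain never starts, because "ret" goes back into main, which we do not model. */
int chain_with_intact_return(void)
{
    struct machine m;
    setup_slide_stack(&m);
    m.stack[7] = 0x401234ULL;
    return run_chain(&m);
}

int main(void)
{
    struct cpu c = run_slide_chain();
    printf("rip=0x%llx rsp=0x%llx rdi=0x%llx rsi=%llu rdx=%llu rax=%llu syscall_reached=%d\n",
           (unsigned long long)c.rip, (unsigned long long)c.rsp, (unsigned long long)c.rdi,
           (unsigned long long)c.rsi, (unsigned long long)c.rdx, (unsigned long long)c.rax,
           c.syscall_reached);
    printf("with the original return address: run_chain -> %d\n", chain_with_intact_return());
    return 0;
}
```

The chain exists only because function1's return slot was writable and unchecked: the canary check from slides 52 to 60 would abort in the epilogue before this `ret` runs unless the stored canary value was preserved, and NX does not help here because every gadget lives in code that is already executable.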

Slide 119

ROP Demo

Slide 120

Q & A

Slide 121

Thanks
During the pandemic, go out less and wash your hands often.