Upgrade to Pro — share decks privately, control downloads, hide ads and more …

別pwn那裡.pdf

terrynini
December 16, 2018
440

 別pwn那裡.pdf

terrynini

December 16, 2018
Tweet

Transcript

  1. Before learning the ancient pwn, Make sure that you understand

    the concept of stack frame. If your answer is negative, there is an ancient material for you from 2018/12/14. All the example code are at the end of this material.
  2. ancient pwn $ gcc -fno-stack-protector pwn_01.c -o pwn_01
 $ ./pwn_01


    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 [1] 19730 segmentation fault (core dumped) ./pwn_01 These are some ancient tricks, so we have to turn off some modern feature.
  3. ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23]
  4. ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] aaaaaaaa aaaaaaaa
  5. ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] aaaaaaaa aaaaaaaa STACK Overflow ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  6. ancient pwn 0 Previous RBP Return Address \00\00\00\00\00\00\00\00 low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value
  7. ancient pwn 0 Previous RBP Return Address aaaaaaaa low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value
  8. ancient pwn 0 Previous RBP Return Address aaaaaaaa low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value 0x6161616161616161
  9. ancient pwn 0 Previous RBP Return Address aaaaaaaa low address

    high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value Buffer Overflow! 0x6161616161616161 /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  10. ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address

    name[0]~name[7] name[8]~name[15] Previous RBP
  11. ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address

    name[0]~name[7] name[8]~name[15] Previous RBP aaaaaaaa 0x0400577 0000000000400577 <cheat>: 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 <puts@plt> 400587: nop 400588: pop rbp 400589: ret .--------------------------------------. | | | | | | | | | | | | | | | | '--------------------------------------'
  12. .--------------------------------------. | | | | | | | | |

    | | | | | | | '--------------------------------------' ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] Previous RBP aaaaaaaa 0x0400577 Control Flow Hijack ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 0000000000400577 <cheat>: 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 <puts@plt> 400587: nop 400588: pop rbp 400589: ret
  13. ancient pwn Controlling the return address, and jump to a

    piece of code. It was named ret2text.
  14. Return Address shellcode shellcode note[0x90]~note[0x97] Previous RBP Shellcode push 0x68

    mov rax, 0x732f2f2f6e69622f push rax mov rdi, rsp push 0x1010101 ^ 0x6873 xor dword ptr [rsp], 0x1010101 xor esi, esi push rsi push 8 pop rsi add rsi, rsp push rsi mov rsi, rsp xor edx, edx push SYS_execve pop rax syscall note[0x97]~note[0x9e] .------------------------------------. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | '------------------------------------' | | | asm() '---------------------------->
  15. Return Address shellcode shellcode 0x7ffcbe83d7c0 high address Previous RBP Shellcode

    Garbage 0x7ffcbe83d7c0 note[0x90]~note[0x97] note[0x97]~note[0x9e]
  16. Return Address shellcode shellcode 0x7ffcbe83d7c0 high address Previous RBP Shellcode

    Garbage 0x7ffcbe83d7c0 note[0x90]~note[0x97] note[0x97]~note[0x9e] retturn to shellcode! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  17. Stack Guard Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low

    address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary
  18. Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high

    address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary aaaaaaaa aaaaaaaa aaaaaaaa Stack Guard
  19. Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high

    address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary aaaaaaaa aaaaaaaa aaaaaaaa stack smashing detected /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// Stack Guard
  20. ASLR Address Space Layout Randomization It’s a feature of kernel,

    Linux kernel enable it by default. To randomize the .text, a binary have to be compiled with PIE.
  21. ASLR Address Space Layout Randomization 0000000000400577 <cheat>: 400577: push rbp

    400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 <puts@plt> 400587: nop 400588: pop rbp 400589: ret 00000000000006ca <cheat>: 6ca: push rbp 6cb: mov rbp,rsp 6ce: lea rdi,[rip+0xd3] 6d5: call 580 <puts@plt> 6da: nop 6db: pop rbp 6dc: ret .---------------------------------------. .----------------------------------. | | | | | | | | | | | | | | PIE | | | |>>>>>>>>>>>>>>>>>>>>>>| | | | | | | | | |
 | | | | | | | |
 | | | | '---------------------------------------' '----------------------------------'
  22. DEP Data execution prevention Need hardware support which called CPU

    NX bit. NX bit, no execute bit, marks certain areas of memory as non-executable.
  23. $ gcc -fno-stack-protector pwn_04.c -o pwn_04 DEP Data execution prevention

    The shellcode on stack and heap would become unexecutable.
  24. PLT&GOT Procedure Linkage Table & Global offset Table A dynamic

    link binary has to relocate library function calls during execution. $ gcc -c pwn_05.c -o pwn_05.o
  25. PLT&GOT Procedure Linkage Table & Global offset Table A dynamic

    link binary has to relocate library function calls during execution. $ gcc -c pwn_04.c -o pwn_04.o
  26. PLT&GOT Procedure Linkage Table & Global offset Table External functions

    are unknown during the link stage, and we shouldn’t modify the instruction after compilation. 0000000000000000 <main>: ... 30: e8 00 00 00 00 call 35 <main+0x35> 35: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]
  27. PLT&GOT Procedure Linkage Table & Global offset Table To solve

    that, we have GOT, global offset table. ld is response to resolve xxxx@GLIBC during loading. <main>: call printf@GOT GOT 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------.
 | scanf@GLIBC | '---------------' .---------------.
 | printf@GLIBC | '---------------' .---------------.
 | read@GLIBC | '---------------' .---------------.
 | exit@GLIBC | '---------------' .------------> ---' .-------> | ---'
  28. PLT&GOT Procedure Linkage Table & Global offset Table When a

    binary is too big, it takes lots of time to fill out GOT. Sometimes, some functions won’t be called during execution, we don’t need to resolve them each time.
  29. PLT&GOT Procedure Linkage Table & Global offset Table To solve

    that, we have PLT, procedure linkage table, and a mechanism named Lazy binding. <main>: call printf@plt GOT .---------------.
 | printf@GLIBC | '---------------' .-------> ---' .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------' .----------> | | first call | -----------' ------------. second call | | | | '----> .----. | ld | '----' | | | | resolve | | | v
  30. ret2plt Return Address aaaaaaaa aaaaaaaa low address high address Previous

    RBP .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------'
  31. ret2plt Return Address aaaaaaaa aaaaaaaa low address high address Previous

    RBP Garbage printf@plt .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------'
  32. Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP

    Garbage printf@plt .-----------------------------------. |<printf@plt>: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------' Return to plt ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ret2plt
  33. $ gcc -zlazy pwn_04.c -o pwn_04 GOT Hijack If the

    Lazy Binding is applied, GOT must be writable.
  34. .---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC

    | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack
  35. .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' .---------------.
 | call

    puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack
  36. .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' |

    | | v Over Write .---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack
  37. .------------.
 | call puts | '------------' GOT+0x20 .-------------------------------.
 | __libc_system@@GLIBC_PRIVATE

    | '-------------------------------' ---> .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write ---> .-------------------.
 | system(“/bin/sh”) | '-------------------' GOT Hijack
  38. GOT Hijack .------------.
 | call puts | '------------' GOT+0x20 .-------------------------------.


    | __libc_system@@GLIBC_PRIVATE | '-------------------------------' ---> .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write ---> .-------------------.
 | system(“/bin/sh”) | '-------------------' GOT Hijack ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  39. .------------. | | | | | | | | '------------'

    ROP Return Oriented Programming xor rax, rax ret inc rax ret mov rcx, rax ret .------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' 0x8010AB0 0x8010CD0 0x8010EF0 + +
  40. .----------------------------------------------------------------------------. | | | | | | | | |

    | | | | | | | ‘----------------------------------------------------------------------------' .------------. | | | | | | | | '------------' ROP Return Oriented Programming xor rax, rax ret inc rax ret mov rcx, rax ret .------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' 0x8010AB0 0x8010CD0 0x8010EF0 + + .------------. | | | | | | | | '------------' xor rax, rax inc rax mov rcx, rax .------------. | | | | | | | | '------------' rcx = 1 = =
  41. .------------. | | | | | | | | '------------'

    .--------------. | | | | | | | | '--------------' Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP .------------. | | | | | | | | '------------' xor rax, rax ret inc rax ret mov rcx, rax ret 0x8010AB0 0x8010CD0 0x8010EF0 0x8010CD0 0x8010AB0 0x8010EF0 ROP aaaaaaaa
  42. Example pwn_02.c #include <stdio.h> #include <unistd.h> typedef struct{ char name[8];

    long int Taiwan_value; }passport; int main(){ passport visitor; visitor.Taiwan_value = 0; read(0, visitor.name, 18); if( visitor.Taiwan_value > 0){ printf(" %s !? welcome, Taiwanese.", visitor.name); printf("Value : %d",visitor.Taiwan_value); }else{ printf(" %s ?? Get off, outlander.",visitor.name); } return 0; }
  43. Example pwn_03.c #include <stdio.h> #include <unistd.h> void cheat(){ puts("My grandpa

    taught me this in Hawaii "); } int main(){ char name[0x10]; read(0, name, 0x20); printf("%s", name); return 0; }
  44. Example pwn_04.c #include <stdio.h> #include <unistd.h> int main(){ char note[0x100];

    printf("the address is : %p \n",note); read(0, note, 0x120); return 0; }
  45. Example pwn_05.c #include <stdio.h> #include <unistd.h> int main(){ char note[0x100];

    puts("So... where is the system ?"); system("echo 'here'"); printf("printf is at %p\nsystem is at %p\noffset = %d\n", printf, system, (int) (system)-(int)(printf)); return 0; }