Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Binary Exploitation - Basic 補充篇
Search
LJP-TW
May 26, 2021
Technology
1
53
Binary Exploitation - Basic 補充篇
2021/05/26 台科資安社 社課
直播記錄檔:
https://www.youtube.com/watch?v=I3X69ADZOnw
- TLS
LJP-TW
May 26, 2021
Tweet
Share
More Decks by LJP-TW
See All by LJP-TW
Reverse Engineering - 1
ljptw
0
1.7k
Reverse Engineering - 2
ljptw
0
740
Reverse Engineering - 3
ljptw
0
600
Re:0 從零開始的逆向工程
ljptw
1
1.2k
Linux 極入門篇
ljptw
1
300
Fuzzing 101
ljptw
1
200
Binary Exploitation - File Structure
ljptw
1
290
Binary Exploitation - Heap
ljptw
1
160
Binary Exploitation - Basic
ljptw
1
120
Other Decks in Technology
See All in Technology
[JAWSDAYS2026]Who is responsible for IAM
mizukibbb
0
720
S3はフラットである –AWS公式SDKにも存在した、 署名付きURLにおけるパストラバーサル脆弱性– / JAWS DAYS 2026
flatt_security
0
1.8k
AWS CDK「読めるけど書けない」を脱却するファーストステップ
smt7174
3
140
Agent ServerはWeb Serverではない。ADKで考えるAgentOps
akiratameto
0
110
Scrumは歪む — 組織設計の原理原則
dashi
0
190
進化するBits AI SREと私と組織
nulabinc
PRO
0
190
AI実装による「レビューボトルネック」を解消する仕様駆動開発(SDD)/ ai-sdd-review-bottleneck
rakus_dev
0
140
PMとしての意思決定とAI活用状況について
lycorptech_jp
PRO
0
130
VPCエンドポイント意外とお金かかるなぁ。せや、共有したろ!
tommy0124
1
630
情シスのための生成AI実践ガイド2026 / Generative AI Practical Guide for Business Technology 2026
glidenote
0
260
スクリプトの先へ!AIエージェントと組み合わせる モバイルE2Eテスト
error96num
0
180
決済サービスを支えるElastic Cloud - Elastic Cloudの導入と推進、決済サービスのObservability
suzukij
2
650
Featured
See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.3k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
180
jQuery: Nuts, Bolts and Bling
dougneiner
65
8.4k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
The Cost Of JavaScript in 2023
addyosmani
55
9.8k
The Power of CSS Pseudo Elements
geoffreycrofte
82
6.2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
22k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.2k
Code Reviewing Like a Champion
maltzj
528
40k
Code Review Best Practice
trishagee
74
20k
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.1k
The Mindset for Success: Future Career Progression
greggifford
PRO
0
280
Transcript
2021/5/26 NTUSTISC Binary Exploitation aka Pwn Basic 補充篇
# whoami - LJP / LJP-TW - Pwn / Rev
- NTUST / NCTU / NYCU - 10sec CTF Team 1
Outline - TLS 2
TLS 3
TLS - TLS 全名 Thread-Local Storage - Linux x64 使用
fs 暫存器記著 TLS 的位置 - Stack Canary 就是存在 TLS 中 4
TLS - fs 為 Segment Register - 計算方式 reg:offset =
ref + offset - 這時候你用 gdb 想看一下 fs 等於多少卻發現 - 難道 Canary 從 [0+0x28] 拿來的?? 5
TLS - GDB 也是 Process, fs = 0 是指 GDB
自己的 fs - 所以要怎麼拿到觀測中的 Process 的 fs? - 呼叫 arch_prctl 6 Ref: https://fasterthanli.me/series/making-our-own-executable-packer/part-13
TLS - Pwngdb 有實作取得 TLS 的功能 - 閱讀一下怎麼實作的, 發現其實一樣 -
https://github.com/scwuaptx/Pwngdb/blob/master/pwndbg/pwngdb.py#L77 7
TLS Demo 8
ljptw
mizukibbb
flatt_security
smt7174
akiratameto
.jpg){kind=avatar}
dashi
nulabinc
rakus_dev
lycorptech_jp
tommy0124
glidenote
error96num
suzukij
tammyeverts
dugsong
dougneiner
smashingmag
addyosmani
geoffreycrofte
danielanewman
irinanazarova
maltzj
trishagee
ipullrank
greggifford
