Upgrade to Pro — share decks privately, control downloads, hide ads and more …

学内Pwn勉強会

Avatar for m412u m412u
February 25, 2019
Programming
4
4.9k

 学内Pwn勉強会

学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.

Avatar for m412u

m412u

February 25, 2019
Tweet

More Decks by m412u

See All by m412u
slide.pdf
Avatar for m412u m412u
5
2.8k
Pwn勉強会
Avatar for m412u m412u
8
12k

Other Decks in Programming

See All in Programming
JSONataを使ってみよう Step Functionsが楽しくなる実践テクニック #devio2025
Avatar for dafujii dafujii
1
510
Swift Updates - Learn Languages 2025
Avatar for Yuta Koshizawa koher
2
470
testingを眺める
Avatar for matumoto matumoto
1
140
Oracle Database Technology Night 92 Database Connection control FAN-AC
Avatar for oracle4engineer oracle4engineer
PRO
1
440
テストカバレッジ100%を10年続けて得られた学びと品質
Avatar for もっち mottyzzz
2
560
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
330
詳解!defer panic recover のしくみ / Understanding defer, panic, and recover
Avatar for convto convto
0
230
機能追加とリーダー業務の類似性
Avatar for Rinchoku rinchoku
2
1.2k
奥深くて厄介な「改行」と仲良くなる20分
Avatar for おぐえもん oguemon
1
510
私の後悔をAWS DMSで解決した話
Avatar for 平目 hiramax
4
210
「手軽で便利」に潜む罠。 Popover API を WCAG 2.2の視点で安全に使うには
Avatar for Taito Tanaka taitotnk
0
830
ユーザーも開発者も悩ませない TV アプリ開発 ~Compose の内部実装から学ぶフォーカス制御~
Avatar for Daichi Takeya taked137
0
140

Featured

See All Featured
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.9k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
53
7.8k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
3.1k
Making Projects Easy
Avatar for Brett Harned brettharned
117
6.4k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
840
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.4k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.7k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k

Transcript

  1.  Pwn  @ Gm S944y

  2.  • &,$.1 )/ 2 • '#&,-%" * +3 

     • (0x86 ! 2

  3.  •   •   • ! •

       •   • ROP 3

  4.  4

  5.   5    "  ! #CPU

      

  6. # !42 • $ * .'& • text +:509 •

    data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- •   6  text data bss heap ⇩ stack ⇧

  7.   7 text data bss heap ⇩ stack ⇧

    0x0 0 x f f f f f f f f     ebp eflags edi eax esi ebx edx ecx esp eip  

  8.  • 9" • eax, ecx, edx, ebx, esi, edi

    032* • 1)$"   • +8 • esp #,  / )4 • ebp #,  /5 )4 • eip '!   • eflag .72* %()4 (-&6$" ) 8

  9.   9

  10. 30 • ".4  • 6$&'*7 30/  • 5

    #!2. -(%) # ,81+ " etc… 10 ≒  

  11.  •     11 PUSH POP

  12. &% !( •  '  #  &% 

    $" !(  12  main     main     main   func   

  13.  13

  14.   • main  A   14 void

    A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

  15.   • A   15   

     int main(void) { int a, b; … A(a, b); … return 0; }

  16.   •      1. A

     2.   16   int main(void) { int a, b; … A(a, b); … return 0; }

  17.    •      

    1. A  17 int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  18.  $   • $  ! # "

    1. A  2.  18  int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  19. $, & • $A !( eip '-  • ".+*)

      19 eip    0x00000100 $A ".+ 0x00000104   0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b    int a int b   %#$ %#$

  20.     • A    !

    20 0x00000100 eip    0x00000100 A " 0x00000104   0x00000200 main " 0x00000204 0x00000208 0x0000020b    int a int b    

  21. !  1.   2.    3.

      eip  21  2.3 call" 

  22. " '  • "A  "A $  

    22 0x00000104 eip int z &( ebp  int a int b      0x00000100 "A !)% 0x00000104   0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b   #"

  23.  # • A  • ret "  

    ! 23 eip  int a int b      0x00000100 A $ 0x00000104   0x00000200 main $ 0x00000204 0x00000208 0x0000020b  

  24. ret !# 24 ret = pop eip   "

    eip      

  25.  •     eip   25

    eip  int a int b      0x00000100 A  0x00000104   0x00000200 main  0x00000204 0x00000208 0x0000020b  

  26.  • main  26  eip int a int

    b       0x00000100 A   0x00000104   0x00000200 main    0x00000204 0x00000208 0x0000020b  

  27. (,;# 27 1. (,B +,8 2. call 7? (,B ;

     "!8 3. (,B ; :5 />  1. (,A  ebp 94=  2. (,B %3.* & :5  3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6<  (,A 0) (,B 0)

  28.  28

  29. BOF ,+! & 29 void vuln(void) { char buf[4]; …

    gets(buf); … } • main"vuln")  • ($*# •    4 • BOF ,+!'%

  30. vuln !(" • '& %  30 char buf[4] $)ebp

     int a int b   #! void vuln(void) { char buf[4]; … gets(buf); … } 

  31. !%  • gets(buf) " ! # 31 char buf[4]

    $ ebp  int a int b    AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  32. !%  • gets(buf) " ! # 32 A A

    A A $ ebp  int a int b    AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  33.   • gets(buf)   33 A A A

    A A A A A  int a int b     AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }   

  34. vuln •  34 A A A A A A

    A A A A A A int a int b     void vuln(void) { char buf[4]; … gets(buf); … }   

  35. vuln • leave    35 A A A

    A int a int b     

  36. ret  •   eip  pop  

    36 eip A A A A int a int b    

  37. ret!   •   eip pop  •

    ASCII → A 16 0x41 37 int a int b   0x41414141 eip

  38. ret15 .&4  38 0x41414141 eip   • 0x41414141

    152-  !" • 2- #% +' (.&0/* • ,$)3 

  39.   39

  40.   •       40

     A A A A A A A A int a int b    A A A A A A A A         char buf[4] ebp    int a int b  

  41.   l   1.    2.

         3.   eip   41

  42.   l   1.    2.

         3.   eip   42 OK

  43.   l   1.    2.

         3.   eip   43 OK OK

  44. 44       A A A

    A A A A A                eip

  45.   l   1.    2.

         3.   eip   45 OK OK OK

  46. BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *) 

     '2 • A?( 90;.@'  '2<81  •  @'-3:65 46

  47. ROP 47

  48. ROP  • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F

    A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2  !  48 Meltdown and Spectre (https://meltdownattack.com/)

  49. B2)2>& • )2*>&  5 9,+/  • B2)2> •

    7)2>6.40 • '>& )212  !< • "%$#(?3-C:;A@ =8  49

  50. gadget •   ret;!   •  

         50

  51. pop × N ; ret; •   • pop

      ret   51

  52.   52

  53. gadget  •  gadget   53  A

    A A A A A A A A     A    A A A A A A A A A  0x08048355 A    

  54. gadget  54  A A A A A A

    A A A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  55. gadget   •    (leave!) 55 

    A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  56. gadget  • ret (pop eip)    56

     A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  57. gadget  • ret (pop eip)    57

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  58. gadget   • A    58 

    0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  59. gadget  • A   59  0x08048355 A

        0x08048355: pop ebx 0x08048356: ret    A eip esp

  60. gadget  • ret (pop eip)    60

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  61. gadget  • ret (pop eip)    61

     A    0x08048355: pop ebx 0x08048356: ret    0x08048355 eip esp

  62. gadget   • gadget    62 

    A    0x08048355: pop ebx 0x08048356: ret  0x08048355 eip esp

  63. gadget  •   pop   63 

       0x08048355: pop ebx 0x08048356: ret  0x08048355 eip A ebx esp

  64. gadget  •   ret   64 

       0x08048355: pop ebx 0x08048356: ret  0x08048356 eip esp

  65. gadget  •   eip  pop  

    65     0x08048355: pop ebx 0x08048356: ret  0xdeadbeef eip esp

  66.    66  A  gadget  A

     B  gadget  B  B    pop ebx ret   pop eax pop ecx ret 

  67. ROP '# • pop × N; ret; * gadget &#

     •  !) (%  • Return-oriented Programming (ROP) DEP",  • ROP $+ • ROP Emporium 67

  68. 1/*0 • !  $ • '#$*0.(+ • 23)+ •

    &.  #,x86   •  " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68