Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
学内Pwn勉強会
Search
m412u
February 25, 2019
Programming
4
4.6k
学内Pwn勉強会
学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.
m412u
February 25, 2019
Tweet
Share
More Decks by m412u
See All by m412u
slide.pdf
m412u
5
2.7k
Pwn勉強会
m412u
8
11k
Other Decks in Programming
See All in Programming
Keeping it Ruby: Why Your Product Needs a Ruby SDK - RubyWorld 2024
envek
0
190
採用事例の少ないSvelteを選んだ理由と それを正解にするためにやっていること
oekazuma
2
1k
Effective Signals in Angular 19+: Rules and Helpers @ngbe2024
manfredsteyer
PRO
0
140
tidymodelsによるtidyな生存時間解析 / Japan.R2024
dropout009
1
790
PHPで学ぶプログラミングの教訓 / Lessons in Programming Learned through PHP
nrslib
3
300
わたしの星のままで一番星になる ~ 出産を機にSIerからEC事業会社に転職した話 ~
kimura_m_29
0
180
ドメインイベント増えすぎ問題
h0r15h0
2
350
どうして手を動かすよりもチーム内のコードレビューを優先するべきなのか
okashoi
3
130
rails stats で紐解く ANDPAD のイマを支える技術たち
andpad
1
290
PHPUnitしか使ってこなかった 一般PHPerがPestに乗り換えた実録
mashirou1234
0
220
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
390
これでLambdaが不要に?!Step FunctionsのJSONata対応について
iwatatomoya
2
3.7k
Featured
See All Featured
Music & Morning Musume
bryan
46
6.2k
Why Our Code Smells
bkeepers
PRO
335
57k
Documentation Writing (for coders)
carmenintech
66
4.5k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
RailsConf 2023
tenderlove
29
940
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Designing for Performance
lara
604
68k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2k
A Philosophy of Restraint
colly
203
16k
Transcript
Pwn @ Gm S944y
• &,$.1 )/ 2 • '#&,-%" * +3
• (0x86 ! 2
• • • ! •
• • ROP 3
4
5 " ! #CPU
# !42 • $ * .'& • text +:509 •
data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧
7 text data bss heap ⇩ stack ⇧
0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip
• 9" • eax, ecx, edx, ebx, esi, edi
032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8
9
30 • ".4 • 6$&'*7 30/ • 5
#!2. -(%) # ,81+ " etc… 10 ≒
• 11 PUSH POP
&% !( • ' # &%
$" !( 12 main main main func
13
• main A 14 void
A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }
• A 15
int main(void) { int a, b; … A(a, b); … return 0; }
• 1. A
2. 16 int main(void) { int a, b; … A(a, b); … return 0; }
•
1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$ • $ ! # "
1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$, & • $A !( eip '- • ".+*)
19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$
• A !
20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b
! 1. 2. 3.
eip 21 2.3 call"
" ' • "A "A $
22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"
# • A • ret "
! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b
ret !# 24 ret = pop eip "
eip
• eip 25
eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
• main 26 eip int a int
b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
(,;# 27 1. (,B +,8 2. call 7? (,B ;
"!8 3. (,B ; :5 /> 1. (,A ebp 94= 2. (,B %3.* & :5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)
28
BOF ,+! & 29 void vuln(void) { char buf[4]; …
gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%
vuln !(" • '& % 30 char buf[4] $)ebp
int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 31 char buf[4]
$ ebp int a int b AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 32 A A
A A $ ebp int a int b AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
• gets(buf) 33 A A A
A A A A A int a int b AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
vuln • 34 A A A A A A
A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }
vuln • leave 35 A A A
A int a int b
ret • eip pop
36 eip A A A A int a int b
ret! • eip pop •
ASCII → A 16 0x41 37 int a int b 0x41414141 eip
ret15 .&4 38 0x41414141 eip • 0x41414141
152- !" • 2- #% +' (.&0/* • ,$)3
39
• 40
A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b
l 1. 2.
3. eip 41
l 1. 2.
3. eip 42 OK
l 1. 2.
3. eip 43 OK OK
44 A A A
A A A A A eip
l 1. 2.
3. eip 45 OK OK OK
BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *)
'2 • A?( 90;.@' '2<81 • @'-3:65 46
ROP 47
ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F
A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)
B2)2>& • )2*>& 5 9,+/ • B2)2> •
7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49
gadget • ret;! •
50
pop × N ; ret; • • pop
ret 51
52
gadget • gadget 53 A
A A A A A A A A A A A A A A A A A A 0x08048355 A
gadget 54 A A A A A A
A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • (leave!) 55
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 56
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 57
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 58
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 59 0x08048355 A
0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 60
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 61
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • gadget 62
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • pop 63
0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp
gadget • ret 64
0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp
gadget • eip pop
65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp
66 A gadget A
B gadget B B pop ebx ret pop eax pop ecx ret
ROP '# • pop × N; ret; * gadget &#
• !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67
1/*0 • ! $ • '#$*0.(+ • 23)+ •
&. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68