Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
学内Pwn勉強会
Search
m412u
February 25, 2019
Programming
4
4.9k
学内Pwn勉強会
学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.
m412u
February 25, 2019
Tweet
Share
More Decks by m412u
See All by m412u
slide.pdf
m412u
5
2.8k
Pwn勉強会
m412u
8
12k
Other Decks in Programming
See All in Programming
Go言語での実装を通して学ぶLLMファインチューニングの仕組み / fukuokago22-llm-peft
monochromegane
0
120
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
8beeeaaat
2
1.3k
Ruby Parser progress report 2025
yui_knk
1
300
AI時代のUIはどこへ行く?
yusukebe
16
8.2k
rage against annotate_predecessor
junk0612
0
160
Testing Trophyは叫ばない
toms74209200
0
720
アセットのコンパイルについて
ojun9
0
110
JSONataを使ってみよう Step Functionsが楽しくなる実践テクニック #devio2025
dafujii
0
410
もうちょっといいRubyプロファイラを作りたい (2025)
osyoyu
0
320
為你自己學 Python - 冷知識篇
eddie
1
340
CSC305 Summer Lecture 12
javiergs
PRO
0
130
Putting The Genie in the Bottle - A Crash Course on running LLMs on Android
iurysza
0
120
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1032
460k
KATA
mclloyd
32
14k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
187
54k
Code Review Best Practice
trishagee
70
19k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
13k
Scaling GitHub
holman
463
140k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.1k
Done Done
chrislema
185
16k
Site-Speed That Sticks
csswizardry
10
810
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Art, The Web, and Tiny UX
lynnandtonic
302
21k
Transcript
Pwn @ Gm S944y
• &,$.1 )/ 2 • '#&,-%" * +3
• (0x86 ! 2
• • • ! •
• • ROP 3
4
5 " ! #CPU
# !42 • $ * .'& • text +:509 •
data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧
7 text data bss heap ⇩ stack ⇧
0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip
• 9" • eax, ecx, edx, ebx, esi, edi
032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8
9
30 • ".4 • 6$&'*7 30/ • 5
#!2. -(%) # ,81+ " etc… 10 ≒
• 11 PUSH POP
&% !( • ' # &%
$" !( 12 main main main func
13
• main A 14 void
A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }
• A 15
int main(void) { int a, b; … A(a, b); … return 0; }
• 1. A
2. 16 int main(void) { int a, b; … A(a, b); … return 0; }
•
1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$ • $ ! # "
1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$, & • $A !( eip '- • ".+*)
19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$
• A !
20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b
! 1. 2. 3.
eip 21 2.3 call"
" ' • "A "A $
22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"
# • A • ret "
! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b
ret !# 24 ret = pop eip "
eip
• eip 25
eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
• main 26 eip int a int
b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
(,;# 27 1. (,B +,8 2. call 7? (,B ;
"!8 3. (,B ; :5 /> 1. (,A ebp 94= 2. (,B %3.* & :5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)
28
BOF ,+! & 29 void vuln(void) { char buf[4]; …
gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%
vuln !(" • '& % 30 char buf[4] $)ebp
int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 31 char buf[4]
$ ebp int a int b AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 32 A A
A A $ ebp int a int b AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
• gets(buf) 33 A A A
A A A A A int a int b AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
vuln • 34 A A A A A A
A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }
vuln • leave 35 A A A
A int a int b
ret • eip pop
36 eip A A A A int a int b
ret! • eip pop •
ASCII → A 16 0x41 37 int a int b 0x41414141 eip
ret15 .&4 38 0x41414141 eip • 0x41414141
152- !" • 2- #% +' (.&0/* • ,$)3
39
• 40
A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b
l 1. 2.
3. eip 41
l 1. 2.
3. eip 42 OK
l 1. 2.
3. eip 43 OK OK
44 A A A
A A A A A eip
l 1. 2.
3. eip 45 OK OK OK
BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *)
'2 • A?( 90;.@' '2<81 • @'-3:65 46
ROP 47
ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F
A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)
B2)2>& • )2*>& 5 9,+/ • B2)2> •
7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49
gadget • ret;! •
50
pop × N ; ret; • • pop
ret 51
52
gadget • gadget 53 A
A A A A A A A A A A A A A A A A A A 0x08048355 A
gadget 54 A A A A A A
A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • (leave!) 55
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 56
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 57
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 58
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 59 0x08048355 A
0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 60
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 61
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • gadget 62
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • pop 63
0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp
gadget • ret 64
0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp
gadget • eip pop
65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp
66 A gadget A
B gadget B B pop ebx ret pop eax pop ecx ret
ROP '# • pop × N; ret; * gadget &#
• !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67
1/*0 • ! $ • '#$*0.(+ • 23)+ •
&. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68