学内Pwn勉強会

Pwn @ Gm S944y

• &,$.1 )/ 2 • '#&,-%" * +3
• (0x86 ! 2

• • • ! •
• • ROP 3

5 " ! #CPU

# !42 • $ * .'& • text +:509 •
data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧

7 text data bss heap ⇩ stack ⇧
0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip

• 9" • eax, ecx, edx, ebx, esi, edi
032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8

30 • ".4 • 6$&'*7 30/ • 5
#!2. -(%) # ,81+ " etc… 10 ≒

• 11 PUSH POP

&% !( • ' # &%
$" !( 12 main main main func

• main A 14 void
A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

• A 15
int main(void) { int a, b; … A(a, b); … return 0; }

• 1. A
2. 16 int main(void) { int a, b; … A(a, b); … return 0; }

•
1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }

$ • $ ! # "
1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }

$, & • $A !( eip '- • ".+*)
19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$

• A !
20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b

! 1. 2. 3.
eip 21 2.3 call"

" ' • "A "A $
22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"

# • A • ret "
! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b

ret !# 24 ret = pop eip "
eip

• eip 25
eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b

• main 26 eip int a int
b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b

(,;# 27 1. (,B +,8 2. call 7? (,B ;
"!8 3. (,B ; :5 /> 1. (,A ebp 94= 2. (,B %3.* & :5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)

BOF ,+! & 29 void vuln(void) { char buf[4]; …
gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%

vuln !(" • '& % 30 char buf[4] $)ebp
int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }

!% • gets(buf) " ! # 31 char buf[4]
$ ebp int a int b AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }

!% • gets(buf) " ! # 32 A A
A A $ ebp int a int b AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }

• gets(buf) 33 A A A
A A A A A int a int b AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }

vuln • 34 A A A A A A
A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }

vuln • leave 35 A A A
A int a int b

ret • eip pop
36 eip A A A A int a int b

ret! • eip pop •
ASCII → A 16 0x41 37 int a int b 0x41414141 eip

ret15 .&4 38 0x41414141 eip • 0x41414141
152- !" • 2- #% +' (.&0/* • ,$)3

• 40
A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b

l 1. 2.
3. eip 41

l 1. 2.
3. eip 42 OK

l 1. 2.
3. eip 43 OK OK

44 A A A
A A A A A eip

l 1. 2.
3. eip 45 OK OK OK

BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *)
'2 • A?( 90;.@' '2<81 • @'-3:65 46

ROP 47

ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F
A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)

B2)2>& • )2*>& 5 9,+/ • B2)2> •
7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49

gadget • ret;! •
50

pop × N ; ret; • • pop
ret 51

gadget • gadget 53 A
A A A A A A A A A A A A A A A A A A 0x08048355 A

gadget 54 A A A A A A
A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp

gadget • (leave!) 55
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp

gadget • ret (pop eip) 56
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp

0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp

gadget • A 58

gadget • A 59 0x08048355 A
0x08048355: pop ebx 0x08048356: ret A eip esp

A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp

gadget • gadget 62
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp

gadget • pop 63
0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp

gadget • ret 64
0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp

gadget • eip pop
65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp

66 A gadget A
B gadget B B pop ebx ret pop eax pop ecx ret

ROP '# • pop × N; ret; * gadget &#
• !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67

1/*0 • ! $ • '#$*0.(+ • 23)+ •
&. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68

学内Pwn勉強会

学内Pwn勉強会

More Decks by m412u

Other Decks in Programming

Featured

Transcript