Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
学内Pwn勉強会
Search
m412u
February 25, 2019
Programming
4
4.8k
学内Pwn勉強会
学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.
m412u
February 25, 2019
Tweet
Share
More Decks by m412u
See All by m412u
slide.pdf
m412u
5
2.7k
Pwn勉強会
m412u
8
12k
Other Decks in Programming
See All in Programming
Blueskyのプラグインを作ってみた
hakkadaikon
1
290
型安全なDrag and Dropの設計を考える
yudppp
5
660
クラシルリワードにおける iOSアプリ開発の取り組み
funzin
1
810
〜可視化からアクセス制御まで〜 BigQuery×Looker Studioで コスト管理とデータソース認証制御する方法
cuebic9bic
2
270
TypeScriptのmoduleオプションを改めて整理する
bicstone
4
430
TSConfigからTypeScriptの世界を覗く
planck16
2
1.3k
【TSkaigi 2025】これは型破り?型安全? 真実はいつもひとつ!(じゃないかもしれない)TypeScript クイズ〜〜〜〜!!!!!
kimitashoichi
1
300
REST API設計の実践 – ベストプラクティスとその落とし穴
kentaroutakeda
2
320
Rails産でないDBを Railsに引っ越すHACK - Omotesando.rb #110
lnit
1
100
TypeScript だけを書いて Tauri でデスクトップアプリを作ろう / Tauri with only TypeScript
tris5572
2
540
Passkeys for Java Developers
ynojima
1
210
ソフトウェア品質特性、意識してますか?AIの真の力を引き出す活用事例 / ai-and-software-quality
minodriven
19
6.7k
Featured
See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Building Better People: How to give real-time feedback that sticks.
wjessup
368
19k
GitHub's CSS Performance
jonrohan
1031
460k
A Tale of Four Properties
chriscoyier
159
23k
Six Lessons from altMBA
skipperchong
28
3.8k
Automating Front-end Workflow
addyosmani
1370
200k
A better future with KSS
kneath
239
17k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.7k
Why You Should Never Use an ORM
jnunemaker
PRO
56
9.4k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.6k
Transcript
Pwn @ Gm S944y
• &,$.1 )/ 2 • '#&,-%" * +3
• (0x86 ! 2
• • • ! •
• • ROP 3
4
5 " ! #CPU
# !42 • $ * .'& • text +:509 •
data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- • 6 text data bss heap ⇩ stack ⇧
7 text data bss heap ⇩ stack ⇧
0x0 0 x f f f f f f f f ebp eflags edi eax esi ebx edx ecx esp eip
• 9" • eax, ecx, edx, ebx, esi, edi
032* • 1)$" • +8 • esp #, / )4 • ebp #, /5 )4 • eip '! • eflag .72* %()4 (-&6$" ) 8
9
30 • ".4 • 6$&'*7 30/ • 5
#!2. -(%) # ,81+ " etc… 10 ≒
• 11 PUSH POP
&% !( • ' # &%
$" !( 12 main main main func
13
• main A 14 void
A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }
• A 15
int main(void) { int a, b; … A(a, b); … return 0; }
• 1. A
2. 16 int main(void) { int a, b; … A(a, b); … return 0; }
•
1. A 17 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$ • $ ! # "
1. A 2. 18 int a int b int main(void) { int a, b; … A(a, b); … return 0; }
$, & • $A !( eip '- • ".+*)
19 eip 0x00000100 $A ".+ 0x00000104 0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b int a int b %#$ %#$
• A !
20 0x00000100 eip 0x00000100 A " 0x00000104 0x00000200 main " 0x00000204 0x00000208 0x0000020b int a int b
! 1. 2. 3.
eip 21 2.3 call"
" ' • "A "A $
22 0x00000104 eip int z &( ebp int a int b 0x00000100 "A !)% 0x00000104 0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b #"
# • A • ret "
! 23 eip int a int b 0x00000100 A $ 0x00000104 0x00000200 main $ 0x00000204 0x00000208 0x0000020b
ret !# 24 ret = pop eip "
eip
• eip 25
eip int a int b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
• main 26 eip int a int
b 0x00000100 A 0x00000104 0x00000200 main 0x00000204 0x00000208 0x0000020b
(,;# 27 1. (,B +,8 2. call 7? (,B ;
"!8 3. (,B ; :5 /> 1. (,A ebp 94= 2. (,B %3.* & :5 3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6< (,A 0) (,B 0)
28
BOF ,+! & 29 void vuln(void) { char buf[4]; …
gets(buf); … } • main"vuln") • ($*# • 4 • BOF ,+!'%
vuln !(" • '& % 30 char buf[4] $)ebp
int a int b #! void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 31 char buf[4]
$ ebp int a int b AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
!% • gets(buf) " ! # 32 A A
A A $ ebp int a int b AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
• gets(buf) 33 A A A
A A A A A int a int b AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }
vuln • 34 A A A A A A
A A A A A A int a int b void vuln(void) { char buf[4]; … gets(buf); … }
vuln • leave 35 A A A
A int a int b
ret • eip pop
36 eip A A A A int a int b
ret! • eip pop •
ASCII → A 16 0x41 37 int a int b 0x41414141 eip
ret15 .&4 38 0x41414141 eip • 0x41414141
152- !" • 2- #% +' (.&0/* • ,$)3
39
• 40
A A A A A A A A int a int b A A A A A A A A char buf[4] ebp int a int b
l 1. 2.
3. eip 41
l 1. 2.
3. eip 42 OK
l 1. 2.
3. eip 43 OK OK
44 A A A
A A A A A eip
l 1. 2.
3. eip 45 OK OK OK
BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *)
'2 • A?( 90;.@' '2<81 • @'-3:65 46
ROP 47
ROP • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F
A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2 ! 48 Meltdown and Spectre (https://meltdownattack.com/)
B2)2>& • )2*>& 5 9,+/ • B2)2> •
7)2>6.40 • '>& )212 !< • "%$#(?3-C:;A@ =8 49
gadget • ret;! •
50
pop × N ; ret; • • pop
ret 51
52
gadget • gadget 53 A
A A A A A A A A A A A A A A A A A A 0x08048355 A
gadget 54 A A A A A A
A A A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • (leave!) 55
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 56
A 0x08048355 A 0x08048355: pop ebx 0x08048356: ret esp
gadget • ret (pop eip) 57
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 58
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • A 59 0x08048355 A
0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 60
0x08048355 A 0x08048355: pop ebx 0x08048356: ret A eip esp
gadget • ret (pop eip) 61
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • gadget 62
A 0x08048355: pop ebx 0x08048356: ret 0x08048355 eip esp
gadget • pop 63
0x08048355: pop ebx 0x08048356: ret 0x08048355 eip A ebx esp
gadget • ret 64
0x08048355: pop ebx 0x08048356: ret 0x08048356 eip esp
gadget • eip pop
65 0x08048355: pop ebx 0x08048356: ret 0xdeadbeef eip esp
66 A gadget A
B gadget B B pop ebx ret pop eax pop ecx ret
ROP '# • pop × N; ret; * gadget &#
• !) (% • Return-oriented Programming (ROP) DEP", • ROP $+ • ROP Emporium 67
1/*0 • ! $ • '#$*0.(+ • 23)+ •
&. #,x86 • " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68