Upgrade to Pro — share decks privately, control downloads, hide ads and more …

学内Pwn勉強会

Avatar for m412u m412u
February 25, 2019
Programming
4
5k

 学内Pwn勉強会

学内で開催した勉強会で使用したスライドです.
プログラムの実行手順からBOFを用いたROPのイメージを説明しています.

Avatar for m412u

m412u

February 25, 2019
Tweet

More Decks by m412u

See All by m412u
slide.pdf
Avatar for m412u m412u
5
2.8k
Pwn勉強会
Avatar for m412u m412u
8
12k

Other Decks in Programming

See All in Programming
Denoのセキュリティに関する仕組みの紹介 (toranoana.deno #23)
Avatar for uki00a uki00a
0
230
20251212 AI 時代的 Legacy Code 營救術 2025 WebConf
Avatar for mouson(墨嗓) mouson
0
240
Basic Architectures
Avatar for Denys Poltorak denyspoltorak
0
190
QAフローを最適化し、品質水準を満たしながらリリースまでの期間を最短化する #RSGT2026
Avatar for shibayu36 shibayu36
0
1.9k
AI Agent の開発と運用を支える Durable Execution #AgentsInProd
Avatar for izumin5210 izumin5210
7
1.5k
公共交通オープンデータ × モバイルUX 複雑な運行情報を 『直感』に変換する技術
Avatar for Tsubasa SEKIGUCHI tinykitten
PRO
0
180
大規模Cloud Native環境におけるFalcoの運用
Avatar for Chihiro Hasegawa owlinux1000
0
250
メルカリのリーダビリティチームが取り組む、AI時代のスケーラブルな品質文化
Avatar for osari.k cloverrose
2
460
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
Avatar for ahu ahuglajbclajep
4
740
re:Invent 2025 トレンドからみる製品開発への AI Agent 活用
Avatar for Kohei Yoshikawa yoskoh
0
620
Go コードベースの構成と AI コンテキスト定義
Avatar for ANDPAD inc andpad
0
160
実はマルチモーダルだった。ブラウザの組み込みAI🧠でWebの未来を感じてみよう #jsfes #gemini
Avatar for n0bisuke n0bisuke2
3
1.4k

Featured

See All Featured
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.1k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
51k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
7k
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
0
400
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.3k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
97
The #1 spot is gone: here's how to win anyway
Avatar for Tamara Novitovic tamaranovitovic
1
890
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
210
24k
So, you think you're a good person
Avatar for Per Axbom axbom
PRO
1
1.9k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
Avatar for konakalab konakalab
0
330
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
98

Transcript

  1.  Pwn  @ Gm S944y

  2.  • &,$.1 )/ 2 • '#&,-%" * +3 

     • (0x86 ! 2

  3.  •   •   • ! •

       •   • ROP 3

  4.  4

  5.   5    "  ! #CPU

      

  6. # !42 • $ * .'& • text +:509 •

    data /,83- • bss /,8 3- • heap )% 1( 76 • stack #"3- •   6  text data bss heap ⇩ stack ⇧

  7.   7 text data bss heap ⇩ stack ⇧

    0x0 0 x f f f f f f f f     ebp eflags edi eax esi ebx edx ecx esp eip  

  8.  • 9" • eax, ecx, edx, ebx, esi, edi

    032* • 1)$"   • +8 • esp #,  / )4 • ebp #,  /5 )4 • eip '!   • eflag .72* %()4 (-&6$" ) 8

  9.   9

  10. 30 • ".4  • 6$&'*7 30/  • 5

    #!2. -(%) # ,81+ " etc… 10 ≒  

  11.  •     11 PUSH POP

  12. &% !( •  '  #  &% 

    $" !(  12  main     main     main   func   

  13.  13

  14.   • main  A   14 void

    A(int x, int y) { int z; … } int main(void) { int a, b; … A(a, b); … return 0; }

  15.   • A   15   

     int main(void) { int a, b; … A(a, b); … return 0; }

  16.   •      1. A

     2.   16   int main(void) { int a, b; … A(a, b); … return 0; }

  17.    •      

    1. A  17 int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  18.  $   • $  ! # "

    1. A  2.  18  int a int b     int main(void) { int a, b; … A(a, b); … return 0; }

  19. $, & • $A !( eip '-  • ".+*)

      19 eip    0x00000100 $A ".+ 0x00000104   0x00000200 main $ ".+ 0x00000204 0x00000208 0x0000020b    int a int b   %#$ %#$

  20.     • A    !

    20 0x00000100 eip    0x00000100 A " 0x00000104   0x00000200 main " 0x00000204 0x00000208 0x0000020b    int a int b    

  21. !  1.   2.    3.

      eip  21  2.3 call" 

  22. " '  • "A  "A $  

    22 0x00000104 eip int z &( ebp  int a int b      0x00000100 "A !)% 0x00000104   0x00000200 main" !)% 0x00000204 0x00000208 0x0000020b   #"

  23.  # • A  • ret "  

    ! 23 eip  int a int b      0x00000100 A $ 0x00000104   0x00000200 main $ 0x00000204 0x00000208 0x0000020b  

  24. ret !# 24 ret = pop eip   "

    eip      

  25.  •     eip   25

    eip  int a int b      0x00000100 A  0x00000104   0x00000200 main  0x00000204 0x00000208 0x0000020b  

  26.  • main  26  eip int a int

    b       0x00000100 A   0x00000104   0x00000200 main    0x00000204 0x00000208 0x0000020b  

  27. (,;# 27 1. (,B +,8 2. call 7? (,B ;

     "!8 3. (,B ; :5 />  1. (,A  ebp 94=  2. (,B %3.* & :5  3. (,B %30)$ 4. leave 7? (,B ;#'126- 5. ret 7? (,A 0)6<  (,A 0) (,B 0)

  28.  28

  29. BOF ,+! & 29 void vuln(void) { char buf[4]; …

    gets(buf); … } • main"vuln")  • ($*# •    4 • BOF ,+!'%

  30. vuln !(" • '& %  30 char buf[4] $)ebp

     int a int b   #! void vuln(void) { char buf[4]; … gets(buf); … } 

  31. !%  • gets(buf) " ! # 31 char buf[4]

    $ ebp  int a int b    AAAAAAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  32. !%  • gets(buf) " ! # 32 A A

    A A $ ebp  int a int b    AAAAAAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }  

  33.   • gets(buf)   33 A A A

    A A A A A  int a int b     AAAA¥n void vuln(void) { char buf[4]; … gets(buf); … }   

  34. vuln •  34 A A A A A A

    A A A A A A int a int b     void vuln(void) { char buf[4]; … gets(buf); … }   

  35. vuln • leave    35 A A A

    A int a int b     

  36. ret  •   eip  pop  

    36 eip A A A A int a int b    

  37. ret!   •   eip pop  •

    ASCII → A 16 0x41 37 int a int b   0x41414141 eip

  38. ret15 .&4  38 0x41414141 eip   • 0x41414141

    152-  !" • 2- #% +' (.&0/* • ,$)3 

  39.   39

  40.   •       40

     A A A A A A A A int a int b    A A A A A A A A         char buf[4] ebp    int a int b  

  41.   l   1.    2.

         3.   eip   41

  42.   l   1.    2.

         3.   eip   42 OK

  43.   l   1.    2.

         3.   eip   43 OK OK

  44. 44       A A A

    A A A A A                eip

  45.   l   1.    2.

         3.   eip   45 OK OK OK

  46. BOF 4/ • BOF !"#=>-3@' 7,+=> • &$%"CB *) 

     '2 • A?( 90;.@'  '2<81  •  @'-3:65 46

  47. ROP 47

  48. ROP  • ROP(Return-Oriented Programming) • =G+#.<9'-"*(." • ret;>7H?@CB 6F

    A035 • 2018 / 1 1I:;JD8 Specture 46 • CVE-2017-5715 • ROP )$,&.% • E 2  !  48 Meltdown and Spectre (https://meltdownattack.com/)

  49. B2)2>& • )2*>&  5 9,+/  • B2)2> •

    7)2>6.40 • '>& )212  !< • "%$#(?3-C:;A@ =8  49

  50. gadget •   ret;!   •  

         50

  51. pop × N ; ret; •   • pop

      ret   51

  52.   52

  53. gadget  •  gadget   53  A

    A A A A A A A A     A    A A A A A A A A A  0x08048355 A    

  54. gadget  54  A A A A A A

    A A A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  55. gadget   •    (leave!) 55 

    A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  56. gadget  • ret (pop eip)    56

     A 0x08048355 A     0x08048355: pop ebx 0x08048356: ret    esp

  57. gadget  • ret (pop eip)    57

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  58. gadget   • A    58 

    0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  59. gadget  • A   59  0x08048355 A

        0x08048355: pop ebx 0x08048356: ret    A eip esp

  60. gadget  • ret (pop eip)    60

     0x08048355 A     0x08048355: pop ebx 0x08048356: ret    A eip esp

  61. gadget  • ret (pop eip)    61

     A    0x08048355: pop ebx 0x08048356: ret    0x08048355 eip esp

  62. gadget   • gadget    62 

    A    0x08048355: pop ebx 0x08048356: ret  0x08048355 eip esp

  63. gadget  •   pop   63 

       0x08048355: pop ebx 0x08048356: ret  0x08048355 eip A ebx esp

  64. gadget  •   ret   64 

       0x08048355: pop ebx 0x08048356: ret  0x08048356 eip esp

  65. gadget  •   eip  pop  

    65     0x08048355: pop ebx 0x08048356: ret  0xdeadbeef eip esp

  66.    66  A  gadget  A

     B  gadget  B  B    pop ebx ret   pop eax pop ecx ret 

  67. ROP '# • pop × N; ret; * gadget &#

     •  !) (%  • Return-oriented Programming (ROP) DEP",  • ROP $+ • ROP Emporium 67

  68. 1/*0 • !  $ • '#$*0.(+ • 23)+ •

    &.  #,x86   •  " $#$ • katagaitai CTF5-% #2 pwnables4 • CTF Pwn - A painter and a black cat 68