SlideShare uma empresa Scribd logo

Linux binary Exploitation - Basic knowledge

A
Angel Boy

Basic knowledge for Linux binary Exploitation

Tecnologia
1 de 105
Baixar para ler offline
Linux Binary Exploitation Basic Knowledge x86-64 angelboy@chroot.org
Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
Introduction • Reverse Engineering • Exploitation • Useful Tool
Reverse Engineering • 正常情況下我們不容易易取得執⾏行行檔的原始碼,所以我們很常需逆向分析程式 尋找漏洞洞 • Static Analysis • Dynamic Analysis binary source code
Reverse Engineering • Static Analysis • Analyze program without running • e.g. • objdump • Machine code to asm
Reverse Engineering • Dynamic Analysis • Analyze program with running • e.g. • strace • trace all system call • ltrace • trace all library call
Exploitation • 利利⽤用漏洞洞來來達成攻擊者⽬目的 • ⼀一般來來說主要⽬目的在於取得程式控制權 • ⼜又稱 Pwn Vulnerability Control flow
Exploitation • Binary exploitation • 專指與 binary 相關的漏洞洞利利⽤用 • 本課程重點 Vulnerability Control flow
Useful Tool • IDA PRO - a static analysis tool
Useful Tool • GDB - a dynamic analysis tool • The GNU Project Debugger
Useful Tool • Basic command • run - 執⾏行行 • disas function name - 反組譯某個 function • break *0x400566 - 設斷點 • info breakpoint - 查看已設定哪些中斷點 • info register 查看所有 register 狀狀態
Useful Tool • Basic command • x/wx address - 查看 address 中的內容 • w 可換成 b/h/g 分別是取 1/2/8 byte • / 後可接數字 表⽰示⼀一次列列出幾個 • 第⼆二個 x 可換成 u/d/s/i 以不同⽅方式表⽰示 • u : unsigned int • d : 10 進位 • s : 字串串 • i : 指令
Useful Tool • Basic command • x/gx address 查看 address 中的內容 • e.g.
Useful Tool • Basic command • ni - next instruction • si - step into • backtrace - 顯⽰示上層所有 stack frame 的資訊 • continue
Useful Tool • Basic command • set *address=value • 將 address 中的值設成 value ⼀一次設 4 byte • 可將 * 換成 {char/short/long} 分別設定 1/2/8 byte • e.g. • set *0x602040=0xdeadbeef • set {int}0x602040=1337
Useful Tool • Basic command • 在有 debug symbol 下 • list : 列列出 source code • b 可直接接⾏行行號斷點 • info local : 列列出區域變數 • print val : 印出變數 val 的值
Useful Tool • Basic command • attach pid : attach ⼀一個正在運⾏行行的 process • 可以配合 ncat 進⾏行行 exploit 的 debug • ncat -ve ./a.out -kl 8888 • echo 0 > /proc/sys/kernel/yama/ptrace_scope
Useful Tool • GDB - PEDA • Python Exploit Development Assistance for GDB • https://github.com/longld/peda • https://github.com/scwuaptx/peda
GDB - PEDA • Screenshot
GDB - PEDA • Some useful feature • checksec : Check for various security options of binary • elfsymbol : show elf .plt section • vmmap : show memory mapping • readelf : Get headers information from an ELF file • find/searchmem : Search for a pattern in memory • record : record every instruction at runtime
GDB - PEDA • checksec • 查看 binary 中有哪些保護機制
GDB - PEDA • elfsymbol • 查看 function .plt 做 ROP 時非常需要
GDB - PEDA • vmmap • 查看 process mapping • 可觀察到每個 address 中的權限
GDB - PEDA • readelf • 查看 section 位置 • 有些攻擊⼿手法會需要 • e.g. ret2dl_resolve
GDB - PEDA • find (alias searchmem) • search memory 中的 patten • 通常拿來來找字串串 • e.g. /bin/sh
GDB - PEDA • record • 記錄每個 instruction 讓 gdb 可回朔前⾯面的指令,在 PC 被改變後,可利利 ⽤用該功能,追回原本發⽣生問題的地⽅方
Useful Tool • Pwntools • Exploit development library • python
Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
Section • 在⼀一般情況下程式碼會分成 text、data 以及 bss 等 section ,並不會將 code 跟 data 混在⼀一起使⽤用
Section • .text • 存放 code 的 section • .data • 存放有初始值的全域變數 • .bss • 存放沒有初始值的全域變數 • .rodata • 存放唯讀資料的 section
Section .bss .data .rodata
Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
Compilation flow • Preprocessing • Compilation • Assembly • Linking
Compilation flow source code (test.c) header file (stdin.h) Propressing (gcc -E) Preprocessed (test.i) Compilation (gcc -S) Assembly (test.s) Assembly (as/gcc -c) Object File (test.o) Linking (ld) Executable (a.out) Other Object File (test2.o) Static Library (libc.a)
Preprocessing • 展開 Macro • 展開 header file • 刪除所有註解 • 處理理所有 preprocess 指令 • #if 、 #ifnde、#endif … source code (test.c) Preprocessed (test.i)
Compilation • 語法分析 (Syntactic analysis) • 詞法分析 (Lexical analysis) • ⽣生成組合語⾔言 (Generate assembly) Preprocessed (test.i) Assembly (test.s)
Assembly • 組合語⾔言到機械碼的過程 • 最後⽣生出 object file • 此時已是無法⽤用⾁肉眼看懂的 binary Assembly (test.s) Object File (test.o)
Linking • Object file 到執⾏行行檔的過程 ( 組裝 ) • Relocation Object File (test.o) Other Object File (test2.o) Static Library (libc.a) Executable (a.out)
Linking test.o test2.o main(){ hello();} int a ; hello(){ …} int b ; linker hello(){ …} main(){ hello();} int a ; int b ; text data
Relocation • 在 object file ⽣生成後,若若程式中有 call func 之類的指令,並不會⾺馬上將 address 填入,⽽而是將所有 object file 合併之後,重新定位才將正確位置填 入
Static Linking • 將有⽤用到 library 的 code 也⼀一起編進執⾏行行檔中 • 執⾏行行檔較肥⼤大 • ⼀一但 library 的 code 有變動需要整個重編
Dynamic Linking • 所有程式共⽤用⼀一份 library • 在執⾏行行時期才將 library 載入記憶體中 • 因執⾏行行時才去找 function 位置,故執⾏行行時間較多 • 執⾏行行檔較⼩小 • library 變動不需要重編 • 可能會因為 library 版本不同⽽而⾏行行為有所不同
Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
Execution • Binary Format • Segment • Execution Flow
Binary Format • 執⾏行行檔的格式會根據 OS 不同,⽽而有所不同 • Linux - ELF • Windows - PE • 在 Binary 的開頭會有個 magic number 欄欄位,⽅方便便讓 OS 辨認是屬於什什麼 樣類型的檔案 • 在 Linux 下可以使⽤用 file 來來檢視
Segment • 在程式執⾏行行時期才會有的概念念,基本上會根據讀寫執⾏行行權限及特性來來分為數 個 segment • ⼀一般來來說可分為 rodata、data、code、stack、heap 等 segment • data : rw- • code : r-x • stack : rw- • heap : rw-
Execution Flow • What happened when we execute an elf file ? • $ ./hello • 在⼀一般情況下程式會在 disk 中,⽽而 kernel 會通過⼀一連串串的過程來來將程式 mapping 到記憶體中去執⾏行行
Execution Flow ./hello fork() execve(“./hello”,*argv[],*envp[]) sys_execve() do_execve() search_binary_handler() load_elf_binary() _start main kernel mode user mode
Execution Flow ./hello fork() execve(“./hello”,*argv[],*envp[]) sys_execve() do_execve() search_binary_handler() load_elf_binary() ld.so _start __libc_start_main _init kernel mode user mode main
Execution Flow • 我們在 shell 執⾏行行⼀一個 elf 時 • 會先去 fork ⼀一個 process • child 再去使⽤用 execve 執⾏行行 ./hello fork() execve(“./hello”,*argv[],*envp[])
• sys_execve() • 檢查參參數 ex: argv , envp • do_execve() • 搜尋執⾏行行檔位置 • 讀取執⾏行行檔前 128 byte 獲取執⾏行行檔的資訊 • e.g. magic number Execution Flow sys_execve() do_execve()
Execution Flow • search_binary_handler() • 利利⽤用前⾯面所獲取的資訊來來呼叫相對應的 handler • e.g. load_script() 、 load_elf_binary() search_binary_handler()
• load_elf_binary() • 檢查及獲取 program header 資訊 • 如果是 dynamic linking 則利利⽤用 .interp 這個 section 來來確定 loader 路路徑 • 將 program header 紀錄的位置 mapping 到 memory 中,e.g. code segment 位置 • 將 sys_execve 的 return address 改為 loader (ld.so) 的entry point • static linking 下則會是 elf 的 entry point Execution Flow
Execution Flow • How program maps to virtual memory. • 在 program header 中 • 記錄著哪些 segment 應該 mapping 到什什麼位置,以及該 segment 的讀寫 執⾏行行權限 • 記錄哪些 section 屬於哪些 segment • 當 program mapping 記憶體時會根據權限的不同來來分成好幾個 segment • ⼀一個 segment 可以包含 0 個到多個 section
Execution Flow • How program maps to virtual memory. other section .data .bss .got.plt .rodata .text .init ELF Header In disk In memory kernel space CODE VMA DATA VMA HEAP STACK R or RX RW 0x400000 0x601000 0x602000 0x7fffffffe520
Execution Flow • How program maps to virtual memory. • readelf -l binary • 查看 program header • readelf -S binary • 查看 section header • readelf -d binary • 查看 dynamic section 內容
Execution Flow • How program maps to virtual memory. 權限 mapping 位置 segment 中有哪些 section
Execution flow • ld.so • 載入 elf 所需的 shared library • 這部分會記錄在 elf 中的 DT_NEED 中 • 初始化 GOT • 其他相關初始化的動作 • ex : 將 symbol table 合併到 global symbol table 等等 • 對實際運作過程有興趣可參參考 elf/rtld.c
Execution Flow • 在 ld.so 執⾏行行完後會跳到 _start 開始執⾏行行主要程式 _start __libc_start_main .init main .fini exit
Execution Flow • _start • 將下列列項⽬目傳給 libc_start_main • 環境變數起始位置 • main 的位置 (通常在第⼀一個參參數) • .init • 呼叫 main 之前的初始化⼯工作 • .fini • 程式結束前的收尾⼯工作 _start __libc_start_main
Execution Flow • _libc_start_main • 執⾏行行 .init • 執⾏行行 main • 主程式部分 • 執⾏行行 .fini • 執⾏行行 exit 結束程式
Outline • Introduction • Section • Compilation Flow • Execution • x64 assembly
• Registers • General-purpose registers • RAX RBX RCX RDX RSI RDI- 64 bit • EAX EBX ECX EDX ESI EDI - 32 bit • AX BX CX DX SI DI - 16 bit x64 assembly ALAH EAX AX RAX
• Registers • r8 r9 r10 r11 r12 r13 r14 r15 - 64 bit • r8d r9d r10d … - 32 bit • r8w r9w r10w … -16 bit • r8b r9b r10b … - 8 bit x64 assembly
• Registers • Stack Pointer Register • RSP • Base Pointer Register • RBP • Program Counter Register • RIP x64 assembly
x64 assembly • Registers • Stack Pointer • RSP - 64 bit • 指向 stack 頂端 • Base Pointer • RBP - 64 bit • 指向 stack 底端 • RSP 到 function 參參數範圍稱為該 function 的 Stack Frame … … … … variable return address rbp rbp rsp high low extra-arg
x64 assembly • Registers • Stack Pointer • RSP - 64 bit • 指向 stack 頂端 • Base Pointer • RBP - 64 bit • 指向 stack 底端 • RSP 到 function 參參數範圍稱為該 function 的 Stack Frame high low … … … … variable return address rbp rbp rsp extra-arg stack frame
x64 assembly • Registers • Program counter register • RIP • 指向⽬目前程式執⾏行行的位置 • Flag register • eflags • 儲存指令執⾏行行結果 • Segment register • cs ss ds es fs gs
x64 assembly • AT & T • mov %rax,%rbx • Intel • mov rbx,rax
x64 assembly • Basic instruction • mov • add/sub • and/or/xor • push/pop • lea • jmp/call/ret
x64 assembly • mov • mov imm/reg/mem value to reg/mem • mov A,B (move B to A) • A 與 B 的 size 要相等 • ex : • mov rax,rbx (o) • mov rax,bx (x) • mov rax,0xdeadbeef
x64 assembly • add/sub/or/xor/and • add/sub/or/xor/and reg,imm/reg • add/sub/or/xor/and A,B • A 與 B 的 size ⼀一樣要相等 • ex : • add rbp,0x48 • sub rax,rbx
x64 assembly • push/pop • push/pop reg • ex : • push rax = sub rsp,8 ; mov [rsp],eax • pop rbx = mov rbx,[rsp] ; add rsp,8
x64 assembly • lea • ex : • lea rax, [rsp+8]
x64 assembly • lea v.s. mov • lea rax, [rsp+8] v.s mov rax,[rsp+8] • assume • rax = 3 • rsp+8 = 0x7fffffffe4c0 • [rsp+8] = 0xdeadbeef rax = 0x7fffffffe4c0 rax = 0xdeadbeef lea mov
x64 assembly • jmp/call/ret • jmp 跳⾄至程式碼的某處去執⾏行行 • call rax = push rip+8 ;jmp rax • ret = pop rip
x64 assembly • leave • mov rsp,rbp • pop rbp
x64 assembly • nop • ⼀一個 byte 不做任何事 • opcode = 0x90
• System call • Instruction : syscall • SYSCALL NUMBER: RAX • Argument : RDI RSI RDX RCX R8 R9 • Return value : RAX x64 assembly
x64 assembly • system call table • https://w3challs.com/syscalls/?arch=x86_64
x64 assembly • Calling convention • function call • call : push return address to stack then jump • function return • ret : pop return address • function argument • 基本上⽤用 register 傳遞 • 依序為 rdi rsi rdx r10 r8 r9 • 依序放到 register,再去執⾏行行 function call
x64 assembly • Calling convention • function prologue • compiler 在 function 開頭加的指令,主要在保存 rbp 分配區域變數所 需空間 push rbp mov rbp,rsp sub rsp,0x30
x64 assembly • Calling convention • function epilogue • compiler 在 function 結尾加的指令,主要在利利⽤用保存的 rbp 回覆 call function 時的 stack 狀狀態 leave ret
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0 0 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0x1337 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0x1337 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0x1337 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rbp/rsp high low foo() : push rbp mov rbp,rsp … leave ret rdi rsi 0xdeadbee 0x1337 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rbp high low foo() : push rbp mov rbp,rsp … leave ret rdi rsi 0xdeadbee 0x1337 Stack rsp
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rbp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack rsp
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp/rbp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack rbp
x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack rbp
x64 assembly • Hello world • nasm -felf64 hello.s -o hello.o • ld -m elf_x86_64 hello.o -o hello
x64 assembly • Shellcode • 顧名思義,攻擊者主要注入程式碼後的⽬目的為拿到 shell ,故稱 shellcode • 由⼀一系列列的 machine code 組成,最後⽬目的可做任何攻擊者想做的事
• Hello world shellcode x64 assembly shellcode[] = “x48x31xc0x48x31xdbx48x31xc9x48x31xd2xebx17…….x7xx6cx64”
x64 assembly • 產⽣生 shellcode • objcopy -O binary hello.bin shellcode.bin
x64 assembly • Using Pwntool • http://docs.pwntools.com/en/stable/asm.html • Pwntool bunutils • http://docs.pwntools.com/en/stable/install/binutils.html
x64 assembly • pwn.asm
x64 assembly • Test your shellcode • gcc -z execstack test.c -o test
x64 assembly • How to debug your shellcode • gdb ./test
Reference • Glibc cross reference • Linux Cross Reference • 程式設計師的⾃自我修養
Q & A

Recomendados

Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 

Recomendados

Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
x86
x86x86
x86Wei-Bo Chen
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxMr. Vengineer
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
千呼萬喚始出來的 Java SE 7
千呼萬喚始出來的 Java SE 7千呼萬喚始出來的 Java SE 7
千呼萬喚始出來的 Java SE 7Justin Lin
 
Win dbg入门
Win dbg入门Win dbg入门
Win dbg入门晓锋 陈
 

Mais conteúdo relacionado

Mais procurados

Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxMr. Vengineer
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 

Mais procurados (20)

Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
x86
x86x86
x86
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
 
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & Linux
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 

Semelhante a Linux binary Exploitation - Basic knowledge

千呼萬喚始出來的 Java SE 7
千呼萬喚始出來的 Java SE 7千呼萬喚始出來的 Java SE 7
千呼萬喚始出來的 Java SE 7Justin Lin
 
Python 于 webgame 的应用
Python 于 webgame 的应用Python 于 webgame 的应用
Python 于 webgame 的应用勇浩 赖
 
COSCUP2016 - LLVM框架、由淺入淺
COSCUP2016 - LLVM框架、由淺入淺COSCUP2016 - LLVM框架、由淺入淺
COSCUP2016 - LLVM框架、由淺入淺hydai
 
COSCUP 2016 - LLVM 由淺入淺
COSCUP 2016 - LLVM 由淺入淺COSCUP 2016 - LLVM 由淺入淺
COSCUP 2016 - LLVM 由淺入淺宗凡 楊
 
Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509
Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509
Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509tidesq
 
⼤語⾔模型 LLM 應⽤開發入⾨
⼤語⾔模型 LLM 應⽤開發入⾨⼤語⾔模型 LLM 應⽤開發入⾨
⼤語⾔模型 LLM 應⽤開發入⾨Wen-Tien Chang
 
合久必分,分久必合
合久必分,分久必合合久必分,分久必合
合久必分,分久必合Qiangning Hong
 
DEV305 - ASP.NET 5 開發攻略
DEV305 - ASP.NET 5 開發攻略DEV305 - ASP.NET 5 開發攻略
DEV305 - ASP.NET 5 開發攻略Will Huang
 
Btrace intro(撒迦)
Btrace intro(撒迦)Btrace intro(撒迦)
Btrace intro(撒迦)ykdsg
 
模块一-Go语言特性.pdf
模块一-Go语言特性.pdf模块一-Go语言特性.pdf
模块一-Go语言特性.pdfczzz1
 
ElasticSearch Training#2 (advanced concepts)-ESCC#1
ElasticSearch Training#2 (advanced concepts)-ESCC#1ElasticSearch Training#2 (advanced concepts)-ESCC#1
ElasticSearch Training#2 (advanced concepts)-ESCC#1medcl
 
Elastic stack day-1
Elastic stack day-1Elastic stack day-1
Elastic stack day-1YI-CHING WU
 
Template mb-kao
Template mb-kaoTemplate mb-kao
Template mb-kaoxwcoder
 
使用Dsl改善软件设计
使用Dsl改善软件设计使用Dsl改善软件设计
使用Dsl改善软件设计mingjin
 
常用Mac/Linux命令分享
常用Mac/Linux命令分享常用Mac/Linux命令分享
常用Mac/Linux命令分享Yihua Huang
 
做自己的可可豆夾 @ cocoahead.tw
做自己的可可豆夾 @ cocoahead.tw做自己的可可豆夾 @ cocoahead.tw
做自己的可可豆夾 @ cocoahead.twKai-Yuan Cheng
 
为啥别读HotSpot VM的源码(2012-03-03)
为啥别读HotSpot VM的源码(2012-03-03)为啥别读HotSpot VM的源码(2012-03-03)
为啥别读HotSpot VM的源码(2012-03-03)Kris Mok
 

Semelhante a Linux binary Exploitation - Basic knowledge (20)

千呼萬喚始出來的 Java SE 7
千呼萬喚始出來的 Java SE 7千呼萬喚始出來的 Java SE 7
千呼萬喚始出來的 Java SE 7
 
Win dbg入门
Win dbg入门Win dbg入门
Win dbg入门
 
Windbg入门
Windbg入门Windbg入门
Windbg入门
 
Python 于 webgame 的应用
Python 于 webgame 的应用Python 于 webgame 的应用
Python 于 webgame 的应用
 
COSCUP2016 - LLVM框架、由淺入淺
COSCUP2016 - LLVM框架、由淺入淺COSCUP2016 - LLVM框架、由淺入淺
COSCUP2016 - LLVM框架、由淺入淺
 
COSCUP 2016 - LLVM 由淺入淺
COSCUP 2016 - LLVM 由淺入淺COSCUP 2016 - LLVM 由淺入淺
COSCUP 2016 - LLVM 由淺入淺
 
Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509
Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509
Linux c++ 编程之链接与装载 -基础篇--v0.3--20120509
 
Node分享 展烨
Node分享 展烨Node分享 展烨
Node分享 展烨
 
⼤語⾔模型 LLM 應⽤開發入⾨
⼤語⾔模型 LLM 應⽤開發入⾨⼤語⾔模型 LLM 應⽤開發入⾨
⼤語⾔模型 LLM 應⽤開發入⾨
 
合久必分,分久必合
合久必分,分久必合合久必分,分久必合
合久必分,分久必合
 
DEV305 - ASP.NET 5 開發攻略
DEV305 - ASP.NET 5 開發攻略DEV305 - ASP.NET 5 開發攻略
DEV305 - ASP.NET 5 開發攻略
 
Btrace intro(撒迦)
Btrace intro(撒迦)Btrace intro(撒迦)
Btrace intro(撒迦)
 
模块一-Go语言特性.pdf
模块一-Go语言特性.pdf模块一-Go语言特性.pdf
模块一-Go语言特性.pdf
 
ElasticSearch Training#2 (advanced concepts)-ESCC#1
ElasticSearch Training#2 (advanced concepts)-ESCC#1ElasticSearch Training#2 (advanced concepts)-ESCC#1
ElasticSearch Training#2 (advanced concepts)-ESCC#1
 
Elastic stack day-1
Elastic stack day-1Elastic stack day-1
Elastic stack day-1
 
Template mb-kao
Template mb-kaoTemplate mb-kao
Template mb-kao
 
使用Dsl改善软件设计
使用Dsl改善软件设计使用Dsl改善软件设计
使用Dsl改善软件设计
 
常用Mac/Linux命令分享
常用Mac/Linux命令分享常用Mac/Linux命令分享
常用Mac/Linux命令分享
 
做自己的可可豆夾 @ cocoahead.tw
做自己的可可豆夾 @ cocoahead.tw做自己的可可豆夾 @ cocoahead.tw
做自己的可可豆夾 @ cocoahead.tw
 
为啥别读HotSpot VM的源码(2012-03-03)
为啥别读HotSpot VM的源码(2012-03-03)为啥别读HotSpot VM的源码(2012-03-03)
为啥别读HotSpot VM的源码(2012-03-03)
 

Linux binary Exploitation - Basic knowledge

  • 1. Linux Binary Exploitation Basic Knowledge x86-64 angelboy@chroot.org
  • 2. Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
  • 3. Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
  • 4. Introduction • Reverse Engineering • Exploitation • Useful Tool
  • 6. Reverse Engineering • Static Analysis • Analyze program without running • e.g. • objdump • Machine code to asm
  • 7. Reverse Engineering • Dynamic Analysis • Analyze program with running • e.g. • strace • trace all system call • ltrace • trace all library call
  • 9. Exploitation • Binary exploitation • 專指與 binary 相關的漏洞洞利利⽤用 • 本課程重點 Vulnerability Control flow
  • 10. Useful Tool • IDA PRO - a static analysis tool
  • 11. Useful Tool • GDB - a dynamic analysis tool • The GNU Project Debugger
  • 12. Useful Tool • Basic command • run - 執⾏行行 • disas function name - 反組譯某個 function • break *0x400566 - 設斷點 • info breakpoint - 查看已設定哪些中斷點 • info register 查看所有 register 狀狀態
  • 13. Useful Tool • Basic command • x/wx address - 查看 address 中的內容 • w 可換成 b/h/g 分別是取 1/2/8 byte • / 後可接數字 表⽰示⼀一次列列出幾個 • 第⼆二個 x 可換成 u/d/s/i 以不同⽅方式表⽰示 • u : unsigned int • d : 10 進位 • s : 字串串 • i : 指令
  • 14. Useful Tool • Basic command • x/gx address 查看 address 中的內容 • e.g.
  • 15. Useful Tool • Basic command • ni - next instruction • si - step into • backtrace - 顯⽰示上層所有 stack frame 的資訊 • continue
  • 16. Useful Tool • Basic command • set *address=value • 將 address 中的值設成 value ⼀一次設 4 byte • 可將 * 換成 {char/short/long} 分別設定 1/2/8 byte • e.g. • set *0x602040=0xdeadbeef • set {int}0x602040=1337
  • 17. Useful Tool • Basic command • 在有 debug symbol 下 • list : 列列出 source code • b 可直接接⾏行行號斷點 • info local : 列列出區域變數 • print val : 印出變數 val 的值
  • 18. Useful Tool • Basic command • attach pid : attach ⼀一個正在運⾏行行的 process • 可以配合 ncat 進⾏行行 exploit 的 debug • ncat -ve ./a.out -kl 8888 • echo 0 > /proc/sys/kernel/yama/ptrace_scope
  • 19. Useful Tool • GDB - PEDA • Python Exploit Development Assistance for GDB • https://github.com/longld/peda • https://github.com/scwuaptx/peda
  • 20. GDB - PEDA • Screenshot
  • 21. GDB - PEDA • Some useful feature • checksec : Check for various security options of binary • elfsymbol : show elf .plt section • vmmap : show memory mapping • readelf : Get headers information from an ELF file • find/searchmem : Search for a pattern in memory • record : record every instruction at runtime
  • 22. GDB - PEDA • checksec • 查看 binary 中有哪些保護機制
  • 23. GDB - PEDA • elfsymbol • 查看 function .plt 做 ROP 時非常需要
  • 24. GDB - PEDA • vmmap • 查看 process mapping • 可觀察到每個 address 中的權限
  • 25. GDB - PEDA • readelf • 查看 section 位置 • 有些攻擊⼿手法會需要 • e.g. ret2dl_resolve
  • 26. GDB - PEDA • find (alias searchmem) • search memory 中的 patten • 通常拿來來找字串串 • e.g. /bin/sh
  • 27. GDB - PEDA • record • 記錄每個 instruction 讓 gdb 可回朔前⾯面的指令,在 PC 被改變後,可利利 ⽤用該功能,追回原本發⽣生問題的地⽅方
  • 28. Useful Tool • Pwntools • Exploit development library • python
  • 29. Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
  • 30. Section • 在⼀一般情況下程式碼會分成 text、data 以及 bss 等 section ,並不會將 code 跟 data 混在⼀一起使⽤用
  • 31. Section • .text • 存放 code 的 section • .data • 存放有初始值的全域變數 • .bss • 存放沒有初始值的全域變數 • .rodata • 存放唯讀資料的 section
  • 33. Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
  • 34. Compilation flow • Preprocessing • Compilation • Assembly • Linking
  • 35. Compilation flow source code (test.c) header file (stdin.h) Propressing (gcc -E) Preprocessed (test.i) Compilation (gcc -S) Assembly (test.s) Assembly (as/gcc -c) Object File (test.o) Linking (ld) Executable (a.out) Other Object File (test2.o) Static Library (libc.a)
  • 36. Preprocessing • 展開 Macro • 展開 header file • 刪除所有註解 • 處理理所有 preprocess 指令 • #if 、 #ifnde、#endif … source code (test.c) Preprocessed (test.i)
  • 37. Compilation • 語法分析 (Syntactic analysis) • 詞法分析 (Lexical analysis) • ⽣生成組合語⾔言 (Generate assembly) Preprocessed (test.i) Assembly (test.s)
  • 38. Assembly • 組合語⾔言到機械碼的過程 • 最後⽣生出 object file • 此時已是無法⽤用⾁肉眼看懂的 binary Assembly (test.s) Object File (test.o)
  • 39. Linking • Object file 到執⾏行行檔的過程 ( 組裝 ) • Relocation Object File (test.o) Other Object File (test2.o) Static Library (libc.a) Executable (a.out)
  • 40. Linking test.o test2.o main(){ hello();} int a ; hello(){ …} int b ; linker hello(){ …} main(){ hello();} int a ; int b ; text data
  • 41. Relocation • 在 object file ⽣生成後,若若程式中有 call func 之類的指令,並不會⾺馬上將 address 填入,⽽而是將所有 object file 合併之後,重新定位才將正確位置填 入
  • 42. Static Linking • 將有⽤用到 library 的 code 也⼀一起編進執⾏行行檔中 • 執⾏行行檔較肥⼤大 • ⼀一但 library 的 code 有變動需要整個重編
  • 43. Dynamic Linking • 所有程式共⽤用⼀一份 library • 在執⾏行行時期才將 library 載入記憶體中 • 因執⾏行行時才去找 function 位置,故執⾏行行時間較多 • 執⾏行行檔較⼩小 • library 變動不需要重編 • 可能會因為 library 版本不同⽽而⾏行行為有所不同
  • 44. Outline • Introduction • Section • Compilation Flow • Execution • x86 assembbly
  • 45. Execution • Binary Format • Segment • Execution Flow
  • 46. Binary Format • 執⾏行行檔的格式會根據 OS 不同,⽽而有所不同 • Linux - ELF • Windows - PE • 在 Binary 的開頭會有個 magic number 欄欄位,⽅方便便讓 OS 辨認是屬於什什麼 樣類型的檔案 • 在 Linux 下可以使⽤用 file 來來檢視
  • 47. Segment • 在程式執⾏行行時期才會有的概念念,基本上會根據讀寫執⾏行行權限及特性來來分為數 個 segment • ⼀一般來來說可分為 rodata、data、code、stack、heap 等 segment • data : rw- • code : r-x • stack : rw- • heap : rw-
  • 48. Execution Flow • What happened when we execute an elf file ? • $ ./hello • 在⼀一般情況下程式會在 disk 中,⽽而 kernel 會通過⼀一連串串的過程來來將程式 mapping 到記憶體中去執⾏行行
  • 51. Execution Flow • 我們在 shell 執⾏行行⼀一個 elf 時 • 會先去 fork ⼀一個 process • child 再去使⽤用 execve 執⾏行行 ./hello fork() execve(“./hello”,*argv[],*envp[])
  • 52. • sys_execve() • 檢查參參數 ex: argv , envp • do_execve() • 搜尋執⾏行行檔位置 • 讀取執⾏行行檔前 128 byte 獲取執⾏行行檔的資訊 • e.g. magic number Execution Flow sys_execve() do_execve()
  • 53. Execution Flow • search_binary_handler() • 利利⽤用前⾯面所獲取的資訊來來呼叫相對應的 handler • e.g. load_script() 、 load_elf_binary() search_binary_handler()
  • 54. • load_elf_binary() • 檢查及獲取 program header 資訊 • 如果是 dynamic linking 則利利⽤用 .interp 這個 section 來來確定 loader 路路徑 • 將 program header 紀錄的位置 mapping 到 memory 中,e.g. code segment 位置 • 將 sys_execve 的 return address 改為 loader (ld.so) 的entry point • static linking 下則會是 elf 的 entry point Execution Flow
  • 55. Execution Flow • How program maps to virtual memory. • 在 program header 中 • 記錄著哪些 segment 應該 mapping 到什什麼位置,以及該 segment 的讀寫 執⾏行行權限 • 記錄哪些 section 屬於哪些 segment • 當 program mapping 記憶體時會根據權限的不同來來分成好幾個 segment • ⼀一個 segment 可以包含 0 個到多個 section
  • 56. Execution Flow • How program maps to virtual memory. other section .data .bss .got.plt .rodata .text .init ELF Header In disk In memory kernel space CODE VMA DATA VMA HEAP STACK R or RX RW 0x400000 0x601000 0x602000 0x7fffffffe520
  • 57. Execution Flow • How program maps to virtual memory. • readelf -l binary • 查看 program header • readelf -S binary • 查看 section header • readelf -d binary • 查看 dynamic section 內容
  • 58. Execution Flow • How program maps to virtual memory. 權限 mapping 位置 segment 中有哪些 section
  • 59. Execution flow • ld.so • 載入 elf 所需的 shared library • 這部分會記錄在 elf 中的 DT_NEED 中 • 初始化 GOT • 其他相關初始化的動作 • ex : 將 symbol table 合併到 global symbol table 等等 • 對實際運作過程有興趣可參參考 elf/rtld.c
  • 60. Execution Flow • 在 ld.so 執⾏行行完後會跳到 _start 開始執⾏行行主要程式 _start __libc_start_main .init main .fini exit
  • 61. Execution Flow • _start • 將下列列項⽬目傳給 libc_start_main • 環境變數起始位置 • main 的位置 (通常在第⼀一個參參數) • .init • 呼叫 main 之前的初始化⼯工作 • .fini • 程式結束前的收尾⼯工作 _start __libc_start_main
  • 62. Execution Flow • _libc_start_main • 執⾏行行 .init • 執⾏行行 main • 主程式部分 • 執⾏行行 .fini • 執⾏行行 exit 結束程式
  • 63. Outline • Introduction • Section • Compilation Flow • Execution • x64 assembly
  • 64. • Registers • General-purpose registers • RAX RBX RCX RDX RSI RDI- 64 bit • EAX EBX ECX EDX ESI EDI - 32 bit • AX BX CX DX SI DI - 16 bit x64 assembly ALAH EAX AX RAX
  • 65. • Registers • r8 r9 r10 r11 r12 r13 r14 r15 - 64 bit • r8d r9d r10d … - 32 bit • r8w r9w r10w … -16 bit • r8b r9b r10b … - 8 bit x64 assembly
  • 66. • Registers • Stack Pointer Register • RSP • Base Pointer Register • RBP • Program Counter Register • RIP x64 assembly
  • 67. x64 assembly • Registers • Stack Pointer • RSP - 64 bit • 指向 stack 頂端 • Base Pointer • RBP - 64 bit • 指向 stack 底端 • RSP 到 function 參參數範圍稱為該 function 的 Stack Frame … … … … variable return address rbp rbp rsp high low extra-arg
  • 68. x64 assembly • Registers • Stack Pointer • RSP - 64 bit • 指向 stack 頂端 • Base Pointer • RBP - 64 bit • 指向 stack 底端 • RSP 到 function 參參數範圍稱為該 function 的 Stack Frame high low … … … … variable return address rbp rbp rsp extra-arg stack frame
  • 69. x64 assembly • Registers • Program counter register • RIP • 指向⽬目前程式執⾏行行的位置 • Flag register • eflags • 儲存指令執⾏行行結果 • Segment register • cs ss ds es fs gs
  • 70. x64 assembly • AT & T • mov %rax,%rbx • Intel • mov rbx,rax
  • 71. x64 assembly • Basic instruction • mov • add/sub • and/or/xor • push/pop • lea • jmp/call/ret
  • 72. x64 assembly • mov • mov imm/reg/mem value to reg/mem • mov A,B (move B to A) • A 與 B 的 size 要相等 • ex : • mov rax,rbx (o) • mov rax,bx (x) • mov rax,0xdeadbeef
  • 73. x64 assembly • add/sub/or/xor/and • add/sub/or/xor/and reg,imm/reg • add/sub/or/xor/and A,B • A 與 B 的 size ⼀一樣要相等 • ex : • add rbp,0x48 • sub rax,rbx
  • 74. x64 assembly • push/pop • push/pop reg • ex : • push rax = sub rsp,8 ; mov [rsp],eax • pop rbx = mov rbx,[rsp] ; add rsp,8
  • 75. x64 assembly • lea • ex : • lea rax, [rsp+8]
  • 76. x64 assembly • lea v.s. mov • lea rax, [rsp+8] v.s mov rax,[rsp+8] • assume • rax = 3 • rsp+8 = 0x7fffffffe4c0 • [rsp+8] = 0xdeadbeef rax = 0x7fffffffe4c0 rax = 0xdeadbeef lea mov
  • 77. x64 assembly • jmp/call/ret • jmp 跳⾄至程式碼的某處去執⾏行行 • call rax = push rip+8 ;jmp rax • ret = pop rip
  • 78. x64 assembly • leave • mov rsp,rbp • pop rbp
  • 79. x64 assembly • nop • ⼀一個 byte 不做任何事 • opcode = 0x90
  • 80. • System call • Instruction : syscall • SYSCALL NUMBER: RAX • Argument : RDI RSI RDX RCX R8 R9 • Return value : RAX x64 assembly
  • 81. x64 assembly • system call table • https://w3challs.com/syscalls/?arch=x86_64
  • 82. x64 assembly • Calling convention • function call • call : push return address to stack then jump • function return • ret : pop return address • function argument • 基本上⽤用 register 傳遞 • 依序為 rdi rsi rdx r10 r8 r9 • 依序放到 register,再去執⾏行行 function call
  • 83. x64 assembly • Calling convention • function prologue • compiler 在 function 開頭加的指令,主要在保存 rbp 分配區域變數所 需空間 push rbp mov rbp,rsp sub rsp,0x30
  • 84. x64 assembly • Calling convention • function epilogue • compiler 在 function 結尾加的指令,主要在利利⽤用保存的 rbp 回覆 call function 時的 stack 狀狀態 leave ret
  • 85. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0 0 Stack
  • 86. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0 Stack
  • 87. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0x1337 Stack
  • 88. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0x1337 Stack
  • 89. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp high low foo() : push rbp mov rbp,rsp … leave ret rbp rdi rsi 0xdeadbee 0x1337 Stack
  • 90. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rbp/rsp high low foo() : push rbp mov rbp,rsp … leave ret rdi rsi 0xdeadbee 0x1337 Stack
  • 91. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rbp high low foo() : push rbp mov rbp,rsp … leave ret rdi rsi 0xdeadbee 0x1337 Stack rsp
  • 92. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rbp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack rsp
  • 93. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp/rbp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack
  • 94. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack rbp
  • 95. x64 assembly • Calling convention • call foo(0x1337,0xdeadbee) 0x1000 mov rsi,0xdeadbee 0x100a mov rsi,0x1337 0x1014 call foo() 0x101d mov rbx,rax … 0x101d old rbp rsp high low foo() : push rbp mov rbp,rsp … mov rsp,rbp pop rbp ret rdi rsi 0xdeadbee 0x1337 Stack rbp
  • 96. x64 assembly • Hello world • nasm -felf64 hello.s -o hello.o • ld -m elf_x86_64 hello.o -o hello
  • 97. x64 assembly • Shellcode • 顧名思義,攻擊者主要注入程式碼後的⽬目的為拿到 shell ,故稱 shellcode • 由⼀一系列列的 machine code 組成,最後⽬目的可做任何攻擊者想做的事
  • 98. • Hello world shellcode x64 assembly shellcode[] = “x48x31xc0x48x31xdbx48x31xc9x48x31xd2xebx17…….x7xx6cx64”
  • 99. x64 assembly • 產⽣生 shellcode • objcopy -O binary hello.bin shellcode.bin
  • 100. x64 assembly • Using Pwntool • http://docs.pwntools.com/en/stable/asm.html • Pwntool bunutils • http://docs.pwntools.com/en/stable/install/binutils.html
  • 102. x64 assembly • Test your shellcode • gcc -z execstack test.c -o test
  • 103. x64 assembly • How to debug your shellcode • gdb ./test
  • 104. Reference • Glibc cross reference • Linux Cross Reference • 程式設計師的⾃自我修養
  • 105. Q & A