BOF基礎教學 & windows上SEH BOF利用 By.aaaddress1 Live Demo的檔案與相關資料： https://github.com/aaaddress1/NTUSTXTDOH_EasyBofBasic

1. PWN BASIC

2. ➤ ⾺聖豪 (aaaddress1)
➤ 義守⼤學資訊⼯程⼆年級
➤ Reverse Engineering Skills
➤ Windows / Mac OS /Android
➤ TDoHacker Core Member
➤ HITCON 2015 CMT:
➤ AIDS
➤ x86靜態⼿花詐欺術
➤ Wooyun WhiteHat: x86⼿花詐欺
➤ 逢甲2015⾏動計算研討會: AIDS
➤ 成功⼤學2015⾏動APP競賽

3. ➤ Hack BOT
➤ CrackShield / MapleHack
➤ Tower Of Savior
➤ FaceBook: Adr’s FB
➤ Isu Hack
➤ 競時通防爆PING
➤ CSharp,VB,C/CPlus,
x86,Python,Smali,Swift

15. PWN, What?

16. PWN = MAGIC!

17. PWN = MAGIC!

18. PWN = P & Own

19. PWN = P & Own

20. PWN = P & Own

21. PWN
pOWN
PWN 2 OWN

26. PWN = 未經擁有者同意下
獲取或者拿下特定/部分權限

27. PWN = 未經擁有者同意下
獲取或者拿下特定/部分權限

28. PWN =
Input to Script

29. PWN, When?

30. Today you’re on the NET

31. USER
GET
BROWSER
RESPONSE

32. OUTPUT RESULT
BROWSER
Html,JS,VBScript(IE)…etc
RESPONSE

33. OUTPUT RESULT
BROWSER
Html,JS,VBScript(IE)…etc
RESPONSE
BOF, Heap Overflow, SEH …blabla

36. Socket/HTTP

37. RESPONSE&
Socket/HTTP

38. RESPONSE&
Socket/HTTP
BOF, Heap Overflow, SEH …blabla

39. RESPONSE&
Socket/HTTP
BOF, Heap Overflow, SEH …blabla

41. IOT

42. IOT
RESPONSE&

43. IOT
RESPONSE&
BOF

48. PWN in CTF?

49. PWN in CTF?

50. PWN in CTF?

51. PWN in CTF?

52. CTF PWN Type?

57. Find a exploit?

65. Use the exploit?

66. Use the exploit?
-> Control RIP (BOF,Heap,SEH,Sigreturn…)

67. Use the exploit?
-> RIP (BOF,Heap, SEH, Sigreturn…)
-> Shellcode

68. Use the exploit?
-> RIP (BOF,Heap, SEH, Sigreturn…)
-> Shellcode

69. Use the exploit?
-> RIP (BOF,Heap, SEH, Sigreturn…)
-> Shellcode

81. [EBP+0 ] = Pointer to old EBP
[EBP+4 ] = Return Address
[EBP+8 ] = First Parameter
[EBP+C ] = Second Parameter
[EBP+10 ] = Third Parameter
…etc
[EBP+8 + 4*index] = Parameter[index]

82. VOID FUNC()
{
INT A = 0;
INT B = 1;
INT C = 2;
}
[EBP - 4] =0
[EBP - 8] =1
[EBP - C] =2
push EBP
mov EBP,ESP
SUB ESP, LEN

83. VOID FUNC()
{
NFUNC(ARG1,ARG2,ARG3…)
}
push ebp
mov ebp,esp
.
.
push arg3
push arg2
push arg1
call nFunc

89. Stack
ESP + 0
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14

90. Stack
ESP + 0 Old EBP
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
_______EIP

91. Stack
EBP + 0
=ESP
Old EBP
EBP + 4
EBP + 8
EBP + C
EBP + 10
EBP + 14
_______EIP

92. Stack
EBP - 8
=ESP
Buffer
EBP - 4 Buffer
EBP + 0 Old EBP
EBP + 4
EBP + 8
EBP + C
_______EIP

93. Stack
EBP - 8
=ESP
1
EBP - 4 Buffer
EBP + 0 Buffer
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP

94. Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
_______EIP

95. Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C

96. Stack
EBP - 8
=ESP
EBP
EBP - 4 return Address
EBP + 0 1
EBP + 4 Buffer
EBP + 8 Buffer
EBP + C Old EBP
_______EIP

97. Stack
EBP + 0
=ESP
EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP

98. Stack
EBP + 0
=ESP
EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP

99. _______EIP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C

100. _______EIP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C

101. Stack
EBP - 4
=ESP
1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP

102. Stack
EBP + 0
= ESP
Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP

103. EBP+n
EBP+8
EBP+4
EBP+0
EBP-X
EBP-Y

104. EBP+4+4*k
EBP+8
EBP+4
EBP+0
EBP-X
EBP-Y

106. [EBP-8]
[EBP-0x10]

112. How to let data == “admin”?

113. [EBP-8]
[EBP-0x10]

114. Buffer overflow
Stack

115. Buffer overflow
Stack
ESP Old EBP
_______EIP

116. Buffer overflow
Stack
EBP
=ESP
Old EBP
_______EIP

117. Buffer overflow
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP

118. Buffer overflow
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
Variable “name”

119. Buffer overflow
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
Variable “data”

120. Buffer overflow
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP

121. Buffer overflow
Stack
EBP - 10 Buffer
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
“aaaa”

122. Buffer overflow
Stack
EBP - 10 aaaa
EBP - C Buffer
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
“aaaa”

123. Buffer overflow
Stack
EBP - 10 aaaa
EBP - C BBBB
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
“aaaaBBBB”

124. Buffer overflow
Stack
EBP - 10 REVO
EBP - C WOLF
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
“OVERFLOW”
Little Endian

125. if we input more words…?
Magic!

126. Buffer overflow
Stack
EBP - 10 REVO
EBP - C WOLF
EBP - 8 revo
EBP - 4 wolf
EBP
=ESP
Old EBP
_______EIP
If you input
“OVERFLOWoverflow”

127. Buffer overflow
Stack
EBP - 10 AAAA
EBP - C AAAA
EBP - 8 imda
EBP - 4 x00x00x00n
EBP
=ESP
Old EBP
_______EIP
SO, We can input
“AAAAAAAAadmin”

132. Danger function
#include <iostream>
printf, fprintf, snprintf, vprintf, …etc

133. DEMO

198. DEMO