Secuinside CTF 2012 QualPwning Pwnablespwn3r (WiseGuyz)www.CodeEngn.comCodeEngn ReverseEngineering Conference
Outline- Secuinside- Style of Qualification- Kielbesa (Challenge)- Tribute (Challenge)- Karate (Challenge)- Classico (Chal...
Secuinside ?- The information security conference- CTF for Events- CTF was operated by INETCOP , BEISTLAB
Style of challenges- 17 challenges are opened !- Almost challenges ( 90% ) are vulnerability challenges- Hell pwnables !
Types of Remote pwnable services- ELF executable binary running on Xinetd service- ELF executable binary running on Apache...
Challenges- 1 ~ 11 , 20Remote pwnables- 12 ~ 17Web- 18 ~ 19Crypto
Kielbasanickname: kielbasaHINT: http://61.42.25.20/captcha/captcha.cgi?q=captchabinary: http://61.42.25.20/captcha/captcha...
KielbasaHow to debug cgi ?- Patch the cgi binary code as “jmp $” (infinitive loop)- Attach process to debugger- Recover co...
KielbasaMain function
KielbasaSaving real serial to log/%d.logWe can bypass captcha check by reading itGenerate serialPrint to file
Kielbasa- 1byte overflow!- We can overwrite localvariable “v_size”“0”“1”~~~~~~~“3”“9” (0x39)0x00x00x0T_Sv_size
Kielbasa- Copying for v_size variable- 1 byte overflow leads to0x19 bytes stack overflow!- We can’t overwrite ReturnAddres...
Kielbasa- When we passedcaptcha auth , it checkslocal variables are nullor not- If not , programallocates new memoryby cal...
Kielbasa- Copying data to new memory by calling sprintf(We can controll three pointers that arguments for sprintf)- If *T_...
Kielbasa- NX is enabled on challenge server- But challenge binary is enabled execstack option !- Stack , heap and allocate...
KielbasaHow to exploit ?- When program jump to memory 0x0 , ESI points startof captcha string at environment variable- Cop...
Kielbasa
Tributenickname: tributeHINT: http://61.42.25.18/banking/binary: http://61.42.25.18/banking/secureKey.tgzCentOS 6.2 / rand...
Tribute- Set content type.- Checking length of clientip , port (meaningless)- Check Method is GET orPOST. Else will call e...
Tribute- Set local variable v14 to 1- If argument d doesn’texist in QUERY_STRINGand v14 is 0 , Change espto environment va...
TributesecureKey.cgi?n=[BACK]&k=- If length of argument k=0=> K[-1] = 0=> v14 = 0
TributePayloadGET[pop ebx]….[pop ebx][jmp esp] /secureKey.cgi?aba: [RET]……..[RET] [getenv@plt] [call eax][“REQUEST_METHOD”...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........po...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........po...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........po...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........po...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........po...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx...........
Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ...
Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ...
Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (p...
Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (p...
Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (p...
Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (p...
Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (p...
Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (p...
Karatenickname: karateHINT:http://61.42.25.19/OTP/onetimepass.cgi?query=otp_inputbinary: http://61.42.25.19/OTP/onetimepas...
KarateOne time password service
Karate- Call this function forcounts of arguments- Allocate heap andcopy arguments toheap- We can use this forheap spray !aa
Karate- If length of argument“bank” is longer than0xff , change esp to0x084F4F4F and RET- We can controll value inmemory 0...
KaratePayload- Send many GET argument sets (“a=b&” * 11xx)+ NOP + SHELLCODE+ Address of SHELLCODE- You should take care of...
Karate“a=b”“a=b”~~~~~~~NOPNOP + SHELLCODES~~~~~~~0x084f4c070x084f4c070x084f4c07~~~~~~~0x0804A0080x084F4F4F0x084F4C07Low ad...
Karate
Classiconickname: classicoHINT: 61.42.25.24:8080(8181,8282,8383,8484,8585,8686,8787,8888,8989)binary: http://61.42.25.24/c...
Classico- First , get client inputand check the inputvalues- Checks time stamp ,random hash , etc…..
Classico- Check routines- Get input from clientand check inputvalues
Classico- If you passed checkroutines , programgets input for functiontable index from client- Index range must be0x0 <= I...
Classico- Jump to table[index]- Each index calls itsown handler function
ClassicoIndex 0x3 handler- If allocated heapaddress is higher than0x08282828 , jumpsto 0xbfc8c8c8= if(*0xbfc8c8c8 != 0)
ClassicoIndex 0x9 handler- If esp is lower then0xbfc8c8c8 , callmprotect to make0xbfc8c000 rwxmemory
ClassicoIndex 0xF handler- Get user input andcheck about input- If you passed it , Youcan call sub mainfunction as many as...
ClassicoHow to exploit?- Jump to index 0xF enough times to reach esp to0xbfc8c8c8- Jump to index 0x9 to make stack rwx mem...
Classico
Roadienickname: roadieHINT: 61.42.25.26:8080(8181,8282,8383,8484,8585,8686,8787,8888,8989)binary: http://61.42.25.26/roadi...
Roadie- main calls sub functioninfinitely
Roadie- Sub main functionallocates heap and setsmemory permission rwx- Makes function table
Roadie- After input , anothersub function checksinput values- Use input values forfunction table index- If you passed all ...
Roadie- Call the function intable[index]- We can’t controll valueson function table- So we just need to usefunctions that ...
Roadie- 4 functions in table- Index 0 , Index 1 is notuseful- Index 30 allocates rwxmemory at 0x00000000- Index 31 can cal...
RoadieIndex 30 function- Allocates rwx memoryat 0x00000000- You can write values on0x0 , 0x1 , 0x2(1byte in one time)
RoadieIndex 31 function- You can jump tomemory lower than0x0804000(signed int)
RoadieHow to exploit?- When index 31 function jump to user controlledaddress , ESI points start of input values in heap.- ...
Roadie
Reusing dynamic linker for ExploitationDynamic linker- It loaded into memory with shared library when theprogram uses dyna...
Reusing dynamic linker for ExploitationDynamic linker- When main binary calls libc function , they callfunction@plt first-...
Reusing dynamic linker for Exploitation
Reusing dynamic linker for ExploitationIf you changes the function name that _dl_lookup_symbol_xfunction ‘s argument , ano...
Reusing dynamic linker for ExploitationExploitation- Write address of read & writable memory onDYNAMIC + 36- Write new fun...
Reusing dynamic linker for Exploitation
Dethstarrnickname: dethstarrHINT: 61.42.25.25:8080(8181,8282,8383,8484,8585,8686,8787,8888,8989)binary: http://61.42.25.25...
DethstarrDamn trash routines- Half of functionsjust allocate heap ,set data and justprint them.- Other functionsjust get u...
DethstarrThere’s vulnerability in one of input_check functions.We can overwrite 4byte on any memory we want !
DethstarrBut (where & what) we should overwrite to controll EIP?- Overwrite GOT to [add XX , esp ; ret ;] for lifting ESPt...
Dethstarrfreespace2 – 4RetRetRetread@plt&(leave ; ret)0Freespace260read@pltpppr0&strtab_ptr (.DYNAMIC+36)4atoi@plt + 60xde...
Dethstarr
Conclusion- Secuinside was Lovely pwnable party!- Tip for pwnable :- Find unnatural function in binary- Catch the trap! Do...
Q & A
Quiz Time!1) 문제서버에 NX가 켜져있음에도 Kielbasa문제와Classico문제에서 스택의 쉘코드 실행이 가능했던 이유는?2) 리모트 공격으로 쉘을 획득했을때 표준 출력이 정상적으로 되지않는 있는 방법은?(...
Upcoming SlideShare
Loading in …5
×

[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이

1,516 views

Published on

2012 CodeEngn Conference 06

Secuinside는 코스콤에서 주최, 연합해킹그룹 HARU, 고려대 정보보호대학원에서 주관하는 국제 해킹대회 및 보안컨퍼런스로써 얼마전 개최된 해킹대회 예선전 문제들을 풀기위해 사용한 분석기술과 ASLR과 NX를 우회하는 새로운 익스플로잇 기술에 대해서 소개한다.

http://codeengn.com/conference/06

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,516
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
11
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이

  1. 1. Secuinside CTF 2012 QualPwning Pwnablespwn3r (WiseGuyz)www.CodeEngn.comCodeEngn ReverseEngineering Conference
  2. 2. Outline- Secuinside- Style of Qualification- Kielbesa (Challenge)- Tribute (Challenge)- Karate (Challenge)- Classico (Challenge)- Roadie (Challenge)- Exploitation reusing dynamic linker- Dethstarr (Challenge)
  3. 3. Secuinside ?- The information security conference- CTF for Events- CTF was operated by INETCOP , BEISTLAB
  4. 4. Style of challenges- 17 challenges are opened !- Almost challenges ( 90% ) are vulnerability challenges- Hell pwnables !
  5. 5. Types of Remote pwnable services- ELF executable binary running on Xinetd service- ELF executable binary running on Apache as cgiservice
  6. 6. Challenges- 1 ~ 11 , 20Remote pwnables- 12 ~ 17Web- 18 ~ 19Crypto
  7. 7. Kielbasanickname: kielbasaHINT: http://61.42.25.20/captcha/captcha.cgi?q=captchabinary: http://61.42.25.20/captcha/captcha.tgzrandomize_va_space 2 / exec-shield 1
  8. 8. KielbasaHow to debug cgi ?- Patch the cgi binary code as “jmp $” (infinitive loop)- Attach process to debugger- Recover code- Start debugging !
  9. 9. KielbasaMain function
  10. 10. KielbasaSaving real serial to log/%d.logWe can bypass captcha check by reading itGenerate serialPrint to file
  11. 11. Kielbasa- 1byte overflow!- We can overwrite localvariable “v_size”“0”“1”~~~~~~~“3”“9” (0x39)0x00x00x0T_Sv_size
  12. 12. Kielbasa- Copying for v_size variable- 1 byte overflow leads to0x19 bytes stack overflow!- We can’t overwrite ReturnAddress but almost stackvariables
  13. 13. Kielbasa- When we passedcaptcha auth , it checkslocal variables are nullor not- If not , programallocates new memoryby calling malloc ormmap(default)
  14. 14. Kielbasa- Copying data to new memory by calling sprintf(We can controll three pointers that arguments for sprintf)- If *T_S_ptr is null and *v18 is not null , program jumps to0x00000000We can controll these pointers
  15. 15. Kielbasa- NX is enabled on challenge server- But challenge binary is enabled execstack option !- Stack , heap and allocated memory are excutable !- So you should copy bytes code to 0x0 by sprintf andjump to 0x0.
  16. 16. KielbasaHow to exploit ?- When program jump to memory 0x0 , ESI points startof captcha string at environment variable- Copy “push esi” , “ret” to 0x00000000- Captcha + Jmp ($ + 0x80)- NOP + SHELLCODE in another Environment variable
  17. 17. Kielbasa
  18. 18. Tributenickname: tributeHINT: http://61.42.25.18/banking/binary: http://61.42.25.18/banking/secureKey.tgzCentOS 6.2 / randomize_va_space 2 / exec-shield 0
  19. 19. Tribute- Set content type.- Checking length of clientip , port (meaningless)- Check Method is GET orPOST. Else will call exit().- Call real client handler
  20. 20. Tribute- Set local variable v14 to 1- If argument d doesn’texist in QUERY_STRINGand v14 is 0 , Change espto environment variablesspace , then RET- We just need to controllv14 to 0
  21. 21. TributesecureKey.cgi?n=[BACK]&k=- If length of argument k=0=> K[-1] = 0=> v14 = 0
  22. 22. TributePayloadGET[pop ebx]….[pop ebx][jmp esp] /secureKey.cgi?aba: [RET]……..[RET] [getenv@plt] [call eax][“REQUEST_METHOD”] [NOP + SHELLCODE]………………………………………………………………..………………………………………………………………..abh: [RET]……..[RET] [getenv@plt] [call eax][“REQUEST_METHOD”] [NOP + SHELLCODE]
  23. 23. Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp
  24. 24. Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp
  25. 25. Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp
  26. 26. Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp
  27. 27. Tribute&RET…..&RET&(getenv @ plt)&(call_eax)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp
  28. 28. Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressGETpop ebx........pop ebxJmp esp“ “/….Low addressHigh addressespeip
  29. 29. Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressespeip
  30. 30. Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressespeip
  31. 31. Tribute&RET…..&RET&(getenv @ plt)&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressespeip
  32. 32. Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp eip
  33. 33. Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp eip
  34. 34. Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp eip
  35. 35. Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp eip
  36. 36. Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressesp eip
  37. 37. Tribute&RET…..&RETesp - 4&(call_eax+2)&“REQUEST_METHOD”NopNopSHELLCODE…….Low addressHigh addressG (inc edi)E (inc ebp)T (push esp)pop ebx........pop ebxJmp esp“ “/….Low addressHigh addressespeip
  38. 38. Karatenickname: karateHINT:http://61.42.25.19/OTP/onetimepass.cgi?query=otp_inputbinary: http://61.42.25.19/OTP/onetimepass.tgzCentOS 6.2 / randomize_va_space 0 / exec-shield 0
  39. 39. KarateOne time password service
  40. 40. Karate- Call this function forcounts of arguments- Allocate heap andcopy arguments toheap- We can use this forheap spray !aa
  41. 41. Karate- If length of argument“bank” is longer than0xff , change esp to0x084F4F4F and RET- We can controll value inmemory 0x084F4F4F byheap spraying !- No ASLR. First allocatedof heap address fixed at0x0804a008
  42. 42. KaratePayload- Send many GET argument sets (“a=b&” * 11xx)+ NOP + SHELLCODE+ Address of SHELLCODE- You should take care of the limit length of GETmethod argument
  43. 43. Karate“a=b”“a=b”~~~~~~~NOPNOP + SHELLCODES~~~~~~~0x084f4c070x084f4c070x084f4c07~~~~~~~0x0804A0080x084F4F4F0x084F4C07Low addressHigh address
  44. 44. Karate
  45. 45. Classiconickname: classicoHINT: 61.42.25.24:8080(8181,8282,8383,8484,8585,8686,8787,8888,8989)binary: http://61.42.25.24/classicoCentOS 6.2 / randomize_va_space 0 / exec-shield 1
  46. 46. Classico- First , get client inputand check the inputvalues- Checks time stamp ,random hash , etc…..
  47. 47. Classico- Check routines- Get input from clientand check inputvalues
  48. 48. Classico- If you passed checkroutines , programgets input for functiontable index from client- Index range must be0x0 <= Index <= 0xf
  49. 49. Classico- Jump to table[index]- Each index calls itsown handler function
  50. 50. ClassicoIndex 0x3 handler- If allocated heapaddress is higher than0x08282828 , jumpsto 0xbfc8c8c8= if(*0xbfc8c8c8 != 0)
  51. 51. ClassicoIndex 0x9 handler- If esp is lower then0xbfc8c8c8 , callmprotect to make0xbfc8c000 rwxmemory
  52. 52. ClassicoIndex 0xF handler- Get user input andcheck about input- If you passed it , Youcan call sub mainfunction as many asyou want
  53. 53. ClassicoHow to exploit?- Jump to index 0xF enough times to reach esp to0xbfc8c8c8- Jump to index 0x9 to make stack rwx memory- Jump to index 0x3 to change eip to point stack
  54. 54. Classico
  55. 55. Roadienickname: roadieHINT: 61.42.25.26:8080(8181,8282,8383,8484,8585,8686,8787,8888,8989)binary: http://61.42.25.26/roadieCentOS 6.2 / randomize_va_space 2 / exec-shield 1
  56. 56. Roadie- main calls sub functioninfinitely
  57. 57. Roadie- Sub main functionallocates heap and setsmemory permission rwx- Makes function table
  58. 58. Roadie- After input , anothersub function checksinput values- Use input values forfunction table index- If you passed all ofcheck routines ,program calls subfunction
  59. 59. Roadie- Call the function intable[index]- We can’t controll valueson function table- So we just need to usefunctions that already intable
  60. 60. Roadie- 4 functions in table- Index 0 , Index 1 is notuseful- Index 30 allocates rwxmemory at 0x00000000- Index 31 can call functionwhich address is lower than0x08040000
  61. 61. RoadieIndex 30 function- Allocates rwx memoryat 0x00000000- You can write values on0x0 , 0x1 , 0x2(1byte in one time)
  62. 62. RoadieIndex 31 function- You can jump tomemory lower than0x0804000(signed int)
  63. 63. RoadieHow to exploit?- When index 31 function jump to user controlledaddress , ESI points start of input values in heap.- Write jmp *esi in memory 0x0,0x1 by calling index 30function- Jump to memory 0x00000000 by calling index 31function. Make input values contain jmp $+0x7f nearstart and NOP+SHELLCODE near start + 0x7f .
  64. 64. Roadie
  65. 65. Reusing dynamic linker for ExploitationDynamic linker- It loaded into memory with shared library when theprogram uses dynamic linking method- Links program and shared library in run-time
  66. 66. Reusing dynamic linker for ExploitationDynamic linker- When main binary calls libc function , they callfunction@plt first- function@plt jumps to *GOT.- If first call of function , GOT points next instruction’saddress. Next instructions get into dynamic linker andget libc address of function. Write the address on GOTand call it.
  67. 67. Reusing dynamic linker for Exploitation
  68. 68. Reusing dynamic linker for ExploitationIf you changes the function name that _dl_lookup_symbol_xfunction ‘s argument , another function will be called.system( ) worked!
  69. 69. Reusing dynamic linker for ExploitationExploitation- Write address of read & writable memory onDYNAMIC + 36- Write new function name(“system” , “execl” , ….) onread & writable memory + offset (&function name -&.strtab)- Return to function@plt + 6
  70. 70. Reusing dynamic linker for Exploitation
  71. 71. Dethstarrnickname: dethstarrHINT: 61.42.25.25:8080(8181,8282,8383,8484,8585,8686,8787,8888,8989)binary: http://61.42.25.25/dethstarrCentOS 6.2 / randomize_va_space 2 / exec-shield 1
  72. 72. DethstarrDamn trash routines- Half of functionsjust allocate heap ,set data and justprint them.- Other functionsjust get user inputand check them
  73. 73. DethstarrThere’s vulnerability in one of input_check functions.We can overwrite 4byte on any memory we want !
  74. 74. DethstarrBut (where & what) we should overwrite to controll EIP?- Overwrite GOT to [add XX , esp ; ret ;] for lifting ESPto ROP !- But small buffer …. So call recv@plt to get newpayload on memory and move stack frame !- Send dynamic linker reusing payload which leads tocall system(“sh”) to bypass ASLR & NX
  75. 75. Dethstarrfreespace2 – 4RetRetRetread@plt&(leave ; ret)0Freespace260read@pltpppr0&strtab_ptr (.DYNAMIC+36)4atoi@plt + 60xdeadbeef&“sh”“system00” “sh00”RetRetRetRetFreespace1&(leave ; ret)Stage 1 Stage 2 Stage 3
  76. 76. Dethstarr
  77. 77. Conclusion- Secuinside was Lovely pwnable party!- Tip for pwnable :- Find unnatural function in binary- Catch the trap! Don’t be fished :p- There’s lots of useful gadgets already in memory- Check about binary execstack bit before start!- Try to solve the challenges Although CTF was finished(It is helpful for us to study HARD exploit :)
  78. 78. Q & A
  79. 79. Quiz Time!1) 문제서버에 NX가 켜져있음에도 Kielbasa문제와Classico문제에서 스택의 쉘코드 실행이 가능했던 이유는?2) 리모트 공격으로 쉘을 획득했을때 표준 출력이 정상적으로 되지않는 있는 방법은?(쉘의 기능을 이용해야함 )www.CodeEngn.comCodeEngn ReverseEngineering Conference

×