
NTUSTxTDOH - Pwn Basics 2015/12/27

BOF basics tutorial & SEH BOF exploitation on Windows, by aaaddress1

Files and related material for the live demo:
https://github.com/aaaddress1/NTUSTXTDOH_EasyBofBasic

Published in: Education


  1. PWN BASIC
  2. ➤ 馬聖豪 (aaaddress1) ➤ I-Shou University, Computer Science and Information Engineering, second year ➤ Reverse Engineering Skills ➤ Windows / Mac OS / Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86靜態手花詐欺術 (x86 static-analysis deception tricks) ➤ Wooyun WhiteHat: x86手花詐欺 ➤ Feng Chia University 2015 Mobile Computing Conference: AIDS ➤ National Cheng Kung University 2015 mobile app competition
  3. ➤ Hack BOT ➤ CrackShield / MapleHack ➤ Tower Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通 anti-ping-flood ➤ CSharp, VB, C/CPlus, x86, Python, Smali, Swift
  4. PWN, What?
  5. PWN = MAGIC!
  7. PWN = P & Own
  10. PWN / pOWN / PWN 2 OWN
  11. PWN = obtaining or taking over a specific (or partial) privilege without the owner's consent
  13. PWN = Input to Script
  14. PWN, When?
  15. Today you’re on the NET
  16. (diagram labels) USER, GET, BROWSER, RESPONSE
  17. (diagram labels) OUTPUT RESULT, BROWSER: Html, JS, VBScript (IE) …etc, RESPONSE
  18. (same diagram) BOF, Heap Overflow, SEH …blabla
  19. Socket/HTTP
  20. RESPONSE & Socket/HTTP
  21. RESPONSE & Socket/HTTP: BOF, Heap Overflow, SEH …blabla
  23. IOT
  24. IOT RESPONSE &
  25. IOT RESPONSE & BOF
  26. PWN in CTF?
  30. CTF PWN Type? (slides 31 and 32 are image-only)
  33. Find an exploit?
  34. Use the exploit?
  35. Use the exploit? -> Control RIP (BOF, Heap, SEH, Sigreturn…)
  36. Use the exploit? -> RIP (BOF, Heap, SEH, Sigreturn…) -> Shellcode (slide 39 is image-only)
  40. Stack frame seen from EBP (32-bit x86, cdecl, frame pointer in use):
      [EBP+0]  = pointer to old EBP
      [EBP+4]  = return address
      [EBP+8]  = first parameter
      [EBP+C]  = second parameter
      [EBP+10] = third parameter …etc
      [EBP+8 + 4*index] = parameter[index]
  41. Locals live below EBP:
      void func() { int a = 0; int b = 1; int c = 2; }
      [EBP-4] = 0, [EBP-8] = 1, [EBP-C] = 2
      prologue: push ebp / mov ebp, esp / sub esp, LEN
      (the order and spacing of locals is the compiler's choice; optimised builds may reorder or drop them, so measure offsets in a debugger rather than assuming them)
  42. Calling another function pushes the arguments right to left:
      void func() { nFunc(arg1, arg2, arg3, …) }
      push ebp / mov ebp, esp / … / push arg3 / push arg2 / push arg1 / call nFunc
  43-56. (Animated stack diagrams; only the cell labels survive.) The sequence steps through one call: an empty stack labelled ESP+0 … ESP+14; push ebp places Old EBP at ESP+0; mov ebp, esp makes EBP+0 = ESP; sub esp, 8 opens two Buffer slots at EBP-8 and EBP-4; push 1 and the call push the argument 1 and the return address on top, and the callee's own push ebp saves EBP once more; the final frames pop these back off in reverse order until only the Buffer slots remain. Each frame also shows where the EIP marker points.
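The layout in slides 40 to 56 can be checked on a live process. What follows is an added example, my own code rather than anything from the deck or its demo repository: it uses the GCC/Clang builtins __builtin_frame_address and __builtin_return_address to find the saved frame pointer and the return address relative to a local buffer, which generalises the slides' [EBP+0] / [EBP+4] to [fp+0] / [fp + sizeof(void*)] on 64-bit targets. The function name and the buffer are my choices; it assumes GCC or Clang on x86-64 (the two slots checked also match AArch64 without pointer authentication).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: locate the saved frame pointer and the return address of a
 * live frame, the 64-bit equivalent of the slides' [EBP+0] / [EBP+4].
 * Assumptions: GCC or Clang; __builtin_frame_address(0) forces a frame
 * pointer for this function, so fp[0] is the saved fp and fp[1] the return
 * address on x86-64 (and AArch64 without pointer authentication). */
__attribute__((noinline))
int frame_layout_matches(void)
{
    char buf[16];                                      /* the demo's "name" */
    void **fp  = (void **)__builtin_frame_address(0);  /* == EBP / RBP      */
    void  *ret = __builtin_return_address(0);          /* what ret will pop */

    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    printf("frame pointer (fp)      : %p\n", (void *)fp);
    printf("[fp+0]  saved fp        : %p\n", fp[0]);
    printf("[fp+%zu]  return address : %p\n", sizeof(void *), fp[1]);
    printf("local buf (%s) : %p, fp%+td\n", buf, (void *)buf,
           (ptrdiff_t)((char *)buf - (char *)fp));
    /* Bytes an overflow of buf must write to reach the return address:
     * the padding length of a classic stack BOF exploit. */
    printf("buf -> return address   : %td bytes\n",
           (ptrdiff_t)((char *)&fp[1] - (char *)buf));

    return fp[1] == ret;   /* 1 when the slides' layout holds */
}

int main(void)
{
    printf("layout matches: %d\n", frame_layout_matches());
    return 0;
}
```

The printed buf-to-return-address distance is the padding an overflow needs before the value that lands in EIP/RIP; it changes between -O0 and -O2 and with -fstack-protector, which is why exploits measure it in a debugger rather than assume it.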
  57. (diagram) Frame slots from top to bottom: EBP+n … EBP+8, EBP+4, EBP+0, EBP-X, EBP-Y
  58. (diagram) Same layout with the k-th parameter labelled EBP+4+4*k
  59. (screenshot of the demo program) locals at [EBP-8] and [EBP-0x10]
  60. How to make data == “admin”?
  61. (screenshot) [EBP-8] and [EBP-0x10]
  62-68. Buffer overflow: the demo's stack frame
      EBP-0x10  Buffer                     } variable “name” (8 bytes)
      EBP-0xC   Buffer                     }
      EBP-8     0x6C6C6548 = lleH          } variable “data” = “Hello!”
      EBP-4     0x0000216F = \x00\x00!o    }
      EBP+0     Old EBP
      EBP+4     return address (EIP)
      (the dword view shows each 4-byte slot in little-endian order, so the bytes “Hell” read back as “lleH”)
  69-70. If you input “aaaa”: EBP-0x10 = aaaa
  71. If you input “aaaaBBBB”: EBP-0x10 = aaaa, EBP-0xC = BBBB
  72. If you input “OVERFLOW”: EBP-0x10 = REVO, EBP-0xC = WOLF (Little Endian)
  73. If we input more characters…? Magic!
  74. If you input “OVERFLOWoverflow”: EBP-0x10 = REVO, EBP-0xC = WOLF, EBP-8 = revo, EBP-4 = wolf: the second half has overwritten “data”
  75. So we can input “AAAAAAAAadmin”: EBP-0x10 = AAAA, EBP-0xC = AAAA, EBP-8 = imda, EBP-4 = \x00\x00\x00n, and data == “admin”
  76. Dangerous functions (#include <iostream>): printf, fprintf, snprintf, vprintf, …etc
      (the printf family is dangerous when the format string itself comes from the user; the classic buffer-overflow sources are unbounded copies such as gets, strcpy, strcat, sprintf and scanf("%s"))
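To make slides 62 to 76 concrete, here is an added example of my own, not the deck's demo program: it models the demo's frame as an explicit 0x18-byte little-endian array (name at 0x00, data at 0x08, saved EBP at 0x10, return address at 0x14) so the layout is fixed instead of being left to the compiler, then runs the slides' inputs through a strcpy-style copy and through a bounded copy. All names (frame_t, login_vuln, login_safe, dword_at, the scenario_* helpers, EIP_PAYLOAD) and the saved-EBP and return-address values are mine. One detail the slides leave out: strcpy also writes the terminating NUL, so an 8-character "OVERFLOW" already zeroes the first byte of data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the slides' frame as an explicit little-endian byte array.
 * Offsets follow the deck (EBP-0x10 = name, EBP-8 = data, then EBP, EIP);
 * the EBP/EIP contents are constructed placeholders. */
#define NAME_OFF 0x00   /* EBP-0x10: char name[8] */
#define DATA_OFF 0x08   /* EBP-0x08: char data[8] = "Hello!" */
#define EBP_OFF  0x10   /* EBP+0   : saved EBP */
#define RET_OFF  0x14   /* EBP+4   : return address */
#define FRAME_SZ 0x18
/* 16 bytes cover name and data; the next two dwords land on EBP and EIP. */
#define EIP_PAYLOAD "AAAAAAAA" "AAAAAAAA" "BBBB" "CCCC"

typedef struct { uint8_t b[FRAME_SZ]; } frame_t;

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Read a 4-byte slot the way the slides' dword view shows it. */
uint32_t dword_at(const frame_t *f, size_t off)
{
    const uint8_t *p = f->b + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The frame as drawn before any input arrives. */
frame_t frame_init(void)
{
    frame_t f;
    memset(f.b, 0, sizeof f.b);
    memcpy(f.b + DATA_OFF, "Hello!", 7);    /* "lleH" / "\0\0!o" as dwords */
    put_le32(f.b + EBP_OFF, 0xbffff0a8u);   /* constructed saved EBP       */
    put_le32(f.b + RET_OFF, 0x080484d6u);   /* constructed return address  */
    return f;
}

/* strcpy(name, input) as the demo does it: copies up to and including the
 * NUL with no regard for name's 8 bytes.  The only stop is the end of the
 * modelled frame, so this program itself stays memory-safe. */
void login_vuln(frame_t *f, const char *input)
{
    size_t i = 0;
    for (; input[i] != '\0' && NAME_OFF + i < FRAME_SZ; i++)
        f->b[NAME_OFF + i] = (uint8_t)input[i];
    if (NAME_OFF + i < FRAME_SZ)
        f->b[NAME_OFF + i] = '\0';
}

/* Hardened copy: at most sizeof(name)-1 bytes, always NUL-terminated. */
void login_safe(frame_t *f, const char *input)
{
    size_t cap = DATA_OFF - NAME_OFF - 1;   /* 7 characters fit in name */
    size_t n = strlen(input);
    if (n > cap) n = cap;
    memcpy(f->b + NAME_OFF, input, n);
    f->b[NAME_OFF + n] = '\0';
}

/* The demo's check: is data == "admin"? */
int is_admin(const frame_t *f)
{
    return memcmp(f->b + DATA_OFF, "admin", 6) == 0;
}

/* Scenarios from the slides; each starts from a fresh frame. */
int scenario_admin(int hardened)
{
    frame_t f = frame_init();
    (hardened ? login_safe : login_vuln)(&f, "AAAAAAAAadmin");  /* 8 pad + admin */
    return is_admin(&f);
}

uint32_t scenario_dword_after(const char *input, size_t off)
{
    frame_t f = frame_init();
    login_vuln(&f, input);
    return dword_at(&f, off);
}

int main(void)
{
    frame_t f = frame_init();
    printf("data as dwords: [EBP-8]=0x%08x [EBP-4]=0x%08x\n",
           dword_at(&f, DATA_OFF), dword_at(&f, DATA_OFF + 4));
    printf("\"OVERFLOW\" -> [EBP-0x10]=0x%08x (\"REVO\" little-endian)\n",
           scenario_dword_after("OVERFLOW", NAME_OFF));
    printf("\"AAAAAAAAadmin\" -> is_admin=%d (vuln) %d (hardened)\n",
           scenario_admin(0), scenario_admin(1));
    printf("24-byte input -> saved EBP=0x%08x EIP=0x%08x\n",
           scenario_dword_after(EIP_PAYLOAD, EBP_OFF),
           scenario_dword_after(EIP_PAYLOAD, RET_OFF));
    return 0;
}
```

The last scenario is the "control RIP" step from slide 35 in miniature: once the padding reaches the saved EBP, the next four input bytes are what ret loads into EIP. On a real binary the 16-byte padding is whatever the debugger shows between the start of name and [EBP+4], not a number taken from a slide.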
  77. DEMO (slides 78 to 80 are image-only)
  81. DEMO
