TA Lesson Binary Exploitation (Pwn)
•
0 likes•244 views
This document discusses binary exploitation techniques, specifically buffer overflows. It begins with an overview of program memory sections like the stack, heap, data, and text. It then covers security options like RELRO, stack canaries, and ASLR that aim to prevent exploits. Finally, it dives into buffer overflows, explaining how overflowing a buffer can overwrite the return address on the stack to redirect program flow and potentially execute shellcode to get remote code execution. The goal of "pwn" techniques is to leverage program vulnerabilities to gain control of the target system.
More Related Content
More from Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
More from Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan. (10)
Recently uploaded
Recently uploaded (20)
TA Lesson Binary Exploitation (Pwn)
- 1. redhung@hung.red TA-LESSON @ INFORMATION SECURITY — BINARY EXPLOITATION ( PWN )
- 2. >_ ECHO `WHOAMI` Interning at CHT Security Co., Ltd. CTF Player Woof Woof Pwning dog 🐶 Focusing on Reversing, Pwning
- 3. >_ CAT ./OVERVIEW What Is Pwn Program Section Security Options Buffer Overflow 0x0 0x1 0x2 0x3
- 4. What is Pwn
- 5. >_ WHAT IS PWN Start EndInput Output 簡單來說,控制程式流程,進而達到我們的目的,稱之為Pwn 藉由使用者輸入(Input)的地方來輸入偽造好的Payload 藉由螢幕輸出(Output)的地方來Leak程式資訊
- 6. >_ WHAT IS PWN Start Segmetation FaultInput Output 藉由惡意的輸入來導致程式Crash 則代表此程式有⼈人為疏漏的地⽅方,例例如陣列列邊界超越、指標釋放後未清除 攻擊者則藉由這些漏洞洞來來構造完整的Payload進⾏行行攻擊
- 7. >_ WHAT IS PWN Start Get Shell !! Input Output 攻擊者想要的並不只是讓程式Crash 攻擊者的最終⽬目的是藉由程式漏洞洞來來獲取運⾏行行程式的主機控制權 經由⼀一個漏洞洞來來讓我們串串起攻擊鍊鍊,從運⾏行行程式突破到主機內部
- 14. >_ PROGRAM SECTION Stack Heap BSS Data Text Stack 存放區域變數、 參參數、return address 由⾼高位址往低位址長
- 15. >_ PROGRAM SECTION Stack Frame Local variables saved rbp canary return address Stack存放了了許多重要資訊 因此在Pwn的領域中 玩轉Stack是⼀一項非常重要 的技術
- 16. >_ PROGRAM SECTION Stack Frame 0x0 (num)
- 17. >_ PROGRAM SECTION Stack Frame 0x0 (num) return address (num = num+1)
- 18. >_ PROGRAM SECTION Stack Frame 0x0 (num) return address (num = num+1) saved rbp canary
- 19. >_ PROGRAM SECTION Stack Frame 0x0 (num) return address (num = num+1) saved rbp canary
- 20. >_ PROGRAM SECTION Stack Frame 0x0 (num)
- 21. Security Options
- 22. >_ SECURITY OPTIONS RELRO Stack Canary NX ( No-Execute ) PIE ASLR
- 23. >_ SECURITY OPTIONS RELRO — RELocation Read Only Level : No / Partial / Full No RELRO — Link map 可寫 、 GOT 可寫 Partial RELRO — Link map 不可寫、GOT可寫 Full RELRO — Link map 不可寫、GOT不可寫
- 24. >_ SECURITY OPTIONS Stack Canary 在 SAVED RBP 之前塞⼀一個隨機的值, 在 return 前檢查是否⼀一致, 不⼀一致的話則將此次 input abort,並結束程式
- 25. >_ SECURITY OPTIONS NX — No execute ⼜又稱 DEP (Data Execution Prevention) 可寫的不可執⾏行行,可執⾏行行的不可寫
- 26. >_ SECURITY OPTIONS PIE — Position Independent Executable 開啟時,Data段以及Text段位址隨機化 關閉時,Data段以及Text段位址固定
- 27. >_ SECURITY OPTIONS ASLR — Address Space Layout Randomization 記憶體位址隨機變化 每次執⾏行行時,Stack、Heap、libc的位址都不⼀一樣 ASLR是系統設定,並不是程式設定
- 28. Buffer Overflow
- 30. >_ BUFFER OVERFLOW Local variables saved rbp canary return address
- 31. >_ BUFFER OVERFLOW AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAAAAAAA saved rbp canary return address
- 36. LAB
- 37. THANK YOU! redhung@hung.red r3dhun9 @r3dhun9 Philip Chen