WCTF 2019 Seminar
zsh for beginners
by hama from TokyoWesterns
Firstly…
● Many unintended solutions exist in the published challenge.
● Of course we knew about them and wanted to fix/patch it.
○ We could not manage it.
● The fixed version is here:
https://github.com/hama7230/zsh_for_beginners
● I will explain the fixed version.
Challenge Overview
● A zsh shell running in restricted mode
● You can send a tar file
○ Its contents are extracted before your zsh shell starts
● (Maybe) you can use only zsh builtin commands
● You have to find a vulnerability in the zsh builtins and exploit it
zsh with restricted mode
● In restricted mode (zsh -r, the RESTRICTED option) you can't …
○ set environment variables such as PATH or MODULE_PATH
○ execute binaries and scripts
○ change directory
○ create files
$ echo hogefuga > /tmp/piyo
zsh: writing redirection not allowed in restricted mode
$ cd /tmp
cd: restricted
$ export PATH="/bin/"
export: PATH: restricted
$ export MODULE_PATH="/tmp/"
export: MODULE_PATH: restricted
$ /tmp/_your_tar_file_is_extracted_here_plz_enjoy/bash
zsh: /tmp/_your_tar_file_is_extracted_here_plz_enjoy/bash: restricted
Stack Buffer Overflow
● Stack buffer overflow
○ In some builtin commands: whence, which, where
● ‘print_if_link’ uses ‘strcpy’
○ But the src buffer size and the dst buffer size are NOT the same :)
● ‘print_if_link’ is called when you run those builtins with ‘-S’ (print the symlink chain)
https://github.com/zsh-users/zsh/blob/master/Src/utils.c#L1045
Proof of Concept
● PoC code is in my repo
○ https://github.com/hama7230/zsh_for_beginners/poc.sh
To become CTF challenge
● This challenge's zsh binary is built with
○ FORTIFY disabled
○ SSP disabled
○ PIE disabled
● So the stack overflow can overwrite the return address
● Furthermore, we added a ‘get_flag’ function to make it even easier
○ The function reads the flag and writes it to stdout
Exploit
1. Prepare a symbolic link with a crafted path
2. Run ‘whence -S’ on that path
3. Fire!
● Put the crafted symbolic link into the payload tar file
● The payload is extracted at
‘/tmp/_your_tar_file_is_extracted_here_plz_enjoy/’
● Since the overflow comes from the resolved (real) path, you have to create
a symbolic link whose name contains the return address.
● The exploit fires with the command `whence -S /tmp/~~~~~~~`
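The bug described on the Stack Buffer Overflow slide and the chain walk that the exploit steps above rely on, modelled as an added example. This is not zsh's print_if_link and not the author's PoC: the 64-byte LINK_BUF, the in-memory link table, fake_readlink and the 200-byte target are constructed stand-ins for the real buffer sizes, the file system and the payload, and no addresses are shown. What it demonstrates is the shape of the defect (a PATH_MAX-sized resolved path copied by strcpy into a smaller fixed stack buffer) next to the bounded copy that refuses an over-long target.

```c
/* Added example, not zsh's code: model of the whence -S bug class.
 * The shell follows a symlink chain with readlink(2)/realpath(3), which
 * need a PATH_MAX-sized buffer, and then copies the result with strcpy()
 * into a smaller fixed-size stack buffer.  LINK_BUF, fake_readlink and the
 * link table are constructed for this example. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define LINK_BUF 64          /* hypothetical small destination buffer */
#define MAX_HOPS 32          /* ELOOP guard for the chain walk */

/* Vulnerable pattern: unbounded copy, safe only while strlen(src) < LINK_BUF. */
static void copy_unchecked(char dst[LINK_BUF], const char *src)
{
    strcpy(dst, src);        /* writes strlen(src)+1 bytes whatever dst holds */
}

/* Hardened form: check, then copy; refuse rather than truncate silently. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed stand-in for readlink(2) so the example runs without touching
 * the file system.  Like the real call it does not NUL-terminate and it
 * silently truncates to bufsz.  "/tmp/evil" plays the attacker's link: a
 * 200-byte target, far beyond LINK_BUF but well within PATH_MAX. */
static ssize_t fake_readlink(const char *name, char *buf, size_t bufsz)
{
    static const struct { const char *name, *target; } links[] = {
        { "/tmp/a", "/tmp/b" },
        { "/tmp/b", "/tmp/c" },   /* /tmp/c is a regular file: end of chain */
    };
    if (strcmp(name, "/tmp/evil") == 0) {
        size_t n = bufsz < 200 ? bufsz : 200;
        memset(buf, 'A', n);      /* a real payload would carry address bytes here */
        return (ssize_t)n;
    }
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++) {
        if (strcmp(name, links[i].name) == 0) {
            size_t n = strlen(links[i].target);
            if (n > bufsz) n = bufsz;
            memcpy(buf, links[i].target, n);
            return (ssize_t)n;
        }
    }
    errno = EINVAL;               /* not a symlink */
    return -1;
}

/* Walk the chain the way `whence -S` prints it, one hop per line.  Each hop
 * target lands in a PATH_MAX buffer and is then copied into `out` (LINK_BUF
 * bytes): checked == 0 is the vulnerable strcpy, checked != 0 the bounded
 * copy.  Returns the hop count, or -1 if a target does not fit or the chain
 * is too long. */
int follow_chain(const char *start, char out[LINK_BUF], int checked)
{
    char cur[PATH_MAX + 1], target[PATH_MAX + 1];
    int hops = 0;

    if (copy_checked(cur, sizeof cur, start) < 0)
        return -1;
    for (;;) {
        ssize_t n = fake_readlink(cur, target, PATH_MAX);
        if (n < 0)
            break;                /* reached something that is not a link */
        target[n] = '\0';
        if (++hops > MAX_HOPS) {
            errno = ELOOP;
            return -1;
        }
        if (checked) {
            if (copy_checked(out, LINK_BUF, target) < 0)
                return -1;
        } else {
            copy_unchecked(out, target);   /* overflows when n >= LINK_BUF */
        }
        printf("%s -> %s\n", cur, out);
        memcpy(cur, target, (size_t)n + 1); /* always fits: n <= PATH_MAX */
    }
    return hops;
}

/* Wrappers that only report the result of the bounded walk. */
int chain_hops(const char *start)
{
    char out[LINK_BUF];
    return follow_chain(start, out, 1);
}

int chain_ends_at(const char *start, const char *expect)
{
    char out[LINK_BUF];
    return follow_chain(start, out, 1) >= 0 && strcmp(out, expect) == 0;
}

int main(void)
{
    char out[LINK_BUF];
    printf("hops: %d\n", follow_chain("/tmp/a", out, 1));   /* 2 */
    if (follow_chain("/tmp/evil", out, 1) < 0)
        perror("whence -S /tmp/evil");                        /* ENAMETOOLONG */
    /* follow_chain("/tmp/evil", out, 0) is the crash: 200 bytes into a
     * 64-byte stack buffer, i.e. the whence -S overflow. */
    return 0;
}
```

The unchecked path is left in for reading only; main never calls it with the long target, because with SSP and FORTIFY off that write runs straight over the saved return address, which is exactly what the challenge binary lets you do.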
0day?
● I think this bug does not lead to RCE or DoS
○ Ordinary compiler options are...
■ FORTIFY checks enabled
● strcpy -> __strcpy_chk
■ SSP enabled
■ PIE enabled (very probably)
○ These mitigations block the path to RCE and DoS
● BTW, I found this bug in about 30 minutes, so it's for beginners :)
Summary
● The zsh builtin `whence` has a stack BOF in the latest version, 5.7.1
● Running it on the crafted symbolic link triggers the stack BOF
● It is too hard to exploit as normally built, so some mitigations were disabled for the challenge
● Special thanks to the pwnable.tw organizers
○ Inspired by ‘Bash’ and ‘Bash Revenge’
https://github.com/hama7230/zsh_for_beginners
Thank you!
Did you enjoy your shell?
