TA Lesson Binary Exploitation (Pwn)
Redhung @ National Chung Cheng University, Chiayi, Taiwan.
TA Lesson Binary Exploitation (Pwn) @ National Chung Cheng University
TA Lesson Binary Exploitation (Pwn)
1.
redhung@hung.red
TA-LESSON @ INFORMATION SECURITY — BINARY EXPLOITATION ( PWN )
2.
>_ ECHO `WHOAMI`
Interning at CHT Security Co., Ltd.
CTF Player
Woof Woof Pwning dog 🐶
Focusing on Reversing, Pwning
3.
>_ CAT ./OVERVIEW
0x0 What Is Pwn
0x1 Program Section
0x2 Security Options
0x3 Buffer Overflow
4.
What is Pwn
5.
>_ WHAT IS PWN
(Diagram: Start → Input → Output → End)
Simply put, controlling the program's flow so that it does what we want is called Pwn.
A crafted payload is supplied wherever the program takes user input (Input).
Program information is leaked wherever the program writes to the screen (Output).
6.
>_ WHAT IS PWN
(Diagram: Start → Input → Output → Segmentation Fault)
If malicious input makes the program crash, the program contains a human mistake somewhere, e.g. an array index past its bounds, or a pointer that is not cleared after it is freed.
The attacker uses such vulnerabilities to construct a complete payload for the attack.
7.
>_ WHAT IS PWN
(Diagram: Start → Input → Output → Get Shell !!)
What the attacker wants is not just to crash the program.
The attacker's ultimate goal is to use the program's vulnerability to take control of the host that runs it.
A single vulnerability lets us chain an attack from the running program into the host itself.
8.
Program Section
9.
>_ PROGRAM SECTION
(Diagram, top to bottom: Stack, Heap, BSS, Data, Text)
10.
>_ PROGRAM SECTION: Text
Holds the program code.
Readable, not writable, executable ( r - x ).
11.
>_ PROGRAM SECTION: Data
Holds initialized global variables or local static variables.
E.g. int i = 1;
12.
>_ PROGRAM SECTION: BSS
Holds uninitialized global variables or local static variables.
E.g. int i;
13.
>_ PROGRAM SECTION: Heap
Dynamically allocated memory, malloc() / free().
Grows from low addresses toward high addresses.
14.
>_ PROGRAM SECTION: Stack
Holds local variables, arguments and the return address.
Grows from high addresses toward low addresses.
15.
>_ PROGRAM SECTION: Stack Frame
(Diagram: local variables, saved rbp, canary, return address)
The stack holds a lot of important information, so in the field of Pwn, mastering the stack is a very important technique.
16.
>_ PROGRAM SECTION: Stack Frame
(Diagram, at the call site: 0x0 (num))
17.
>_ PROGRAM SECTION: Stack Frame
(Diagram: 0x0 (num); return address → (num = num+1))
18.
>_ PROGRAM SECTION: Stack Frame
(Diagram: 0x0 (num); return address → (num = num+1); saved rbp; canary)
19.
>_ PROGRAM SECTION: Stack Frame
(Diagram: same frame, now complete: return address → (num = num+1); saved rbp; canary)
20.
>_ PROGRAM SECTION: Stack Frame
(Diagram: the frame is torn down after the call returns; only 0x0 (num) remains)
21.
Security Options
22.
>_ SECURITY OPTIONS
RELRO
Stack Canary
NX ( No-Execute )
PIE
ASLR
23.
>_ SECURITY OPTIONS RELRO — RELocation Read Only
Level : No / Partial / Full
No RELRO — link map writable, GOT writable
Partial RELRO — link map not writable, GOT writable
Full RELRO — link map not writable, GOT not writable
24.
>_ SECURITY OPTIONS Stack Canary
A random value is placed before the saved rbp; before return, the program checks that it is unchanged.
If it differs, this input is aborted and the program terminates.
25.
>_ SECURITY OPTIONS NX — No eXecute
Also called DEP (Data Execution Prevention).
What is writable is not executable; what is executable is not writable.
26.
>_ SECURITY OPTIONS PIE — Position Independent Executable
Enabled: the addresses of the Data and Text segments are randomized.
Disabled: the addresses of the Data and Text segments are fixed.
27.
>_ SECURITY OPTIONS ASLR — Address Space Layout Randomization
Memory addresses change randomly: on every run the Stack, Heap and libc addresses are different.
ASLR is a system setting, not a program setting.
28.
Buffer Overflow
29.
>_ BUFFER OVERFLOW
When the program does not limit user input and the input exceeds the bounds of the character array, a Buffer Overflow results.
30.
>_ BUFFER OVERFLOW
(Diagram: local variables, saved rbp, canary, return address)
31.
>_ BUFFER OVERFLOW
(Diagram: AAAA... fills the local variables; saved rbp, canary and return address still intact)
32.
>_ BUFFER OVERFLOW
(Diagram: AAAA... has overwritten the whole frame, including saved rbp, canary and return address)
33.
>_ BUFFER OVERFLOW
(Diagram: AAAA... over the whole frame → CRASHED)
34.
>_ BUFFER OVERFLOW
(Diagram: AAAA... with the return address slot replaced by System(/bin/sh))
35.
>_ BUFFER OVERFLOW
(Diagram: AAAA... with the return address slot replaced by System(/bin/sh) → GET SHELL !!)
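As an added example (not part of the original slides), the unbounded copy the slides describe is shown next to a bounded version, together with a small model of which frame slot an overflow reaches; the model assumes an x86-64 frame laid out exactly as in the slides, buffer, canary, saved rbp, return address, with no padding.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Vulnerable shape from the slides: input length is never limited, so a long
 * input spills past buf into canary, saved rbp and return address. Shown for
 * contrast only; never called with untrusted input here. */
void vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);                   /* unbounded copy: Buffer Overflow */
    printf("%s\n", buf);
}

/* Hardened form: bound the copy by the destination size and refuse input that
 * does not fit together with its NUL terminator. Returns 1 if copied, 0 if rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *input) {
    size_t n = strlen(input);
    if (dst_size == 0 || n >= dst_size)
        return 0;
    memcpy(dst, input, n + 1);
    return 1;
}

/* Same fixed-size local buffer as vulnerable_copy, but the copy is bounded. */
int safe_copy(const char *input) {
    char buf[BUF_SIZE];
    if (!bounded_copy(buf, sizeof buf, input))
        return 0;                         /* rejected: frame left untouched */
    printf("%s\n", buf);
    return 1;
}

/* Model of slides 30-33. Assumption of this example: an x86-64 frame laid out as
 * [buffer][canary 8][saved rbp 8][return address 8] with no padding. Reports the
 * furthest slot an unbounded copy of input_len bytes plus NUL would reach; the
 * canary is hit first, which is why the stack protector aborts before return. */
const char *overflow_reaches(size_t buf_size, size_t input_len) {
    size_t written = input_len + 1;
    if (written <= buf_size)      return "fits";
    if (written <= buf_size + 8)  return "canary";
    if (written <= buf_size + 16) return "saved rbp";
    return "return address";
}

int main(void) {
    printf("%d\n", safe_copy("hello"));                      /* 1 */
    printf("%d\n", safe_copy("AAAAAAAAAAAAAAAAAAAAAAAA"));   /* 0: 24 bytes rejected */
    printf("%s\n", overflow_reaches(BUF_SIZE, 24));          /* saved rbp */
    return 0;
}
```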
36.
LAB
37.
THANK YOU!
redhung@hung.red
r3dhun9
@r3dhun9