0 BOF 기초부터 응용까지~! Feat. LoB

1

BOF 기초부터 응용까지 ~!

Feat. LoBhttp://symnoisy.tistory.com/

2

INDEX.

LOB?

1

BOF! 기초 디버깅(feat. gdb)

2

BOF! 난 정말 잘하고 있는 걸까(feat. Level)

3

3

RTL? What The...(feat. Level 13)

4

Remote BOF? 리모콘 ? (feat. Level 20)

5

INDEX.

4

LOB?.1• LORD OF BOF = 워게임

• 해커스쿨

5

BOF! 기초 디버깅

Feat.gdb2환경변수 .STACK

.HEAP

.DATA

.CODE

• 스택 프레임

– SFP– RET

• 레지스터

– ESP– EBP– EIP

• 페이로드

– NOP– 쉘코드

6


Feat.gdb2 CALLING CONVENTION

– CDECL printf()

– STD CALL SUB

– FAST CALL( 생략 )

7


Feat.gdb2[gate@localhost kucis]$ cat basic.c#include<stdio.h>int main(int argc, char* argv[]){char buffer[1024];strcpy(buffer,argv[1]);puts(buffer);}

8


Feat.gdb2

디버깅 & 공격 GO!

9

3BOF! 난 정말 잘하고 있는 걸까 ?Feat. Level 1

[gate@localhost gate]$ cat gremlin.c/*

The Lord of the BOF : The Fellowship of the BOF - simple BOF

*/ int main(int argc, char *argv[]){ char buffer[256]; if(argc < 2){ printf("argv error\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer);}

10


int main(int argc, char *argv[])

EX)./test ``perl –e ‘print “ABCD”`’` ``perl –e ‘print “EFGH”’``

Argc: 3Argv: [0],[1],[2]

11


BUF 256

SFP

RET

12


풀이

RET 에 넣을 주소를 직접 구하는 방법

소스에 추가해서 뱉어주게 하는 방법

( 단 , 소스를 건들 수 있다면 )

13


디버깅 & 공격 GO!

14

4 RTL?WHAT THE.....

15

4RTL? WHAT THE.......Feat. Level 13

• Canary

• DEP/NX

• ASCII Armor

• ASLR

16

#include <stdio.h>#include <stdlib.h>

main(int argc, char *argv[])

{char buffer[40];int i;

if(argc < 2){printf("argv er-

ror\n");exit(0);

}

if(argv[1][47] == '\xbf'){

printf("stack betrayed you!!\n");

exit(0);}

strcpy(buffer, argv[1]); printf("%s\n", buffer);

}

if(argc < 2){printf("argv error\n");exit(0);

}

4 Feat. Level 13RTL? WHAT THE.......

17

if(argv[1][47] == '\xbf'){

printf("stack betrayed you!!\n");exit(0);

}

strcpy(buffer, argv[1]); printf("%s\n", buffer);

}


18


공격 GO!

19


buf | SFP | &system | &exit | &sh

20

5 Remote BOF?리모콘 .....??

21

#include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/wait.h> #include <dumpcode.h>

main(){

char buffer[40];

int server_fd, client_fd; struct sockaddr_in

server_addr; struct sockaddr_in

client_addr; int sin_size;

if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){

perror("socket");exit(1);

}

server_addr.sin_family = AF_INET; server_addr.sin_port = htons(6666);

5 Feat. Level 20Remote BOF?

리모콘 .......

22

server_addr.sin_addr.s_addr = INADDR_ANY;

bzero(&(server_addr.sin_zero), 8);

if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){

perror("bind");exit(1);

}

if(listen(server_fd, 10) == -1){

perror("listen");exit(1);

}

while(1) { sin_size =

sizeof(struct sockaddr_in);if((client_fd = ac-

cept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){

perror("accept");continue;

}


리모콘 .......

23

if (!fork()){

send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);

send(client_fd, "You : ", 6, 0);

recv(client_fd, buffer, 256, 0);

close(client_fd);break;

}

close(client_fd); while(waitpid(-

1,NULL,WNOHANG) > 0);}close(server_fd);


리모콘 .......

24

공격 GO!


리모콘 .......

25

THANK YOU!

Q&Asymnoisy.tistory.-

com

Documents

0 BOF 기초부터 응용까지~! Feat. LoB