An Intro on Data-oriented Attacks
- 1. An Intro on Data-oriented Attacks @ 若渴
2020.1.19
<ajblane0612@gmail.com>
AjMaChInE
- 2. Reference
● [0] 2019, Exploitation Techniques and Defenses for Data-Oriented Attacks
● [1] 2018, Block Oriented Programming - Automating Data-Only Attacks
● [2] 2016, Data-Oriented Programming - On the Expressiveness of Non-Control Data Attacks
● [3] BOPC, https://github.com/HexHive/BOPC
- 5. Array mons starts at 0x80cf6e0
send(fd, &mons, size)
(figure: .bss section layout showing main_server, mons, resp_buf, ssl_ctx)
- 6. Action: Get main_server
2. read operator & 1. copy operator:
AWP(&mons, ARP(&main_server), size)
→ AWP(0x80cf6e0, 0x871ae3c, size)
structure* main_server at 0x80d6314
send(fd, &mons, size)
- 9. Action: Get ssl_ctx - 2 steps
4. dereference operator:
resp_buf = *(main_server->ServerName)
resp_buf = *(0x80de0c8)
resp_buf = 0x874d7b8 = ssl_ctx
copy operator:
AWP(main_server->ServerName, ssl_ctx, size)
- 10. Action: Get cert and dereference 7 times (D1-D7)
cert = main_server->ServerName + offset
cert = 0x874d7b8 + offset
cert = 0x874d868
- 11. Action: Get PK after dereferencing 7 times (D1-D7)
5. read operator:
AWP(&mons, ARP(main_server->ServerName), size)
- 13. The basic block "abstractions" [3]
● absblk.py
● Transition from a basic block to its abstraction (regwr, splmemwr, ...)
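To make the "basic block → abstraction" step concrete, here is a small added illustration of the idea (not BOPC's absblk.py and not the deck author's code): BOPC lifts real binaries through angr/VEX, whereas this toy consumes a constructed list of simplified x86-64 instruction tuples so that it runs offline. The tuple format, the three supported mnemonics (mov, add, lea) and the `[base+disp]` memory-operand syntax are assumptions of this example; the output is a per-block summary of registers written (regwr), memory written (memwr), memory read (memrd) and registers clobbered, which is the kind of summary later matched against the abstract statements of a payload.

```python
# Added illustration of the "basic block -> abstraction" step. NOT BOPC code:
# instructions are constructed (mnemonic, dst, src) tuples, memory operands
# are written "[base+disp]", and only mov/add/lea are modelled.
from dataclasses import dataclass, field


def _reg0(reg):
    """Symbolic value a register holds on block entry."""
    return ('reg0', reg)


def _parse_addr(env, operand):
    """Turn "[rbx+8]" into an address expression under the current env."""
    inner = operand[1:-1].replace(' ', '')
    if '+' in inner:
        base, disp = inner.split('+', 1)
        return ('add', env.get(base, _reg0(base)), ('const', int(disp, 0)))
    return env.get(inner, _reg0(inner))


def _value(env, operand, reads):
    """Resolve a source operand; memory operands are recorded in `reads`."""
    if operand.startswith('['):
        addr = _parse_addr(env, operand)
        reads.append(addr)
        return ('mem', addr)
    try:
        return ('const', int(operand, 0))
    except ValueError:
        return env.get(operand, _reg0(operand))


@dataclass
class BlockAbstraction:
    regwr: dict = field(default_factory=dict)    # reg -> expr left in it
    memwr: dict = field(default_factory=dict)    # addr expr -> expr stored
    memrd: list = field(default_factory=list)    # addr exprs loaded from
    clobbered: set = field(default_factory=set)  # regs overwritten in block


def abstract_block(instrs):
    """Summarise what a straight-line block writes to registers and memory."""
    env = {}  # current symbolic value of each register inside the block
    ab = BlockAbstraction()
    for mnem, dst, src in instrs:
        if mnem == 'mov':
            val = _value(env, src, ab.memrd)
        elif mnem == 'add':
            val = ('add', _value(env, dst, ab.memrd), _value(env, src, ab.memrd))
        elif mnem == 'lea':
            val = _parse_addr(env, src)  # lea computes the address, no load
        else:
            raise ValueError(f'unsupported mnemonic: {mnem}')
        if dst.startswith('['):
            ab.memwr[_parse_addr(env, dst)] = val
        else:
            env[dst] = val          # later instructions see the new value
            ab.regwr[dst] = val     # last write wins in the summary
            ab.clobbered.add(dst)
    return ab


def _mentions_load(expr):
    """True if the expression tree contains a memory load."""
    if expr[0] == 'mem':
        return True
    return any(_mentions_load(e) for e in expr[1:] if isinstance(e, tuple))


def reg_derived_from_memory(ab, reg):
    """Does the block leave `reg` holding a value derived from a load?"""
    val = ab.regwr.get(reg)
    return val is not None and _mentions_load(val)


# Constructed sample block (hypothetical, not taken from any real binary).
BLOCK = [
    ('mov', 'rax', '[rbx+8]'),
    ('add', 'rax', '16'),
    ('mov', '[rcx+0]', 'rax'),
    ('lea', 'rdi', '[rsp+0x20]'),
]

if __name__ == '__main__':
    summary = abstract_block(BLOCK)
    print('regwr    :', summary.regwr)
    print('memwr    :', summary.memwr)
    print('memrd    :', summary.memrd)
    print('clobbered:', sorted(summary.clobbered))
```

Expressions are kept as nested tuples rather than a real solver AST so the summary stays readable; in angr the same information comes out of `state.history.actions` (register/memory read and write actions) after stepping the block symbolically.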
- 15. Angr
● Block-oriented symbolic execution
● state.history.actions
– action.type == 'reg' and action.action == 'write'
– action.type == 'mem' and action.action == 'read'
– action.type == 'exit' and action.exit_type == 'conditional'
● blk.vex.jumpkind == "Ijk_Sys_syscall"
– BYPASS_UNSUPPORTED_SYSCALL
● state.se.constraints (AST)
– <Bool packet_0_stdin_6_480[471:464] != 13>
● state.posix.dumps(0)
● Initial .bss / .data section
● state.inspect.make_breakpoint('mem_read', ...)