SlideShare una empresa de Scribd logo

An Intro on Data-oriented Attacks

Aj MaChInE
Aj MaChInE

DOA是一個令人驚豔的技術,因此在若渴分享。

Educación
1 de 18
Descargar para leer sin conexión
An Intro on Data-oriented Attacks @ 若渴 2020.1.19 <ajblane0612@gmail.com> AjMaChInE
Reference ● [0] 2019, Exploitation Techniques and Defenses for Data- Oriented Attacks ● [1] 2018, Block Oriented Programming - Automating Data-Only Attacks ● [2] 2016, Data-Oriented Programming - On the Expressiveness of Non-Control Data Attacks ● [3] BOPC, https://github.com/HexHive/BOPC
DOA Overview [0][1][2]
The ProFTPd DOP Attack [0]
Array mons starts at 0x80cf6e0 send(fd, &mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
Action: Get main_server 2. read operator & 1. copy operator : AWP(&mons, ARP(&main_server), size) → AWP(0x80cf6e0, 0x871ae3c, size) structure* main_server at 0x80d6314 send(fd,&mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
Action: Get main_server->ServerName main_server->ServerName = main_server + offset = 0x871ae3c + 0x10 = 0x871ae4c offset we known & .bss section * main_server * mons * resp_buf * ssl_ctx
3. copy operator: AWP(main_server->ServerName, &ssl_ctx, size) → AWP(0x871ae4c, 0x80de0c8, size) Action: Get ssl_ctx - 1 step .bss section * main_server * mons * resp_buf * ssl_ctx
4. dereference operator: resp_buf = *(main_server->ServerName) resp_buf = *(0x80de0c8) resp_buf = 0x874d7b8 = ssl_ctx copy operator: AWP(main_server->ServerName, ssl_ctx, size) Action: Get ssl_ctx - 2 step .bss section * main_server * mons * resp_buf * ssl_ctx
cert = main_server->ServerName + offset cert = 0x874d7b8 + offset cert = 0x874d868 Action: Get cert and Derference 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
5. read operator: AWP(&mons, ARP(main_server->ServerName), size) Action: Get PK after dereferencing 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
BOPC – Block-oriented Programming Compiler [2][3] ● AWP (hard requirement) ● Python 2 ● Angr
The basic block "abstractions" [3] ● absblk.py ● Transition form a basic block to abstraction.(regwr, splmemwr,..)
CFG -> For basic blocks -> abstractions [3]
Angr ● Block-oriented symbolic execution ● status.history.actions – action.type == 'reg' and action.action == 'write' – action.type == 'mem' and action.action == 'read – action.type == 'exit' and action.exit_type == 'conditional' ● blk.vex.jumpkind == "Ijk_Sys_syscall" – BYPASS_UNSUPPORTED_SYSCALL ● state.se.constraints (AST) – <Bool packet_0_stdin_6_480[471:464] != 13> ● state.posix.dumps(0) ● Initial .bss/ .data section ● project.inspect.make_breakpoint('mem_read', ...)
On the Fly to Resolve the Constraints [2]
Constraint Issues [2]
simulate.py [3]

Recomendados

(No)SQL Timing Attacks for Data Retrieval
(No)SQL Timing Attacks for Data Retrieval(No)SQL Timing Attacks for Data Retrieval
(No)SQL Timing Attacks for Data Retrieval
Positive Hack Days
 
opentsdb in a real enviroment
opentsdb in a real enviromentopentsdb in a real enviroment
opentsdb in a real enviroment
Chen Robert
 
Distributed Data Processing Workshop - SBU
Distributed Data Processing Workshop - SBUDistributed Data Processing Workshop - SBU
Distributed Data Processing Workshop - SBU
Amir Sedighi
 
Create a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBCreate a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDB
Hengki Sihombing
 
Elasticsearch 1.x Cluster Installation (VirtualBox)
Elasticsearch 1.x Cluster Installation (VirtualBox)Elasticsearch 1.x Cluster Installation (VirtualBox)
Elasticsearch 1.x Cluster Installation (VirtualBox)
Amir Sedighi
 
Fluent plugin-dstat
Fluent plugin-dstatFluent plugin-dstat
Fluent plugin-dstat
shunsuke Mikami
 
Lazy evaluation drupal camp moscow 2014
Lazy evaluation drupal camp moscow 2014Lazy evaluation drupal camp moscow 2014
Lazy evaluation drupal camp moscow 2014
Evgeny Nikitin
 
Gnocchi v3
Gnocchi v3Gnocchi v3
Gnocchi v3
Gordon Chung
 

Recomendados

(No)SQL Timing Attacks for Data Retrieval
(No)SQL Timing Attacks for Data Retrieval(No)SQL Timing Attacks for Data Retrieval
(No)SQL Timing Attacks for Data Retrieval
Positive Hack Days
 
opentsdb in a real enviroment
opentsdb in a real enviromentopentsdb in a real enviroment
opentsdb in a real enviroment
Chen Robert
 
Distributed Data Processing Workshop - SBU
Distributed Data Processing Workshop - SBUDistributed Data Processing Workshop - SBU
Distributed Data Processing Workshop - SBU
Amir Sedighi
 
Create a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBCreate a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDB
Hengki Sihombing
 
Elasticsearch 1.x Cluster Installation (VirtualBox)
Elasticsearch 1.x Cluster Installation (VirtualBox)Elasticsearch 1.x Cluster Installation (VirtualBox)
Elasticsearch 1.x Cluster Installation (VirtualBox)
Amir Sedighi
 
Fluent plugin-dstat
Fluent plugin-dstatFluent plugin-dstat
Fluent plugin-dstat
shunsuke Mikami
 
Lazy evaluation drupal camp moscow 2014
Lazy evaluation drupal camp moscow 2014Lazy evaluation drupal camp moscow 2014
Lazy evaluation drupal camp moscow 2014
Evgeny Nikitin
 
Gnocchi v3
Gnocchi v3Gnocchi v3
Gnocchi v3
Gordon Chung
 
New kid on the block node.js
New kid on the block node.jsNew kid on the block node.js
New kid on the block node.js
Joel Divekar
 
1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning
MongoDB
 
To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)
Geoffrey Anderson
 
Gnocchi v3 brownbag
Gnocchi v3 brownbagGnocchi v3 brownbag
Gnocchi v3 brownbag
Gordon Chung
 
Mysql参数-GDB
Mysql参数-GDBMysql参数-GDB
Mysql参数-GDB
zhaolinjnu
 
Gnocchi Profiling v2
Gnocchi Profiling v2Gnocchi Profiling v2
Gnocchi Profiling v2
Gordon Chung
 
Gnocchi v4 (preview)
Gnocchi v4 (preview)Gnocchi v4 (preview)
Gnocchi v4 (preview)
Gordon Chung
 
Multi-core Node.pdf
Multi-core Node.pdfMulti-core Node.pdf
Multi-core Node.pdf
Ahmed Hassan
 
Social Analytics with MongoDB
Social Analytics with MongoDBSocial Analytics with MongoDB
Social Analytics with MongoDB
Patrick Stokes
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Arian Gutierrez
 
Postgres connections at scale
Postgres connections at scalePostgres connections at scale
Postgres connections at scale
Mydbops
 
Performance evaluation of apache tajo
Performance evaluation of apache tajoPerformance evaluation of apache tajo
Performance evaluation of apache tajo
Jihoon Son
 
Introduce leo-redundant-manager
Introduce leo-redundant-managerIntroduce leo-redundant-manager
Introduce leo-redundant-manager
Paras Patel
 
MongoDB Drivers And High Availability: Deep Dive
MongoDB Drivers And High Availability: Deep DiveMongoDB Drivers And High Availability: Deep Dive
MongoDB Drivers And High Availability: Deep Dive
emptysquare
 
Introduction to MongoDB with PHP
Introduction to MongoDB with PHPIntroduction to MongoDB with PHP
Introduction to MongoDB with PHP
fwso
 
MongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-SetMongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-Set
Vivek Parihar
 
Nsq.io on Node.js and Shell
Nsq.io on Node.js and ShellNsq.io on Node.js and Shell
Nsq.io on Node.js and Shell
Luis Faustino
 
Troubleshooting Cassandra
Troubleshooting CassandraTroubleshooting Cassandra
Troubleshooting Cassandra
Jeremy Hanna
 
Using MMS to Build New Environments
Using MMS to Build New EnvironmentsUsing MMS to Build New Environments
Using MMS to Build New Environments
MongoDB
 
introtomongodb
introtomongodbintrotomongodb
introtomongodb
saikiran
 
Let the Tiger Roar! - MongoDB 3.0 + WiredTiger
Let the Tiger Roar! - MongoDB 3.0 + WiredTigerLet the Tiger Roar! - MongoDB 3.0 + WiredTiger
Let the Tiger Roar! - MongoDB 3.0 + WiredTiger
Jon Rangel
 

Más contenido relacionado

La actualidad más candente

1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning
MongoDB
 
To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)
Geoffrey Anderson
 
Social Analytics with MongoDB
Social Analytics with MongoDBSocial Analytics with MongoDB
Social Analytics with MongoDB
Patrick Stokes
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Arian Gutierrez
 
Introduce leo-redundant-manager
Introduce leo-redundant-managerIntroduce leo-redundant-manager
Introduce leo-redundant-manager
Paras Patel
 
MongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-SetMongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-Set
Vivek Parihar
 
Using MMS to Build New Environments
Using MMS to Build New EnvironmentsUsing MMS to Build New Environments
Using MMS to Build New Environments
MongoDB
 

La actualidad más candente (20)

New kid on the block node.js
New kid on the block node.jsNew kid on the block node.js
New kid on the block node.js
 
1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning
 
To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)
 
Gnocchi v3 brownbag
Gnocchi v3 brownbagGnocchi v3 brownbag
Gnocchi v3 brownbag
 
Mysql参数-GDB
Mysql参数-GDBMysql参数-GDB
Mysql参数-GDB
 
Gnocchi Profiling v2
Gnocchi Profiling v2Gnocchi Profiling v2
Gnocchi Profiling v2
 
Gnocchi v4 (preview)
Gnocchi v4 (preview)Gnocchi v4 (preview)
Gnocchi v4 (preview)
 
Multi-core Node.pdf
Multi-core Node.pdfMulti-core Node.pdf
Multi-core Node.pdf
 
Social Analytics with MongoDB
Social Analytics with MongoDBSocial Analytics with MongoDB
Social Analytics with MongoDB
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
 
Postgres connections at scale
Postgres connections at scalePostgres connections at scale
Postgres connections at scale
 
Performance evaluation of apache tajo
Performance evaluation of apache tajoPerformance evaluation of apache tajo
Performance evaluation of apache tajo
 
Introduce leo-redundant-manager
Introduce leo-redundant-managerIntroduce leo-redundant-manager
Introduce leo-redundant-manager
 
MongoDB Drivers And High Availability: Deep Dive
MongoDB Drivers And High Availability: Deep DiveMongoDB Drivers And High Availability: Deep Dive
MongoDB Drivers And High Availability: Deep Dive
 
Introduction to MongoDB with PHP
Introduction to MongoDB with PHPIntroduction to MongoDB with PHP
Introduction to MongoDB with PHP
 
MongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-SetMongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-Set
 
Nsq.io on Node.js and Shell
Nsq.io on Node.js and ShellNsq.io on Node.js and Shell
Nsq.io on Node.js and Shell
 
Troubleshooting Cassandra
Troubleshooting CassandraTroubleshooting Cassandra
Troubleshooting Cassandra
 
Using MMS to Build New Environments
Using MMS to Build New EnvironmentsUsing MMS to Build New Environments
Using MMS to Build New Environments
 

Similar a An Intro on Data-oriented Attacks

introtomongodb
introtomongodbintrotomongodb
introtomongodb
saikiran
 
Ajax Performance Tuning and Best Practices
Ajax Performance Tuning and Best PracticesAjax Performance Tuning and Best Practices
Ajax Performance Tuning and Best Practices
Doris Chen
 
오픈 소스 프로그래밍 - NoSQL with Python
오픈 소스 프로그래밍 - NoSQL with Python오픈 소스 프로그래밍 - NoSQL with Python
오픈 소스 프로그래밍 - NoSQL with Python
Ian Choi
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
Roland Bouman
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
Roland Bouman
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
Severalnines
 
Performance Tuning Cheat Sheet for MongoDB
Performance Tuning Cheat Sheet for MongoDBPerformance Tuning Cheat Sheet for MongoDB
Performance Tuning Cheat Sheet for MongoDB
Severalnines
 

Similar a An Intro on Data-oriented Attacks (20)

introtomongodb
introtomongodbintrotomongodb
introtomongodb
 
Let the Tiger Roar! - MongoDB 3.0 + WiredTiger
Let the Tiger Roar! - MongoDB 3.0 + WiredTigerLet the Tiger Roar! - MongoDB 3.0 + WiredTiger
Let the Tiger Roar! - MongoDB 3.0 + WiredTiger
 
Ajax Performance Tuning and Best Practices
Ajax Performance Tuning and Best PracticesAjax Performance Tuning and Best Practices
Ajax Performance Tuning and Best Practices
 
Building Your First App with Shawn Mcarthy
Building Your First App with Shawn Mcarthy Building Your First App with Shawn Mcarthy
Building Your First App with Shawn Mcarthy
 
Large Scale Log collection using LogStash & mongoDB
Large Scale Log collection using LogStash & mongoDB Large Scale Log collection using LogStash & mongoDB
Large Scale Log collection using LogStash & mongoDB
 
Exploiting GPU's for Columnar DataFrrames by Kiran Lonikar
Exploiting GPU's for Columnar DataFrrames by Kiran LonikarExploiting GPU's for Columnar DataFrrames by Kiran Lonikar
Exploiting GPU's for Columnar DataFrrames by Kiran Lonikar
 
Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...
Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...
Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...
 
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
 
Bio bigdata
Bio bigdata Bio bigdata
Bio bigdata
 
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAsFOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
 
오픈 소스 프로그래밍 - NoSQL with Python
오픈 소스 프로그래밍 - NoSQL with Python오픈 소스 프로그래밍 - NoSQL with Python
오픈 소스 프로그래밍 - NoSQL with Python
 
Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...
Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...
Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...
 
Fullstack LX - Improving your application performance
Fullstack LX - Improving your application performanceFullstack LX - Improving your application performance
Fullstack LX - Improving your application performance
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
 
Boost Development With Java EE7 On EAP7 (Demitris Andreadis)
Boost Development With Java EE7 On EAP7 (Demitris Andreadis)Boost Development With Java EE7 On EAP7 (Demitris Andreadis)
Boost Development With Java EE7 On EAP7 (Demitris Andreadis)
 
PostgreSQL 9.5 - Major Features
PostgreSQL 9.5 - Major FeaturesPostgreSQL 9.5 - Major Features
PostgreSQL 9.5 - Major Features
 
Performance Tuning Cheat Sheet for MongoDB
Performance Tuning Cheat Sheet for MongoDBPerformance Tuning Cheat Sheet for MongoDB
Performance Tuning Cheat Sheet for MongoDB
 

Más de Aj MaChInE

[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE
 

Más de Aj MaChInE (19)

A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Último

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Último (20)

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 

An Intro on Data-oriented Attacks

  • 1. An Intro on Data-oriented Attacks @ 若渴 2020.1.19 <ajblane0612@gmail.com> AjMaChInE
  • 2. Reference ● [0] 2019, Exploitation Techniques and Defenses for Data- Oriented Attacks ● [1] 2018, Block Oriented Programming - Automating Data-Only Attacks ● [2] 2016, Data-Oriented Programming - On the Expressiveness of Non-Control Data Attacks ● [3] BOPC, https://github.com/HexHive/BOPC
  • 4. The ProFTPd DOP Attack [0]
  • 5. Array mons starts at 0x80cf6e0 send(fd, &mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 6. Action: Get main_server 2. read operator & 1. copy operator : AWP(&mons, ARP(&main_server), size) → AWP(0x80cf6e0, 0x871ae3c, size) structure* main_server at 0x80d6314 send(fd,&mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 7. Action: Get main_server->ServerName main_server->ServerName = main_server + offset = 0x871ae3c + 0x10 = 0x871ae4c offset we known & .bss section * main_server * mons * resp_buf * ssl_ctx
  • 8. 3. copy operator: AWP(main_server->ServerName, &ssl_ctx, size) → AWP(0x871ae4c, 0x80de0c8, size) Action: Get ssl_ctx - 1 step .bss section * main_server * mons * resp_buf * ssl_ctx
  • 9. 4. dereference operator: resp_buf = *(main_server->ServerName) resp_buf = *(0x80de0c8) resp_buf = 0x874d7b8 = ssl_ctx copy operator: AWP(main_server->ServerName, ssl_ctx, size) Action: Get ssl_ctx - 2 step .bss section * main_server * mons * resp_buf * ssl_ctx
  • 10. cert = main_server->ServerName + offset cert = 0x874d7b8 + offset cert = 0x874d868 Action: Get cert and Derference 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 11. 5. read operator: AWP(&mons, ARP(main_server->ServerName), size) Action: Get PK after dereferencing 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 12. BOPC – Block-oriented Programming Compiler [2][3] ● AWP (hard requirement) ● Python 2 ● Angr
  • 13. The basic block "abstractions" [3] ● absblk.py ● Transition form a basic block to abstraction.(regwr, splmemwr,..)
  • 14. CFG -> For basic blocks -> abstractions [3]
  • 15. Angr ● Block-oriented symbolic execution ● status.history.actions – action.type == 'reg' and action.action == 'write' – action.type == 'mem' and action.action == 'read – action.type == 'exit' and action.exit_type == 'conditional' ● blk.vex.jumpkind == "Ijk_Sys_syscall" – BYPASS_UNSUPPORTED_SYSCALL ● state.se.constraints (AST) – <Bool packet_0_stdin_6_480[471:464] != 13> ● state.posix.dumps(0) ● Initial .bss/ .data section ● project.inspect.make_breakpoint('mem_read', ...)
  • 16. On the Fly to Resolve the Constraints [2]