buffer overflow
9@ionis_h
IT e-words: http://e-words.jp/w/E38390E38383E38395E382A1E382AAE383BCE38390E383BCE38395E383ADE383BC.html
Hacking
(vuln.c)
#include <string.h>   /* strcpy */

/* Deliberately vulnerable: strcpy() copies argv[1] into a 500-byte stack buffer with no length check. */
int main (int argc, char* argv[]) {
    char buffer[500];
    strcpy (buffer, argv[1]);
    return 0;
}
(vuln.c)
$ vi vuln.c
$ gcc -o vuln vuln.c
$ ./vuln test
gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.1.00)
Mac OS X 10.6.8
(vuln.c)
$ ./vuln `ruby -e "print 'a'*500"`
$ ./vuln `ruby -e "print 'a'*501"`
Abort trap
buffer
(vuln.c)
Segmentation fault (Ubuntu 12.04)
strcpy / strncpy
fault
abort trap / segmentation fault
fault
fault
segmentation fault
segmentation
bss
bss
bss
Block Started by Symbol
EIP: Extended Instruction Pointer
segmentation
bss
EIP
EIP
EI
1
EIP:
SFP: Saved Frame Pointer
EBP (FP, LB)
void function (int a, int b, int c, int d) {
    char flag;         /* locals are placed below SFP and RET on the stack */
    char buffer[10];
}

int main (void) {
    function(1, 2, 3, 4);
    return 0;
}
mainfunction
callcall3EIP
EBPSFP
ESPEBP
buffer
flag
SFP)
a
b
c
d
(EBP)
EIP, EBP, E...
EIP : Extended Instruction Pointer
EBP : Extended Base Pointer
ESP : Extended Stack Pointer
http://www.asahi-net.or.jp/~vp5m-snd/sec/tech/Phrack49-14.html
500600
(vuln.c)
#include <string.h>   /* strcpy */

/* Deliberately vulnerable: strcpy() copies argv[1] into a 500-byte stack buffer with no length check. */
int main (int argc, char* argv[]) {
    char buffer[500];
    strcpy (buffer, argv[1]);
    return 0;
}
$ ./vuln `ruby -e "print 'A'*600"`
Abort trap
$ ./vuln `ruby -e "print 'A'*600"`
buffer[500]
SFP)
RET)
buffer
"ARET
0x41,0x41,0x41...
(A
EIP / RET: 0x41414141
RETOK
OK
Wikipedia: http://ja.wikipedia.org/wiki/%E3%82%B7%E3%82%A7%E3%83%AB%E3%82%B3%E3%83%BC%E3%83%89
NOP sledNOPRETNOP sled
NOP
NOP sled
NOP sled
RET
vuln.cbuffer
http://d.hatena.ne.jp/tomitake_flash/20100411/1270996605
56HACKING 2005
OS
NX (No eXecute Bit)
AMD (NX) / Intel (XD)
http://ja.wikipedia.org/wiki/NX%E3%83%93%E3%83%83%E3%83%88
ASLR Address Space Layout Randomization
http://ja.wikipedia.org/wiki/%E3%82%A2%E3%83%89%E3%83%AC%E3%82%B9%E7%A9%BA%E9%96%93%E9%85%8D%E7%BD%AE%E3%81%AE%E3%83%A9%E3%83%B3%E3%83%80%E3%83%A0%E5%8C%96
stack-protector (gcc)
3NX/XD
ASLR
stack-protector
10 : #5 http://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/c905.html
segmentation fault
JailBreak
Pod2g iOS 5.1 ASLR 2012/4/22 http://jailbreakers.info/iphone%E8%84%B1%E7%8D%84%E3%83%8B%E3%83%A5%E3%83%BC%E3%82%B9/pod2g%E3%81%8Cios5-1%E7%B4%90%E3%81%AA%E3%81%97%E8%84%B1%E7%8D%84%E3%81%AE%E6%83%85%E5%A0%B1%E3%82%92%E6%96%B0%E3%81%9F%E3%81%AB%E5%85%AC%E9%96%8B%EF%BC%81%E3%81%A4%E3%81%84%E3%81%ABaslr%E3%82%92/
2
201110 4410 http://books.rakuten.co.jp/rb/HACKING%EF%BC%9A%E7%BE%8E%E3%81%97%E3%81%8D%E7%AD%96%E8%AC%80%E7%AC%AC2%E7%89%88-%E8%84%86%E5%BC%B1%E6%80%A7%E6%94%BB%E6%92%83%E3%81%AE%E7%90%86%E8%AB%96%E3%81%A8%E5%AE%9F%E9%9A%9B-%E3%82%B8%E3%83%A7%E3%83%B3%E3%83%BB%E3%82%A8%E3%83%AA%E3%82%AF%E3%82%BD%E3%83%B3-9784873115146/item/11418036/
Xcode overflow