# 有Go讚 (So Go-od)
## From memory safety to exploit in Go
---
## about me
* Jerry CHEN 陳俊佑
* GIM backend
* Go developer, beginner Rust player

---
{%youtube 1rmDEP8oF34 %}
---
## google CTF 2019

*https://twitter.com/googlestudents/status/1141760398867042304*
---
## what's CTF
capture the flag: challenge solving, attack and defense

*https://www.youtube.com/watch?v=PBvthC7soS4*
---
## PWN Gomium Browser

---
## PWN Gomium Browser
* `Browser that runs Go scripts`
* `pwn2own style (load html)`
* `pop xcalc`
---
## Gomium
DEMO

---
## hello world
DEMO
```
cat hello.go
make hello.html
cat hello.html
make hello
```
https://github.com/jynychen/gomium-exploit/blob/master/hello.go
---
## let's attack
Pop a calculator
DEMO
```
cat exec.go
make exec.html
cat exec.html
make exec
```
https://github.com/jynychen/gomium-exploit/blob/master/exec.go
---
## what happened?
`code walk on Gomium Browser Source`
---
## Gomium Browser Source Code

---
## Attack plan
1. oob write
2. control IP/PC
3. call target
4. exploit!
---
## A taste of Go

---
## golang interface
abstract object
https://gobyexample.com/interfaces
---
## golang goroutine
lightweight thread
https://gobyexample.com/goroutines
---
## Attack plan
1. [oob write](https://)
2. control IP/PC
3. call target
4. exploit!
---
## interface race
`code walk on race/race.go`
---
## interface race
DEMO
```
go run race/race.go
```
https://github.com/Jyny/go-race-to-exploit/blob/main/race/race.go
---
## Attack plan
1. oob write
2. [control IP/PC](https://)
3. call target
4. exploit!
---
## Controlling PC/IP

*https://open4tech.com/microprocessor-program-counter/*
---
## Controlling PC/IP
`code walk on funcptr/funcptr.go`
---
## Controlling PC/IP
DEMO
```
go run funcptr/funcptr.go
```
https://github.com/Jyny/go-race-to-exploit/blob/main/funcptr/funcptr.go
---
## Attack plan
1. oob write
2. control IP/PC
3. [call target](https://)
4. exploit!
---
## calling target with syscall
`code walk on syscall/syscall.go`
---
## calling target with syscall
DEMO
```
go run syscall/syscall.go
```
https://github.com/Jyny/go-race-to-exploit/blob/main/syscall/syscall.go
---
## Attack plan
1. oob write
2. control IP/PC
3. call target
4. [exploit!](https://)
---
## prepare exploit
`code walk on exp.go`
https://github.com/jynychen/gomium-exploit/blob/master/exp.go
---
## How to get addr of target
finding gadget
DEMO
```
make findobj
make findpy
```
---
## let's attack again
DEMO
```
make exp
```
https://github.com/jynychen/gomium-exploit/blob/master/exp.go
---
## Fix status today :(
DEMO
```
uname -a  # Linux version
go version
go run exp/exp.go
```
---
## Root causes
* thread safety (interface, slice, map)
* `go build`: ASLR disabled by default
---
## thread unsafe
`reference type`
* interface
* slice
* map
`protect with sync.Mutex or golang.org/x/sync`
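Added example (not code from the talk or its repositories): the unprotected interface store beside its `sync.RWMutex` form. `Rect` and `Sum` are constructed types with the same memory layout, so a torn read of the two-word interface value shows up as a wrong `Area()` result instead of a crash.

```go
package main

import (
	"fmt"
	"sync"
)

// An interface value is two words (itab, data pointer); with no synchronisation
// a reader can see one type's itab paired with the other's data: type confusion.
type Shape interface{ Area() int }
type Rect struct{ w, h int } // Area = w*h
type Sum struct{ a, b int }  // Area = a+b; same layout as Rect, so no crash

func (r *Rect) Area() int { return r.w * r.h }
func (s *Sum) Area() int  { return s.a + s.b }

// Unsafe is the vulnerable pattern (plain shared field); Safe guards the
// same field with sync.RWMutex. Both satisfy Slot.
type Slot interface{ Store(Shape); Load() Shape }
type Unsafe struct{ v Shape }
type Safe struct{ mu sync.RWMutex; v Shape }

func (u *Unsafe) Store(s Shape) { u.v = s }
func (u *Unsafe) Load() Shape   { return u.v }
func (s *Safe) Store(v Shape)   { s.mu.Lock(); s.v = v; s.mu.Unlock() }
func (s *Safe) Load() Shape     { s.mu.RLock(); defer s.mu.RUnlock(); return s.v }

// Hammer: two writers (&Rect{2,3} -> 6, &Sum{10,20} -> 30) race one reader and
// it counts reads whose Area() is neither 6 nor 30 (Rect method over Sum data
// gives 200, Sum method over Rect data gives 5).
func Hammer(slot Slot, iters int) (confused int) {
	var wg sync.WaitGroup
	wg.Add(3)
	go func() { defer wg.Done(); for i := 0; i < iters; i++ { slot.Store(&Rect{2, 3}) } }()
	go func() { defer wg.Done(); for i := 0; i < iters; i++ { slot.Store(&Sum{10, 20}) } }()
	go func() {
		defer wg.Done()
		for i := 0; i < iters; i++ {
			if s := slot.Load(); s != nil && s.Area() != 6 && s.Area() != 30 {
				confused++
			}
		}
	}()
	wg.Wait()
	return confused
}

func main() { // `go run -race .` makes the race detector flag the Unsafe writes
	fmt.Println("unsafe:", Hammer(&Unsafe{}, 1_000_000), "safe:", Hammer(&Safe{}, 1_000_000))
}
```

The `Safe` slot always reports 0 confused reads; the `Unsafe` one may report a non-zero count depending on scheduling, and the race detector reports it deterministically either way.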
---
## ASLR
Address space layout randomization

*https://www.daniloaz.com/en/differences-between-aslr-kaslr-and-karl/*
---
## ASLR
* only enabled by default on M$
* NAS S vs Q (2018)
---
## Live recording
https://youtu.be/T1lP1b89_cc?si=MHRQ6NWr0lADyoQ0&t=533
---
# Q&A
---
## Reference
* https://github.com/Jyny/go-race-to-exploit
* https://github.com/jynychen/gomium-exploit
* https://github.com/google/google-ctf/tree/main/2019/finals/pwn-gomium
* https://blog.stalkr.net/2019/12/the-gomium-browser-exploits.html
* https://github.com/netanel01/ctf-writeups/tree/master/googlectf/2019/pwn_gomium