---
title: Pwn
---

# Pwn 0x1 by Roy

> Pwn~
> [Slides](https://drive.google.com/file/d/12-BNNNP6wxk1qz3f3WROf3syEl_p1Arm/view?usp=sharing)
> [Lecture video](https://youtu.be/pik4qZP1TFY)
> [sli.do anonymous questions](https://app.sli.do/event/hkbgehvp?utm_medium=hp) (link closed)
> [Post-class survey](https://docs.google.com/forms/d/e/1FAIpQLSeYFWINFOV2xa7y0FwmbhOOCU4MnLU7qZdnhyBBfpWQfntuoQ/viewform)

## Environment setup

* VM
  * Ubuntu 20.04
  * The VM provided in the morning Reverse session is sufficient
* Install script
  * Only needed when you use your own machine

:::spoiler Install script
```bash
#!/bin/bash
cd "$HOME"
sudo apt update
sudo apt upgrade
sudo apt install -y binutils nasm gcc-multilib g++-multilib libc6-dev-i386 libc6-dbg libc6-dbg:i386 python3-pip libssl-dev gdb
sudo pip3 install capstone pwntools ropgadget
#
# gdb plugins: peda and Pwngdb live under ~/tools, and .gdbinit is patched to point there
mkdir tools && cd tools
git clone https://github.com/longld/peda.git
git clone https://github.com/scwuaptx/Pwngdb.git
cp ~/tools/Pwngdb/.gdbinit ~/
sed -i 's/~\/peda/~\/tools\/peda/' ~/.gdbinit
sed -i 's/~\/Pwngdb/~\/tools\/Pwngdb/' ~/.gdbinit
```
:::

## pwn

- Review of reverse
- peda plugin
- gdb
  - `attach <pid>`
  - If you cannot attach: `echo 0 /proc/sys/kernel/`
  - `vmmap`
  - `elfsymbol`
  - `find`
  - `pattern` can be used to find the offset
    - `pattern create size [file]`
      - generates a cyclic pattern
      - `[file]`: save it to a file
    - `pattern offset`
  - `checksec ./example` inspects the protections of the binary being run

## ELF (Executable and Linkable Format)

- Components
  - ELF header
  - Program Header Table
  - Sections
    - .text: code
    - .data: global variables (initialized)
    - .bss: global variables (uninitialized)
    - .rodata: const variables
    - ... others
  - Section header
- `readelf -a ./lab2`
- ELF Linking View
- Memory layout (top to bottom)
  - kernel space
  - stack (grows downward)
  - heap (grows upward; memory returned by malloc lives here)
  - data (readable, writable, not executable)
  - code (readable, executable, not writable)
- Used all the time
  - push/pop (x86 assembly)
- x86 calling convention
  - How is a function called at the low level (assembly)?
  - C declaration
  - The caller prepares the arguments
  - Function arguments are pushed onto the stack from right to left
  - The result is stored in eax
- x86_64 calling convention
  - The arguments are placed in a different order XD
- System call: syscall
  - x86: int 0x80
- function
  - prologue (the start of the function)
    - Stack frame: ESP~EBP
  - body
    - computes the return value
  - epilogue (the end of the function)
    - basically the prologue in reverse
    - `leave` `ret` is all it takes
    - ret = pop eip

### Common vulnerabilities

- Buffer Overflow
  - Stack Based
    - An overly long input overwrites the return address
    - You need to calculate the offset to the memory address you want to overwrite
    - Use pwntools p32() or p64() to solve it
  - Heap Based
    - I don't know
- Integer Overflow
- Race Condition

## pwntools

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

# Target architecture/OS, so helpers such as p32() use the right conventions
context(arch='i386', os='linux')

# Connect to the challenge service (use process('./binary') for a local run)
r = remote('beef.nisra.net', 31337)

payload = b''        # build the payload here
r.sendline(payload)  # send it, followed by a newline
r.interactive()      # hand the connection over to the terminal
```

- p16() / p32() / p64()
  - pack a string or int into its in-memory representation (returns bytes)
- remote(host, port) / process(path)
- send(bytes) / sendline(bytes)
  - send data / send data followed by a newline
- recv(int)
- recvuntil(bytes), e.g. `','`
- recvline()
- interactive()

---

###### tags: `Enlightened` `NISRA` `2020`

<style>
.navbar-brand::after {
  content: " × NISRA";
}
</style>