Exploit Helpers Contents 1 Who Am I 2

  • Slides: 25
Download presentation
박주현 Exploit Helpers

박주현 Exploit Helpers

Contents 1. Who Am I 2. Exploit sequence 1. Checking protection in binary –

Contents 1. Who Am I 2. Exploit sequence 1. Checking protection in binary – checksec. sh 2. Finding exploitable vector – IDA Pro, Gdb-peda, Qira, Core dump 3. Exploit – Pwntools

Who Am I Xㅡ ㅁ Terminal cdor 1@Ubuntu ~$ whoami 1. 누구세요? Name =

Who Am I Xㅡ ㅁ Terminal cdor 1@Ubuntu ~$ whoami 1. 누구세요? Name = 박 주 현 Nick = cdor 1 Age = 17 School = 한세사이버보안고등학교 해킹보안과 Team = H 3 X 0 R Belong to = 서울여대정보보호영재교육원 3기, KSIA 2. 뭐 좋아하세요? Pwnable, Reversing 3. 뭐 하고 계세요? Pwnable. kr 문제풀이. . Heap exploit 공부. . OS 원리 공부. . arm, mips공부. . cdor 1@Ubuntu ~$ https: //fb. com/parkcdor 1

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector Static analyze : IDA Pro Dynamic analyze : Gdb-peda, Qira, Core dump 3. Exploit - Pwntools

Checksec. sh Checking Protection http: //www. trapkit. de/tools/checksec. html

Checksec. sh Checking Protection http: //www. trapkit. de/tools/checksec. html

How Checksec. sh Works? 1. Find symbol name 2. Segment header 3. File Type

How Checksec. sh Works? 1. Find symbol name 2. Segment header 3. File Type 4. Entry

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector Static analyze : IDA Pro Dynamic analyze : Gdb-peda, Qira, Core dump 3. Exploit - Pwntools

IDA Pro Hex-Ray Assembly ->Disassemble-> C language https: //www. hex-rays. com/products/ida/

IDA Pro Hex-Ray Assembly ->Disassemble-> C language https: //www. hex-rays. com/products/ida/

How IDA Pro works? DWORD PTR [esp+0 x 8], 0 x 3 mov DWORD

How IDA Pro works? DWORD PTR [esp+0 x 8], 0 x 3 mov DWORD PTR [esp+0 x 4], 0 x 2 mov DWORD PTR [esp], 0 x 1 call 0 x 80483 c 4 <babo> mov edx, DWORD PTR [ebp+0 x 8] mov DWORD PTR [esp+0 x 4], edx mov DWORD PTR [esp], eax call 0 x 80482 f 4 <printf@plt> (gdb) x/s 0 x 8048510: "%dn" Automate hand-ray into Algorithm babo(1, 2, 3); printf(“%dn”, argv[1]);

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector Static analyze : IDA Pro Dynamic analyze : Gdb-peda, Qira, Core dump 3. Exploit - Pwntools

Gdb-peda

Gdb-peda

Gdb-peda How To Install 1. git clone https: //github. com/longld/peda. git ~/peda 2. echo

Gdb-peda How To Install 1. git clone https: //github. com/longld/peda. git ~/peda 2. echo "source ~/peda. py" >> ~/. gdbinit IF error Downgrade your linux python version 3. x. x -> 2. 7. x or Downgrade your gdb version

Gdb-peda https: //github. com/longld/peda

Gdb-peda https: //github. com/longld/peda

How Gdb-peda works? Visualization the stack & code & register

How Gdb-peda works? Visualization the stack & code & register

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector Static analyze : IDA Pro Dynamic analyze : Gdb-peda, Qira, Core dump 3. Exploit - Pwntools

Qira Timeless Debugger http: //qira. me

Qira Timeless Debugger http: //qira. me

How Qira works? Save the status at the Previous command

How Qira works? Save the status at the Previous command

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector Static analyze : IDA Pro Dynamic analyze : Gdb-peda, Qira, Core dump 3. Exploit - Pwntools

Core dump How To Use 1. sudo -s 2. echo "/home/cdor 1/core. %e" >

Core dump How To Use 1. sudo -s 2. echo "/home/cdor 1/core. %e" > /proc/sys/kernel/core_pattern 3. ulimit –c unlimited 4. gdb Binary core. Binary

How Core dump works? When the interruption occurred, system makes core dump Like SIGSEGV

How Core dump works? When the interruption occurred, system makes core dump Like SIGSEGV 0 x 4141 in () ?

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector

Exploit sequence 1. Checking protection in binary - checksec. sh 2. Finding exploitable vector Static analyze : IDA Pro Dynamic analyze : Gdb-peda, Qira, Core dump 3. Exploit - Pwntools

Pwntools Make exploit easily, short, spend less time, look nice http: //pwntools. readthedocs. io

Pwntools Make exploit easily, short, spend less time, look nice http: //pwntools. readthedocs. io

How Pwntools works? s = socket(AF_INET, SOCK_STREAM) s. connect(‘cdor 1. com’, 0113) p =

How Pwntools works? s = socket(AF_INET, SOCK_STREAM) s. connect(‘cdor 1. com’, 0113) p = lambda x: struct. pack("<L", x) up = lambda x: struct. unpack("<L", x)[0] s = remote(‘cdor 1. com’, 0113) payload += p 32(system_plt) payload += p(system_plt) Pwntools simplifies the exploit code into 1 line

Practice With Plaid CTF 2013 Ropasaurusrex

Practice With Plaid CTF 2013 Ropasaurusrex

THANK YOU http: //cdor 1. tistory. com

THANK YOU http: //cdor 1. tistory. com

COMMUNITY HELPERS COMMUNITY HELPERS VIDEO FIREFIGHTER Job vCOMMUNITY HELPERS COMMUNITY HELPERS VIDEO FIREFIGHTER Job v
Community Helpers Turboquest Introduction to community helpers ACommunity Helpers Turboquest Introduction to community helpers A
EXPLOIT Equipo 3 Exploit Definicin Es un programaEXPLOIT Equipo 3 Exploit Definicin Es un programa
Contents 2 Contents 3 Contents 4 Contents 5Contents 2 Contents 3 Contents 4 Contents 5
TITLE CONTENTS 1 CONTENTS 2 CONTENTS 3 CONTENTSTITLE CONTENTS 1 CONTENTS 2 CONTENTS 3 CONTENTS
CONTENTS 1 CONTENTS 2 CONTENTS 3 CONTENTS 4CONTENTS 1 CONTENTS 2 CONTENTS 3 CONTENTS 4
contents 1 contents 2 contents 3 contents 4contents 1 contents 2 contents 3 contents 4
CMS Contents Managements System 0 CONTENTS CMS ContentsCMS Contents Managements System 0 CONTENTS CMS Contents
CELL CONTENTS Cell Contents Cell contents with whichCELL CONTENTS Cell Contents Cell contents with which
MODERN ISSUES and MODERN HELPERS Unit 3 AfricaMODERN ISSUES and MODERN HELPERS Unit 3 Africa
Mbhelpers com My Business Helpers Mbhelpers com AboutMbhelpers com My Business Helpers Mbhelpers com About
Notes for helpers Supporting everyone to tell theirNotes for helpers Supporting everyone to tell their
Helpers and Halos Examining Social Evaluation in theHelpers and Halos Examining Social Evaluation in the
Lecture 4 Data types select helpers and exercisesLecture 4 Data types select helpers and exercises
The Lorax Helpers Our mission Through fun andThe Lorax Helpers Our mission Through fun and
Helping the Helpers Addressing Knowledge Service Gaps inHelping the Helpers Addressing Knowledge Service Gaps in
Community Helpers Police Officers Police Officers n WhatCommunity Helpers Police Officers Police Officers n What
Emergency Responders In Need Helping the Helpers 2014Emergency Responders In Need Helping the Helpers 2014
Community Helpers of Rutherford Co 1453 B HopeCommunity Helpers of Rutherford Co 1453 B Hope
Series The Importance of The Importance Of HelpersSeries The Importance of The Importance Of Helpers
Chad Michel cmichelnebraskaglobal com SOA SERVICE HELPERS MEChad Michel cmichelnebraskaglobal com SOA SERVICE HELPERS ME
HEROES AND HELPERS Presenter Name Name of SchoolHEROES AND HELPERS Presenter Name Name of School
Community Helpers By Ms Hufnagles Second Grade ClassCommunity Helpers By Ms Hufnagles Second Grade Class
Our school has many helpers Together we workOur school has many helpers Together we work