RTL Chaining sangjun123naver com Contents n n RTL
![Return to Libc [*] First, Get Library Address, Library argument print libraryname find &system,](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-6.jpg "Return to Libc [*] First, Get Library Address, Library argument print libraryname find &system,")
![Return to Libc [*] Finally, Just Attack! - Buffer[? ] + SFP[4] + system](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-7.jpg "Return to Libc [*] Finally, Just Attack! - Buffer[? ] + SFP[4] + system")
![RTL Chaining [*] First, Find Gadget(pop. . ret) Usage: objdump –d. /binary pop ret](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-10.jpg "RTL Chaining [*] First, Find Gadget(pop. . ret) Usage: objdump –d. /binary pop ret")
![RTL Chaining [*] Second, Find 1 byte char(/bin/sh) Usage: objdump –s. /binary | grep](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-11.jpg "RTL Chaining [*] Second, Find 1 byte char(/bin/sh) Usage: objdump –s. /binary | grep")
![RTL Chaining [*] Third, Find. bss Address Usage: objdump –h. /binary | grep bss](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-12.jpg "RTL Chaining [*] Third, Find. bss Address Usage: objdump –h. /binary | grep bss")
![RTL Chaining [*] Fourth, Find vuln@plt strcpy@plt = 0 x 080483 a 0 jmp](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-13.jpg "RTL Chaining [*] Fourth, Find vuln@plt strcpy@plt = 0 x 080483 a 0 jmp")
![RTL Chaining Finish!! I Have. . [Gadget, character, bss, strcpy@plt, system]](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-15.jpg "RTL Chaining Finish!! I Have. . [Gadget, character, bss, strcpy@plt, system]")
![Attack Scenario [*] Payload strcpy@plt + ppr +. bss + “/”. . . System](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-16.jpg "Attack Scenario [*] Payload strcpy@plt + ppr +. bss + “/”. . . System")
![Demo [Environment] - Ubuntu 14. 04 LTS - Netcat Remote Server - gcc –o](https://slidetodoc.com/presentation_image_h2/9ac7c9f96084a7626d2bad19710a1ac9/image-17.jpg "Demo [Environment] - Ubuntu 14. 04 LTS - Netcat Remote Server - gcc –o")
- Slides: 18
RTL Chaining 송상준 sangjun_123@naver. com 서초고등학교
Contents n 자기소개 n RTL Chaining n Demo
자기소개 n n 서초고등학교 2학년 Best of the Best 4기 교육생 정보보안팀 Hack. Cat 소속 s 0 ngsari. tistory. com
Return to Libc [*] First, Get Library Address, Library argument print libraryname find &system, +9999, ”/bin/sh”
Return to Libc [*] Finally, Just Attack! - Buffer[? ] + SFP[4] + system + exit + /bin/sh system(“/bin/sh”) -> exit(0);
RTL Chaining [*] First, Find Gadget(pop. . ret) Usage: objdump –d. /binary pop ret = 0 x 0804852 f pop ret = 0 x 0804852 e
RTL Chaining [*] Second, Find 1 byte char(/bin/sh) Usage: objdump –s. /binary | grep “/” – 0 x 08048154 (/, b, i, n, s, h, x 00)을 모두 구해야함
RTL Chaining [*] Third, Find. bss Address Usage: objdump –h. /binary | grep bss - insert char(/bin/sh) in. bss (custom stack) bss = 0 x 0804 a 028 bss size = 1028 byte
RTL Chaining [*] Fourth, Find vuln@plt strcpy@plt = 0 x 080483 a 0 jmp ds: offset은 got주소!!
RTL Chaining Finish!! I Have. . [Gadget, character, bss, strcpy@plt, system]
Attack Scenario [*] Payload strcpy@plt + ppr +. bss + “/”. . . System + exit + bss C Code? -> strcpy(bss[0], “/”); strcpy(bss[1], “b”); . . .
Demo [Environment] - Ubuntu 14. 04 LTS - Netcat Remote Server - gcc –o exploit. c –fno-stack-protector
Backward chaining
Dậy thổi cơm mua thịt cá
Cơm
Backward chaining
Jess expert system
Indian optical square in surveying
Forward chaining
Contoh kasus backward chaining
Give a forward chaining proof of the sentence 7 < 3 9
Differenza tra shaping e chaining
Forward chaining example
Behavior chain interruption strategy
Concatenamento anterogrado
Hash function code
Row chaining
Servlet chaining
Rule-based expert system
Quadratic probing
Backward chaining occupational therapy
