端端舝

? ?癖瑰 (aaaddress1)
? 膽忐?𡦀揃�?最?爛�
? Reverse Engineering Skills
? Windows / Mac OS /Android
? TDoHacker Core Member
? HITCON 2015 CMT:
? AIDS
? x86髺颷?豪厜ヾ胍
? Wooyun WhiteHat: x86?豪厜ヾ
? 瑙樅2015?��呾旃�𩂰: AIDS
? 傖髡?𡦀2015?�APP��

? Hack BOT
? CrackShield / MapleHack
? Tower Of Savior
? FaceBook: Adr＊s FB
? Isu Hack
? �媆籵滅惇PING?
? CSharp,VB,C/CPlus,?
x86,Python,Smali,Swift

NTUSTxTDOH - Pwn價渙 2015/12/27

PWN = 帤�𤒇衄氪肮砩狟
陂龰麼氪鏽狟杻隅/窒煦跃癹

OUTPUT RESULT
BROWSER
Html,JS,VBScript(IE)＃etc
RESPONSE

OUTPUT RESULT
BROWSER
Html,JS,VBScript(IE)＃etc
RESPONSE
BOF, Heap Overflow, SEH ＃blabla

RESPONSE&
Socket/HTTP
BOF, Heap Overflow, SEH ＃blabla

Use the exploit?
-> Control RIP (BOF,Heap,SEH,Sigreturn＃)

Use the exploit?
-> RIP (BOF,Heap, SEH, Sigreturn＃)
-> Shellcode

[EBP+0 ] = Pointer to old EBP
[EBP+4 ] = Return Address
[EBP+8 ] = First Parameter
[EBP+C ] = Second Parameter
[EBP+10 ] = Third Parameter
＃etc
[EBP+8 + 4*index] = Parameter[index]

VOID FUNC()
{
INT A = 0;
INT B = 1;
INT C = 2;
}
[EBP - 4] =0
[EBP - 8] =1
[EBP - C] =2
push EBP
mov EBP,ESP
SUB ESP, LEN

VOID FUNC()
{
NFUNC(ARG1,ARG2,ARG3＃)
}
push ebp
mov ebp,esp
.
.
push arg3
push arg2
push arg1
call nFunc

Stack
ESP + 0
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14

Stack
ESP + 0 Old EBP
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
_______EIP

Stack
EBP + 0
=ESP
Old EBP
EBP + 4
EBP + 8
EBP + C
EBP + 10
EBP + 14
_______EIP

Stack
EBP - 8
=ESP
Bu?er
EBP - 4 Bu?er
EBP + 0 Old EBP
EBP + 4
EBP + 8
EBP + C
_______EIP

Stack
EBP - 8
=ESP
1
EBP - 4 Bu?er
EBP + 0 Bu?er
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP

Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Bu?er
EBP + 4 Bu?er
EBP + 8 Old EBP
EBP + C
_______EIP

Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Bu?er
EBP + 4 Bu?er
EBP + 8 Old EBP
EBP + C

Stack
EBP - 8
=ESP
EBP
EBP - 4 return Address
EBP + 0 1
EBP + 4 Bu?er
EBP + 8 Bu?er
EBP + C Old EBP
_______EIP

Stack
EBP + 0
=ESP
EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Bu?er
EBP + 10 Bu?er
EBP + 14 Old EBP
_______EIP

_______EIP
Stack
EBP - 8
=ESP
return Address
EBP - 4 1
EBP + 0 Bu?er
EBP + 4 Bu?er
EBP + 8 Old EBP
EBP + C

Stack
EBP - 4
=ESP
1
EBP + 0 Bu?er
EBP + 4 Bu?er
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP

Stack
EBP + 0
= ESP
Bu?er
EBP + 4 Bu?er
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP

EBP+n
EBP+8
EBP+4
EBP+0
EBP-X
EBP-Y

EBP+4+4*k
EBP+8
EBP+4
EBP+0
EBP-X
EBP-Y

How to let data == ※admin§?

Buffer over?ow
Stack
ESP Old EBP
_______EIP

Buffer over?ow
Stack
EBP
=ESP
Old EBP
_______EIP

Buffer over?ow
Stack
EBP - 10 Bu?er
EBP - C Bu?er
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP

Buffer over?ow
Stack
EBP - 10 Bu?er
EBP - C Bu?er
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
Variable ※name§

Buffer over?ow
Stack
EBP - 10 Bu?er
EBP - C Bu?er
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
Variable ※data§

Buffer over?ow
Stack
EBP - 10 Bu?er
EBP - C Bu?er
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
※aaaa§

Buffer over?ow
Stack
EBP - 10 aaaa
EBP - C Bu?er
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
※aaaa§

Buffer over?ow
Stack
EBP - 10 aaaa
EBP - C BBBB
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
※aaaaBBBB§

Buffer over?ow
Stack
EBP - 10 REVO
EBP - C WOLF
EBP - 8
0x6C6C6548
= lleH
EBP - 4
0x0000216F
=x00x00!o
EBP
=ESP
Old EBP
_______EIP
If you input
※OVERFLOW§
Little Endian

if we input more words＃?
Magic!

Buffer over?ow
Stack
EBP - 10 REVO
EBP - C WOLF
EBP - 8 revo
EBP - 4 wolf
EBP
=ESP
Old EBP
_______EIP
If you input
※OVERFLOWoverflow§

Buffer over?ow
Stack
EBP - 10 AAAA
EBP - C AAAA
EBP - 8 imda
EBP - 4 x00x00x00n
EBP
=ESP
Old EBP
_______EIP
SO, We can input
※AAAAAAAAadmin§

Danger function
#include <iostream>
printf, fprintf, snprintf, vprintf, ＃etc

端端舝

NTUSTxTDOH - Pwn價渙 2015/12/27

More Related Content

NTUSTxTDOH - Pwn價渙 2015/12/27