Secure Programming
Noip2
Stack based buffer overflow
Group 5: 林昱辰, 陳宗暉, 蘇才維, 吳尚浩, 閻昱萱
Vulnerability source
Software overview: Noip
Noip is the world's best-known dynamic DNS provider; its dynamic update client ships in many systems, software packages and embedded firmware.
Cause of the vulnerability:
Summary:
File format: ELF 32-bit
Dynamically linked
Not stripped
Payload = (292 - 21) * nop + shellcode + ret_address
(292 - 21): the number of bytes from the buffer to the return address, minus the shellcode's byte count
shellcode: 21 bytes
SCRIPT
Nop Slide
DEMO
The end
...not really
The shellcode ran into trouble: we swapped in many different ones and none of them
could escalate privileges, SO... we decided to add a small supplement.
Noip2
Stack based buffer overflow BETA
Bypassing NX with ret2libc + ROP
DEP
Data Execution Prevention
Writable memory is not executable; executable memory is not writable.
gcc: -z execstack (turns NX off)
STACK (what the first attempt relied on):
shellcode
shellcode
shellcode
shellcode
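To verify whether a binary was built with the executable stack that `-z execstack` produces (the condition the first attempt above depended on), here is an added checker that is not part of the original slides: it reads the ELF PT_GNU_STACK program header the way the loader does. The sample ELF32 image is constructed inline so the check runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header whose p_flags give the stack permissions
PF_X = 0x1                 # executable permission bit in p_flags

def stack_is_executable(elf: bytes) -> bool:
    """Return True when the ELF image requests an executable stack.

    Mirrors the loader's rule: the PT_GNU_STACK entry's p_flags decide the
    stack permissions, and a binary with no PT_GNU_STACK entry at all is
    treated as executable-stack on Linux x86 (the legacy default).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if elf[4] == 2:                          # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4                        # Elf64_Phdr: p_flags follows p_type
    else:                                    # ELF32, as in the noip2 binary above
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24                       # Elf32_Phdr: p_flags sits at byte 24
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_off)
            return bool(p_flags & PF_X)
    return True

def make_elf32(stack_flags: int) -> bytes:
    """Constructed sample: a 52-byte ELF32 header plus one PT_GNU_STACK entry."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, LE, version 1
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
        2, 3, 1, 0,   # e_type=EXEC, e_machine=x86, e_version, e_entry
        52, 0, 0,     # e_phoff (right after the header), e_shoff, e_flags
        52, 32, 1,    # e_ehsize, e_phentsize, e_phnum
        40, 0, 0)     # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            nx_off = stack_is_executable(f.read())
        print(f"{path}: stack {'EXECUTABLE (NX off)' if nx_off else 'non-executable (NX on)'}")
```

Run it on real binaries with `python3 check_stack.py /path/to/noip2`; p_flags 0x6 (RW) is what a default gcc build emits, 0x7 (RWX) is what `-z execstack` emits.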
ROP
Return Oriented Programming
Execute chosen sequences of machine instructions (= gadgets)
RET into existing code that itself contains a ret
Gadget
Noun: a small device or component
Short code fragments, each ending with a ret
CODE:
Func(argv1, argv2)
Assembly (x86 cdecl, arguments pushed right to left):
PUSH argv2
PUSH argv1
call Func        ; pushes Ret addr
push EBP         ; saves the caller's frame pointer (Prev ebp)
MOV EBP, ESP     ; sets up the new frame
SUB ESP, 8       ; reserves the local buffer
STACK after each step (HIGH addresses at top; ESP→ marks the most recent push):
after PUSH argv2:     argv2 ←ESP
after PUSH argv1:     argv2, argv1 ←ESP
after call Func:      argv2, argv1, Ret addr ←ESP
after push EBP:       argv2, argv1, Ret addr, Prev ebp ←ESP
after MOV EBP, ESP:   argv2, argv1, Ret addr, Prev ebp ←EBP=ESP
after SUB ESP, 8:     argv2, argv1, Ret addr, Prev ebp ←EBP, buffer ←ESP
Ret2Libc
A C program normally loads libc when it runs.
libc contains many useful functions.
Overwrite the return address with the address of an existing function.
※ If we cannot return to shellcode, return to an existing function instead.
Forge the stack to build a function call.
STACK (HIGH addresses at top, LOW at bottom):
Ret_addr slot → system()
next slot     → AAAA (fake return address for system())
next slot     → ptr "/bin/bash" (argument for system())
Libc Function = Libc Base Address + Function Offset
Libc base address: decided at dynamic load time (without ASLR it is fixed)
Function offset: constant
SCRIPT
AAAA              Padding
gets_func@libc    reads the "/bin/bash" string in
pop_ret           cleans the stack + chains to the next call
gets_argv_addr    stores the "/bin/bash" string in the bss segment
system@libc       executes
AAAA              doesn't matter, anything will do
gets_argv_addr    system's argument (same address as the one above)
DEMO
The end
For real this time