ntustxtdoh 資訊安全基礎工作坊 基礎逆向教育訓練
TRANSCRIPT
TEEMO KNOWS BINARYTDOH x TAIWAN TECH 2015/11/29
aaaddress1
SELF INTRODUCTION➤ 馬聖豪 (aaaddress1)➤ 義守大學資訊工程二年級➤ Reverse Engineering Skills
➤ Windows / Mac OS /Android➤ TDoHacker Core Member➤ HITCON 2015 CMT:
➤ AIDS➤ x86 靜態手花詐欺術
➤ Wooyun WhiteHat: x86 手花詐欺➤ 逢甲 2015 行動計算研討會 :
AIDS➤ 成功大學 2015 行動 APP 競賽
SELF INTRODUCTION➤ Hack BOT
➤ CrackShield / MapleHack➤ Tower Of Savior➤ FaceBook: Adr’s FB➤ Isu Hack➤ 競時通防爆 PING
➤ CSharp,VB,C/CPlus,x86,Python,Smali,Swift
OUTLINE➤ main() is not the really
main➤ OllyDBG:Baby First (Exam)➤ Return-oriented
Programming➤ Overflow: Revo Wolf(Exam)➤ Fuzzing➤ Make a fuzzer in C++ ➤ How to fuzzing with Z3
SWEET REMINDER
Tool https://goo.gl/4sJRtB
Examhttps://goo.gl/xUYkoz
REALLYMAIN
REALLY MAIN
REALLY MAIN
REALLY MAIN
REALLY MAIN
REALLY MAIN
REALLY MAIN
REALLY MAIN
_Start
REALLY MAIN
REALLY MAINParameter Data
REALLY MAIN➤ Label “_start” is really main.
➤ CRTStartUp is loaded in label “_start”.(To init RTC/new/delete/arg…etc)
➤ Find programmer’s main (normal c plus compile)➤ Find the address calling GetCommandLine➤ Find the address calling exit() or cexit()➤ Programmer’s main function is between them.
DEMOOlly Debugger:Really Main
EXAMOlly Debugger: Baby First&Take a break!
ROPReturn-oriented-Programming
WE NEED TO KNOW MOREBEFORE ROP
X86 CALLING COVENTION
&STACK FRAMES
ROP
ROP
ROP
ROP
ROP
ROP[EBP+0 ] = Pointer to old EBP[EBP+4 ] = Return Address[EBP+8 ] = First Parameter[EBP+C ] = Second Parameter[EBP+10 ] = Third Parameter…etc[EBP+8 + 4*index] = Parameter[index]
ROP VOID FUNC(){ INT A = 0; INT B = 1; INT C = 2;}
[EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2
push EBPmov
EBP,ESPSUB ESP,
LEN
ROPVOID FUNC(){ NFUNC(ARG1,ARG2,ARG3…)}
push ebp mov ebp,esp
.
.push arg3push arg2push arg1call nFunc
ROP
ROP
ROP
ROP
WHY?
ROP
StackESP + 0
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
ROP
StackESP + 0 Old EBP
ESP + 4
ESP + 8
ESP + C
ESP + 10
ESP + 14
_______EIP
ROP
StackEBP + 0
=ESP Old EBP
EBP + 4
EBP + 8
EBP + C
EBP + 10
EBP + 14
_______EIP
ROP
StackEBP - 8
=ESP Buffer
EBP - 4 Buffer
EBP + 0 Old EBP
EBP + 4
EBP + 8
EBP + C
_______EIP
ROP
StackEBP - 8
=ESP 1
EBP - 4 Buffer
EBP + 0 Buffer
EBP + 4 Old EBP
EBP + 8
EBP + C
_______EIP
ROP
StackEBP - 8
=ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
_______EIP
ROP
StackEBP - 8
=ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
ROP
StackEBP - 8
=ESP EBP
EBP - 4 return Address
EBP + 0 1
EBP + 4 Buffer
EBP + 8 Buffer
EBP + C Old EBP
_______EIP
ROP
StackEBP + 0
=ESP EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP
ROP
StackEBP + 0
=ESP EBP
EBP + 4 return Address
EBP + 8 1
EBP + C Buffer
EBP + 10 Buffer
EBP + 14 Old EBP
_______EIP
ROP
_______EIP
StackEBP - 8
=ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
ROP
_______EIP
StackEBP - 8
=ESP return Address
EBP - 4 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
ROP
StackEBP - 4
=ESP 1
EBP + 0 Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP
ROP
StackEBP + 0
= ESP Buffer
EBP + 4 Buffer
EBP + 8 Old EBP
EBP + C
EBP + 10
_______EIP
LET’S PLAY WITHBEEF
OVERFLOW
BOFOVERFLOW AND RIP…
BUFFER OVERFLOW➤ We just can see , cannot modify the application.➤ For Exploit?➤ Overflow local variables. (EBP+N are good friend to us) ➤ Do something for get control EIP/RIP.
BUFFER OVERFLOW
[EBP-8] [EBP-10]
BUFFER OVERFLOW
BUFFER OVERFLOW
BUFFER OVERFLOW
BUFFER OVERFLOW
BUFFER OVERFLOW
BUFFER OVERFLOW
How to let data == “admin”?
BUFFER OVERFLOW
[EBP-8] [EBP-10]
BUFFER OVERFLOW
Stack
BUFFER OVERFLOW
StackESP Old EBP
_______EIP
BUFFER OVERFLOW
StackEBP
=ESP Old EBP
_______EIP
BUFFER OVERFLOW
StackEBP - 10 Buffer
EBP - C Buffer
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP
_______EIP
BUFFER OVERFLOW
StackEBP - 10 Buffer
EBP - C Buffer
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP
_______EIP
Variable “name”
BUFFER OVERFLOW
StackEBP - 10 Buffer
EBP - C Buffer
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP
_______EIP
Variable “data”
BUFFER OVERFLOW
StackEBP - 10 Buffer
EBP - C Buffer
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP_______EIP
BUFFER OVERFLOW
StackEBP - 10 Buffer
EBP - C Buffer
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP_______EIP
If you input “aaaa”
BUFFER OVERFLOW
StackEBP - 10 aaaa
EBP - C Buffer
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP_______EIP
If you input “aaaa”
BUFFER OVERFLOW
StackEBP - 10 aaaa
EBP - C BBBB
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP_______EIP
If you input “aaaaBBBB”
BUFFER OVERFLOW
StackEBP - 10 REVO
EBP - C WOLF
EBP - 8 0x6C6C6548= lleH
EBP - 4 0x0000216F=\x00\x00!o
EBP=ESP Old EBP_______EIP
If you input “OVERFLOW”
IF WE INPUT MORE WORDS…?
MAGIC!
BUFFER OVERFLOW
StackEBP - 10 REVO
EBP - C WOLF
EBP - 8 revo
EBP - 4 wolf
EBP=ESP Old EBP_______EIP
If you input “OVERFLOWoverflow”
BUFFER OVERFLOW
StackEBP - 10 AAAA
EBP - C AAAA
EBP - 8 imda
EBP - 4 \x00\x00\x00n
EBP=ESP Old EBP_______EIP
SO, We can input“AAAAAAAAadmin”
BUFFER OVERFLOW
DANGER FUNCTION
#include <iostream>printf, fprintf, snprintf, vprintf, …etc
DEMOOverflow
EXAMOverflow: Revo wolf&Take a break!
EXAMOverflow: 7$BUY TICKETS&Take a break!
EXAMOverflow: Lee Sin can Read&Take a break!
FUZZING Fuzzing the key with Z3.py
“Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software.
From Wikipedia
WHAT IS FUZZING?
When we need to fuzz?A.Prove that something is always true
B.Fuzzing for something unexpectedC.Fuckinnnnnnnnnnnnng CryptoD.A lot of choice, find one is correct
FUZZING FOR WHAT?
Your said :Get the key is easy?
YOU THINK REVERSING IS:
SOLVING PROBLEMS?
BRAIN FUCKING (O)
FUZZING
FUZZING
Key= adr
‘a’ = 0x61,’d’ = 0x64, r = 0x72
FUZZING
FUZZING
Key= adr
0x00726461 = \x00\x72\x64\x61= \x00adr
FUZZING
FUZZING
How to find the key matching the factors?
MAKE A MINI FUZZER
IN C PLUS PLUS
Check Current Temp Key
0x20 to 0x7E, Visible ASCII Char Range
Display to us.
BUT…IF LENGT OF THE KEY ISN’T JUST 3 WORDS?
Z3Prove Tool
Z3 BEGIN
➤Get and Install Python2.7✴ Z3.py script environment✴ www.python.org
➤You can use python basically➤Get Z3.py for Windows
✴ Prove tool✴ github.com/Z3Prover/z3/wiki/Using-Z3Py-on-Window
s
猜謎➤ 無腦➤ 很軟➤ 手有毒
FUZZING(Z3)
Include Z3 function to your python scriptlike you use #include <iostream> in C++
FUZZING(Z3)
BitVec(“Name” , BitCount)For example:
1.char a => a = BitVec(“a”, 8)2.short b => b = BitVec(“b”, 16)3.int c => c = BitVec(“C”, 32) =>
Int(“c”)4.bool e => e = BitVec(‘e’, 8)
FUZZING(Z3)
Solve(All rules ), Z3 will auto fuzz all variables,and find a result(JUST ONE RESULT!).Then, print all results of variables.
FUZZING(Z3)
If you have a looooot of rules,you can use Solver().
Solver.add() can remember all rules you requested.
FUZZING(Z3)
If you want to check currentwhether rules can come true, you just use: Solver.check()
FUZZING(Z3)
If Z3 cannot find any result,check() will reply you “unsat”.
FUZZING(Z3)
If Z3 can find any result,check() will reply you “sat”.
FUZZING(Z3)
Finally, if you get “sat”,you can use: Solver.model()It will save a result in it.
Use model[Variable Name],and get the answer by String
FUZZING(Z3)
So,How to fuzz the key with z3?
DEMOFuzzing with z3.py
EXAMFuzzing: ShacoBuysCrusts&Take a Break!
EXAMFuzzing: AIS3 Final Exam Binary
