Professional Documents
Culture Documents
Tutorial Guide: SSTF 2022 Hacker's Playground
Tutorial Guide: SSTF 2022 Hacker's Playground
Samsung Research
Tutorial Guide
BOF 101
Binary pwn
BOF(Buffer Overflow)?
2
What can we do with BOF?
system('/bin/sh');
3
Stack Layout (Intel x64 + gcc)
[Stack memory]
int func() { …
Stack grows this way
int var1;
RSP (memory address decrease this way)
int var2; buf
char buf[16]; stack frame of
…
func() var2
return 0; var1
} RBP RBP(old) Stack Frame Base of caller()
int caller() {
stack frame of ret Return address of func()
func(); caller()
}
…
4
Stack Layout (Intel x64)
[Stack memory]
int func() { …
int var1;
RSP AAAAAAAA
int var2; AAAAAAAA
char buf[16]; stack frame of
…
func() AAAAAAAA
return 0; AAAAAAAA
} RBP AAAAAAAA
After the execution of func(),
AAAAAAAA this function will return to
address “0xAAAAAAAA”.
…
If you can put lots of data to buf,
you can overwrite If ret can be overwritten, you can control
all variables and ret of the function. the execution path of the program as you want.
5
6
7
Quiz #1
#include <stdio.h>
#include <string.h>
8
Solution for Quiz #1
#include <stdio.h>
#include <string.h>
if(!strcmp(level, "admin")){
printf("Congratulation!\n");
}
return 0;
level You should overwrite here!
else{
printf("Sorry, You have failed.\n");
return -1; RBP(old)
}
} ret
int main() {
printf("Let's do BOF!\n");
BOF();
…
return 0;
}
9
Solution for Quiz #1
_ _ __ ___ _
_ _ __ ___ _
guest_ _ _
_ _ __ ___ _
RBP(old)
ret
…
Initial state
10
Solution for Quiz #1
… …
_ _ __ ___ _ AAAAAAAA
_ _ __ ___ _
AA(null)_ _ _ _ _
guest_ _ _ guest_ _ _
_ _ __ ___ _ _ _ __ ___ _
RBP(old) RBP(old)
ret ret
… …
Initial state When ‘A’x10
is given
When you put some string via scanf(), the end of the string is set to null(\x00). 11
Solution for Quiz #1
… … …
When you put some string via scanf(), the end of the string is set to null(\x00). 12
Solution for Quiz #1
… … … …
When you put some string via scanf(), the end of the string is set to null(\x00). 13
Solution for Quiz #1
14
15
Quiz #2
#include <stdio.h>
[Stack memory]
…
void secret(){
printf("This is secret function!\n");
}
17
Solution for Quiz #2
#include <stdio.h>
[Stack memory]
…
void secret(){
printf("This is secret function!\n");
}
AAAAAAAA Array of 16 bytes
int main() {
AAAAAAAA
char name[16];
18
Solution for Quiz #2
1. Connect to server and get secret()’s address 2. Overwrite name and RBP with ‘A’x24 and
- ASLR is off. So secret()’s address is static. overwrite main()’s ret to secret()’s address
- You should consider the endianness.
(order of address bytes)
19
Let’s practice
20
Practice: BOF 101
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
Can you execute printflag function?
int printflag() {
char buf[32];
FILE* fp = fopen("/flag", "r");
fread(buf, 1, 32, fp);
Environment info.
fclose(fp);
printf("%s", buf);
▪ x64 64bit elf binary
printf("Hello, %s. Your level is %s\n", name, level); ▪ No stack canary
return 0;
} ▪ ASLR off
int main() {
int check=0xdeadbeef; You can try!
char name[140];
printf("printflag()'s addr: %p\n", &printflag); ▪ nc bof101.sstf.site 1337
printf("What is your name?\n: ");
scanf("%s", name);
if (check != 0xdeadbeef) { Try it before you see the solution.
printf(“[Warning!] BOF detected!\n");
exit(0);
}
return 0;
}
21
Solution for BOF 101
#include <stdio.h>
#include <stdlib.h>
#include <string.h> [Stack memory]
…
int printflag() {
char buf[32];
FILE* fp = fopen("/flag", "r");
fread(buf, 1, 32, fp);
fclose(fp);
printf("%s", buf); name Array of 140 bytes
printf("Hello, %s. Your level is %s\n", name, level);
return 0;
}
int main() {
check 4 bytes
int check=0xdeadbeef;
char name[140]; RBP(old) 8 bytes
printf("printflag()'s addr: %p\n", &printflag);
printf("What is your name?\n: "); ret You should overwrite this
to printflag()’s address
…
scanf("%s", name);
if (check != 0xdeadbeef) {
printf(“[Warning!] BOF detected!\n");
exit(0);
}
return 0;
}
22
Solution for BOF 101
#include <stdio.h>
#include <stdlib.h>
#include <string.h> [Stack memory]
…
int printflag() {
char buf[32];
FILE* fp = fopen("/flag", "r");
fread(buf, 1, 32, fp);
fclose(fp);
printf("%s", buf); 'A'x140 Array of 140 bytes
printf("Hello, %s. Your level is %s\n", name, level);
return 0;
}
int main() {
0xdeadbeef 4 bytes
int check=0xdeadbeef;
char name[140]; AAAAAAAA 8 bytes
printf("printflag()'s addr: %p\n", &printflag);
printf("What is your name?\n: "); 0x555555555229 You should overwrite this
to printflag()’s address
…
scanf("%s", name);
if (check != 0xdeadbeef) {
printf(“[Warning!] BOF detected!\n");
exit(0);
}
return 0;
}
23
Solution for BOF 101
1. Connect to server and get printflag()’s address 2. Overwrite name , check and RBP with proper
- ASLR is off. So printflag()’s address is static. values and overwrite main()’s ret to
printflag()’s address
24