
Memory Protection Mechanism of Linux

Memory Protection Mechanism of Linux. TEAM PWN&PLAY YIS of KSIA 김태욱 xodnr631@naver.com fb.com/xodnr631. YIS. TEAM PWN&PLAY. SYSTEM HACKING. Memory Protection Mechanism of Linux. Buffer Overflow (1). A hacking technique that exploits the bug that arises when user-supplied data is so large that it overflows the limited capacity of a buffer.


Presentation Transcript


  1. Memory Protection Mechanism of Linux TEAM PWN&PLAY YIS of KSIA 김태욱 xodnr631@naver.com fb.com/xodnr631

  2. YIS

  3. TEAM PWN&PLAY

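  4. SYSTEM HACKING • Memory Protection Mechanism of Linux

  5. Buffer Overflow (1) • A hacking technique that exploits the bug that arises when user-supplied data is so large that it overflows the limited capacity of a buffer • Buffer: a temporary storage area that holds information while data is exchanged between the computer's main memory and peripheral devices

  6. Buffer Overflow (1) • A hacking technique that exploits the bug that arises when user-supplied data is so large that it overflows the limited capacity of a buffer • Buffer: a temporary storage area that holds information while data is exchanged between the computer's main memory and peripheral devices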

  7. Buffer Overflow (2)

  8. Buffer Overflow (2)

  9. Buffer Overflow (3) BUFFER – SFP – RET – Argc/Argv – environment variables – file name

  10. Buffer Overflow (3) BUFFER – SFP – RET – Argc/Argv – environment variables – file name A AAAAAAAAAAAAAAAAAA

  11. Stack

  12. Stack User space

  13. Memory LOW HIGH

  14. Memory LOW HIGH

  15. Buffer Overflow (5) <Types of BOF challenge problems>

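  16. Buffer Overflow (5)

          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>

          int main(int argc, char *argv[])
          {
              char buffer[256];
              if (argc < 2) {
                  printf("argv error\n");
                  exit(0);
              }
              /* no length check: argv[1] is copied into the 256-byte buffer as-is */
              strcpy(buffer, argv[1]);
              printf("%s\n", buffer);
          }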

  17. Buffer Overflow (5)

  18. Buffer Overflow (5)

          #include <stdio.h>

          int main()
          {
              char buffer[16];
              /* gets() reads a whole line with no bound on its length */
              gets(buffer);
              printf("%s\n", buffer);
          }

  19. Buffer Overflow (5)

          // here is changed!
          // egghunter
          for(i=0; environ[i]; i++)
              memset(environ[i], 0, strlen(environ[i]));

  20. Buffer Overflow (5)

          // here is changed!
          if(strlen(argv[0]) != 77){
              printf("argv[0] error\n");
              exit(0);
          }

  21. BUT

  22. Memory Protection (1) DEP(Data Execution Prevention)

  23. Memory Protection (1) DEP(Data Execution Prevention) STACK

  24. Memory Protection (1) DEP(Data Execution Prevention) STACK LOW HIGH

  25. Memory Protection (1) DEP(Data Execution Prevention) STACK LOW HIGH

  26. Memory Protection (1) RTL(Return-to-libc) STACK LOW HIGH

  27. Memory Protection (1) RTL(Return-to-libc) A AAAAAAAAAAAAAAAAAA

  28. Memory Protection (1) RTL(Return-to-libc) A AAAAAAAAAAAAAAAAAA &system() &execl() &/bin/sh

  29. Memory Protection (2) ASLR(Address Space Layout Randomization)

  30. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK

  31. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH

  32. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  33. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  34. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  35. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  36. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  37. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  38. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker

  39. Memory Protection (2) ASLR(Address Space Layout Randomization) STACK LOW HIGH I'm an awesome hacker The same address

  40. ↑ Fixed address ↑ Constantly changing address

  41. ↑ Fixed address ↑ Constantly changing address

  42. Memory Protection (3) ASCII Armor

  43. Memory Protection (3) ASCII Armor STACK LOW HIGH

  44. Memory Protection (3) ASCII Armor STACK LOW HIGH
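
A defender-side check for the two kernel-enforced protections covered in these slides (DEP on the stack and ASLR), added here as an example and not part of the original presentation. It reads the Linux procfs files `/proc/sys/kernel/randomize_va_space` and `/proc/self/maps`; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Parse /proc/sys/kernel/randomize_va_space text: 0 = ASLR off,
 * 1 = stack/mmap/vDSO randomized, 2 = heap (brk) too; -1 = unrecognized. */
int aslr_mode(const char *text) {
    if (!text || text[0] < '0' || text[0] > '2') return -1;
    if (text[1] != '\0' && text[1] != '\n') return -1;
    return text[0] - '0';
}

/* Find the [stack] line in /proc/<pid>/maps text. Returns 1 if the stack is
 * executable (no DEP/NX on it), 0 if not, -1 if there is no [stack] line. */
int stack_executable(const char *maps) {
    const char *line = maps;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], perms[5] = "";
        if (len < sizeof buf) {          /* over-long lines are skipped */
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* field 2 of a maps line is the permission string, e.g. rw-p */
            if (strstr(buf, "[stack]") && sscanf(buf, "%*s %4s", perms) == 1)
                return perms[2] == 'x';
        }
        line = end ? end + 1 : NULL;
    }
    return -1;
}

/* Read a small procfs file into buf; returns 0 on success. */
static int slurp(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void) {
    static char buf[65536];
    if (slurp("/proc/sys/kernel/randomize_va_space", buf, sizeof buf) == 0)
        printf("ASLR mode: %d\n", aslr_mode(buf));
    if (slurp("/proc/self/maps", buf, sizeof buf) == 0)
        printf("stack executable: %d\n", stack_executable(buf));
    return 0;
}
```

A result of `ASLR mode: 2` with `stack executable: 0` means both protections are active for the process that ran the check.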
